#!/usr/bin/env bash
set -euo pipefail

# The enrollment helper is addressed by absolute path, so PATH is never
# consulted when locating it. Stop early with a diagnostic on stderr when the
# file is absent or is not executable by the current user.
[[ -x /usr/libexec/niceos-k8s-ssh-enrollment ]] || {
    printf '%s\n' "ERROR: /usr/libexec/niceos-k8s-ssh-enrollment is not installed or not executable" >&2
    exit 1
}

# Delegate to the helper's "status" subcommand. Under `set -e`, a non-zero
# exit from the helper ends this script before any guidance is printed.
/usr/libexec/niceos-k8s-ssh-enrollment status

# Operator guidance: the recommended enrollment flow and the files involved.
# The heredoc delimiter is quoted, so the text is emitted literally with no
# expansion. NODE_IP is a placeholder the operator substitutes.
#
# Step 2 turns off password authentication on the client side, so a successful
# login there shows that the installed key works on its own. Per step 3, the
# temporary password drop-in is removed only after such a publickey login has
# been observed.
cat <<'EOF'

Recommended SSH enrollment flow:
  1. From administrator workstation:
       ssh-copy-id root@NODE_IP

  2. Then test key-only login from a new terminal:
       ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no root@NODE_IP

  3. NiceOS will remove the temporary password SSH drop-in after it observes:
       Accepted publickey for root

Runtime files:
  temporary drop-in:
    /etc/ssh/sshd_config.d/20-niceos-k8s-firstboot-root-password.conf

  main hardening profile:
    /etc/ssh/sshd_config.d/40-niceos-k8s-node.conf

  root authorized keys:
    /root/.ssh/authorized_keys

  enrollment state:
    /var/lib/niceos/k8s-ssh-enrollment/

EOF

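# Print the authentication-related settings sshd would actually apply, so the
# operator can confirm whether password login for root is still enabled.
#
# NOTE(review): `sshd -T` is run without `-C` connection parameters, so values
# set inside `Match` blocks may not be reflected in this output. Confirm
# whether the NiceOS drop-ins use Match blocks.
if command -v sshd >/dev/null 2>&1; then
    echo "Effective sshd settings:"
    # Capture stdout first instead of piping straight into grep. With
    # `pipefail`, a trailing `|| true` on the pipeline would also hide a
    # failing `sshd -T` (invalid config, insufficient privileges), leaving an
    # empty list that looks as if no settings were configured. sshd's own
    # stderr still reaches the terminal.
    if sshd_effective=$(sshd -T); then
        # grep exits 1 when nothing matches; that must not abort the script.
        grep -Ei 'permitrootlogin|pubkeyauthentication|passwordauthentication|kbdinteractiveauthentication|authenticationmethods|authorizedkeysfile' <<<"$sshd_effective" || true
    else
        # Stay best-effort (exit status unchanged) but state that the
        # settings could not be read.
        echo "WARNING: 'sshd -T' failed; cannot print effective sshd settings" >&2
    fi
else
    echo "WARNING: sshd command not found; cannot print effective sshd settings" >&2
fi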