#!/bin/sh
# provision.sh — one-shot provision: clone repo onto edge box, run install.sh
#
# Usage (run from onyx):
#   ./scripts/provision.sh user@<edge-ip-or-hostname>
#
# What it does:
#   1. SSH into edge box, install required pkgs (acme-client + wireguard-tools)
#   2. git clone this repo to /tmp/production-openbsd
#   3. Run /tmp/production-openbsd/scripts/install.sh on the edge box
#      which copies /etc/* + enables services + reloads
#
# Expected pre-state:
#   - OpenBSD 7.6+ installed on edge box
#   - User 'user' exists with sudo/doas access
#   - Your SSH pubkey already in user@edge:.ssh/authorized_keys
#   - WG keys generated separately (see etc/hostname.wg0.example header)

set -eu

TARGET="${1:-}"
[ -n "$TARGET" ] || { echo "Usage: $0 user@<edge-ip>" >&2; exit 1; }

REPO_URL="ssh://git@192.168.0.100:222/s8n/production-openbsd.git"
REMOTE_PATH="/tmp/production-openbsd"

echo "[*] Provisioning $TARGET ..."

ssh "$TARGET" -- "/bin/sh -se" <<EOF
set -eu
echo "[remote] installing prerequisites"
doas pkg_add -I acme-client wireguard-tools git rsync || true
[ -d $REMOTE_PATH ] && rm -rf $REMOTE_PATH
git clone $REPO_URL $REMOTE_PATH
cd $REMOTE_PATH
doas /bin/sh scripts/install.sh
echo "[remote] provision complete"
EOF

echo "[*] Done. Verify: ssh $TARGET 'doas pfctl -sr | head'"