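#!/bin/bash
# Container entrypoint: prepare root's SSH directory, inject a host public key
# mounted (read-only) at /tmp/host_id_ed25519.pub, start sshd, then exec the
# command given on the command line.
#
# Notes:
#   - /root/.ssh/environment receives selected variables (PATH, BUN*, CARGO*,
#     RUST*, ANTHROPIC*, OPENAI*, OPENCODE*, TERM, SHELL, WORKSPACE*). The
#     ANTHROPIC*/OPENAI* entries may hold API credentials, so the file is set
#     to mode 600 before anything is written into it.
#   - sshd only reads ~/.ssh/environment when sshd_config enables
#     PermitUserEnvironment; that configuration is outside this script.
set -eo pipefail

readonly ssh_dir=/root/.ssh
readonly auth_keys="${ssh_dir}/authorized_keys"
readonly env_file="${ssh_dir}/environment"
readonly mounted_pub=/tmp/host_id_ed25519.pub

# 1. Prepare the SSH directory.
mkdir -p -- "$ssh_dir"
chmod 700 -- "$ssh_dir"
touch -- "$auth_keys" "$env_file"
# Restrict the environment file before credentials are written into it.
chmod 600 -- "$env_file"
# grep exits 1 when nothing matches; under set -e that must not abort the
# entrypoint, so treat "no matching variables" as an empty file.
printenv | grep -E '^(PATH|BUN|CARGO|RUST|ANTHROPIC|OPENAI|OPENCODE|TERM|SHELL|WORKSPACE)' > "$env_file" || true

# 2. Inject the mounted public key. The mount is read-only, so the key is
#    appended to our own authorized_keys rather than edited in place.
#    -s (non-empty) rather than -f: an empty mount would otherwise be reported
#    as a successful injection.
if [ -s "$mounted_pub" ]; then
  printf '%s\n' "检测到挂载的公钥,正在注入..."
  # -F matches the key material literally; without it the key line (which
  # contains '.', '+' and '/') is interpreted as a regular expression.
  # Skip when the key is already present to avoid duplicate entries.
  if ! grep -qF -f "$mounted_pub" "$auth_keys"; then
    # $(cat ...) drops trailing newline(s); printf re-adds exactly one so a
    # key file without a final newline cannot fuse with the next appended key.
    printf '%s\n' "$(cat -- "$mounted_pub")" >> "$auth_keys"
    printf '%s\n' "✅ 公钥注入成功"
  else
    printf '%s\n' "ℹ️ 公钥已存在,无需重复注入"
  fi
fi

# 3. Force the permissions sshd requires (its default StrictModes check
#    refuses authorized_keys files that are writable by others).
chmod 600 -- "$auth_keys"
chown -R root:root -- "$ssh_dir"

# Start sshd: run the daemon binary directly when it is present, otherwise
# fall back to the init-script name used by Debian/Ubuntu images.
if [ -x /usr/sbin/sshd ]; then
  /usr/sbin/sshd
else
  service ssh start
fi

exec "$@"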