#   This is prefixed by `setup-header`.

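users_generic() {
    #   Create the container user with `useradd` and give her passwordless
    #   sudo through a drop-in under /etc/sudoers.d/. Takes no arguments.
    #   `%{uname}`, `%{uid}` and `%{ugecos}` are template placeholders,
    #   presumably substituted before the shell runs this script.
    #   NOTE(review): the substituted values land unescaped in a script run
    #   as root (a `'` in the GECOS text would end the quoting below);
    #   confirm the generator validates or escapes them.
    local uname1000 group group_csv
    local -a groups=() allgroups=(systemd-journal)

    echo '-- Ensure UID 1000 does not exist'
    #   Ubuntu images (and perhaps others) have a pre-created user with
    #   UID 1000; if the dent user is also using Ubuntu with a default
    #   install, she will be UID 1000 as well and dent will not be able
    #   to create that user in the container because it already exists.
    #   So make sure it doesn't.
    #   `id` fails when nobody holds UID 1000; that is the normal case,
    #   so the failure is deliberately ignored.
    uname1000=$(id -un 1000) || true
    if [[ -n $uname1000 ]]; then
        userdel --force --remove "$uname1000"
    fi

    echo '-- User creation'
    #   IMPORTANT: we do *not* add the user to the `wheel` or `sudo` group.
    #   The user has explicit NOPASSWD: access via /etc/sudoers.d/50-%{uname}
    #   below, and additional group perms usually add PASSWD: which breaks
    #   `sudo -v`. There are ways of working around this (see below), but
    #   they're not reliable. We should only add the user to any of these
    #   groups on systems where something breaks seriously enough we can afford
    #   to have `sudo -v` break.
    #   Only groups that actually exist in /etc/group are passed to useradd.
    for group in "${allgroups[@]}"; do
        if grep -q "^$group:" /etc/group; then
            groups+=("$group")
        fi
    done
    #   Join into the comma-separated list `--groups` expects. A separate
    #   scalar is used so the array is not overwritten through element 0.
    group_csv=$(IFS=, ; printf '%s' "${groups[*]}")

    useradd --shell /bin/bash \
        --create-home --home-dir /home/%{uname}  \
        --user-group --groups "$group_csv" \
        --uid %{uid} -c '%{ugecos}' %{uname}

    #   Since we have no password, we must let the user sudo without one.
    mkdir -p /etc/sudoers.d/    # In case we skipped sudo install
    #   The delimiter is quoted so the text is written literally. Unquoted,
    #   the backquoted words in the comments below (`sudo -v`, `sudo`) are
    #   command substitutions: the shell would run them as root and paste
    #   their output into the sudoers file.
    cat << '_____' > /etc/sudoers.d/50-%{uname}
#   We add explicit sudo for the user of this container because we do not, for
#   reasons explained above and below, try to use group membership for this.
%{uname} ALL=(ALL:ALL) NOPASSWD:ALL

#   Changing verifypw from its default of 'all' to 'any' for the user will in
#   original sudo ensure that if that if NOPASSWD: is lacking on any entries in
#   /etc/sudoers (as it is for, e.g., %sudo group on Debian) the user can still
#   `sudo -v` without a password. But this does not work with e.g. sudo-rs
#   (the new Rust `sudo` shipped with Ubuntu 26.04), so we leave this here
#   just as a safety net that can't really be relied upon.
Defaults:%{uname} verifypw = any
_____
    #   0440 is the mode sudoers(5) documents for sudoers files; the write
    #   and execute bits of the previous 0750 are not needed. The glob covers
    #   every numbered drop-in, not only the file written above.
    chmod 0440 /etc/sudoers.d/[0-9]*
}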

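users_alpine() {
    #   Create the container user with Alpine's `adduser` and give her
    #   passwordless sudo through a drop-in under /etc/sudoers.d/.
    #   Takes no arguments. `%{uname}`, `%{uid}` and `%{ugecos}` are template
    #   placeholders, presumably substituted before the shell runs this.
    echo '-- User creation (alpine)'

    #   Alpine `adduser` has no option to set the group, but unlike this
    #   command on some other systems, it automatically puts the user in
    #   her own group with the same name and id.
    #addgroup --gid %{uid} %{uname}

    #   -D avoids assigning a password
    adduser -D --uid %{uid} -g '%{ugecos}' \
        --shell /bin/bash --home /home/%{uname}   %{uname}

    #   XXX Should `adduser %{uname} $group` for any groups?

    #   Since we have no password, we must let the user sudo without one.
    mkdir -p /etc/sudoers.d/    # In case we skipped sudo install
    echo '%{uname} ALL=(ALL:ALL) NOPASSWD:ALL' > /etc/sudoers.d/50-%{uname}
    #   Without this the file keeps whatever mode the current umask gives
    #   it; 0440 is the mode sudoers(5) documents for sudoers files.
    chmod 0440 /etc/sudoers.d/50-%{uname}
}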

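dot_home() {
    #   Install dot-home for the container user by fetching its
    #   `bootstrap-user` script and running it as that user. Takes no
    #   arguments. Best effort: a failure prints a warning, pauses so it is
    #   seen in the log, and setup continues.
    #   Side effects: LOGNAME, HOME and DH_BOOTSTRAP_USERS are exported and
    #   stay set in the calling shell after this function returns.
    echo '-- dot-home install'
    local url_prefix=https://raw.githubusercontent.com/dot-home/dot-home
    #   NOTE(review): this tracks a mutable branch and the script is run
    #   without an integrity check, as a user the users_* functions give
    #   NOPASSWD sudo. Pinning url_branch to a reviewed commit would make
    #   what runs here reproducible.
    local url_branch=main
    local url="$url_prefix/$url_branch/bootstrap-user"
    local script=''
    export LOGNAME=%{uname} HOME=~%{uname}
    export DH_BOOTSTRAP_USERS="$url_prefix/$url_branch/dh/bootstrap-users"

    #   Remove the distribution's default shell start-up files.
    rm -f -- "$HOME/.profile" "$HOME/.bash_profile" "$HOME/.bashrc"

    #   Download completely before running anything. With `curl | bash`
    #   the `if` sees only bash's exit status (unless pipefail is on), so a
    #   failed download feeds bash empty input and is reported as success,
    #   and an interrupted one runs a truncated script.
    #   The temp file stays root-owned; the user's bash receives it on stdin,
    #   which is opened here before sudo switches user. `-E` passes the
    #   exported variables above (and the rest of the environment) through.
    if script=$(mktemp) \
        && curl -sfL -o "$script" "$url" \
        && sudo -E -u "$LOGNAME" bash < "$script"
    then
        echo "dot-home installed for user $LOGNAME"
    else
        echo "WARNING: dot-home install failure"
        sleep 3
    fi

    if [[ -n $script ]]; then
        rm -f -- "$script"
    fi
}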

#   `%{useradd}` is a template placeholder; presumably it is replaced with
#   `generic` or `alpine` so that this line calls users_generic or
#   users_alpine, the two user-creation functions defined above.
users_%{useradd}
#   Runs after user creation: dot_home removes files from the user's home
#   directory and runs the bootstrap script as that user.
dot_home
