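#!/bin/bash
set -euo pipefail

# FreeIPA client — installs the client packages and prints enrollment
# instructions. This script does not enroll the host itself.
#
# Packages: sssd + cyrus-sasl-gssapi from pacman; freeipa-client (AUR) for
# ipa-client-install, ipa-getkeytab, etc.
#
# NOTE(review): pacman -S needs root, while makepkg (which yay drives) refuses
# to build as root — confirm how the caller invokes this script so that both
# install steps can succeed in one run.

PACMAN_PKGS=(sssd cyrus-sasl-gssapi openldap krb5 oddjob)
AUR_PKGS=(freeipa-client)

# Tracks whether the AUR step ran, so the summary does not claim that
# ipa-client-install is available when it was skipped.
aur_installed=0

echo "[+] Installing FreeIPA client packages..."
pacman -S --noconfirm --needed "${PACMAN_PKGS[@]}"

if command -v yay &>/dev/null; then
  echo "[+] Installing freeipa-client (AUR)..."
  # Supply-chain caveat: AUR packages are user-submitted build scripts that
  # execute on this host during the build, and --noconfirm answers yay's
  # prompts automatically, including the offer to review the PKGBUILD.
  # Review the freeipa-client PKGBUILD out of band (or pin a vetted build)
  # before running this on a host that will hold a Kerberos keytab.
  yay -S --noconfirm --needed "${AUR_PKGS[@]}"
  aur_installed=1
else
  echo "[!] yay not found — skipping AUR packages (freeipa-client)."
  echo " Install yay, then run: yay -S --needed freeipa-client"
fi

# Enable sssd (without starting — host is not enrolled yet).
# Still best-effort, but a failure is now reported instead of being discarded:
# an sssd that is silently not enabled means no identity lookups after reboot.
if ! systemctl enable sssd.service; then
  echo "[!] Could not enable sssd.service — enable it manually after enrollment."
fi

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CLIENT_ENROLL="$SCRIPT_DIR/../../FreeipaAnsible/freeipa-client.sh"

echo ""
if ((aur_installed)); then
  echo "[✓] FreeIPA client packages installed."
else
  echo "[!] Base packages installed, but freeipa-client (AUR) was skipped;"
  echo " ipa-client-install is not available until it is installed."
fi
echo ""
echo " To enroll this host, run one of:"
# The empty --domain=/--server= values are replaced by explicit placeholders
# so the printed command cannot be pasted as-is with blank arguments.
# Enrolling with the admin principal means typing admin credentials on every
# client; a one-time host password or a dedicated enrollment account keeps
# that exposure smaller.
echo " ipa-client-install --domain=<DOMAIN> --server=<IPA_SERVER> --principal=admin"
if [[ -f "$CLIENT_ENROLL" ]]; then
  echo " $CLIENT_ENROLL --interactive"
  # NOTE(review): presumably the answerfile carries enrollment credentials —
  # if so, keep it readable by root only; confirm against freeipa-client.sh.
  echo " $CLIENT_ENROLL --answerfile /path/to/answerfile.json"
fi
echo ""
echo " After enrollment, enable auto-home-dir creation:"
echo " authselect select sssd with-mkhomedir --force"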