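# Run this in an elevated PowerShell window on the Windows 10 laptop.
#
# What it does, in order:
#   1. verifies the session is elevated;
#   2. installs/registers the OpenSSH Server capability and starts sshd;
#   3. creates (or resets) the local admin account named in $UserName with a
#      freshly generated random password;
#   4. installs $PublicKey as the only administrators_authorized_keys entry,
#      forces public-key-only authentication in sshd_config and restarts sshd;
#   5. opens TCP/22 inbound for the local subnet on Private/Domain profiles;
#   6. prints the connection details.
#
# Requires Windows PowerShell 5.1 (the LocalAccounts, NetSecurity and DISM
# modules that ship with Windows 10).
$ErrorActionPreference = "Stop"

$UserName = "codexadmin"
$PublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa4OV0Skf15xhRDPFQl+ZED7ud1b59I9QekDX/fpYYj openclaw-node"

# Well-known SIDs, used instead of the localized group/account names so the
# script behaves the same on non-English installs.
$AdministratorsSid = "S-1-5-32-544"
$LocalSystemSid = "S-1-5-18"

function Assert-Administrator {
    <#
    .SYNOPSIS
    Throws unless the current process token is in the local Administrators role.
    #>
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw "Please run PowerShell as Administrator."
    }
}

function New-StrongPassword {
    <#
    .SYNOPSIS
    Returns a random password drawn from an alphabet without look-alike characters.

    .PARAMETER Length
    Number of characters to generate. Defaults to 28.

    .OUTPUTS
    System.String
    #>
    param(
        [ValidateRange(1, 1024)]
        [int]$Length = 28
    )

    # Single-quoted so the '$' in the symbol set can never be read as a variable prefix.
    # Deliberately omits l, I, O, 0 and 1.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*_-+='.ToCharArray()

    # Rejection sampling: a byte maps to a symbol only if it is below the largest
    # multiple of the alphabet size that fits in a byte. Plain "byte % size" would
    # make the low symbols slightly more likely because 256 is not a multiple of 69.
    $limit = 256 - (256 % $alphabet.Length)

    $rng = [Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $builder = New-Object Text.StringBuilder
        $buffer = New-Object byte[] 1
        while ($builder.Length -lt $Length) {
            $rng.GetBytes($buffer)
            if ($buffer[0] -lt $limit) {
                [void]$builder.Append($alphabet[$buffer[0] % $alphabet.Length])
            }
        }
        return $builder.ToString()
    }
    finally {
        $rng.Dispose()
    }
}

function Ensure-OpenSshServer {
    <#
    .SYNOPSIS
    Installs the OpenSSH Server capability, registers and starts the sshd
    service, and makes powershell.exe the default shell for SSH sessions.

    .NOTES
    Throws if the capability reports Installed but sshd.exe is not on disk,
    which is the state seen when a reboot is still pending.
    #>
    $capabilityName = "OpenSSH.Server~~~~0.0.1.0"
    $capability = Get-WindowsCapability -Online -Name $capabilityName
    if ($capability.State -ne "Installed") {
        Add-WindowsCapability -Online -Name $capabilityName | Out-Null
    }

    $openSshDir = Join-Path $env:WINDIR "System32\OpenSSH"
    $sshdPath = Join-Path $openSshDir "sshd.exe"
    $sshKeygenPath = Join-Path $openSshDir "ssh-keygen.exe"
    if (-not (Test-Path $sshdPath)) {
        throw "OpenSSH Server capability is installed, but sshd.exe was not found at $sshdPath. Reboot Windows and run this script again."
    }

    # sshd keeps its configuration and host keys under %ProgramData%\ssh.
    New-Item -ItemType Directory -Path "$env:ProgramData\ssh" -Force | Out-Null

    # -A generates any missing host keys and leaves existing ones untouched.
    if (Test-Path $sshKeygenPath) {
        & $sshKeygenPath -A | Out-Null
    }

    # The capability normally registers the service itself; this is the fallback
    # for installs where it did not.
    $service = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if ($null -eq $service) {
        New-Service `
            -Name sshd `
            -BinaryPathName "`"$sshdPath`"" `
            -DisplayName "OpenSSH SSH Server" `
            -Description "OpenSSH SSH Server" `
            -StartupType Automatic | Out-Null
    }
    Set-Service -Name sshd -StartupType Automatic
    Start-Service -Name sshd

    # Win32-OpenSSH reads the login shell for SSH sessions from this registry value.
    $openSshKey = "HKLM:\SOFTWARE\OpenSSH"
    New-Item -Path $openSshKey -Force | Out-Null
    New-ItemProperty `
        -Path $openSshKey `
        -Name DefaultShell `
        -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" `
        -PropertyType String `
        -Force | Out-Null
}

function Ensure-CodexAdminUser {
    <#
    .SYNOPSIS
    Creates the local account named in $UserName (or resets its password if it
    already exists), enables it, and ensures it is in the local Administrators group.

    .OUTPUTS
    System.String - the newly generated plaintext password.
    #>
    $password = New-StrongPassword
    $securePassword = ConvertTo-SecureString $password -AsPlainText -Force

    $user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        New-LocalUser `
            -Name $UserName `
            -Password $securePassword `
            -FullName "Codex Managed Admin" `
            -Description "Local admin account for authorized SSH management." `
            -PasswordNeverExpires | Out-Null
    }
    else {
        # Existing account: rotate the password and make sure it is not disabled.
        Set-LocalUser -Name $UserName -Password $securePassword
        Enable-LocalUser -Name $UserName
    }

    # Resolve the group by SID so the name localisation does not matter, and only
    # add the member when missing so a real failure of Add-LocalGroupMember is not
    # hidden behind "already a member".
    $adminGroup = Get-LocalGroup -SID $AdministratorsSid
    $existingMember = Get-LocalGroupMember -Group $adminGroup -Member $UserName -ErrorAction SilentlyContinue
    if ($null -eq $existingMember) {
        Add-LocalGroupMember -Group $adminGroup -Member $UserName
    }

    return $password
}

function Ensure-SshAdminKey {
    <#
    .SYNOPSIS
    Writes $PublicKey as the sole entry of administrators_authorized_keys,
    restricts that file to Administrators and SYSTEM, forces public-key-only
    authentication in sshd_config and restarts sshd.

    .NOTES
    sshd ignores administrators_authorized_keys unless only Administrators and
    SYSTEM have access to it, hence the icacls calls.
    Any previous keys in the file are replaced, not appended.
    #>
    $sshDir = "$env:ProgramData\ssh"
    $authFile = Join-Path $sshDir "administrators_authorized_keys"
    $configFile = Join-Path $sshDir "sshd_config"

    New-Item -ItemType Directory -Path $sshDir -Force | Out-Null
    Set-Content -Path $authFile -Value $PublicKey -Encoding ascii

    # Native commands do not honour $ErrorActionPreference; check the exit code
    # ourselves so a failed ACL change cannot pass silently.
    & icacls $authFile /inheritance:r | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed to remove inherited permissions from $authFile (exit code $LASTEXITCODE)."
    }
    & icacls $authFile /grant "*${AdministratorsSid}:F" /grant "*${LocalSystemSid}:F" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed to grant Administrators/SYSTEM access on $authFile (exit code $LASTEXITCODE)."
    }

    # sshd_config is created by the service on first start; give a clear error
    # instead of a raw Get-Content failure if it is still missing.
    if (-not (Test-Path $configFile)) {
        throw "sshd_config was not found at $configFile. Make sure the sshd service has started at least once, then run this script again."
    }

    $config = Get-Content $configFile -Raw

    # Match the directive whether it is active or commented out. [^\r\n]* (rather
    # than .*) keeps the CR of a CRLF line ending out of the replaced text, so the
    # file does not end up with mixed line endings.
    $config = $config -replace "(?m)^#?\s*PubkeyAuthentication\s+[^\r\n]*$", "PubkeyAuthentication yes"
    $config = $config -replace "(?m)^#?\s*PasswordAuthentication\s+[^\r\n]*$", "PasswordAuthentication no"

    # Members of Administrators are authenticated against the shared file rather
    # than a per-user ~/.ssh/authorized_keys; add the Match block if it is absent.
    $matchBlockPattern = "(?ms)^Match\s+Group\s+administrators\b.*?AuthorizedKeysFile\s+__PROGRAMDATA__/ssh/administrators_authorized_keys"
    if ($config -notmatch $matchBlockPattern) {
        $config = $config.TrimEnd() + "`r`n`r`nMatch Group administrators`r`n AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys`r`n"
    }

    Set-Content -Path $configFile -Value $config -Encoding ascii
    Restart-Service sshd
}

function Ensure-Firewall {
    <#
    .SYNOPSIS
    Recreates the inbound firewall rule that allows SSH (TCP/22) from the local
    subnet on the Private and Domain profiles only.

    .NOTES
    The rule is removed and re-added so a re-run always ends with exactly one
    rule carrying the current settings. The Public profile is intentionally
    excluded.
    #>
    $ruleName = "Codex SSH Management"

    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule `
        -DisplayName $ruleName `
        -Direction Inbound `
        -Action Allow `
        -Protocol TCP `
        -LocalPort 22 `
        -Profile Private,Domain `
        -RemoteAddress LocalSubnet | Out-Null
}

function Show-ConnectionInfo {
    <#
    .SYNOPSIS
    Prints the account name, its generated password and an ssh command for
    each routable IPv4 address of this machine.

    .PARAMETER Password
    The plaintext password returned by Ensure-CodexAdminUser.

    .NOTES
    The password is written to the console (and therefore to any transcript
    or terminal log). It is only needed for local/console sign-in, since SSH
    password authentication is disabled by Ensure-SshAdminKey.
    #>
    param(
        [string]$Password
    )

    # Skip loopback, APIPA and other well-known addresses; keep what a peer on the
    # LAN could actually reach.
    $addresses = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object {
            $_.IPAddress -notlike "127.*" -and
            $_.IPAddress -notlike "169.254.*" -and
            $_.PrefixOrigin -ne "WellKnown"
        } |
        Select-Object -ExpandProperty IPAddress

    Write-Host ""
    Write-Host "Codex onboarding complete."
    Write-Host "Username: $UserName"
    Write-Host "Generated local password: $Password"
    Write-Host "SSH test command from the management host:"
    foreach ($address in $addresses) {
        Write-Host " ssh $UserName@$address"
    }
    Write-Host ""
    Write-Host "Send these IPv4 addresses to Codex so it can try the SSH connection."
}

# --- main -------------------------------------------------------------------
Assert-Administrator
Ensure-OpenSshServer
$GeneratedPassword = Ensure-CodexAdminUser
Ensure-SshAdminKey
Ensure-Firewall
Show-ConnectionInfo -Password $GeneratedPassword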