#!/bin/bash
#
# 反向 SSH 隧道一键安装脚本
# 用法: sudo bash setup-reverse-tunnel.sh -h <micro-proxy IP> -u <micro-proxy 用户> -p <分配端口> [-n <隧道名称>]
# 示例: sudo bash setup-reverse-tunnel.sh -h 168.110.99.211 -u root -p 2222 -n home
#

set -e

# ============ 默认参数 ============
JUMP_HOST=""
JUMP_USER="root"
TUNNEL_PORT=""
TUNNEL_NAME="reverse-ssh"
JUMP_SSH_PORT=22
LOCAL_SSH_PORT=22

# ============ 颜色输出 ============
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

info()  { echo -e "${BLUE}[INFO]${NC} $1"; }
ok()    { echo -e "${GREEN}[ OK ]${NC} $1"; }
warn()  { echo -e "${YELLOW}[WARN]${NC} $1"; }
err()   { echo -e "${RED}[FAIL]${NC} $1"; exit 1; }

# ============ 解析参数 ============
usage() {
    cat <<EOF
用法: sudo bash $0 -h <跳板机IP> -u <跳板机用户> -p <分配端口> [-n <隧道名>] [-P <跳板机SSH端口>]

必选参数:
  -h    跳板机 IP（micro-proxy 的公网 IP）
  -u    跳板机登录用户名
  -p    分配给本机的反向端口（每台机器必须唯一，建议 2222、2223、2224...）

可选参数:
  -n    隧道名称（默认 reverse-ssh，多个隧道时用于区分）
  -P    跳板机 SSH 端口（默认 22）
  -L    本机 SSH 端口（默认 22）

示例:
  sudo bash $0 -h 168.110.99.211 -u root -p 2222 -n home
EOF
    exit 1
}

while getopts "h:u:p:n:P:L:" opt; do
    case $opt in
        h) JUMP_HOST="$OPTARG" ;;
        u) JUMP_USER="$OPTARG" ;;
        p) TUNNEL_PORT="$OPTARG" ;;
        n) TUNNEL_NAME="$OPTARG" ;;
        P) JUMP_SSH_PORT="$OPTARG" ;;
        L) LOCAL_SSH_PORT="$OPTARG" ;;
        *) usage ;;
    esac
done

[ -z "$JUMP_HOST" ] && usage
[ -z "$TUNNEL_PORT" ] && usage

# ============ 检查 root ============
if [ "$EUID" -ne 0 ]; then
    err "请使用 sudo 或 root 用户运行此脚本"
fi

# ============ 检查依赖 ============
info "检查必要工具..."
for cmd in ssh ssh-keygen ssh-copy-id systemctl; do
    if ! command -v $cmd &>/dev/null; then
        err "缺少命令: $cmd，请先安装 openssh-client"
    fi
done
ok "依赖检查通过"

# ============ 生成 SSH 密钥 ============
SSH_KEY="/root/.ssh/id_ed25519_tunnel"
if [ ! -f "$SSH_KEY" ]; then
    info "生成 SSH 密钥: $SSH_KEY"
    mkdir -p /root/.ssh
    chmod 700 /root/.ssh
    ssh-keygen -t ed25519 -f "$SSH_KEY" -N "" -C "reverse-tunnel-$(hostname)"
    ok "密钥生成完成"
else
    ok "SSH 密钥已存在: $SSH_KEY"
fi

# ============ 推送公钥到跳板机 ============
info "把公钥推送到跳板机 $JUMP_USER@$JUMP_HOST（可能需要输入密码）"
ssh-copy-id -i "${SSH_KEY}.pub" -p "$JUMP_SSH_PORT" -o StrictHostKeyChecking=accept-new "$JUMP_USER@$JUMP_HOST" \
    || err "推送公钥失败，请检查跳板机地址、用户名、密码是否正确"
ok "公钥已添加到跳板机"

# ============ 测试免密登录 ============
info "测试免密登录..."
if ssh -i "$SSH_KEY" -p "$JUMP_SSH_PORT" -o BatchMode=yes -o ConnectTimeout=5 "$JUMP_USER@$JUMP_HOST" "echo OK" &>/dev/null; then
    ok "免密登录成功"
else
    err "免密登录测试失败，请检查跳板机的 SSH 配置"
fi

# ============ 创建 systemd 服务 ============
SERVICE_FILE="/etc/systemd/system/${TUNNEL_NAME}.service"
info "创建 systemd 服务: $SERVICE_FILE"

cat > "$SERVICE_FILE" <<EOF
[Unit]
Description=Reverse SSH Tunnel to $JUMP_HOST (port $TUNNEL_PORT)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=root
ExecStart=/usr/bin/ssh -NT \\
    -o ServerAliveInterval=30 \\
    -o ServerAliveCountMax=3 \\
    -o ExitOnForwardFailure=yes \\
    -o StrictHostKeyChecking=accept-new \\
    -o UserKnownHostsFile=/root/.ssh/known_hosts \\
    -i $SSH_KEY \\
    -p $JUMP_SSH_PORT \\
    -R ${TUNNEL_PORT}:localhost:${LOCAL_SSH_PORT} \\
    $JUMP_USER@$JUMP_HOST
Restart=always
RestartSec=10
StartLimitInterval=0

[Install]
WantedBy=multi-user.target
EOF

ok "服务文件已创建"

# ============ 启动服务 ============
info "启动并启用服务..."
systemctl daemon-reload
systemctl enable "$TUNNEL_NAME.service"
systemctl restart "$TUNNEL_NAME.service"
sleep 3

# ============ 验证状态 ============
if systemctl is-active --quiet "$TUNNEL_NAME.service"; then
    ok "反向隧道服务运行中"
else
    warn "服务未正常运行，查看日志:"
    journalctl -u "$TUNNEL_NAME.service" --no-pager -n 20
    err "请检查上述日志排错"
fi

# ============ 总结 ============
HOSTNAME=$(hostname)
cat <<EOF

==========================================================
${GREEN}✓ 反向 SSH 隧道部署成功${NC}
==========================================================

机器名称       : $HOSTNAME
跳板机         : $JUMP_USER@$JUMP_HOST:$JUMP_SSH_PORT
本机 SSH 端口  : $LOCAL_SSH_PORT
分配反向端口   : $TUNNEL_PORT
systemd 服务   : $TUNNEL_NAME.service

------ 在跳板机 $JUMP_HOST 上验证 ------
  ss -tlnp | grep $TUNNEL_PORT
  ssh -p $TUNNEL_PORT <本机用户名>@127.0.0.1

------ 在你笔电的 ~/.ssh/config 里加 ------
Host $TUNNEL_NAME
    HostName 127.0.0.1
    Port $TUNNEL_PORT
    User <本机用户名>
    ProxyJump $JUMP_USER@$JUMP_HOST

之后笔电直接 ssh $TUNNEL_NAME 就连到本机了

------ 常用命令 ------
查看状态: systemctl status $TUNNEL_NAME
查看日志: journalctl -u $TUNNEL_NAME -f
重启隧道: systemctl restart $TUNNEL_NAME
卸载:    systemctl disable --now $TUNNEL_NAME && rm $SERVICE_FILE

==========================================================
EOF