#!/usr/bin/env sh
# Install as /etc/profile.d/pikit-first-login.sh
# Prints a one-time SSH hardening tip after the forced password change.

FLAG="/var/lib/pikit/first-login.notice"
DONE_FILE=".pikit-first-login.done"

case "$-" in
  *i*) interactive=1 ;;
  *) interactive=0 ;;
esac

USER_NAME="$(id -un 2>/dev/null || echo "")"
DONE_PATH="${HOME:-}/$DONE_FILE"

if [ "$interactive" -eq 1 ] && [ -f "$FLAG" ] && [ "$USER_NAME" = "dietpi" ]; then
  if [ -n "${HOME:-}" ] && [ -d "${HOME:-}" ] && [ ! -f "$DONE_PATH" ]; then
    echo ""
    echo "Pi-Kit: For better security, set up an SSH key and disable password auth once working."
    echo "  Run these from your computer (not the Pi):"
    echo "    ssh-keygen -t ed25519"
    echo "    ssh-copy-id dietpi@pikit.local"
    echo ""
    :> "$DONE_PATH" 2>/dev/null || true
  fi
fi