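#!/bin/bash
# Gitea SSH Keys AuthorizedKeysCommand - Rick-Infra
# Generated by Ansible Gitea role
#
# This script is called by OpenSSH's AuthorizedKeysCommand to query
# Gitea's database for SSH public keys when the 'git' user connects.
#
# Called by SSH with parameters:
#   %u = username (should be "git")
#   %t = key type (ssh-rsa, ssh-ed25519, ecdsa-sha2-nistp256, etc.)
#   %k = base64 encoded public key content
#
# The script returns authorized_keys format entries that include
# forced commands to execute Gitea's Git server.
#
# Security notes:
#   - This runs before authentication completes, so all three arguments
#     are chosen by the connecting client. They are only ever passed as
#     separate, quoted argv entries; never interpolate them into a
#     command string or evaluate them.
#   - sshd_config(5) requires the AuthorizedKeysCommand program to be
#     owned by root and not writable by group or others; keep this file
#     deployed that way.
#   - NOTE(review): /etc/gitea/app.ini holds secrets and must be readable
#     by the AuthorizedKeysCommandUser only as far as needed - confirm
#     the mode set by the Ansible role.

set -euo pipefail

# Fail closed with a clear diagnostic when sshd_config does not pass
# "%u %t %k". Without this check, `set -u` would still abort, but only
# with a bare "unbound variable" error.
if (( $# < 3 )); then
  printf '%s: expected 3 arguments (user, key type, key), got %d\n' \
    "${0##*/}" "$#" >&2
  exit 1
fi

# Gitea keys command queries the database and returns authorized_keys format
# If the key is found, it returns a line like:
# command="/usr/bin/gitea serv key-123",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
#
# --expected pins the only login name for which keys are returned. "git"
# is also Gitea's default for this flag; stating it here keeps the check
# visible and independent of that default.
exec /usr/bin/gitea keys \
  --config /etc/gitea/app.ini \
  --expected git \
  --username "$1" \
  --type "$2" \
  --content "$3"

# Rick-Infra: AuthorizedKeysCommand for Gitea SSH passthrough mode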