import os, sys, paramiko
HOST = "207.57.129.228"
PORT = 19717
USER = "root"
PW = os.environ.get("REMOTE_PASS", "")
PUB = os.path.expanduser("~/.ssh/id_rsa.pub")
if not PW:
    print("REMOTE_PASS not set", file=sys.stderr); sys.exit(2)

c = paramiko.SSHClient()
c.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    c.connect(HOST, port=PORT, username=USER, password=PW, timeout=15, allow_agent=False, look_for_keys=False)
except Exception as e:
    print("CONNECT FAIL:", e, file=sys.stderr); sys.exit(1)

def run(cmd, check=False):
    si, so, se = c.exec_command(cmd, timeout=15)
    out = so.read().decode("utf-8", "replace")
    err = se.read().decode("utf-8", "replace")
    if out: print(out, end="")
    if err: print("[err]", err, end="", file=sys.stderr)
    if check and (so.channel.recv_exit_status() != 0):
        raise SystemExit(f"cmd failed: {cmd}")

run("mkdir -p /root/.ssh && chmod 700 /root/.ssh")
run("touch /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys")

pub = open(PUB, encoding="utf-8").read().strip()
marker = "news-deploy-key"
if marker not in pub:
    pub = pub + " " + marker

# 用 sftp 写文件(避免 shell 转义)
sftp = c.open_sftp()
ak_path = "/root/.ssh/authorized_keys"
existing = ""
try:
    with sftp.open(ak_path, "r") as f:
        existing = f.read().decode("utf-8", "replace")
except IOError:
    pass

if marker in existing:
    print("[ok] public key already present, skip")
else:
    with sftp.open(ak_path, "a") as f:
        f.write(pub + "\n")
    print("[ok] appended public key to", ak_path)

sftp.close()
run("ls -la /root/.ssh/ && echo '---' && wc -l /root/.ssh/authorized_keys")
c.close()
print("DONE")