# Windows initial setup script
# Run as Administrator: powershell -ExecutionPolicy Bypass -File setup.ps1

# packages
$packages = @(
    "Microsoft.WindowsTerminal"
    "Microsoft.PowerShell"
    "Microsoft.OpenSSH.Beta"
    "Microsoft.VisualStudioCode"
    "Microsoft.WSL"
    "Microsoft.PowerToys"
    "Git.Git"
    "Vim.Vim"
    "Nvidia.CUDA"
    "Mozilla.Firefox"
    "Python.Python.3.13"
    "jqlang.jq"
    "Anthropic.ClaudeCode"
)

foreach ($pkg in $packages) {
    Write-Host "Installing $pkg ..." -ForegroundColor Cyan
    winget install --id $pkg --accept-source-agreements --accept-package-agreements -e
}

# enable and start sshd
Write-Host "Setting up OpenSSH Server ..." -ForegroundColor Cyan
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 2>$null
Set-Service -Name sshd -StartupType Automatic
Start-Service sshd
New-NetFirewallRule -Name "OpenSSH-Server" -DisplayName "OpenSSH Server" -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 2>$null

# configure sshd
Write-Host "Configuring sshd ..." -ForegroundColor Cyan
$sshdConfig = "C:\ProgramData\ssh\sshd_config"
if (Test-Path $sshdConfig) {
    $content = Get-Content $sshdConfig -Raw
    # disable password auth, enable empty passwords, disable admin authorized_keys override
    if ($content -notmatch "(?m)^PasswordAuthentication no") {
        Add-Content $sshdConfig "`nPasswordAuthentication no"
    }
    if ($content -notmatch "(?m)^PermitEmptyPasswords yes") {
        Add-Content $sshdConfig "PermitEmptyPasswords yes"
    }
    # comment out Match Group administrators if not already
    (Get-Content $sshdConfig) | ForEach-Object {
        if ($_ -match "^Match Group administrators") { "#$_" } else { $_ }
    } | Set-Content $sshdConfig
    Restart-Service sshd
    Write-Host "sshd configured" -ForegroundColor Green
}

# set default shell to pwsh for ssh
# NOTE: if pwsh path is wrong, ssh auth will fail with "Permission denied"
# verify path with: (Get-Command pwsh).Source
$pwshPath = (Get-Command pwsh -ErrorAction SilentlyContinue).Source
if ($pwshPath) {
    New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value $pwshPath -PropertyType String -Force
    Write-Host "Default SSH shell: $pwshPath" -ForegroundColor Green
}

# pin packages to exclude from upgrade --all
winget pin add --id EpicGames.EpicGamesLauncher 2>$null

Write-Host "Done" -ForegroundColor Green