{ pkgs, ... }:

pkgs.writeShellScriptBin "rclone-torbox-setup" ''
  set -euo pipefail

  # Default values
  RBW_ENTRY="''${1:-torbox}"
  ENV_FILE="''${2:-/etc/rclone/torbox.env}"

  usage() {
    echo "Usage: rclone-torbox-setup [rbw-entry] [env-file]"
    echo ""
    echo "Sets up rclone credentials for TorBox WebDAV mount."
    echo "Retrieves password from rbw (Bitwarden), obscures it for rclone,"
    echo "and writes it to the environment file for the systemd service."
    echo ""
    echo "Arguments:"
    echo "  rbw-entry  Name of the Bitwarden entry containing the password (default: torbox)"
    echo "  env-file   Path to write the environment file (default: /etc/rclone/torbox.env)"
    echo ""
    echo "The Bitwarden entry should contain your TorBox password as the password field."
    echo ""
    echo "Example:"
    echo "  rclone-torbox-setup torbox-password /etc/rclone/torbox.env"
    exit 1
  }

  if [[ "''${1:-}" == "-h" ]] || [[ "''${1:-}" == "--help" ]]; then
    usage
  fi

  echo "rclone TorBox credential setup"
  echo "=============================="
  echo ""

  # Check if rbw is available
  if ! command -v rbw &> /dev/null; then
    echo "Error: rbw is not available. Please ensure rbw is installed and configured."
    exit 1
  fi

  # Check if rclone is available
  if ! command -v rclone &> /dev/null; then
    echo "Error: rclone is not available. Please ensure rclone is installed."
    exit 1
  fi

  echo "Retrieving password from rbw entry: $RBW_ENTRY"

  # Retrieve password from Bitwarden
  if ! TORBOX_PASS=$(rbw get "$RBW_ENTRY" 2>/dev/null); then
    echo ""
    echo "Error: Failed to retrieve password from rbw entry '$RBW_ENTRY'"
    echo ""
    echo "Please ensure:"
    echo "  1. The entry '$RBW_ENTRY' exists in Bitwarden"
    echo "  2. rbw is unlocked: rbw unlock"
    echo "  3. rbw is synced: rbw sync"
    echo ""
    echo "To create the entry in Bitwarden:"
    echo "  - Name: $RBW_ENTRY"
    echo "  - Password: Your TorBox password"
    exit 1
  fi

  echo "Password retrieved successfully"

  # Obscure the password for rclone
  echo "Obscuring password for rclone..."
  if ! OBSCURED_PASS=$(echo -n "$TORBOX_PASS" | rclone obscure -); then
    echo "Error: Failed to obscure password with rclone"
    exit 1
  fi

  # Create the directory if needed (requires sudo)
  ENV_DIR=$(dirname "$ENV_FILE")
  if [[ ! -d "$ENV_DIR" ]]; then
    echo "Creating directory $ENV_DIR (requires sudo)..."
    sudo mkdir -p "$ENV_DIR"
  fi

  # Write the environment file
  echo "Writing environment file to $ENV_FILE (requires sudo)..."
  echo "RCLONE_WEBDAV_PASS=$OBSCURED_PASS" | sudo tee "$ENV_FILE" > /dev/null
  sudo chmod 600 "$ENV_FILE"

  echo ""
  echo "Setup complete!"
  echo ""
  echo "The environment file has been created at: $ENV_FILE"
  echo "The rclone-mount-torbox systemd service will use this file."
  echo ""
  echo "To activate the mount after NixOS rebuild:"
  echo "  sudo systemctl start rclone-mount-torbox"
  echo ""
  echo "To check status:"
  echo "  sudo systemctl status rclone-mount-torbox"
''