#! /usr/bin/env bash

# More info at:
# - https://github.com/elitak/nixos-infect
# - https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-infect

: "${API_TOKEN:?API_TOKEN variable is not set}"
: "${DOMAIN:?DOMAIN variable is not set}"
: "${LUSER:?LUSER variable is not set}"
: "${HOSTNAME:?HOSTNAME variable is not set}"
: "${PROVIDER:?PROVIDER variable is not set}"
: "${DNS_PROVIDER_TYPE:?DNS_PROVIDER_TYPE variable is not set}"
: "${STAGING_ACME:?STAGING_ACME variable is not set}"
: "${CF_TOKEN:?CF_TOKEN variable is not set}"
: "${DB_PASSWORD:?DB_PASSWORD variable is not set}"
: "${USER_PASS:?USER_PASS variable is not set}"
: "${NIX_VERSION:?NIX_VERSION variable is not set}"
: "${NIXOS_CONFIG_NAME:?NIXOS_CONFIG_NAME variable is not set}"
: "${CONFIG_URL:?CONFIG_URL variable is not set}"
: "${SSH_AUTHORIZED_KEY:=}"

readonly LOCAL_FLAKE_DIR="/etc/nixos"
readonly SECRETS_FILEPATH="/etc/selfprivacy/secrets.json"

genOptionalSsh() {
  [ -n "${SSH_AUTHORIZED_KEY}" ] && cat << EOF
"ssh": { "rootKeys": [ "${SSH_AUTHORIZED_KEY}" ] },
EOF
}

# Merge original userdata.json with deployment specific fields and print result.
genUserdata() {
  local HASHED_PASSWORD userdata_infect
  HASHED_PASSWORD="$(mkpasswd -m sha-512 "$USER_PASS")"

  userdata_infect=$(cat << EOF
{
    $(genOptionalSsh)
    "dns": {
        "provider": "$DNS_PROVIDER_TYPE",
        "useStagingACME": $STAGING_ACME
    },
    "server": {
        "provider": "$PROVIDER"
    },
    "domain": "$DOMAIN",
    "hashedMasterPassword": "$HASHED_PASSWORD",
    "hostname": "$HOSTNAME",
    "username": "$LUSER"
}
EOF
)

  jq -s '.[0] * .[1]' \
  "${1:?no userdata.json given to merge with}" <(printf "%s" "$userdata_infect")
}

genSecrets() {
  cat << EOF
{
    "api": {
        "token": "$API_TOKEN",
        "skippedMigrations": ["migrate_to_selfprivacy_channel", "mount_volume"]
    },
    "databasePassword": "$DB_PASSWORD",
    "dns": {
        "apiKey": "$CF_TOKEN"
    },
    "modules": {
        "nextcloud": {
            "adminPassword": "$USER_PASS",
            "databasePassword": "$USER_PASS"
        }
    },
    "resticPassword": "$USER_PASS"
}
EOF
}

genHardwareConfiguration() {
  local bootcfg
  if ((isEFI)); then
    bootcfg=$(cat << EOF
  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
    device = "nodev";
  };
  fileSystems."/boot" = { device = "$ESP"; fsType = "vfat"; };
EOF
)
  else
    bootcfg=$(cat << EOF
  boot.loader.grub.device = "$GRUBDEV";
EOF
)
  fi

  cat << EOF
{ modulesPath, ... }:
{
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
$bootcfg
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = { device = "$ROOTFSDEV"; fsType = "$ROOTFSTYPE"; };
}
EOF
}

setupConf() {
  mkdir -p ${LOCAL_FLAKE_DIR}
  if ! curl "${CONFIG_URL}" \
  | tar -xz -C ${LOCAL_FLAKE_DIR} --strip-components=1 --exclude=".*"
  then
      echo "Error downloading/extracting top level flake configuration!"
      exit 1
  fi

  # generate and write hardware-configuration.nix
  genHardwareConfiguration > ${LOCAL_FLAKE_DIR}/hardware-configuration.nix

  # generate infected userdata based on original
  local userdataInfected
  userdataInfected="$(genUserdata ${LOCAL_FLAKE_DIR}/userdata.json)"
  printf "%s" "$userdataInfected" > ${LOCAL_FLAKE_DIR}/userdata.json

  # generate and write secrets
  local secrets
  secrets="$(genSecrets)"
  install -m0600 <(printf "%s" "$secrets") -DT ${SECRETS_FILEPATH}
}

makeSwap() {
  # TODO check currently available swapspace first
  swapFile=$(mktemp /tmp/nixos-infect.XXXXX.swp)
  dd if=/dev/zero "of=$swapFile" bs=1M count=$((1*1024))
  chmod 0600 "$swapFile"
  mkswap "$swapFile"
  swapon -v "$swapFile"
}

removeSwap() {
  swapoff -a
  rm -vf /tmp/nixos-infect.*.swp
}

findESP() {
  local esp
  for d in /boot/EFI /boot/efi /boot; do
    [[ ! -d "$d" ]] && continue
    [[ "$d" == "$(df "$d" --output=target | sed 1d)" ]] \
      && esp="$(df "$d" --output=source | sed 1d)" \
      && break
  done
  [[ -z "$esp" ]] && { echo "ERROR: No ESP mount point found"; return 1; }
  for uuid in /dev/disk/by-uuid/*; do
    [[ $(readlink -f "$uuid") == "$esp" ]] && echo "$uuid" && return 0
  done
}

prepareEnv() {
  isEFI=0
  [ -d /sys/firmware/efi ] && isEFI=1

  if ((isEFI)); then
    ESP="$(findESP)"
  else
    for GRUBDEV in /dev/vda /dev/sda /dev/nvme0n1; do
        [[ -e $GRUBDEV ]] && break;
    done
  fi

  # Retrieve root fs block device
  #                   (get root mount)  (get partition or logical volume)
  ROOTFSDEV=$(mount | grep "on / type" | awk '{print $1;}')
  ROOTFSTYPE=$(df "$ROOTFSDEV" --output=fstype | sed 1d)

  # DigitalOcean doesn't seem to set USER while running user data
  export USER="root"
  export HOME="/root"

  # Nix installer tries to use sudo regardless of whether we're already uid 0
  #which sudo || { sudo() { eval "$@"; }; export -f sudo; }
  # shellcheck disable=SC2174
  mkdir -p -m 0755 /nix
}

fakeCurlUsingWget() {
  # Use adapted wget if curl is missing
  which wget && { \
    curl() {
      eval "wget $(
        (local isStdout=1
        for arg in "$@"; do
          case "$arg" in
            "-o")
              echo "-O";
              isStdout=0
              ;;
            "-O")
              isStdout=0
              ;;
            "-L")
              ;;
            *)
              echo "$arg"
              ;;
          esac
        done;
        [[ $isStdout -eq 1 ]] && echo "-O-"
        )| tr '\n' ' '
      )"
    }; export -f curl; }
}

req() {
  type "$1" > /dev/null 2>&1 || which "$1" > /dev/null 2>&1
}

checkEnv() {
  [[ "$(whoami)" == "root" ]] || { echo "ERROR: Must run as root"; return 1; }

  # Perform some easy fixups before checking
  # TODO prevent multiple calls to apt-get update
  (which dnf && dnf install -y perl-Digest-SHA) || true # Fedora 24
  which xzcat || (which yum && yum install -y xz-utils) \
              || (which apt-get && apt-get update && apt-get install -y xz-utils) \
              || true
  which curl  || fakeCurlUsingWget \
              || (which apt-get && apt-get update && apt-get install -y curl) \
              || true

  req curl || req wget || { echo "ERROR: Missing both curl and wget";  return 1; }
  req xzcat            || { echo "ERROR: Missing xzcat";               return 1; }
  req awk              || { echo "ERROR: Missing awk";                 return 1; }
  req cut || req df    || { echo "ERROR: Missing coreutils (cut, df)"; return 1; }
}

# Download and execute the nix installer script.
installNix() {
  local nixReleaseBase='https://releases.nixos.org'
  local installURL="${nixReleaseBase}/nix/nix-${NIX_VERSION}/install"
  local shaURL="${installURL}.sha256"
  local sha tmpNixInstall

  # temporary destination for install script
  tmpNixInstall="$(mktemp -t nix-install-XXXXXXXXXX)"
  if [[ ! -f "${tmpNixInstall}" ]]; then
      echo "Failed creating a temporary file for Nix install script!"
      return 1
  fi

  echo "Downloading install script from ${installURL}..."
  if ! curl "${installURL}" -o "${tmpNixInstall}" &>/dev/null; then
      echo "Failure while downloading Nix install script!"
      return 1
  fi

  if ! sha="$(curl "${shaURL}")"; then
      echo "Failure while downloading Nix install script sha!"
      return 1
  fi

  echo "Validating Nix install script checksum..."
  if ! echo "${sha}  ${tmpNixInstall}" | sha256sum -c; then
      echo "Checksum validation failed!"
      return 1
  fi

  echo "Running nix installer..."
  if $SHELL "${tmpNixInstall}" \
    --daemon --no-channel-add --daemon-user-count 4; then
      echo "Nix is installed"
      rm "${tmpNixInstall}"
  else
      echo "Nix installation script failed!"
      return 1
  fi
}

infect() {
  # install multiuser (system-wide with nix-daemon) Nix in the current system
  if ! installNix; then
      echo "Nix installation failed!"
      exit 1
  fi

  # this is needed solely for accepting the sp-module subflake
  # see https://github.com/NixOS/nix/issues/3978#issuecomment-952418478
  /root/.nix-profile/bin/nix flake lock ${LOCAL_FLAKE_DIR} \
  --extra-experimental-features "nix-command flakes" \
  --update-input sp-modules

  echo "nix build the configuration flake..."
  if ! /root/.nix-profile/bin/nix build \
  --extra-experimental-features "nix-command flakes" \
  --profile /nix/var/nix/profiles/system \
  ${LOCAL_FLAKE_DIR}/#nixosConfigurations.sp-nixos.config.system.build.toplevel
  then
      echo "Failed!"
      exit 1
  fi

  # Reify resolv.conf (???)
  [[ -L /etc/resolv.conf ]] && mv -v /etc/resolv.conf /etc/resolv.conf.lnk && cat /etc/resolv.conf.lnk > /etc/resolv.conf

  # Stage the Nix coup d'état
  touch /etc/NIXOS
  echo etc/nixos            > /etc/NIXOS_LUSTRATE
  echo etc/resolv.conf     >> /etc/NIXOS_LUSTRATE
  echo ${SECRETS_FILEPATH} >> /etc/NIXOS_LUSTRATE

  rm -rf /boot.bak
  ((isEFI)) && umount "$ESP"
  mv -v /boot /boot.bak
  if ((isEFI)); then
    mkdir /boot
    mount "$ESP" /boot
    find /boot -depth ! -path /boot -exec rm -rf {} +
  fi

  echo "make configuration boot by default..."
  if ! /nix/var/nix/profiles/system/bin/switch-to-configuration boot; then
      echo "Failed!"; exit 1
  fi

  # Remove nix installed by the "install" script.
  rm -fv /nix/var/nix/profiles/default*
  /nix/var/nix/profiles/system/sw/bin/nix-collect-garbage
}

set -o pipefail
set -o nounset
set -o xtrace
set -o errexit

apt update
apt install -y git tar curl jq
checkEnv
prepareEnv
makeSwap # smallest (512MB) droplet needs extra memory!
setupConf
infect
removeSwap

if [[ -z "${NO_REBOOT+x}" ]]; then
  reboot
fi