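{#
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.

SPDX-License-Identifier: AGPL-3.0-or-later
#}

{#
Salt state that prepares a build environment for qubes-mirage-firewall on any
minion other than dom0: shell profile snippet, source directory, a dedicated
GnuPG home with a pinned keyring, a clone of the upstream repository, signature
verification of the pinned tag, checkout of that tag, and a docker work
directory.
#}

{% if grains['nodename'] != 'dom0' -%}

{#- Single place where the release to build is pinned. -#}
{% set mirage_firewall_tag = 'v0.8.6' -%}

include:
  - dev.home-cleanup
  - dotfiles.copy-sh
  - dotfiles.copy-ssh
  - dotfiles.copy-git
  - docker.configure

## Shell profile snippet for opam, installed under the user's profile.d.
"{{ slsdotpath }}-opam-completion-and-hooks":
  file.managed:
    - name: /home/user/.config/sh/profile.d/opam.sh
    - source: salt://{{ slsdotpath }}/files/client/profile/opam.sh
    - mode: '0755'
    - user: user
    - group: user
    - makedirs: True

## Parent directory for the source checkout.
"{{ slsdotpath }}-makedir-src":
  file.directory:
    - name: /home/user/src
    - user: user
    - group: user
    - mode: '0755'
    - makedirs: True

## Dedicated GnuPG home used only for verifying this project, kept apart from
## the user's default keyring. 0700 keeps other local users out.
"{{ slsdotpath }}-gnupg-home":
  file.directory:
    - name: /home/user/.gnupg/mirage-firewall
    - user: user
    - group: user
    - mode: '0700'
    - makedirs: True

## Keyring and trust database shipped with the formula. These two files are
## the trust anchor for the signature check below: whichever keys they hold
## decide which signatures are accepted, so changes to them deserve the same
## review as changes to the pinned tag.
"{{ slsdotpath }}-keyring-and-trustdb":
  file.managed:
    - user: user
    - group: user
    - mode: '0600'
    - names:
        - /home/user/.gnupg/mirage-firewall/pubring.kbx:
            - source: salt://{{ slsdotpath }}/files/client/keys/pubring.kbx
        - /home/user/.gnupg/mirage-firewall/trustdb.gpg:
            - source: salt://{{ slsdotpath }}/files/client/keys/trustdb.gpg

## Clone or update the upstream repository. force_fetch accepts non
## fast-forward updates from the remote, so everything fetched here is
## untrusted until the verification state below succeeds.
"{{ slsdotpath }}-git-clone":
  git.latest:
    - name: https://github.com/mirage/qubes-mirage-firewall
    - target: /home/user/src/qubes-mirage-firewall
    - user: user
    - force_fetch: True

## The tag is annotated, using verify-commit instead of verify-tag: the
## signature checked is the one on the commit the tag resolves to, not one on
## the tag object. GNUPGHOME points at the dedicated keyring above.
## NOTE(review): this state requires only the clone; it presumably also relies
## on the gnupg-home and keyring states having run. Confirm the ordering or add
## explicit requires on them.
"{{ slsdotpath }}-git-verify-tag":
  cmd.run:
    - require:
        - git: "{{ slsdotpath }}-git-clone"
    - name: GNUPGHOME="$HOME/.gnupg/mirage-firewall" git -c gpg.program=gpg2 verify-commit {{ mirage_firewall_tag }}
    - cwd: /home/user/src/qubes-mirage-firewall
    - runas: user

## Check out the pinned tag only after its commit signature verified. If the
## verification fails this state does not run and the working tree stays at
## whatever git.latest left there.
## NOTE(review): any build step defined elsewhere should require this state so
## that it never runs against an unverified tree. Both commands pass the bare
## tag name; qualifying it as refs/tags/NAME would pin resolution to the tag
## namespace in both places.
"{{ slsdotpath }}-git-checkout-tag-{{ mirage_firewall_tag }}":
  cmd.run:
    - name: git checkout {{ mirage_firewall_tag }}
    - require:
        - cmd: "{{ slsdotpath }}-git-verify-tag"
    - cwd: /home/user/src/qubes-mirage-firewall
    - runas: user

## Work directory for docker.
"{{ slsdotpath }}-makedir-home-docker":
  file.directory:
    - name: /home/user/docker
    - user: user
    - group: user
    - mode: '0755'
    - makedirs: True

{#- Equality in a Jinja test is '=='; a single '=' fails to render. -#}
{% if salt['grains.get']('os_family') == 'RedHat' -%}
## On RedHat-family systems, recursively set the SELinux type of the docker
## work directory to container_file_t (presumably so containers may use it).
"{{ slsdotpath }}-file-security-context":
  cmd.run:
    - name: chcon -Rt container_file_t /home/user/docker
    - require:
        - file: "{{ slsdotpath }}-makedir-home-docker"
    - runas: user
{% endif -%}

{% endif -%}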