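#!/usr/bin/bash
#
# Builds reliant-system inside a bootstrap qube and installs the result into
# dom0.
#
# Required environment:
#   RELIANT_SECURE_DEVICE  block device, checked below
# Optional environment: every other RELIANT_* variable defaulted below.
#
# Trust note: every file installed by this script is produced inside the
# bootstrap qube and is written into dom0 owned by root (tools, a kernel
# module, a dracut module). Nothing here verifies those files, so the
# bootstrap qube is fully trusted for the duration of the install.
set -eo pipefail

# Must be root inside dom0 to run this script
if [ "$EUID" -ne 0 ]; then
  echo "[ERROR]: must be superuser"
  exit 1
fi

if [ ! "$HOSTNAME" = "dom0" ]; then
  echo "[ERROR]: must be in dom0"
  exit 1
fi

# Set up the defaults
: "${RELIANT_PROFILING=false}"
: "${RELIANT_PARANOID=false}"
: "${RELIANT_BIN_DIR:=/usr/local/bin}"
: "${RELIANT_SBIN_DIR:=/usr/local/sbin}"
: "${RELIANT_SHARE_DIR:=/usr/local/share/scripts}"
: "${RELIANT_RW_DOMAINS:=sys-net sys-whonix}"
: "${RELIANT_DRACUT_DIR:=/usr/lib/dracut/modules.d/99reliant}"
# NOTE(review): SUDO_USER is empty when the script is not started through
# sudo, which yields /home//reliant-system; set RELIANT_SYSTEM_ROOT explicitly
# in that case.
: "${RELIANT_SYSTEM_ROOT:=/home/$SUDO_USER/reliant-system}"
: "${RELIANT_SKIP_CHECKSUM:=}"
: "${RELIANT_SPARSE_SAMPLES:=512}"
: "${RELIANT_BOOTSTRAP_QUBE:=bootstrap}"
# The default is whatever the bootstrap qube prints for `uname -r`. A failing
# qvm-run is not caught by `set -e` here (the status of `:` wins), so the
# value is validated further down instead.
: "${RELIANT_KERNEL_VERSION:=$(qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" 'uname -r')}"

# Validate configuration values
if [ -z "$RELIANT_SECURE_DEVICE" ]; then
  echo "[ERROR]: RELIANT_SECURE_DEVICE: required value"
  exit 1
fi

# No more variable checks needed
set -u

# Used block devices must be present
if [ ! -b "$RELIANT_SECURE_DEVICE" ]; then
  echo "[ERROR]: RELIANT_SECURE_DEVICE: $RELIANT_SECURE_DEVICE is not a valid block device"
  exit 1
fi

# RELIANT_SKIP_CHECKSUM is a space-separated list, so the expansion below is
# deliberately unquoted and split on spaces only.
IFS=' '
for device in $RELIANT_SKIP_CHECKSUM; do
  if [ ! -b "$device" ]; then
    echo "[ERROR]: RELIANT_SKIP_CHECKSUM: $device is not a valid block device"
    exit 1
  fi
done

# RELIANT_PARANOID must be a boolean value
case "$RELIANT_PARANOID" in
  "true") ;;
  "false") ;;
  *)
    echo "[ERROR]: RELIANT_PARANOID: $RELIANT_PARANOID is not a valid boolean value"
    exit 1
    ;;
esac

# RELIANT_PROFILING must be a boolean value
case "$RELIANT_PROFILING" in
  "true") ;;
  "false") ;;
  *)
    echo "[ERROR]: RELIANT_PROFILING: $RELIANT_PROFILING is not a valid boolean value"
    exit 1
    ;;
esac

# RELIANT_SPARSE_SAMPLES must be an integer
if ! [ "$RELIANT_SPARSE_SAMPLES" -eq "$RELIANT_SPARSE_SAMPLES" ] 2>/dev/null; then
  echo "[ERROR]: RELIANT_SPARSE_SAMPLES: $RELIANT_SPARSE_SAMPLES is not a valid integer"
  # Stop here like every other validation failure instead of installing with
  # a value that was just reported as invalid.
  exit 1
fi

# RELIANT_KERNEL_VERSION becomes a path component in dom0
# (/usr/lib/modules/<version>/..., /boot/initramfs-<version>...) and by
# default is output read from the bootstrap qube. Accept only a single,
# non-empty component made of characters that cannot leave that directory.
case "$RELIANT_KERNEL_VERSION" in
  "" | [!A-Za-z0-9]* | *[!A-Za-z0-9._+~-]*)
    # %q keeps control characters in qube-supplied text off the dom0 terminal
    printf '[ERROR]: RELIANT_KERNEL_VERSION: %q is not a valid kernel version\n' \
      "$RELIANT_KERNEL_VERSION"
    exit 1
    ;;
esac

#######################################
# Copies a file from the bootstrap qube into dom0.
# Globals:   RELIANT_BOOTSTRAP_QUBE, RELIANT_SYSTEM_ROOT (read)
# Arguments: $1 - source path, relative to RELIANT_SYSTEM_ROOT in the qube
#            $2 - destination filename in dom0
#            $3 - permissions
#            $4 - owner
#            $5 - group
# Returns:   non-zero when the argument count is wrong or the copy fails
#######################################
reliant_install_file() {
  # Verify the number of arguments
  if [ "$#" -ne 5 ]; then
    echo "[ERROR]: reliant_install_file: expected 5 arguments, got $#"
    # Without this the function went on to expand missing positionals.
    return 1
  fi

  # Report the operation
  echo "[INFO]: reliant_install_file: $1 $2 $3 $4 $5"

  # Install the file into dom0. The file content is streamed from the qube
  # and written as-is; install(1) only sets mode and ownership.
  # NOTE(review): the source path is interpolated unquoted into the command
  # line run in the qube, so a RELIANT_SYSTEM_ROOT containing whitespace or
  # shell metacharacters will not behave as a single path.
  qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" "cat $RELIANT_SYSTEM_ROOT/$1" \
    | install -D -m "$3" -o "$4" -g "$5" /dev/stdin "$2"
}

# Shorthand functions: same arguments as reliant_install_file, with $2 taken
# relative to the respective target directory.
reliant_install_bin() {
  reliant_install_file "$1" "$RELIANT_BIN_DIR/$2" "$3" "$4" "$5"
}

reliant_install_sbin() {
  reliant_install_file "$1" "$RELIANT_SBIN_DIR/$2" "$3" "$4" "$5"
}

reliant_install_share() {
  reliant_install_file "$1" "$RELIANT_SHARE_DIR/$2" "$3" "$4" "$5"
}

reliant_install_dracut() {
  reliant_install_file "$1" "$RELIANT_DRACUT_DIR/$2" "$3" "$4" "$5"
}

# Run the build script inside of the bootstrap qube
echo "[INFO]: Building $RELIANT_BOOTSTRAP_QUBE:$RELIANT_SYSTEM_ROOT for kernel $RELIANT_KERNEL_VERSION..."
qvm-run --pass-io "$RELIANT_BOOTSTRAP_QUBE" "sh -c 'cd $RELIANT_SYSTEM_ROOT && ./build.sh'"

# Begin the installation process
echo "[INFO]: Installing reliant-system from $RELIANT_BOOTSTRAP_QUBE:$RELIANT_SYSTEM_ROOT..."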
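# reliant-system/common
reliant_install_share common/reliant-common.sh reliant-common.sh 0644 root root

# reliant-system/extra
reliant_install_file extra/overlay.conf /etc/dracut.conf.d/overlay.conf 0644 root root
reliant_install_file extra/grub.systemd-volatile-overlay /etc/default/grub.systemd-volatile-overlay 0644 root root
reliant_install_file extra/shufflecake-close.service /etc/systemd/system/shufflecake-close.service 0644 root root
reliant_install_share extra/shufflecake-close.sh shufflecake-close.sh 0744 root root

# reliant-system/tools
reliant_install_sbin tools/reliant-hash reliant-hash 0744 root root
reliant_install_sbin tools/reliant-seal reliant-seal 0744 root root
reliant_install_sbin tools/reliant-mount reliant-mount 0744 root root
reliant_install_sbin tools/reliant-unseal reliant-unseal 0744 root root
reliant_install_sbin tools/reliant-status reliant-status 0744 root root
reliant_install_sbin tools/surgeon-suture surgeon-suture 0744 root root
reliant_install_sbin tools/surgeon-dissect surgeon-dissect 0744 root root
reliant_install_sbin tools/reliant-security reliant-security 0744 root root
reliant_install_sbin tools/reliant-snapshot-rw reliant-snapshot-rw 0744 root root
reliant_install_bin tools/reliant-print-config reliant-print-config 0755 root root
reliant_install_sbin tools/reliant-profiling-patch-systemd reliant-profiling-patch-systemd 0744 root root

# reliant-system/dracut
reliant_install_dracut dracut/99reliant/module-setup.sh module-setup.sh 0744 root root
reliant_install_dracut dracut/99reliant/reliant.service reliant.service 0644 root root
reliant_install_dracut dracut/99reliant/scripts/readonly.sh scripts/readonly.sh 0744 root root
reliant_install_dracut dracut/99reliant/scripts/reliant-initramfs.sh scripts/reliant-initramfs.sh 0744 root root
reliant_install_dracut dracut/99reliant/patches/create-snapshot.sh patches/create-snapshot.sh 0755 root root

# reliant-system/qubes-sflc
# The kernel version selects the dom0 module directory the qube-built module
# is written into.
reliant_install_file qubes-sflc/dm-sflc.ko "/usr/lib/modules/$RELIANT_KERNEL_VERSION/extra/dm-sflc.ko" 0644 root root
reliant_install_sbin qubes-sflc/shufflecake shufflecake 0744 root root

echo "[INFO]: Successfully copied files to dom0."
echo "[INFO]: Running post-installation commands..."

# reliant-system/common

#######################################
# Writes the current settings to /etc/reliant.conf, replacing the file.
# Globals:   RELIANT_PARANOID, RELIANT_RW_DOMAINS, RELIANT_SECURE_DEVICE,
#            RELIANT_SKIP_CHECKSUM, RELIANT_SPARSE_SAMPLES (read)
# NOTE(review): values are written unquoted, and RELIANT_RW_DOMAINS and
# RELIANT_SKIP_CHECKSUM may contain spaces. If the consumers of this file
# source it as shell, such a line would not be read as one assignment;
# confirm against the parser in reliant-common.sh.
#######################################
reliant_write_config() {
  echo "[INFO]: Writing new configuration to /etc/reliant.conf..."
  cat > /etc/reliant.conf << EOF
RELIANT_PARANOID=$RELIANT_PARANOID
RELIANT_RW_DOMAINS=$RELIANT_RW_DOMAINS
RELIANT_SECURE_DEVICE=$RELIANT_SECURE_DEVICE
RELIANT_SKIP_CHECKSUM=$RELIANT_SKIP_CHECKSUM
RELIANT_SPARSE_SAMPLES=$RELIANT_SPARSE_SAMPLES
EOF
}

# Keep an existing configuration unless the operator explicitly agrees to
# replace it; either way the installation continues.
if [ -f /etc/reliant.conf ]; then
  read -rp "[WARN]: /etc/reliant.conf exists. Overwrite? [Y/N]: "
  case "$REPLY" in
    [Yy]*) reliant_write_config ;;
    [Nn]*) echo "[INFO]: Aborted." ;;
    *) echo "[INFO]: Aborted." ;;
  esac
else
  reliant_write_config
fi

# reliant-system/extra
# -F: match the include line literally (the leading "." and the dots in the
# path are not regex wildcards), so it is appended exactly once.
if ! grep -Fxq ". /etc/default/grub.systemd-volatile-overlay" /etc/default/grub; then
  echo ". /etc/default/grub.systemd-volatile-overlay" >> /etc/default/grub
fi
grub2-mkconfig -o /boot/grub2/grub.cfg
systemctl daemon-reload
systemctl enable shufflecake-close.service

# reliant-system/tools
surgeon-dissect -t varlibqubes
reliant-snapshot-rw

# reliant-system/qubes-sflc
depmod -a "$RELIANT_KERNEL_VERSION"

# reliant-system/dracut
dracut --force --regenerate-all

if [ "$RELIANT_PROFILING" = "true" ]; then
  # Perform the patch
  reliant-profiling-patch-systemd
  old=/usr/lib/systemd/systemd-volatile-root
  new=/usr/lib/systemd/systemd-volatile-root.reliant-profiling

  # Park the original binary in a private directory created by mktemp rather
  # than under a name built by hand in /tmp.
  backup_dir="$(mktemp -d)"
  backup="$backup_dir/systemd-volatile-root"

  # Puts the original systemd-volatile-root back. Registered on EXIT so that
  # a failing dracut run (which aborts the script under `set -e`) cannot
  # leave the profiling build installed as the system binary.
  reliant_restore_volatile_root() {
    if [ -e "$backup" ]; then
      mv -f "$backup" "$old"
    fi
    # Best effort: the directory is empty once the backup has been moved out.
    rmdir "$backup_dir" 2>/dev/null || true
  }
  trap reliant_restore_volatile_root EXIT

  # Switch
  mv "$old" "$backup"
  mv "$new" "$old"

  # Build
  dracut --force "/boot/initramfs-$RELIANT_KERNEL_VERSION.reliant-profiling.img"

  # Switch back. The previous sequence ended with an rm of the temporary
  # name after it had already been moved, which failed and aborted the
  # script before the final message.
  reliant_restore_volatile_root
  trap - EXIT
fi

# Report successful installation
echo "[INFO]: Installation complete. Reboot to enter Protected Mode."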