#!/bin/sh

set -ue

ARCH=$(dpkg-architecture -qDEB_TARGET_ARCH)
DIST="./dist"
RSYNC_HOST="ftp.de.debian.org"
unset DEBIAN_VERSION

HELP_MESSAGE="$(cat <<-EOF
	Download Debian stable's netinst ISO image and verify its integrity
	Usage $0 [OPTIONS]
	    --arch=ARCH                 target architecture (default: "$ARCH")
	    --dist-dir=DIR              build directory (default: "$DIST")
	    --rsync-host=HOSTNAME       remote rsync(1) hostname (default: "$RSYNC_HOST")
	    --debian-version=VERSION    Debian version to install (default: current stable)
	    --help, -?                  this help
EOF
)"

[ $(id -u) -ne 0 ] || echo "WARN: unecessary privileged network access" >&2

usage() {
    [ ${1+x} ] && echo "Unknown option '$1'" >&2
    echo "Usage: $0 [OPTIONS] OUTPUT" >&2
    echo "       $0 --help" >&2
    exit 1
}

while [ $# -gt 0 ]; do
    case "$1" in
        --arch)   ARCH="$2"; shift;;
        --arch=*) ARCH="${1#--arch=}";;
        --dist-dir)   DIST="$2"; shift;;
        --dist-dir=*) DIST="${1#--dist-dir=}";;
        --rsync-host)   RSYNC_HOST="$2"; shift;;
        --rsync-host=*) RSYNC_HOST="${1#--rsync-host=}";;
        --debian-version)   DEBIAN_VERSION="$2"; shift;;
        --debian-version=*) DEBIAN_VERSION="${1#--debian-version=}";;
        --help|-\?) printf '%s\n' "$HELP_MESSAGE"; exit;;
        -*) usage "$1";;
        *) break;;
    esac
    shift
done
[ $# -eq 0 ] || usage

# Get current Debian stable version (incl. point release)
RSYNC="rsync --no-motd --info=NAME --inplace"
[ ${DEBIAN_VERSION+x} ] || DEBIAN_VERSION="$(
    dir="$(mktemp --tmpdir --directory)"
    rsync -lq "$RSYNC_HOST::debian-cd/current" "$dir"
    readlink "$dir/current"
    rm -f "$dir/current"
    rmdir "$dir"
)"
ISO_FILENAME="debian-$DEBIAN_VERSION-$ARCH-netinst.iso"


#######################################################################
# Download netinst ISO image and verify its integrity
#
mkdir -pv "$DIST"
$RSYNC -t --files-from=- "$RSYNC_HOST::debian-cd/$DEBIAN_VERSION/$ARCH/iso-cd/" "$DIST" <<-EOF
	/$ISO_FILENAME
	/SHA512SUMS
	/SHA512SUMS.sign
EOF

echo "Verifying integrity (OpenPGP signature on SHA-512 manifest)..." >&2
gpgv --keyring './signing-key.gpg' "$DIST/SHA512SUMS.sign" "$DIST/SHA512SUMS"

echo -n "Verifying integrity (SHA-512 checksum)... " >&2
if ( cd "$DIST" && sha512sum -c SHA512SUMS 2>/dev/null ) | grep -Fxq "$ISO_FILENAME: OK" ; then
    echo OK >&2
else
    echo 'Failed!' >&2
    exit 1
fi

echo "$DIST/$ISO_FILENAME"