#!/bin/sh
set -e

. /usr/share/debconf/confmodule || true

modprobe -v -d/target virtio-rng


#######################################################################
# Configuration SSHd

if [ -d /target/etc/ssh ]; then
    in-target find /etc/ssh -maxdepth 1 -type f -a \
        \( -name "ssh_host_*_key" -o -name "ssh_host_*_key.pub" \) \
        -delete
    in-target ssh-keygen -b 4096 -t rsa     -N '' -C /etc/ssh/ssh_host_rsa_key     -f /etc/ssh/ssh_host_rsa_key
    in-target ssh-keygen         -t ed25519 -N '' -C /etc/ssh/ssh_host_ed25519_key -f /etc/ssh/ssh_host_ed25519_key

    cat >/target/etc/ssh/sshd_config <<- EOF
		# What ports, IPs and protocols we listen for
		Port 22
		# Use these options to restrict which interfaces/protocols sshd will
		# bind to
		#ListenAddress ::
		#ListenAddress 0.0.0.0
		Protocol 2
		# HostKeys for protocol version 2
		HostKey /etc/ssh/ssh_host_rsa_key
		HostKey /etc/ssh/ssh_host_ed25519_key
		#Privilege Separation is turned on for security
		UsePrivilegeSeparation yes

		# Logging
		SyslogFacility AUTH
		LogLevel INFO

		# Authentication:
		LoginGraceTime 120
		PermitRootLogin without-password
		StrictModes yes

		PubkeyAuthentication yes
		#AuthorizedKeysFile %h/.ssh/authorized_keys

		# Change to yes to enable challenge-response passwords (beware issues
		# with
		# some PAM modules and threads)
		ChallengeResponseAuthentication no

		# Change to no to disable tunnelled clear text passwords
		PasswordAuthentication no

		X11Forwarding no
		PrintMotd no
		PrintLastLog yes
		TCPKeepAlive yes

		# Allow client to pass locale environment variables
		AcceptEnv LANG LC_*

		Subsystem sftp /usr/lib/openssh/sftp-server
	EOF

    if [ -f "/cdrom/authorized_keys" ]; then
        authorized_keys="$(mktemp -p "/target/tmp")"
        cat /cdrom/authorized_keys >"$authorized_keys"
        authorized_keys="${authorized_keys#/target}"
        if db_get passwd/username && [ "$RET" ]; then
            username="$RET"
        else
            username="root"
        fi
        in-target sh -c "
            install -m0700 -o $username -g $username --directory      ~$username/.ssh
            install -m0600 -o $username -g $username $authorized_keys ~$username/.ssh/authorized_keys
        "
    fi
fi


#######################################################################
# Configure salt-minion

if [ -d /target/etc/salt ]; then
    in-target sh -c '
        export HOME="$(echo ~root)" # use ~root/.rnd as OpenSSL seed file
        pkidir="/etc/salt/pki/minion"
        mkdir -p -m0700 "$pkidir"

        install -m0400 /dev/null "$pkidir/minion.pem"
        openssl genrsa -rand /dev/urandom -f4 4096 >"$pkidir/minion.pem"

        install -m0644 /dev/null "$pkidir/minion.pub"
        openssl pkey -pubout <"$pkidir/minion.pem" >"$pkidir/minion.pub"

        mkdir -p /etc/salt/minion.d
        install -m0644 /dev/null /etc/salt/minion.d/9999user.conf
    '
    if db_get tdf-postinst/salt_master && [ "$RET" ]; then
        echo "master: $RET" >>/target/etc/salt/minion.d/9999user.conf
    fi
    if db_get tdf-postinst/salt_master_fingerprint && [ "$RET" ]; then
        echo "master_finger: '$RET'" >>/target/etc/salt/minion.d/9999user.conf
    fi
    echo "id: $(hostname).documentfoundation.org" >>/target/etc/salt/minion.d/9999user.conf
fi


#######################################################################
# Start the QEMU Guest Agent and wait until the host tells us to continue

modprobe -v -d/target virtio-console
in-target qemu-ga --daemonize --pidfile=/var/run/qemu-ga.pid
while :; do
    [ -f /target/tmp/tdf-install-continue ] && break
    sleep 1
done
kill `cat /target/var/run/qemu-ga.pid`