#!/bin/bash

get_fingerprint() {
  local keyfile="$1"
  dropbearkey -y -f "${keyfile}" | sed -n '/^Fingerprint:/ {s/Fingerprint: *//; p}'
}

display_fingerprints() {
  local keyfile keytype

  for keytype in rsa ecdsa ed25519; do
    keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
    [ -s "${keyfile}" ] && echo "${keyfile##*/} : $(get_fingerprint "${keyfile}")"
  done
}

use_dropbear_keys() {
  local keytype

  for keytype in rsa ecdsa ed25519; do
    [ -s "/etc/dropbear/dropbear_${keytype}_host_key" ] && return 0
  done

  return 1
}

copy_openssh_keys() {
  local osshkey keytype

  local dbpre="/etc/dropbear/dropbear"

  local return_code=1

  for keytype in rsa ecdsa ed25519; do
    osshkey="/etc/ssh/ssh_host_${keytype}_key"
    [ -s "${osshkey}" ] || continue

    if ! dropbearconvert openssh dropbear "${osshkey}" "${dbpre}_${keytype}_host_key"; then
      error "failed to convert SSH key ${osshkey}"
      return 1
    fi

    return_code=0
  done

  return $return_code
}

generate_keys() {
  local keyfile keytype

  for keytype in rsa ecdsa ed25519; do
    keyfile="/etc/dropbear/dropbear_${keytype}_host_key"
    [ -s "${keyfile}" ] && continue

    if dropbearkey -t "${keytype}" -f "${keyfile}"; then
      echo "Generated ${keytype} host key for dropbear"
    elif [ "${keytype}" = "ed25519" ]; then
      # ed25519 key is not supported by all dropbear versions; don't hard fail
      warning "failed to generate $keytype host key for dropbear"
    else
      error "failed to generate ${keytype} host key for dropbear"
      return 1
    fi
  done
}

build ()
{
  #
  # Begin real processing
  #

  # Are we even needed?
  if [ ! -r "/etc/dropbear/root_key" -o ! -s "/etc/dropbear/root_key" ]; then
    echo "There is no root key in /etc/dropbear/root_key existent; exit"
    return 0
  fi

  # if TMPDIR is set leave it alone otherwise set
  [ -z "$TMPDIR" ] && TMPDIR='/tmp/dropbear_initrd_encrypt'

  # check if TMPDIR exsists if not make it
  [ -d "$TMPDIR" ] || mkdir -p "$TMPDIR"

  [ -d /etc/dropbear ] && mkdir -p /etc/dropbear

  use_dropbear_keys || copy_openssh_keys || generate_keys
  display_fingerprints

  add_checked_modules "/drivers/net/"
  add_binary "rm"
  add_binary "killall"
  add_binary "dropbear"

  add_dir "/root/.ssh"
  cat /etc/dropbear/root_key > "${BUILDROOT}"/root/.ssh/authorized_keys

  add_full_dir "/etc/dropbear"
  add_file "/lib/libnss_files.so.2"
  add_dir "/var/run"
  add_dir "/var/log"
  touch "${BUILDROOT}"/var/log/lastlog

  add_runscript
}

help ()
{
    cat<<HELPEOF
This hook is meant to be used in conjunction with mkinitcpio-netconf and/or
mkinitcpio-ppp. It DOES NOT provide any default shell. It will only install
and start dropbear on early userspace. In the package mkinitcpio-utils you
will find hooks and shells for remote unlocking a luks root partition,
among others.
HELPEOF
}

# vim: softtabstop=2 shiftwidth=2 expandtab