#!/bin/bash

# SPDX-License-Identifier: Unlicense

load_modules() {
  cat /load_modules.sh | bash
}

create_mounts() {
    mount -t proc proc /proc -o nosuid,noexec,nodev
    mount -t sysfs sys /sys -o nosuid,noexec,nodev
    mount -t devtmpfs dev /dev -o mode=0755,nosuid
    mount -t tmpfs run /run -o nosuid,nodev,mode=0755
    mkdir -m755 /run/initramfs

    if [ -e /sys/firmware/efi ]; then
        mount -t efivarfs efivarfs /sys/firmware/efi/efivars -o nosuid,nodev,noexec
    fi

    # Setup /dev symlinks
    if [ -e /proc/kcore ]; then
        ln -sfT /proc/kcore /dev/core
    fi
    ln -sfT /proc/self/fd /dev/fd
    ln -sfT /proc/self/fd/0 /dev/stdin
    ln -sfT /proc/self/fd/1 /dev/stdout
    ln -sfT /proc/self/fd/2 /dev/stderr
}

create_certs() {
  cert_dir="/tmp/certs"
  key="$cert_dir/dtrfs_api.key"
  cert="$cert_dir/dtrfs_api.crt"
  subject="/C=W3/O=DeTEE/OU=COCO/CN=dtrfs-api"
  mkdir -p "$cert_dir"
  openssl genpkey -algorithm RSA -out "$key" \
    -pkeyopt rsa_keygen_bits:4096 2>/dev/null
  openssl req -x509 -new \
    -key "$key" -out "$cert" \
    -addext "subjectAltName=DNS:dtrfs-api" \
    -days 365 -subj "$subject" 2>/dev/null
}

setup_network_device() {
  local device="$1" settings="$2" ip_addr='' mask='' cidr='' gateway=''
  [[ -z "$settings" ]] && return 0
  ip_addr="$( echo ${settings} | cut -d '_' -f1 )"
  mask="$( echo ${settings} | cut -d '_' -f2 )"
  cidr="${ip_addr}/${mask}"
  gateway="$( echo ${settings} | cut -d '_' -f3 )"

  ip addr add $cidr dev $device
  ip link set $device up
  sysctl -w net.ipv6.conf.$device.accept_ra=0
  ip route add default via $gateway
  sleep 2
  ping -c 2 $gateway
}

# Expects kernel param in this format: detee_net=192.168.122.140_24_192.168.122.1_1.1.1.1
# In case the interface name is not specified, it defaults to eth0
# Supports manual device, for example: detee_net_eth1
# TODO: test if it is required to specify mac instead of device name
setup_network() {
  local device_eth0_cfg='' device_cfg='' device_configs=''
  sysctl -w net.ipv6.conf.all.accept_ra=0
  sysctl -w net.ipv6.conf.default.accept_ra=0
  # handle the default: detee_net=...
  device_eth0_cfg=$(cat /proc/cmdline | grep -oE "detee_net=[0-9a-f\_\:\.]+" | cut -d '=' -f2)
  [[ -z "$device_eth0_cfg" ]] || setup_network_device eth0 $device_eth0_cfg

  # handle extra devices: detee_net_eth1=...
  device_configs=$(cat /proc/cmdline| grep -oE "detee_net_[a-z0-9]*=[0-9a-f\_\:\.]+")
  while read -r device_cfg; do
    setup_network_device \
      $(echo $device_cfg | cut -d '=' -f1 | cut -d '_' -f3) \
      $(echo $device_cfg | cut -d '=' -f2)
  done <<< "$( echo "$device_configs" )"

  echo nameserver 1.1.1.1 >> /etc/resolv.conf
  echo nameserver 1.0.0.1 >> /etc/resolv.conf
  echo nameserver 2606:4700:4700::1111 >> /etc/resolv.conf
  echo nameserver 2606:4700:4700::1001 >> /etc/resolv.conf
}


# detee_ghu stands for GitHub user and expects format detee_ghu=ghe0
github_ssh_key() {
  local key=''
  github_user=$(cat /proc/cmdline | grep -oE 'detee_ghu=[0-9a-zA-Z\_\.\-]+' | cut -d '=' -f2)
  [[ -z "$github_user" ]] && return 0
  mkdir -p /mnt/root/.ssh
  cd /mnt/root/.ssh
  touch authorized_keys
  key="$(wget -O - https://github.com/${github_user}.keys)"
  grep -F "$( echo $key | awk '{ print $2 }' )" authorized_keys > /dev/null || {
    echo "$key" >> authorized_keys
    chmod 600 authorized_keys
  }
}