#!/bin/bash

set -euo pipefail

RemoteRepo="gitolite@git.immae.eu:perso/Immae/Prive/Password_store/Sites"
MAKEFILE_DIR="$( cd "$( dirname $( dirname "${BASH_SOURCE[0]}" ))" >/dev/null 2>&1 && pwd )"

if ! which nix 2>/dev/null >/dev/null; then
  cat <<-EOF
	nix is needed, please install it:
	> curl https://nixos.org/nix/install | sh
	(or any other way handled by your distribution)
	EOF
  exit 1
fi

if [ "${NIX_STORE:-/nix/store}" != "/nix/store" ]; then
  cat <<-EOF
	Nix store outside of /nix/store is not supported
	EOF
  exit 1
fi

if [ -z "$NIXOPS_CONFIG_PASS_SUBTREE_REMOTE" \
    -o -z "$NIXOPS_CONFIG_PASS_SUBTREE_PATH" ]; then
  cat <<-EOF
	Two environment variables are needed to setup the password store:
	NIXOPS_CONFIG_PASS_SUBTREE_PATH : path where the subtree will be imported
	NIXOPS_CONFIG_PASS_SUBTREE_REMOTE : remote name to give to the repository
	EOF
  exit 1
fi

if ! pass $NIXOPS_CONFIG_PASS_SUBTREE_PATH > /dev/null 2>/dev/null; then
  cat <<-EOF
	/!\ This will modify your password store to add and import a subtree
	with the specific passwords files. Choose a path that doesn’t exist
	yet in your password store.
	> pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
	> pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
	Later, you can use pull_environment and push_environment scripts to
	update the passwords when needed
	Continue? [y/N]
	EOF
  read y
  if [ "$y" = "y" -o "$y" = "Y" ]; then
    pass git remote add $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE $RemoteRepo
    pass git subtree add --prefix=$NIXOPS_CONFIG_PASS_SUBTREE_PATH $NIXOPS_CONFIG_PASS_SUBTREE_REMOTE master
  else
    echo "Aborting"
    exit 1
  fi
fi

# Repull it before adding keys, just in case
make -C $MAKEFILE_DIR pull_environment

gpg_keys=$(pass ls $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys | sed -e "1d" | cut -d" " -f2)
for key in $gpg_keys; do
  content=$(pass show $NIXOPS_CONFIG_PASS_SUBTREE_PATH/Nixops/GPGKeys/$key)
  fpr=$(echo "$content" | gpg --import-options show-only --import --with-colons | grep -e "^pub" | cut -d':' -f5)
  gpg --list-key "$fpr" >/dev/null 2>/dev/null && imported=yes || imported=no
  # /usr/share/doc/gnupg/DETAILS field 2
  (echo "$content" | gpg --import-options show-only --import --with-colons |
      grep -E '^pub:' |
      cut -d':' -f2 |
      grep -q '[fu]') && signed=yes || signed=no
  if [ "$signed" = no -o "$imported" = no ] ; then
    echo "The key for $key needs to be imported and signed (a local signature is enough)"
    echo "$content" | gpg --import-options show-only --import
    echo "Continue? [y/N]"
    read y
    if [ "$y" = "y" -o "$y" = "Y" ]; then
      echo "$content" | gpg --import
      gpg --expert --edit-key "$fpr" lsign quit
    else
      echo "Aborting"
      exit 1
    fi
  fi
done

if nix show-config --json | jq -e '.sandbox.value == "true"' >/dev/null; then
  cat <<-EOF
	There used to be some impure derivations (grep __noChroot), you may need
	  sandbox = "relaxed"
	in /etc/nix/nix.conf
	you may also want to add
	  keep-outputs = true
	  keep-derivations = true
	to prevent garbage collector from deleting build dependencies (they take a lot of time to build)
        and
	  allow-import-from-derivation = false
	as an attempt to avoid having build-time derivations (doesn’t work for all packages)
	press key to continue
	EOF
  read y
fi

if ! make -C $MAKEFILE_DIR deployment_is_set 2>/dev/null >/dev/null; then
  cat <<-EOF
	Importing deployment file into nixops:
	Continue? [y/N]
	EOF
  read y
  if [ "$y" = "y" -o "$y" = "Y" ]; then
    make -C $MAKEFILE_DIR pull_deployment
  else
    echo "Aborting"
    exit 1
  fi
fi

cat <<-EOF
	All set up.
	Please make sure you’re using make commands when deploying
	EOF