#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# No bash in the installer environment, only BusyBox.

set -o errexit
set -o nounset
set -o noclobber

# Create a passphrase by pulling only characters in the range '!' to '~' (ASCII 0x21 to 0x7e) from /dev/random.
umask 0077
TMP_PASSPHRASE_FILE=$(mktemp)
readonly TMP_PASSPHRASE_FILE
grep -o '[!-~]' /dev/urandom | tr -d '\n' | head -c64 >> "${TMP_PASSPHRASE_FILE}"

# Create an include file for debian-installer with the passphrase as answers to the questions.
DEB_INSTALLER_CRYPT_INC_FILE=$(mktemp)
readonly DEB_INSTALLER_CRYPT_INC_FILE

# Read the first line (the passphrase) - POSIX-compliant
# IFS= prevents leading/trailing spaces from being truncated,
# -r ensures that backslashes are not interpreted.
IFS= read -r passphrase < "${TMP_PASSPHRASE_FILE}"

# A single printf call with exactly one redirect
# - ShellCheck-compliant and valid in POSIX-sh
printf 'd-i partman-crypto/passphrase string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"

printf 'd-i partman-crypto/passphrase-again string %s\n' "${passphrase}" >> "$DEB_INSTALLER_CRYPT_INC_FILE"

# Echo the file to be included, so debian-installer will do that - assuming this command is being run via 'preseed/include_command'.
# Without file:// will try and fetch from the webserver this preseed was served from.
echo "file://${DEB_INSTALLER_CRYPT_INC_FILE}"

# Add extra commands to the file that should be run using 'preseed/late_command' to ensure the passphrase is included in the new installation.
readonly IN_TARGET_KEY_FILE=/etc/keys/luks-lvm.key

cat - >> /tmp/late-command-script << LATE_EOF
##### BEGIN ADDED BY preseed-crypto-key preseed/include_command

umask 0077

mkdir -p /target$(dirname "${IN_TARGET_KEY_FILE}")

cp "${TMP_PASSPHRASE_FILE}" /target"${IN_TARGET_KEY_FILE}"

# Use /root as /tmp might be noexec

cat - >/target/root/configure-crypt-unlock <<EOF
#!/usr/bin/bash

# Standard bash safety features
set -eufo pipefail

if grep -q UMASK /etc/initramfs-tools/initramfs.conf
then
  sed -i 's-^#\?UMASK.*\\\$-UMASK=0077-' /etc/initramfs-tools/initramfs.conf
else
  echo -e "# Secure initramfs while it contains unlock keys for root filesystem\nUMASK=0077" >>/etc/initramfs-tools/initramfs.conf
fi

# Include keyfile in initramfs
sed -i 's-^#\?KEYFILE_PATTERN=.*\\\$-KEYFILE_PATTERN=$(dirname ${IN_TARGET_KEY_FILE})/*.key-' /etc/cryptsetup-initramfs/conf-hook

# Configure crypt to use keyfile to unlock encrypted partition(s)
sed -i 's#\(UUID=[^ ]\+\) none#\1 ${IN_TARGET_KEY_FILE}#' /etc/crypttab

# Update initramfs with key file
update-initramfs -u
exit 0
EOF

sleep 1

chmod 500 /target/root/configure-crypt-unlock
in-target /root/configure-crypt-unlock
rm /target/root/configure-crypt-unlock

exit 0
##### END ADDED BY preseed-crypto-key preseed/include_command
LATE_EOF

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh