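#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-06; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Autostart helper: loads the hardened sysctl profile, waits for DNS, then
# fetches a fresh shallow clone of the CISS.debian.installer repository.
#
# -C (noclobber) makes a plain '>' fail on an existing regular file, which is
# why every deliberate overwrite in this script uses '>|'.
set -Ceuo pipefail

# Everything created from here on (lock file, logs, checkout) is owner-only.
umask 0077

### Single-instance guard.
# fd 9 stays open for the lifetime of the script, so the lock is held until
# the process exits. The redirection must be '>|': under noclobber a plain
# '9>' fails as soon as the lock file exists, which would abort a second run
# with an error before flock could report the real reason (and would also
# block every later run for as long as the file remains in /run/lock).
install -d -m 0755 /run/lock
exec 9>| /run/lock/9999-cdi-starter.lock
flock -n 9 || {
  echo "9999-cdi-starter already running. Exiting."
  exit 0
}

#######################################
# Wait for network connectivity by looping.
# Polls DNS for git.coresecret.dev once per second, for at most 30 attempts.
# Arguments:
#   None
# Outputs:
#   A warning on stderr when the name never resolved.
# Returns:
#   0 in every case; a timeout is reported but left to the caller's next
#   network operation to fail on.
#######################################
net_wait() {
  declare -i i=1
  for i in {1..30}; do
    # Used as an 'if' condition so a failed lookup does not trip errexit.
    if getent hosts git.coresecret.dev >/dev/null; then
      return 0
    fi
    sleep 1
  done
  # Make the timeout visible in the log instead of falling through silently.
  printf '9999-cdi-starter: git.coresecret.dev did not resolve after 30 attempts; continuing.\n' >&2
  return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f net_wait

#######################################
# Wrapper for loading CISS hardened Kernel Parameters.
# Applies /etc/sysctl.d/99_local.hardened, then writes the resulting
# kernel/vm/net settings to a timestamped file under /var/log.
# Arguments:
#   None
#######################################
sysp() {
  sysctl -p /etc/sysctl.d/99_local.hardened
  # NOTE(review): with errexit and pipefail active, a non-zero exit from either
  # stage of this pipeline aborts the whole starter; confirm that 'sysctl -a'
  # exits 0 on the target image.
  # shellcheck disable=SC2312
  sysctl -a | grep -E 'kernel|vm|net' >| /var/log/sysctl_check"$(date +"%Y-%m-%d_%H:%M:%S")".log
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f sysp

#######################################
# Main autostart function.
# Applies the sysctl profile, sets up logging, waits for DNS and replaces any
# existing checkout of the installer repository with a fresh shallow clone.
# Arguments:
#   none
# Outputs:
#   stdout and stderr are duplicated into a timestamped log under
#   /root/.ciss/cdi/log; begin/finished marker files are written there too.
#######################################
main() {
  declare -r repo_url="https://git.coresecret.dev/msw/CISS.debian.installer.git"
  declare -r repo_dir="/root/git/CISS.debian.installer"

  sleep 8

  sysp

  install -d -m 0700 /root/.ciss/cdi/log
  # shellcheck disable=SC2155
  declare -r log="/root/.ciss/cdi/log/9999-cdi-starter_$(date +'%F_%H-%M-%S').log"
  # From here on all output goes to the console and is appended to ${log}.
  # shellcheck disable=SC2312
  exec > >(tee -a "${log}") 2>&1

  printf "CISS.debian.installer Master V8.13.192.2025.10.18 is up! \n" >| /root/.ciss/cdi/log/auto_start_begin_"$(date +"%Y-%m-%d_%H-%M-%S")".log

  net_wait

  cd /root/git

  # Always start from a clean checkout. '--' ends option parsing and ':?'
  # aborts instead of expanding to an empty path if the variable were ever
  # unset or empty.
  if [[ -d "${repo_dir}" ]]; then
    rm -rf -- "${repo_dir:?}"
  fi

  # NOTE(review): the checkout is authenticated only by the TLS connection to
  # the Git host; nothing here pins a commit or checks a signature. This script
  # writes under /root and /var/log, so it presumably runs as root. Before the
  # installer invocation below is re-enabled, verify a signed tag or commit
  # (for example 'git verify-commit HEAD' against a key shipped in the image)
  # so that code executed at boot is tied to a trusted signer.
  git clone --depth 1 "${repo_url}" "${repo_dir}"

  chmod 0700 "${repo_dir}/ciss_debian_installer.sh"

  cd "${repo_dir}"

  #./ciss_debian_installer.sh \
  #  --autoinstall \
  #  --debug XTRACE \
  #  --log debug \
  #  --reionice-priority 1 0 \
  #  --renice-priority "-19"

  # With the invocation above commented out, this marker only records that the
  # clone step completed.
  printf "CISS.debian.installer Master V8.13.192.2025.10.18 successfully executed! \n" >| /root/.ciss/cdi/log/auto_start_finished_"$(date +"%Y-%m-%d_%H-%M-%S")".log

  exit 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f main

main "$@"
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh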