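#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Purpose: download a pinned SOPS release, verify its checksum manifest with
# cosign (keyless, GitHub Actions OIDC issuer), verify the binary against that
# manifest, install it to /usr/local/bin/sops, and provision root's age key
# file for SOPS. Any failing step aborts the script (set -e, pipefail).

set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

# Optional helper; sourced only when present and readable.
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

export DEBIAN_FRONTEND="noninteractive"

SOPS_VER="v3.11.0"
ARCH="$(dpkg --print-architecture)"

case "${ARCH}" in
  amd64) SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
  arm64) SOPS_FILE="sops-${SOPS_VER}.linux.arm64" ;;
  *)
    echo "Unsupported arch: ${ARCH}" >&2
    exit 1
    ;;
esac

# Download, verify and install inside a subshell so that:
#   - the working directory is a private mktemp directory rather than fixed,
#     predictable file names directly under a shared /tmp;
#   - the EXIT trap below is scoped to the subshell and removes the downloads
#     on failure as well as on success, without replacing any trap the sourced
#     helper may have set (not visible from this file).
(
  work_dir="$(mktemp -d)"
  trap 'rm -rf -- "${work_dir}"' EXIT
  cd "${work_dir}"

  base_url="https://github.com/getsops/sops/releases/download/${SOPS_VER}"
  checksums_txt="sops-${SOPS_VER}.checksums.txt"
  checksums_pem="sops-${SOPS_VER}.checksums.pem"
  checksums_sig="sops-${SOPS_VER}.checksums.sig"

  # Restrict the transfer and any redirect to HTTPS. Integrity still rests on
  # the cosign and sha256 checks below, not on the transport.
  for asset in "${SOPS_FILE}" "${checksums_txt}" "${checksums_pem}" "${checksums_sig}"; do
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSLO "${base_url}/${asset}"
  done

  # The identity pattern is a regular expression matched anywhere in the
  # certificate identity. Anchor it and end it with '/' so only workflows under
  # the getsops organisation are accepted, not any identity that merely
  # contains the string (for example another organisation whose name starts
  # with "getsops").
  cosign verify-blob "${checksums_txt}" \
    --certificate "${checksums_pem}" \
    --signature "${checksums_sig}" \
    --certificate-identity-regexp='^https://github\.com/getsops/' \
    --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

  # Only the downloaded binary is present here; --ignore-missing skips the
  # other release assets listed in the manifest. GNU sha256sum fails with
  # "no file was verified" if none of the listed files is present, so a
  # mismatched file name cannot pass silently.
  sha256sum -c "${checksums_txt}" --ignore-missing

  install -m 0755 "${SOPS_FILE}" /usr/local/bin/sops
)

# Smoke test: both tools must be callable, otherwise set -e aborts here.
sops --version --check-for-updates
age --version

# Private key material: restrict permissions before anything is created.
umask 0077
mkdir -p /root/.config/sops/age

# NOTE(review): the placeholder in the here-document is presumably substituted
# by the build pipeline before this script runs - confirm. Once rendered, this
# script file itself contains the age private key, so it should not remain in
# the final image, in build logs or in cached build artifacts.
# The quoted delimiter keeps the shell from expanding anything in the key
# text; '>|' overrides noclobber (set -C) so an existing file is replaced.
cat << 'EOF' >| /root/.config/sops/age/keys.txt
{{ secrets.CISS_PHYS_AGE }}
EOF
chmod 0400 /root/.config/sops/age/keys.txt

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh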