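#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Purpose: writes the XDG profile defaults, the login-shell snippet and a root-only helper, sources the
# helper into this shell, installs 'libpam-systemd' and creates the private working directories under '/root'.
#
# The three generated files are written with '>|' (truncate, overriding noclobber) instead of '>>'.
# Appending made a second run duplicate every file, and it kept whatever content was already present in
# '/root/ciss_xdg_tmp.sh', which is sourced into this shell a few lines after it is written.

# -C: noclobber, -e: exit on error, -u: unset variables are errors, pipefail: a pipeline fails if any stage fails.
set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

#######################################
# Generates '/etc/default/ciss-xdg-profile' (the toggles read by '/etc/profile.d/ciss-xdg.sh').
# The file is replaced on every run and set to mode 0644.
# Globals:
#   None
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
generate_ciss_xdg_profile() {
  # '>|' is required because noclobber is active; the quoted delimiter keeps the body literal.
  cat << 'EOF' >| /etc/default/ciss-xdg-profile
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# Default toggles for ciss-xdg-profile
# 1 = enable, 0 = disable
ENABLE_XDG_BASH_HISTORY=1
ENABLE_XDG_LESS_HISTORY=1
ENABLE_XDG_ZSH_HISTORY=1

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
EOF

  # World-readable: the login snippet sources this file in every user's shell.
  chmod 0644 /etc/default/ciss-xdg-profile

  return 0
}

#######################################
# Generates '/etc/profile.d/ciss-xdg.sh' (POSIX sh snippet that exports the XDG variables, creates the
# per-user base directories with mode 0700 and moves shell/less history below XDG_STATE_HOME).
# The file is replaced on every run and set to mode 0755.
# Globals:
#   None
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
generate_ciss_xdg_sh() {
  # Quoted delimiter: nothing in the body is expanded at build time, it is evaluated at login.
  cat << 'EOF' >| /etc/profile.d/ciss-xdg.sh
#!/bin/sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

# shellcheck shell=sh

# This file is sourced by login shells via '/etc/profile'. Keep POSIX sh compatible.

### XDG variables (do not override if already set).
export XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
export XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
export XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
export XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
export XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
export XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"

### XDG_RUNTIME_DIR is provided by systemd-logind; do not set a persistent path.
# shellcheck disable=SC2312
if [ -z "${XDG_RUNTIME_DIR:-}" ] && [ -d "/run/user/$(id -u)" ]; then
  # shellcheck disable=SC2155
  export XDG_RUNTIME_DIR="/run/user/$(id -u)"
fi

### Create canonical directories idempotently with 0700.
_xdg_umask="$(umask)"
umask 077
[ -d "${XDG_CONFIG_HOME}" ] || install -d -m 0700 -- "${XDG_CONFIG_HOME}"
[ -d "${XDG_DATA_HOME}" ] || install -d -m 0700 -- "${XDG_DATA_HOME}"
[ -d "${XDG_CACHE_HOME}" ] || install -d -m 0700 -- "${XDG_CACHE_HOME}"
[ -d "${XDG_STATE_HOME}" ] || install -d -m 0700 -- "${XDG_STATE_HOME}"
umask "${_xdg_umask}"
unset _xdg_umask

### Optional migrations (controlled via /'etc/default/ciss-xdg-profile').
[ -f /etc/default/ciss-xdg-profile ] && . /etc/default/ciss-xdg-profile

### Bash history -> XDG_STATE_HOME (only if running bash).
if [ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ] && [ -n "${BASH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/bash" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/bash"
  export HISTFILE="${XDG_STATE_HOME}/bash/history"
fi

### Zsh history -> XDG_STATE_HOME (best-effort; zsh might not read /etc/profile)
if [ "${ENABLE_XDG_ZSH_HISTORY:-1}" = "1" ] && [ -n "${ZSH_VERSION:-}" ]; then
  [ -d "${XDG_STATE_HOME}/zsh" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/zsh"
  export HISTFILE="${XDG_STATE_HOME}/zsh/history"
fi

### Less history -> XDG_STATE_HOME
if [ "${ENABLE_XDG_LESS_HISTORY:-1}" = "1" ]; then
  [ -d "${XDG_STATE_HOME}/less" ] || install -d -m 0700 -- "${XDG_STATE_HOME}/less"
  export LESSHISTFILE="${XDG_STATE_HOME}/less/history"
fi

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF

  chmod 0755 /etc/profile.d/ciss-xdg.sh

  return 0
}

#######################################
# Generates '/root/ciss_xdg_tmp.sh' (bash helper that exports the XDG variables and, if enabled, HISTFILE).
# The file is replaced on every run and set to mode 0700; this script sources it right after generation.
# Globals:
#   None
# Arguments:
#   None
# Returns:
#   0: on success
#######################################
generate_ciss_xdg_tmp_sh() {
  # Truncate rather than append: the caller sources this file, so it must contain exactly the body below.
  cat << 'EOF' >| /root/ciss_xdg_tmp.sh
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu

### XDG variables (do not override if already set).
set -a

# shellcheck disable=SC2034
XDG_CONFIG_HOME="${XDG_CONFIG_HOME:-${HOME}/.config}"
# shellcheck disable=SC2034
XDG_DATA_HOME="${XDG_DATA_HOME:-${HOME}/.local/share}"
# shellcheck disable=SC2034
XDG_CACHE_HOME="${XDG_CACHE_HOME:-${HOME}/.cache}"
# shellcheck disable=SC2034
XDG_STATE_HOME="${XDG_STATE_HOME:-${HOME}/.local/state}"
# shellcheck disable=SC2034
XDG_CONFIG_DIRS="${XDG_CONFIG_DIRS:-/etc/xdg}"
# shellcheck disable=SC2034
XDG_DATA_DIRS="${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"

### Optional migrations (controlled via /etc/default/ciss-xdg-profile).
[[ -f /etc/default/ciss-xdg-profile ]] && . /etc/default/ciss-xdg-profile

### Bash history -> XDG_STATE_HOME (only if running bash).
if [[ "${ENABLE_XDG_BASH_HISTORY:-1}" = "1" ]] && [[ -n "${BASH_VERSION:-}" ]]; then
  HISTFILE="${XDG_STATE_HOME}/bash/history"
fi

set +a

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF

  # Owner-only: the helper lives in root's home and is only meant to be sourced by root.
  chmod 0700 /root/ciss_xdg_tmp.sh

  return 0
}

generate_ciss_xdg_profile
generate_ciss_xdg_sh
generate_ciss_xdg_tmp_sh

# Pull the XDG variables into this shell. The helper runs under this script's 'set -eu'.
# NOTE(review): the helper expands "${HOME}"; with 'set -u' the script aborts here if HOME is unset in
# the build environment - confirm that the caller always provides it.
# shellcheck source=/dev/null
[[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh

export DEBIAN_FRONTEND="noninteractive"

apt-get update -qq
apt-get install -y --no-install-suggests libpam-systemd

# NOTE(review): only the leaf directories are tightened to 0700; '/root/.ciss' and '/root/.ciss/dlb'
# keep the umask-derived mode from 'mkdir -p'.
mkdir -p /root/.ciss/dlb/{backup,log}
chmod 0700 /root/.ciss/dlb/{backup,log}

mkdir -p /root/git
chmod 0700 /root/git

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh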