#!/bin/sh
set -e

# Detect if running on a Live system where service start should be skipped
# Decide whether this host is a Live medium or a container, i.e. an
# environment in which the daemons must NOT be started by this script.
# Indicators checked, in order:
#   - kernel command line containing "boot=live" or "rd.live"
#   - a /run/live directory
#   - a /.live-installer marker file
#   - systemd-detect-virt reporting a container (-c)
# Returns 0 when any indicator matches, 1 otherwise. Missing /proc/cmdline or
# a missing systemd-detect-virt binary simply count as "no match".
is_live_system() {
    for cmdline_marker in 'boot=live' 'rd.live'; do
        if grep -q "$cmdline_marker" /proc/cmdline 2>/dev/null; then
            return 0
        fi
    done
    if [ -d /run/live ] || [ -f /.live-installer ]; then
        return 0
    fi
    # Containers (systemd-nspawn, docker, ...) look like Live systems here too.
    if systemd-detect-virt -c -q 2>/dev/null; then
        return 0
    fi
    return 1
}

# Determine if SELinux policy for himmelblaud is loaded.
# Returns success if SELinux is disabled or the policy is already loaded.
# Decide whether it is safe, SELinux-wise, to (re)start himmelblaud now.
# Returns 0 ("do not block the start") when:
#   - libselinux tooling (selinuxenabled) is not installed at all,
#   - SELinux is disabled (selinuxenabled exits non-zero; note it also exits 0
#     in permissive mode, so the start is deferred there as well),
#   - the himmelblaud policy sources are not installed on this host, or
#   - the "himmelblaud" module shows up in `semodule -l`.
# Returns 1 when the policy sources are present but either semodule is missing
# or the module is not loaded yet.
selinux_policy_loaded() {
    command -v selinuxenabled >/dev/null 2>&1 || return 0
    selinuxenabled || return 0
    # Policy package not installed here: nothing to wait for.
    [ -d /usr/share/selinux/packages/himmelblaud ] || return 0
    # Sources present but no semodule to query: treat as "not loaded".
    command -v semodule >/dev/null 2>&1 || return 1
    # Only the first column is compared, so a trailing version column (if the
    # installed semodule prints one) does not affect the match.
    semodule -l 2>/dev/null | awk '{ print $1 }' | grep -qx himmelblaud
}

# Gate for the (re)start steps below: 1 = SELinux is on but the himmelblaud
# module is not loaded yet, so leave the daemons stopped; 0 = start as usual.
skip_start=0
selinux_policy_loaded || skip_start=1

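# Ensure the cache directory (himmelblau-policies.conf) and the private data
# directory (himmelblaud.conf) exist with the ownership and mode declared in
# the package's tmpfiles.d fragments.
#
# This stays best-effort (the package must still configure on hosts without
# systemd-tmpfiles), but a failure is reported on stderr instead of being
# silently discarded: a directory that ends up with the wrong owner or mode is
# something the installing admin should see in the log.
if command -v systemd-tmpfiles >/dev/null 2>&1; then
    for TMPFILES_CONF in \
        /usr/lib/tmpfiles.d/himmelblau-policies.conf \
        /usr/lib/tmpfiles.d/himmelblaud.conf; do
        if ! systemd-tmpfiles --create "$TMPFILES_CONF" 2>/dev/null; then
            echo "warning: systemd-tmpfiles --create $TMPFILES_CONF failed; check the directory ownership and mode" >&2
        fi
    done
fi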

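# Remove old service files from /etc/systemd/system/ that were installed by v1.4.x.
# These take precedence over the new files in /usr/lib/systemd/system/ and lack
# the LoadCredentialEncrypted directive needed for HSM pin handling.
#
# To avoid removing administrator overrides, a file is only deleted when its
# md5 digest matches one of the digests of the files those packages shipped.
# md5 is adequate for this purpose: it fingerprints our own historical files,
# it is not an integrity check against an adversary (anyone able to plant a
# file under /etc/systemd/system is already root).
OLD_UNIT_FILE_HASHES="
e3b66fe76769d64610a353adf3dbc595
7b0f82a49b6be1c285de8549e611ab66
ed238618354f885a2b0c697278ea33e8
65b026cc5d5f0f4d600184b6190b8cb3
a40d5ca8aedba32f9399acc7e5fdd03d
7473a7bee9c4ebde099a658522f21203
5e0b319ec558849d4cd08e2d5eaf90e3
60ad28a9039e527aa709137fe1f3db00
95c442df9bd7c7d94d94292cdda14513
73b676e55c6979c601b6c2d93257410f
85ab21f2ac8b5c4b60451fa6540771db
15501a8e5db36b92eac8a965d544bae8
73fa66e462ff429076107e346d5ddbe8
f794aaa11243213f8de06f1416f16682
bde93199f6dc7b28d5e4e1d67504601b
d7e2800688c23d570230296e17b0e6c2
db8132b5813a3413b4647529cf7ea8f3
8cffb12270663febb99c61e5d013926f
ca442221291feb739fb0b078e036f6c9
b18d0e9861fc161aa3a4c093f140bdf1
337e41fad21375f4ee614caf3b07a2de
"

# remove_if_known_old PATH
# Delete PATH when it is a regular file whose md5 digest is listed in
# OLD_UNIT_FILE_HASHES. A missing, unreadable or locally modified file is
# left untouched. Always returns 0 so it is safe under `set -e`.
remove_if_known_old() {
    old_path="$1"
    [ -f "$old_path" ] || return 0
    old_digest="$(md5sum -- "$old_path" 2>/dev/null | awk '{print $1}')"
    # An unreadable file yields an empty digest, which must never match.
    [ -n "$old_digest" ] || return 0
    for known_digest in $OLD_UNIT_FILE_HASHES; do
        if [ "$old_digest" = "$known_digest" ]; then
            echo "Removing old service file: $old_path"
            rm -f -- "$old_path"
            break
        fi
    done
    return 0
}

for OLD_FILE in \
    "/etc/systemd/system/himmelblaud.service" \
    "/etc/systemd/system/himmelblaud-tasks.service" \
    "/etc/systemd/system/gdm3.service.d/override.conf"; do
    remove_if_known_old "$OLD_FILE"
done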

# Debian-family hosts: let deb-systemd-helper own the enable/mask state so an
# administrator's `systemctl disable` survives upgrades, and go through
# deb-systemd-invoke so policy-rc.d (chroots, image builds) is honoured.
if command -v deb-systemd-helper >/dev/null 2>&1; then
    # Unit state is only touched in the "configure" phase; any other
    # maintainer-script argument ends the script here.
    [ "$1" = "configure" ] || exit 0

    ALL_UNITS="himmelblaud.service himmelblaud-tasks.service himmelblau-hsm-pin-init.service"

    # Transitional: drops any mask on these units, including one an
    # administrator set by hand. The original note says this line should be
    # removed in trixie or trixie+1.
    # shellcheck disable=SC2086  # ALL_UNITS is a deliberate word list
    deb-systemd-helper unmask $ALL_UNITS >/dev/null || true

    # was-enabled defaults to true, so a fresh install enables the units; on
    # upgrades a deliberately disabled unit stays disabled and only the
    # helper's state file is refreshed (new symlinks recorded for purge,
    # stale ones removed).
    if deb-systemd-helper --quiet was-enabled $ALL_UNITS; then
        deb-systemd-helper enable $ALL_UNITS >/dev/null || true
    else
        deb-systemd-helper update-state $ALL_UNITS >/dev/null || true
    fi

    # Only (re)start when systemd is running on the host being configured:
    # not under DPKG_ROOT, only with /run/systemd/system present, and never
    # on a Live medium or in a container.
    if [ -z "$DPKG_ROOT" ] && [ -d /run/systemd/system ] && ! is_live_system; then
        deb-systemd-invoke daemon-reload --system >/dev/null || true
        case "$skip_start" in
            1) echo "SELinux enabled but himmelblaud policy not loaded yet; deferring service start" ;;
            *) deb-systemd-invoke restart himmelblaud.service himmelblaud-tasks.service >/dev/null || true ;;
        esac
    fi
elif command -v systemctl >/dev/null 2>&1; then
    # Non-Debian hosts: make systemd pick up the unit files shipped in
    # /usr/lib/systemd/system/; enable/start is handled further down.
    systemctl daemon-reload || true
fi

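# Generic enable/start path for hosts without deb-systemd-helper (e.g. RPM
# based distributions).
#
# It is deliberately skipped when deb-systemd-helper exists: the Debian branch
# above has already enabled the units (respecting an administrator's
# `disable` via was-enabled) and restarted them through deb-systemd-invoke,
# which honours policy-rc.d. Running plain `systemctl enable`/`restart` here
# as well would re-enable units the administrator turned off and restart the
# daemons a second time outside policy-rc.d.
#
# On Live systems, skip service start - the HSM PIN will be generated at first boot
# via the himmelblau-hsm-pin-init.service oneshot when deployed to real hardware.
if command -v systemctl >/dev/null 2>&1 && ! command -v deb-systemd-helper >/dev/null 2>&1; then
    if is_live_system; then
        echo "Live system detected - skipping service start (HSM PIN will be initialized at first boot)"
        # Only enable services so they start on first real boot
        systemctl enable himmelblaud.service himmelblaud-tasks.service 2>/dev/null || true
        # Enable HSM PIN init service separately (may not exist on older systemd)
        systemctl enable himmelblau-hsm-pin-init.service 2>/dev/null || true
    else
        echo "Enabling and starting Himmelblau services..."
        systemctl enable himmelblaud.service himmelblaud-tasks.service 2>/dev/null || true
        # Enable HSM PIN init service separately (may not exist on older systemd)
        systemctl enable himmelblau-hsm-pin-init.service 2>/dev/null || true
        # skip_start is set earlier from selinux_policy_loaded: with SELinux on
        # and no himmelblaud module loaded, leave the daemons stopped for now.
        if [ "$skip_start" -eq 1 ]; then
            echo "SELinux enabled but himmelblaud policy not loaded yet; deferring service start"
        else
            systemctl restart himmelblaud.service himmelblaud-tasks.service 2>/dev/null || true
        fi
    fi
fi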
