#!/bin/sh

PREREQ=""

prereqs() {
    echo "$PREREQ"
}

case "$1" in
    prereqs)
        prereqs
        exit 0
    ;;
esac

. /usr/share/initramfs-tools/hook-functions

dropbear_warn() {
    echo "dropbear: WARNING:" "$@" >&2
}

copy_exec /usr/sbin/dropbear /sbin
LIBC_DIR=$(ldd /usr/sbin/dropbear | sed -nr 's#.* => (/lib.*)/libc\.so\.[0-9.-]+ \(0x[[:xdigit:]]+\)$#\1#p')
find -L "$LIBC_DIR" -maxdepth 1 -name 'libnss_files.*' -type f | while read so; do
    copy_exec "$so"
done

home=$(mktemp -d "$DESTDIR/root-XXXXXX")
chmod 0700 "$home"
for x in passwd group; do echo "$x: files"; done >"$DESTDIR/etc/nsswitch.conf"
echo "root:*:0:0::${home#$DESTDIR}:/bin/sh" >"$DESTDIR/etc/passwd"
echo "root:!:0:" >"$DESTDIR/etc/group"

# Copy config and host keys
mkdir -p "$DESTDIR/etc/dropbear"
if [ -e /etc/dropbear-initramfs/config ]; then
    cp -p "/etc/dropbear-initramfs/config" "$DESTDIR/etc/dropbear/"
fi
for keytype in dss rsa ecdsa; do
    hostkey="/etc/dropbear-initramfs/dropbear_${keytype}_host_key"
    [ -f "$hostkey" ] && cp -p "$hostkey" "$DESTDIR/etc/dropbear/"
done

if [ -z "$(find "$DESTDIR/etc/dropbear" -maxdepth 1 -name 'dropbear_*_host_key')" ]; then
    dropbear_warn "Missing host keys, remote unlocking of cryptroot via SSH won't work!"
fi

# Copy authorized_keys
mkdir -m0700 "$home/.ssh"
if [ -e /etc/dropbear-initramfs/authorized_keys ]; then
    cat /etc/dropbear-initramfs/authorized_keys
else
    for keytype in dsa rsa ecdsa; do
        pubkey="/etc/dropbear-initramfs/id_${keytype}.pub"
        [ -e "$pubkey" ] && cat "$pubkey"
    done
fi >"$home/.ssh/authorized_keys"

if ! grep -qE '^([^#]+ )?(ssh-(dss|rsa)|ecdsa-sha2-nistp(256|384|521)) ' "$home/.ssh/authorized_keys"; then
    dropbear_warn "Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!"
fi
