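# Build a verity-protected, Secure-Boot-signed PatOS disk image.
#
# This runs as a build step: every input is an environment variable and all
# output is written below $out, which is the working directory throughout.
#   $out            output directory
#   $rootfs         prebuilt root filesystem tree to copy in (must be writable
#                   copy, hence the cp below instead of a symlink)
#   $systemd        systemd installation providing systemd-repart, ukify,
#                   bootctl and systemd-sbsign
#   $kernel         directory holding bzImage
#   $initrd         directory holding initrd.xz
#   $version        image version, used in file, label and UKI names
#   $kernelCmdLine  base kernel command line; roothash= is appended here so
#                   the verity root hash is bound into the signed UKI
#
# Pipeline: copy rootfs -> enable services -> erofs root + verity hash
# partitions (split out as block files) -> two UKIs carrying the roothash ->
# throwaway Secure Boot key -> bootctl + sign -> final image (ESP+root+verity).
set -ex -o pipefail

# Fail early with a clear message if a required build input is missing.
: "${out:?}" "${rootfs:?}" "${systemd:?}" "${kernel:?}" "${initrd:?}" "${version:?}"

mkdir -p "$out/init.repart.d" "$out/final.repart.d" "$out/boot"
pushd "$out"

# systemd-repart's CopyFiles= needs a real, writable tree, so copy the rootfs
# instead of symlinking the derivation. Note the glob skips dotfiles at the top
# level of $rootfs.
mkdir rootfs
cp -prP "$rootfs"/* rootfs/
# The source tree is read-only; make directories writable so we can add the
# symlinks below.
find rootfs/ -type d -exec chmod 755 {} \;

systemd_units=rootfs/usr/lib/systemd/system
mkdir -p \
  "$systemd_units/multi-user.target.wants" \
  "$systemd_units/sockets.target.wants" \
  "$systemd_units/sysinit.target.wants"

# Default boot target: multi-user.
ln -sf multi-user.target "$systemd_units/default.target"

# Enable dbus.
ln -sf ../dbus.service "$systemd_units/multi-user.target.wants/dbus.service"
ln -sf ../dbus.socket "$systemd_units/sockets.target.wants/dbus.socket"

# Enable networking (networkd, resolved, timesyncd).
ln -sf ../systemd-networkd.service "$systemd_units/sysinit.target.wants/systemd-networkd.service"
ln -sf ../systemd-resolved.service "$systemd_units/sysinit.target.wants/systemd-resolved.service"
ln -sf ../systemd-timesyncd.service "$systemd_units/multi-user.target.wants/systemd-timesyncd.service"
# Activate the shipped example network config by dropping the .example suffix.
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example \
   rootfs/usr/lib/systemd/network/89-ethernet.network

# Enable confext/sysext merging at boot.
ln -sf ../systemd-confext.service "$systemd_units/sysinit.target.wants/systemd-confext.service"
ln -sf ../systemd-sysext.service "$systemd_units/sysinit.target.wants/systemd-sysext.service"

# Initial partitioning: build the erofs root and its verity hash tree as
# split-out block images. Only the split files are kept; the disk image
# produced here is discarded.
cat <<EOF > init.repart.d/10-root.conf
[Partition]
Type=root
Format=erofs
Minimize=best
CopyFiles=/rootfs:/
Verity=data
VerityMatchKey=root
SplitName=root
EOF

cat <<EOF > init.repart.d/20-root-verity.conf
[Partition]
Type=root-verity
Verity=hash
VerityMatchKey=root
Minimize=best
SplitName=verity
EOF

# TODO: Add verity signature partition. Until then the root hash is only
# protected by being part of the signed UKI's command line.

"$systemd/usr/bin/systemd-repart" \
  --no-pager \
  --empty=create \
  --size=auto \
  --definitions=./init.repart.d \
  --split=true \
  --json=pretty \
  --root="$out" \
  "patos-$version.raw" > init-repart-output.json && rm -f "patos-$version.raw"

# Index 0 / 1 follow the definition file order (10-root, 20-root-verity).
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
rootUuid=$(jq -r '.[0].uuid' init-repart-output.json)

verityPart=$(jq -r '.[1].split_path' init-repart-output.json)
verityUuid=$(jq -r '.[1].uuid' init-repart-output.json)

# A missing/"null" root hash would silently produce a UKI whose roothash= is
# garbage; refuse to continue rather than ship an unverifiable image.
if [[ ! "$roothash" =~ ^[0-9a-f]+$ ]]; then
  printf 'systemd-repart did not report a usable roothash: %q\n' "$roothash" >&2
  exit 1
fi
for f in "$rootPart" "$verityPart"; do
  if [[ -z "$f" || "$f" == null ]]; then
    printf 'systemd-repart did not report split_path for both partitions\n' >&2
    exit 1
  fi
done

# Regular UKI: kernel + initrd + cmdline with the verity roothash bound in.
"$systemd/usr/bin/ukify" build \
  --linux "$kernel/bzImage" \
  --initrd "$initrd/initrd.xz" \
  --os-release @rootfs/etc/os-release \
  --cmdline "$kernelCmdLine roothash=$roothash" \
  -o "patos_${version}.efi"

# Factory-reset UKI: same payload, distinct os-release so it shows up as its
# own boot entry, plus systemd.factory_reset=yes on the cmdline.
cat <<EOF > reset-os-release
NAME=PatOS
PRETTY_NAME=PatOS Factory Reset
IMAGE_ID=patos
ID=patos
IMAGE_VERSION=${version}
VERSION=${version}
VERSION_ID=patos
EOF

"$systemd/usr/bin/ukify" build \
  --linux "$kernel/bzImage" \
  --initrd "$initrd/initrd.xz" \
  --os-release @./reset-os-release \
  --cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
  -o patos_factory_reset.efi

# Secure boot.
# NOTE(review): this mints a fresh self-signed key on every build, and both
# cert.pem and the unencrypted key.pem stay in $out after the script finishes
# (only rootfs/ is cleaned up). Anyone who can read the build output can sign
# code that a machine enrolled from this image will boot, and a machine enrolled
# from one build presumably will not trust UKIs from the next build's key.
# Fine for a throwaway dev image; for anything else sign with a key held
# outside the build and reconsider `secure-boot-enroll force` below.
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"

# Install systemd-boot into the staged ESP (rootfs/boot) and stage the
# auto-enroll key material for it.
SYSTEMD_RELAX_ESP_CHECKS=1 "$systemd/usr/bin/bootctl" install --root ./rootfs --esp-path /boot \
  --secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem

# Install UKIs.
cp "patos_${version}.efi" rootfs/boot/EFI/Linux
cp patos_factory_reset.efi rootfs/boot/EFI/Linux

# Sign the boot loader and both UKIs in place. The versioned UKI name is
# derived from $version (not hard-coded) so the signing step tracks the copy
# above for every release.
sbsign="$systemd/usr/lib/systemd/systemd-sbsign"
for efi in \
  rootfs/boot/EFI/BOOT/BOOTX64.EFI \
  "rootfs/boot/EFI/Linux/patos_${version}.efi" \
  rootfs/boot/EFI/Linux/patos_factory_reset.efi; do
  "$sbsign" sign --certificate=./cert.pem --private-key=./key.pem \
    "$efi" --output="$efi"
done

# Loader config: short menu timeout and forced key enrollment. "force" enrolls
# the certificate without prompting on first boot even on physical hardware;
# sd-boot's "if-safe" is the cautious alternative.
printf '%s\n' "timeout 2" "secure-boot-enroll force" > rootfs/boot/loader/loader.conf

# Final partitioning: ESP from the staged rootfs/boot, root and verity copied
# block-for-block from the split images, keeping the UUIDs repart assigned so
# they match what the roothash/verity setup expects.
cat <<EOF > final.repart.d/10-esp.conf
[Partition]
Type=esp
Format=vfat
SizeMinBytes=160M
SizeMaxBytes=160M
CopyFiles=/rootfs/boot:/
EOF

cat <<EOF > final.repart.d/20-root.conf
[Partition]
Type=root
Label=root-${version}
CopyBlocks=/${rootPart}
UUID=${rootUuid}
SizeMinBytes=256M
SizeMaxBytes=256M
ReadOnly=1
EOF

cat <<EOF > final.repart.d/22-root-verity.conf
[Partition]
Type=root-verity
Label=verity-${version}
CopyBlocks=/${verityPart}
UUID=${verityUuid}
SizeMinBytes=10M
SizeMaxBytes=10M
ReadOnly=1
EOF

# Assemble the bootable image.
"$systemd/usr/bin/systemd-repart" \
  --no-pager \
  --empty=create \
  --size=auto \
  --definitions=./final.repart.d \
  --root="$out" \
  "patos-$version.raw" > final-repart-output.json

# The staged tree is no longer needed; the partition images and UKIs remain.
rm -rf rootfs

popd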