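#!/bin/bash
# One-shot Secure Boot key enrollment, run from the initramfs.
#
# Triggered by `patos.secureboot=true` on the kernel command line while the
# firmware is still in Setup Mode. It creates a fresh sbctl key set, signs every
# EFI binary on the ESP, enrolls the keys into the firmware and reboots so the
# machine comes back up in User Mode with Secure Boot enforcing.
#
# Exit status: 0 when there is nothing to do (no parameter, parameter not
# "true", or the firmware already left Setup Mode); non-zero when a step fails
# (set -e) — the ESP is unmounted by the EXIT trap and no reboot happens; on
# success the script never returns (reboot).
set -ex -uo pipefail

conf=/run/sbctl.yml
esp_mnt=/sysroot/boot
keydir="$esp_mnt/sbctl/keys"
guidfile="$esp_mnt/sbctl/GUID"

# Pick `patos.secureboot=<value>` out of the kernel command line.
# `read -ra` word-splits without glob expansion (a bare `$(< /proc/cmdline)`
# would expand `*` inside unrelated parameters). /proc/cmdline is a single
# newline-terminated line; `read` only returns 1 if that newline is missing,
# in which case we still proceed with whatever was read.
enroll=
cmdline=()
read -ra cmdline < /proc/cmdline || true
for opt in "${cmdline[@]}"; do
  case "$opt" in
    patos.secureboot=*)
      enroll=${opt#*=}
      ;;
  esac
done

if [[ -z "$enroll" ]]; then
  echo 'No patos.secureboot= parameter on the kernel command line' >&2
  exit 0
fi
if [[ "$enroll" != "true" ]]; then
  echo "patos.secureboot=$enroll: enrollment not requested" >&2
  exit 0
fi

# Only enroll while the firmware is in Setup Mode. Require an explicit "true":
# anything else (e.g. `null` because sbctl's JSON shape differs from what jq
# expects) is an unknown state, and we refuse to write firmware variables on
# the basis of an unknown state rather than treating "not false" as "true".
setup_mode=$(sbctl status --json | jq -r '.setup_mode')
case "$setup_mode" in
  false)
    echo 'Firmware is not in Setup Mode; nothing to enroll' >&2
    exit 0
    ;;
  true)
    ;;
  *)
    echo "Cannot determine Setup Mode from sbctl status (got '$setup_mode'); refusing to enroll" >&2
    exit 1
    ;;
esac

# sbctl reads its key directory and owner GUID from this config.
# NOTE(review): the key directory lives on the ESP, i.e. an unencrypted FAT
# filesystem readable by any OS or anyone with access to the disk. Whoever
# holds these private keys can sign binaries the firmware will trust. If that
# is not intended, keep the keys elsewhere or remove the private halves once
# signing and enrollment are done.
cat > "$conf" <<EOL
---
keydir: $keydir
guid: $guidfile
EOL

# blkid exits non-zero (and set -e aborts) when no device carries the label;
# the emptiness check guards against a bare `mount /sysroot/boot` that would
# otherwise fall back to whatever fstab says.
esp=$(blkid --label ESP)
if [[ -z "$esp" ]]; then
  echo 'No block device labelled ESP found' >&2
  exit 1
fi

mount "$esp" "$esp_mnt"
# Do not leave the ESP mounted at /sysroot/boot if any step below fails.
trap 'umount "$esp_mnt"' EXIT

sbctl --config "$conf" create-keys

# Sign every EFI binary *before* enrolling the keys: if signing fails we abort
# while the firmware is still in Setup Mode, so the unsigned binaries still
# boot. -iname is case-insensitive, so one pattern covers .efi and .EFI.
# NUL-delimited so unusual filenames cannot split; a failing `sign` aborts via
# set -e (the original `find -print0 | xargs -I {}` lacked `-0`, so xargs saw
# the NUL-separated list as a single argument).
while IFS= read -r -d '' efi; do
  sbctl --config "$conf" sign "$efi"
done < <(find "$esp_mnt" -type f -iname '*.efi' -print0)

# --yolo bypasses sbctl's own safety checks that otherwise refuse to enroll on
# firmware it considers unsafe; keep it only for hardware known to survive
# custom-key enrollment. Microsoft's vendor certificates are not enrolled by
# this command, so option ROMs signed only by the Microsoft UEFI CA may fail to
# load once Secure Boot is enforcing — confirm that is intended for the target.
sbctl --config "$conf" enroll-keys --yolo

# Success: unmount explicitly, drop the trap, and reboot into User Mode.
trap - EXIT
umount "$esp_mnt"
systemctl reboot -f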