#!/usr/bin/env bash
# 为构建出的 deb 注入 postinst：安装时自动写入 apt 源与公钥。
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"

DIST_ROOT="${DEB_DIST_ROOT:-$REPO_ROOT/dist/linux-deb}"
APT_SOURCE_URL="${APT_SOURCE_URL:-http://80.12.140.29:80/apt}"
APT_SOURCE_SUITE="${APT_SOURCE_SUITE:-v10}"
APT_SOURCE_COMPONENT="${APT_SOURCE_COMPONENT:-main}"
APT_SOURCE_LIST_FILE="${APT_SOURCE_LIST_FILE:-/etc/apt/sources.list.d/zyyun.list}"
APT_KEYRING_PATH="${APT_KEYRING_PATH:-/usr/share/keyrings/zyyun-archive-keyring.gpg}"
APT_BOOTSTRAP_KEY_IN_PKG="${APT_BOOTSTRAP_KEY_IN_PKG:-/usr/share/zyyun/bootstrap/zyyun-archive-keyring.gpg}"
GPG_KEY_ID="${APT_GPG_KEY_ID:-com.jgzy.product}"
AUTO_CREATE_GPG_KEY="${APT_GPG_AUTO_CREATE:-1}"

usage() {
  cat <<EOF
用法:
  $(basename "$0") [项目名...]

环境变量:
  DEB_DIST_ROOT          deb 目录（默认: dist/linux-deb）
  APT_GPG_KEY_ID         签名 Key（默认: com.jgzy.product）
  APT_GPG_AUTO_CREATE    1/0，缺失签名密钥时自动创建（默认: 1）
  APT_SOURCE_URL         更新源地址（默认: http://80.12.140.29:80/apt）
  APT_SOURCE_SUITE       默认: v10
  APT_SOURCE_COMPONENT   默认: main
EOF
}

if (($# > 0)); then
  case "$1" in
    --help|-h)
      usage
      exit 0
      ;;
  esac
fi

if [[ ! -d "$DIST_ROOT" ]]; then
  echo "错误: deb 产物目录不存在: $DIST_ROOT" >&2
  exit 1
fi

if ! command -v gpg >/dev/null 2>&1; then
  echo "错误: 未安装 gpg（注入公钥需要）" >&2
  exit 1
fi

if ! command -v dpkg-deb >/dev/null 2>&1; then
  echo "错误: 未安装 dpkg-deb（deb 重新打包需要）" >&2
  exit 1
fi

ensure_signing_key() {
  local key="$1"
  local quick_gen_cmd=(
    gpg --batch --pinentry-mode loopback --passphrase ""
    --quick-gen-key "$key" rsa4096 sign 5y
  )

  if gpg --list-secret-keys "$key" >/dev/null 2>&1; then
    return 0
  fi

  if [[ "$AUTO_CREATE_GPG_KEY" != "1" ]]; then
    echo "错误: 未找到签名私钥: $key" >&2
    echo "请先执行以下命令创建密钥，或设置 APT_GPG_AUTO_CREATE=1 自动创建：" >&2
    echo "  ${quick_gen_cmd[*]}" >&2
    exit 1
  fi

  echo "==> gpg key not found, generating: $key"
  "${quick_gen_cmd[@]}"
}

PROJECTS=()
if ((${#@} > 0)); then
  PROJECTS=("$@")
else
  shopt -s nullglob
  for p in "$DIST_ROOT"/*; do
    [[ -d "$p" ]] || continue
    PROJECTS+=( "$(basename "$p")" )
  done
  shopt -u nullglob
fi

if ((${#PROJECTS[@]} == 0)); then
  echo "错误: 未发现可注入项目（$DIST_ROOT 为空）" >&2
  exit 1
fi

ensure_signing_key "$GPG_KEY_ID"

tmp_key="$(mktemp)"
cleanup() {
  rm -f "$tmp_key"
}
trap cleanup EXIT

gpg --export "$GPG_KEY_ID" > "$tmp_key"

inject_one_deb() {
  local deb_file="$1"
  local tmp_dir
  tmp_dir="$(mktemp -d)"

  dpkg-deb -R "$deb_file" "$tmp_dir" >/dev/null

  mkdir -p "$tmp_dir/DEBIAN"
  mkdir -p "$tmp_dir$(dirname "$APT_BOOTSTRAP_KEY_IN_PKG")"
  install -m 0644 "$tmp_key" "$tmp_dir$APT_BOOTSTRAP_KEY_IN_PKG"

  cat > "$tmp_dir/DEBIAN/postinst" <<EOF
#!/bin/sh
set -e

KEY_SRC="$APT_BOOTSTRAP_KEY_IN_PKG"
KEY_DST="$APT_KEYRING_PATH"
LIST_FILE="$APT_SOURCE_LIST_FILE"
SOURCE_LINE='deb [signed-by=$APT_KEYRING_PATH] $APT_SOURCE_URL $APT_SOURCE_SUITE $APT_SOURCE_COMPONENT'

if [ ! -f "\$KEY_SRC" ]; then
  echo "warning: bootstrap key file missing: \$KEY_SRC" >&2
else
  install -d "\$(dirname "\$KEY_DST")"
  install -m 0644 "\$KEY_SRC" "\$KEY_DST"
fi

install -d "\$(dirname "\$LIST_FILE")"
printf '%s\n' "\$SOURCE_LINE" > "\$LIST_FILE"

if command -v apt-get >/dev/null 2>&1; then
  apt-get update || true
elif command -v apt >/dev/null 2>&1; then
  apt update || true
fi

exit 0
EOF

  chmod 0755 "$tmp_dir/DEBIAN/postinst"
  dpkg-deb -b "$tmp_dir" "$deb_file" >/dev/null
  rm -rf "$tmp_dir"
}

for project in "${PROJECTS[@]}"; do
  for arch in amd64 arm64; do
    shopt -s nullglob
    debs=( "$DIST_ROOT/$project/$arch"/*.deb )
    shopt -u nullglob
    if (( ${#debs[@]} == 0 )); then
      continue
    fi
    for deb_file in "${debs[@]}"; do
      echo "==> inject bootstrap into $(basename "$deb_file")"
      inject_one_deb "$deb_file"
    done
  done
done

echo "==> deb bootstrap 注入完成"
echo "    source: $APT_SOURCE_URL $APT_SOURCE_SUITE $APT_SOURCE_COMPONENT"
echo "    keyring: $APT_KEYRING_PATH"