#!/bin/sh

exec < /dev/console >/dev/console 2>&1
type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh

# get systemd credential
# https://systemd.io/CREDENTIALS/
get_credential()
{
	local var="${1:?}"
	local name="${2:?}"
	[ -n "$CREDENTIALS_DIRECTORY" ] || return 1
	[ -e "$CREDENTIALS_DIRECTORY/$name" ] || return 1
	read -r "$var" < "$CREDENTIALS_DIRECTORY/$name" || [ -n "${!var}" ]
}

get_credentials()
{
	local var="${1:?}"
	local name="${2:?}"
	[ -n "$CREDENTIALS_DIRECTORY" ] || return 1
	[ -e "$CREDENTIALS_DIRECTORY/$name" ] || return 1
	readarray -t "$var" < "$CREDENTIALS_DIRECTORY/$name" || [ -n "${!var}" ]
}

clean_growpart_flag()
{
	local dev="$1"
	local fstab_dev real_dev
	for mnt in $(findmnt --tab-file /sysroot/etc/fstab --options x-growpart.grow --output TARGET --noheadings); do
		fstab_dev="$(findmnt --tab-file /sysroot/etc/fstab --target "$mnt" --output SOURCE --noheadings)"
		real_dev="$(findmnt --tab-file /sysroot/etc/fstab --target "$mnt" --evaluate --real --output SOURCE --noheadings)"
		[ "$dev" = "$real_dev" ] && break
		fstab_dev=
	done
	if [ -n "$fstab_dev" ]; then
		mount -o remount,rw /sysroot
		sed -i -E "/^${fstab_dev}/s/,x-growpart.grow|x-growpart.grow,//g" /sysroot/etc/fstab
		mount -o remount,ro /sysroot
	fi
}

encrypt=
if get_credential encrypt disk-encryption-tool-dracut.encrypt && [ "$encrypt" = "no" ]; then
	exit 0
fi

# check whether encryption was explicitly turned off
if ! getargbool 1 rd.encrypt; then
	exit 0
fi

# XXX: this is so dirty
systemctl start sysroot.mount
mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var
if [ ! -e /sysroot/var/lib/YaST2/reconfig_system ] && [ "$encrypt" != "force" ]; then
	echo "system already configured, no encryption"
	umount /sysroot/var
	exit 0
fi
umount /sysroot/var

# silence systemd
kill -SIGRTMIN+21 1
inhibitor=
if [ "$encrypt" != "force" ]; then
	echo -ne '\n\n\a'
	read -n1 -s -r -t 10 -p "*** Press ESC to prevent encrypting the disk" inhibitor
	echo
fi
if [ "$inhibitor" != $'\e' ]; then
	root_device="$(findmnt -nvo SOURCE /sysroot)"
	root_cr_name="cr_root"
	root_options="auto"
	if get_credentials partitions disk-encryption-tool-dracut.partitions; then
		for line in "${partitions[@]}"; do
			read -r cr_name device options <<<"$line"
			[ "$device" = "$root_device" ] && root_cr_name="$cr_name" && root_options="$options" && continue
			echo "Encrypt $device"
			/usr/bin/disk-encryption-tool --keyring cryptenroll --options "${options:-auto}" --root /sysroot "$device" "$cr_name" || die "Encryption failed"
			clean_growpart_flag "$device"
		done
	fi
	if [ "$root_options" != "skip" ]; then
		echo "Encrypt /sysroot"
		/usr/bin/disk-encryption-tool --keyring cryptenroll --options "${root_options:-auto}" "/sysroot" "$root_cr_name" || die "Encryption failed"
		clean_growpart_flag "$root_device"
	fi
fi
# turn messages on again
kill -SIGRTMIN+20 1
