#!/bin/sh

: "${HOSTNAME:=$(hostname -f || uname -n)}"
: "${DESTDIR=/host}"
: "${KEYSERV_URL:=https://keyserv.pyrocufflink.blue}"
: "${SSH_CERT:=${DESTDIR}/etc/ssh/ssh_host_ed25519_key-cert.pub}"
: "${SSH_KEY:=${SSH_CERT%-cert.pub}}"
: "${GIT_URL:=https://git.pyrocufflink.net/infra/cfg.git}"
: "${GIT_BRANCH:=master}"

printf 'Applying configuration policy for %s ...\n' "${HOSTNAME}"

cd "$(mktemp -d)" || exit

git clone --depth 1 "${GIT_URL}" -b "${GIT_BRANCH}" . || exit

if [ -f host/"${HOSTNAME}".pre.sh ]; then
    . host/"${HOSTNAME}".pre.sh
fi

curl -fsSL \
    "${KEYSERV_URL}"/keys \
    -H "Authorization: $(cat "${SSH_CERT}")" \
    -o keys.age
age -d -i "${SSH_KEY}" -o keys.txt keys.age

if [ -f host/"${HOSTNAME}".cue ] && [ -f instructions/"${HOSTNAME}".cue ]; then
    cue export host/"${HOSTNAME}".cue -o values.json || exit
    cue export instructions/"${HOSTNAME}".cue -o instructions.json || exit
    tmpl instructions.json values.json -d "${DESTDIR}" || exit
fi

if [ -f host/"${HOSTNAME}".post.sh ]; then
    . host/"${HOSTNAME}".post.sh
fi