#! /bin/sh
#
# Tell the user that the machine is ready to slurp the key for full disk
# encryption.
#
# Copyright 2013 Guilhem Moulin <guilhem@fripost.org>
#
# Licensed under the GNU GPL version 3 or higher.

set -ue

cd /target/etc/

chroot /target/ service ssh start; sleep 1
sed -i 's/^DenyUsers \*$/AllowGroups ssh/' ./ssh/sshd_config

# Busybox's sed doesn't support address '0,/../'
user="$(sed -rn 's/^([^:]*):[^:]*:1000:.*/\1/p' ./passwd)"
home="/target/$(sed -rn 's/^[^:]*:[^:]*:1000:[^:]*:[^:]*:([^:]*):.*/\1/p' ./passwd)"

. /usr/share/debconf/confmodule

ipv4="$(ip addr show eth0 | sed -nr 's/^\s+inet\s([0-9.]{4,32}).*/\1/p')"
template=$(mktemp)

cat > "$template" <<EOF
Template: post-install/title
Type: note
Description: Installation complete

Template: post-install/text
Type: note
Description: Press 'continue' to reboot
 After the reboot, you will be able to log in to this new Debian GNU/Linux
 system:
 .
     ssh -p 22 -l $user $ipv4
 .
 To defeat MiTM-attacks, please ensure that the server fingerprint matches
 .
     $(ssh-keygen -lf ./ssh/ssh_host_rsa_key)
 .
 Key(s) that are currently granted access have the following fingerprint:
 .
EOF
while read pk; do
	# ssh-keygen can't read from STDIN, and ash doesn't have the '<<<'
	# construct, so we save each pubkey in a temporary file
	pkf=$(mktemp)
	echo "$pk" > "$pkf"
	echo "   - $(ssh-keygen -lf $pkf)" >> "$template"
	rm "$pkf"
done < "$home/.ssh/authorized_keys"
# TODO: key granted access to the initramfs
# TODO: copy the previous keys?

debconf-loadtemplate post-install "$template"
db_settitle post-install/title
db_input critical post-install/text
db_go