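#!/usr/bin/env bash
# SPDX-FileCopyrightText: Daniel Pätzold
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# Fetch the IPA vault entry that holds this PC's file-encryption key and mount
# the gocryptfs-protected data directory in the user's home.
#
#   - If the IPA server cannot be reached (e.g. no network) the user is asked to
#     type the key that was shown at installation time.  ATTENTION: that key
#     MUST NOT be stored in plaintext on this PC.
#   - If no vault entry exists yet, a fresh random key is generated, archived in
#     the vault and shown ONCE on the terminal so the user can write it down
#     (it is the only way to recover the data if the vault becomes unreachable).
#
# Required environment (normally provided by setup_system.inc.sh):
#   DECRYPTEDDATADIR  mount point for the cleartext view
#   ENCRYPTEDDATADIR  directory holding the gocryptfs ciphertext
#   IPAVAULTUSE       "false" disables encryption entirely (plain directory)
#   SERVERFQDN_IPA    IPA server host name
#   IPAVAULTNAME      name of the vault entry holding the key
#   HOSTNM            (optional) host name used in the vault description
#   XDG_RUNTIME_DIR   per-user runtime dir; the key is staged there briefly
#
# Exit status: 0 mounted (or encryption disabled by configuration),
#              1 connectivity / setup / mount error,
#              2 no usable key obtained.
#
# This script relies on bash-only features (read -s/-p/-n), hence the bash
# shebang instead of the former sh one.

#source $(dirname "$0")/setup_system.inc.sh

set -u

# Refuse to run with the core paths unset: an empty DECRYPTEDDATADIR would turn
# the mount check into "grep /proc/mounts" reading stdin, and an empty
# XDG_RUNTIME_DIR would stage the key as "/IPAVAULTKEY".
: "${DECRYPTEDDATADIR:?DECRYPTEDDATADIR must be set}"
: "${ENCRYPTEDDATADIR:?ENCRYPTEDDATADIR must be set}"
: "${XDG_RUNTIME_DIR:?XDG_RUNTIME_DIR must be set}"

# The key is staged in XDG_RUNTIME_DIR and handed to gocryptfs via -passfile,
# so the key material itself never appears on a command line (ps/journal).
PASSFILE="${XDG_RUNTIME_DIR}/IPAVAULTKEY"
GOCRYPTFS_CONF="${HOME}/.config/gocryptfs/gocryptfs.conf"
# Seconds to wait for the FUSE mount to show up after the unit was started.
MOUNT_WAIT_SECS=${MOUNT_WAIT_SECS:-10}

#######################################
# Test whether a path is a current mount point (exact match, not a substring
# match, so /home/u/data does not count as mounted because /home/u/data2 is).
# Arguments: $1 - mount point
# Returns:   0 if mounted, 1 otherwise
#######################################
is_mounted() {
  # /proc/mounts escapes spaces in paths as \040; compare via ENVIRON because
  # awk -v would undo that escape sequence.
  MP="${1// /\\040}" awk '$2 == ENVIRON["MP"] { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

#######################################
# Write key material to the passfile with owner-only permissions.
# Arguments: $1 - key (single line)
# Outputs:   creates/overwrites ${PASSFILE} with mode 0600
#######################################
write_passfile() {
  ( umask 077; printf '%s\n' "$1" > "${PASSFILE}" )
}

# Remove the staged key on every exit path (including CTRL+C at a prompt).
# The normal path removes it explicitly once gocryptfs has read it; this is
# only a safety net.
cleanup() { rm -f -- "${PASSFILE}"; }
trap cleanup EXIT

#Check if Directory is already mounted
if is_mounted "${DECRYPTEDDATADIR}"; then
  #Directory is already mounted
  echo "It looks like the directory is already mounted. Not mounting again."
  echo "If you want to unmount it, use: fusermount -u ${DECRYPTEDDATADIR}"
  exit 0
fi

if [ "${IPAVAULTUSE:-}" = "false" ]; then
  #No encryption configured, will warn, but will continue
  echo
  mkdir -p -- "${DECRYPTEDDATADIR}"
  RETNO=$?
  if [ "${RETNO}" -eq 0 ]; then
    echo "Private Directory set to ${DECRYPTEDDATADIR}"
    echo "Warning: Encryption is turned off by configuration (IPAVAULTUSE is set to false)!"
    echo "This makes your private data readable by anyone having access to the harddrive. Will continue, but this is not safe!"
  else
    echo "Error setting up Directory ${DECRYPTEDDATADIR}" >&2
  fi
  exit "${RETNO}"
fi

# Only needed on the encrypted path.
: "${SERVERFQDN_IPA:?SERVERFQDN_IPA must be set}"
: "${IPAVAULTNAME:?IPAVAULTNAME must be set}"

ENCKEY=""

#Test for connectivity. curl verifies the TLS certificate, so a server whose CA
#is not trusted on this PC is treated as offline; --max-time keeps a
#black-holed network from hanging the login indefinitely.
if ! curl -I --max-time 10 "https://${SERVERFQDN_IPA}/ipa/session/json" >/dev/null 2>&1; then
  # Server is offline
  if [ -d "${ENCRYPTEDDATADIR}" ]; then
    echo "The encrypted Directory ${ENCRYPTEDDATADIR} exists."
    # -s: do not echo the key to the terminal; -r: keep backslashes literal.
    read -r -s -p "To mount it with your Key, that you noticed when installing that PC, enter the Key now or press CTRL+C to abort: " ENCKEY
    echo
    write_passfile "${ENCKEY}"
  else
    echo "The Server ${SERVERFQDN_IPA} is offline and no Directory ${ENCRYPTEDDATADIR} exists. Cannot continue." >&2
    echo "Please check your Connection/Server and retry." >&2
    exit 1
  fi
else
  # Server is online
  #Get the Token from IPA
  echo "Getting the Vault ${IPAVAULTNAME}"
  # Pre-create the passfile with mode 0600 so the retrieved key is never
  # world-readable, not even briefly; chmod again afterwards in case the tool
  # replaced the file instead of truncating it.
  write_passfile ""
  if ipa vault-retrieve "${IPAVAULTNAME}" --out "${PASSFILE}" >/dev/null; then
    chmod 600 -- "${PASSFILE}"
    ENCKEY=$(cat "${PASSFILE}")
  else
    # NOTE: vault-retrieve also fails on auth/permission problems, not only
    # when the vault is missing; in that case vault-add below fails as well
    # and the script bails out without touching anything.
    echo "No Key found. Will try to Setup a new one."
    if [ -f "${GOCRYPTFS_CONF}" ]; then
      # An encrypted directory already exists on this PC: a fresh random key
      # would not open it and the user would be told a useless key. Ask for
      # the existing key and archive that one instead.
      echo "This PC already has an encrypted Directory (${GOCRYPTFS_CONF} exists), so no new Key is generated."
      read -r -s -p "Enter the existing Key to store it in the Vault ${IPAVAULTNAME}, or press CTRL+C to abort: " ENCKEY
      echo
    else
      ENCKEY=$(openssl rand -base64 24)
    fi
    write_passfile "${ENCKEY}"
    if ipa vault-add "${IPAVAULTNAME}" --desc "Key for Fileencrytption of ${HOSTNM:-${HOSTNAME:-unknown}}" --type=standard \
       && ipa vault-archive "${IPAVAULTNAME}" --in "${PASSFILE}"; then
      # Deliberately shown on the terminal once: without this key the data is
      # lost if the vault is ever unreachable. Users should clear scrollback.
      echo
      echo "Your Key has been sucessfully stored to the Vault ${IPAVAULTNAME}"
      echo
      echo "The Value is: ${ENCKEY}"
      echo
      echo "PLEASE NOTE THAT KEY IN A SECRET PLACE NOW !!!"
      echo
      echo "Without that Key and in case, that the IPA- Vault is not accassible any more, all private Data will be lost!"
      echo
      read -n 1 -s -r -p "Press any key AFTER YOU WROTE YOUR KEY DOWN to continue"
      echo
    else
      # CAVEAT: if vault-add succeeded but vault-archive failed, an empty vault
      # entry is left behind and the next run fails at vault-add; it has to be
      # removed or repaired on the IPA side by hand.
      echo "Failed to create the Vault. Please check the Errors and try again." >&2
      ENCKEY=""
    fi
  fi
fi

if [ -z "${ENCKEY}" ]; then
  echo "Some Error while fetching your IPA Vault Key. This should not happen. Quit." >&2
  rm -f -- "${PASSFILE}"
  exit 2
fi

echo "Sucessfuly obtained IPA vault fileencryption key."

#Setup and use encrypted filesystem
# The mount point must exist for every mount, so create the directories
# unconditionally; -init only runs when no gocryptfs config exists yet.
if ! mkdir -p -- "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" "${HOME}/.config/gocryptfs"; then
  echo "Error creating Directories for the encrypted filesystem." >&2
  exit 1
fi
if [ ! -f "${GOCRYPTFS_CONF}" ]; then
  #Key has been obtained, but no encrypted filesystem was created until now
  echo "First Setup of encryption: Creating new Directories now"
  # -allow_other exposes the mount to other local users (needs user_allow_other
  # in /etc/fuse.conf); kept because the existing setup depends on it.
  if ! gocryptfs -init -allow_other -passfile "${PASSFILE}" -config "${GOCRYPTFS_CONF}" "${ENCRYPTEDDATADIR}" >/dev/null; then
    echo "gocryptfs -init failed for ${ENCRYPTEDDATADIR}. Not mounting." >&2
    exit 1
  fi
fi

# KillMode=none is kept from the original setup; newer systemd versions warn
# that it is deprecated, so this may need revisiting.
systemd-run --user --unit=gocryptfs-home \
  --property="ExecStop=/usr/bin/fusermount -u ${DECRYPTEDDATADIR}" \
  --property=KillMode=none \
  --property=TimeoutStopSec=30 \
  gocryptfs -fg -noprealloc -allow_other -passfile "${PASSFILE}" -config "${GOCRYPTFS_CONF}" "${ENCRYPTEDDATADIR}" "${DECRYPTEDDATADIR}" >/dev/null
RETVAL=$?

# systemd-run returns as soon as the unit is started; gocryptfs reads the
# passfile asynchronously, so wait for the mount before removing the key.
waited=0
while [ "${waited}" -lt "${MOUNT_WAIT_SECS}" ] && ! is_mounted "${DECRYPTEDDATADIR}"; do
  sleep 1
  waited=$((waited + 1))
done
rm -f -- "${PASSFILE}"

# A started unit is not a successful mount (e.g. wrong key makes gocryptfs
# exit after start): report failure instead of a false success.
if [ "${RETVAL}" -eq 0 ] && ! is_mounted "${DECRYPTEDDATADIR}"; then
  echo "The unit gocryptfs-home was started but ${DECRYPTEDDATADIR} did not appear within ${MOUNT_WAIT_SECS}s." >&2
  echo "Check: journalctl --user -u gocryptfs-home" >&2
  RETVAL=1
fi

if [ "${RETVAL}" -eq 0 ]; then
  echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
  exit 0
else
  echo "Errorcode ${RETVAL}" >&2
  exit 1
fi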