#!/bin/bash

## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

set -x
set -e
set -o pipefail

## Live ISO:
##   We don't add growfs support for ISO builds. This makes no sense for a
##   live ISO and wouldn't be effective on a system installed by a live ISO.
##   systemd-repart is disabled for live-build builds because it does not
##   work on ISO-based installations. This is because the Kicksecure ISO
##   uses an MBR partition table on BIOS systems; the version of Calamares
##   in bookworm-backports is not capable enough to use GPT on BIOS systems
##   as we would like. systemd-repart requires a GPT partition table. It
##   does not work on MBR systems. Thus, we do not install the systemd-repart
##   configuration files in this scenario.

## Qubes Generally:
##   We also don't enable it for Qubes systems, as Qubes has its own
##   filesystem resize tooling.
##   We also don't enable systemd-repart on Qubes OS templates, since Qubes
##   has its own partition resize tooling.

## Distribution morphing:
##   chroot-scripts are, at the time of writing, not executed during
##   distribution morphing.
##   In case of distribution morphing, we want to skip this. This is because
##   we do not know the partition layout and do not want to touch it.

## Existing builds:
##   We don't enable it on already-installed systems of any kind (VM,
##   physical), because it requires partition table tweaks to actually work
##   and we don't want to do those to people's existing systems to avoid
##   data loss risks.

## New VM builds:
##   We want to enable this for new VM builds only.

## We cannot exclude systems with an existing build_version_file, because
## dist-base-files postinst that creates build_version_file rusn before this
## post chroot-script.
# build_version_file="/var/lib/dist-base-files/build_version"
# if [ -f "$build_version_file" ]; then
#   true "INFO: Skipping $0 because build_version_file $build_version_file already exists."
#   exit 0
# fi

if [ -f '/var/lib/dist-base-files/live_build' ]; then
  true "INFO: Skipping $0 because file /var/lib/dist-base-files/live_build exists."
  exit 0
fi
if [ -f '/usr/share/qubes/marker-vm' ]; then
  true "INFO: Skipping $0 because Qubes has been detected."
  exit 0
fi

temp1="$(mktemp)"
temp2="$(mktemp)"

trap exit_handler EXIT

exit_handler() {
  safe-rm --force --verbose -- "$temp1"
  safe-rm --force --verbose -- "$temp2"
}

true "$0: fstab before:"
cat -- /etc/fstab | tee -- "$temp1"

## Add an `x-systemd.growfs` parameter to the mount options for the root
## partition. This will make systemd grow the filesystem inside in the event
## systemd-repart grew the partition during bootup.
sed -i 's/\(.*by-uuid.*defaults[^ ]*\)/\1,x-systemd.growfs/' /etc/fstab

true "$0: fstab after:"
cat -- /etc/fstab | tee -- "$temp2"

true "$0: fstab diff:"
if diff -- "$temp1" "$temp2" ; then
  true "$0: /etc/fstab has no difference."
else
  true "$0: /etc/fstab changes made."
fi

## NOTE: This is also done in dist-base-files.postinst.
## dist-base-files postinst will only run
## /usr/libexec/derivative-base-files/repart-enable
## in case file /var/lib/kicksecure/status-files/repart-version-1 exists.
/usr/libexec/derivative-base-files/repart-enable

## NOTE: /usr/libexec/derivative-base-files/repart-enable does not re-generate
##       the initramfs using "dracut -f".

mkdir --parents /var/lib/kicksecure/status-files
## Doing this since 17.3.6.5 and above.
touch /var/lib/kicksecure/status-files/repart-version-1
