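#!/usr/bin/env bash
#
# firstboot: one-shot Secure Boot / TPM2 setup run from firstboot.service.
#
# Configuration is sourced from /root/install/.env, i.e. executed as root, so
# that file must be trusted (ownership and permissions are checked below).
# Variables read:
#   SECUREBOOT_ENABLE   "true" to create sbctl keys and sign the boot binaries
#   SECUREBOOT_KEY_DIR  directory created (mode 0700) and cd'd into before sbctl runs
#   TPM2_ENABLE         "true" to re-enroll the LUKS volume against the TPM2
#   LUKS_DEVICE         optional; LUKS device to enroll (default: the partition
#                       labelled "Linux LUKS", resolved below)
#
# Side effects: creates signing keys, rewrites the .efi files under /boot/EFI,
# changes LUKS key slots, and disables firstboot.service on success.
# Exit status: non-zero on a fatal step; the service then stays enabled and the
# script re-runs on the next boot.
#
# NOTE(review): this script signs binaries but never runs 'sbctl enroll-keys';
# enrolling the keys in firmware (which is what actually enforces Secure Boot)
# is presumably done elsewhere — confirm.
set -euo pipefail

log()  { printf '[firstboot] %s\n' "$*"; }
warn() { printf '[firstboot] WARNING: %s\n' "$*" >&2; }
die()  { printf '[firstboot] ERROR: %s\n' "$*" >&2; exit 1; }

# The .env file is executed with root privileges. Refuse it unless it is owned
# by us and not writable by group/others; otherwise anyone who can write it
# gets code execution as root at boot. A missing file is tolerated (as before).
env_file=/root/install/.env
if [[ -e "$env_file" ]]; then
  [[ -O "$env_file" ]] || die "$env_file is not owned by $(id -un); refusing to source it"
  if [[ -n "$(find -L "$env_file" -maxdepth 0 -perm /g+w,o+w)" ]]; then
    die "$env_file is group/world-writable; refusing to source it"
  fi
  # shellcheck source=/dev/null
  source "$env_file"
fi

# Defaults so that an absent or partial .env does not trip 'set -u' before the
# service is disabled (which would leave firstboot failing on every boot).
SECUREBOOT_ENABLE="${SECUREBOOT_ENABLE:-false}"
TPM2_ENABLE="${TPM2_ENABLE:-false}"

log "Starting Secure Boot setup"

if [[ "${SECUREBOOT_ENABLE}" == true ]]; then
  : "${SECUREBOOT_KEY_DIR:?SECUREBOOT_KEY_DIR must be set when SECUREBOOT_ENABLE=true}"
  # Private signing keys are expected here: keep the directory root-only.
  # NOTE(review): sbctl keeps its own database/key path and does not read the
  # cwd; confirm SECUREBOOT_KEY_DIR matches where the installed sbctl stores keys.
  mkdir -p -- "${SECUREBOOT_KEY_DIR}"
  chmod 0700 -- "${SECUREBOOT_KEY_DIR}"
  cd -- "${SECUREBOOT_KEY_DIR}" || die "cannot cd to ${SECUREBOOT_KEY_DIR}"

  # 'sbctl status' serves as the "already initialised" probe, as before.
  # NOTE(review): if this sbctl version exits 0 even when no keys exist, key
  # creation is silently skipped — confirm, or probe the key files directly.
  if ! sbctl status &>/dev/null; then
    log "Initialising sbctl and creating keys"
    sbctl create-keys
  fi

  log "Signing boot binaries"
  # nullglob: a directory with no .efi files yields no iterations instead of a
  # literal '*.efi' argument. Each signing failure is reported rather than
  # swallowed; the loop continues so one bad binary does not hide the others,
  # and the verify step below remains the gate.
  shopt -s nullglob
  sign_failures=0
  for efi in /boot/EFI/Linux/*.efi /boot/EFI/BOOT/*.efi; do
    if ! sbctl sign -s "$efi"; then
      warn "failed to sign $efi"
      sign_failures=$((sign_failures + 1))
    fi
  done
  shopt -u nullglob
  (( sign_failures == 0 )) || warn "$sign_failures boot binaries left unsigned"

  log "Verifying signatures"
  # Fatal on failure (set -e), as in the original: do not disable the service
  # and leave unsigned binaries behind. Assumed to exit non-zero when a tracked
  # file is unsigned — confirm for the installed sbctl version.
  sbctl verify
fi

if [[ "${TPM2_ENABLE}" == true ]]; then
  log "Re-enrolling TPM2 after Secure Boot enabled"
  # udev encodes the space in a partition label as '\x20' in the by-partlabel
  # symlink; the plain-space spelling is tried second for setups that differ.
  luks_dev="${LUKS_DEVICE:-}"
  if [[ -z "$luks_dev" ]]; then
    for candidate in '/dev/disk/by-partlabel/Linux\x20LUKS' '/dev/disk/by-partlabel/Linux LUKS'; do
      if [[ -e "$candidate" ]]; then
        luks_dev="$candidate"
        break
      fi
    done
  fi
  if [[ -z "$luks_dev" || ! -e "$luks_dev" ]]; then
    warn "LUKS device not found (set LUKS_DEVICE); skipping TPM2 enrollment"
  else
    # --wipe-slot=tpm2 removes the previous TPM2 binding (made against the
    # pre-Secure-Boot PCR state) so a stale slot cannot keep unlocking the
    # volume; systemd-cryptenroll applies the wipe only after the new
    # enrollment succeeds, so a failure leaves the old slot intact.
    # NOTE(review): adding a slot needs an existing passphrase; in a
    # non-interactive unit that must come via PASSWORD/--unlock-key-file or
    # this step fails — confirm how the installer supplies it.
    # Best-effort as before: failure is logged but does not abort the script.
    rv=0
    systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto "$luks_dev" || rv=$?
    if (( rv != 0 )); then
      warn "TPM2 enrollment of $luks_dev failed (status $rv); existing key slots unchanged"
    fi
  fi
fi

log "Disabling firstboot service"
systemctl disable firstboot.service
log "Secure boot setup complete"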