#!/usr/bin/env sh
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with This file.  If not, see <http://www.gnu.org/licenses/>.

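# -e: abort on the first failing command; -u: treat an unset variable
# as an error instead of silently expanding it to an empty string
# (e.g. a missing positional parameter reaching a sub-command).
set -eu

progname="guix-hook"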

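# Print the command synopsis and the list of sub-commands to stdout.
# Arguments: $1 - program name shown in the synopsis (callers pass the
#                 global ${progname}).
# The parameter is used directly rather than being copied into the
# global "progname": POSIX sh has no "local", so the old assignment
# silently overwrote the script-wide variable on every call.
usage()
{
    printf "Usage: %s <COMMAND>\n\n" "$1"

    # Quoted delimiter: the help text is literal, nothing is expanded.
    cat << 'EOF'
Available commands:
    help: print this help
    add_build_users: add build users, required for running the guix daemon as root.
    remove_build_users: remove build users, required for running the guix daemon as root.
    fix_etc_guix_acl_permissions: make /etc/guix/acl accessible for reading.
    enable_substitutes: enable substitutes.
    guix_1_5_0_show_notice: show instructions to setup the Guix daemon with Guix 1.5.0.
EOF
}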

# We want /etc/guix/acl to be readable by everybody to enable users to
# be able to find out if a given substitute is enabled or not. This is
# in this hook instead of the PKGBUILD as we need to fix the
# permissions, even if a previous /etc/guix/acl file is already there.
# Make /etc/guix/acl world-readable.
# Returns: chmod's status; a missing file fails the command (and, with
#          set -e, the script).
guix_fix_etc_guix_acl_permissions()
{
    # Mode taken from PureOS: owner read/write, group and others
    # read-only. Trisquel and guix-install.sh leave the file without
    # user/other read permission, while on Guix System it is readable
    # but has no write permission at all.
    chmod 0644 -- /etc/guix/acl
}

# Distributions like PureOS or Trisquel do enable substitute servers
# by default.
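# Authorize the ci.guix.gnu.org and bordeaux.guix.gnu.org substitute
# server keys shipped in /usr/share/guix, skipping each one whose
# fingerprint is already listed in /etc/guix/acl.
# Returns: 0 when both keys are present or were authorized; otherwise
#          the failing command's status (set -e then aborts the hook).
guix_enable_substitutes()
{
    guix_authorize_substitute_key /etc/guix/acl \
        '#8D156F295D24B0D9A86FA5741A840FF2D24F60F7B6C4134814AD55625971B394#' \
        /usr/share/guix/ci.guix.gnu.org.pub

    guix_authorize_substitute_key /etc/guix/acl \
        '#7D602902D3A2DBB83F8A0FB98602A754C5493B0B778C8D1DD4E0F41DE14DE34F#' \
        /usr/share/guix/bordeaux.guix.gnu.org.pub
}

# Authorize one substitute server key unless its fingerprint is already
# in the ACL (the two keys above used to repeat this grep/authorize pair).
# Arguments: $1 - ACL file to search (a missing file counts as "absent")
#            $2 - key fingerprint exactly as it appears in the ACL
#            $3 - public key file fed to "guix archive --authorize"
# Returns:   0 if the key was already present or was authorized,
#            non-zero if "guix archive" fails or $3 cannot be read.
guix_authorize_substitute_key()
{
    # -F: the fingerprint is a fixed string, never a regex; "--" keeps a
    # fingerprint or path starting with "-" from being read as an option.
    grep -qF -- "$2" "$1" \
        || guix archive --authorize < "$3"
}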

# Adapted from the GNU Guix manual, in the section 2.2.1 ("Build
# Environment Setup").
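# Create the guixbuild group and the ten guixbuilder01..10 system
# accounts the root-run daemon uses for isolated builds.
# Returns: non-zero (aborting the hook under set -e) if nologin cannot
#          be found, or if groupadd/useradd fails, e.g. because the
#          group or an account already exists.
guix_add_build_users_for_root_daemon()
{
    # Resolve the no-login shell once, before creating anything.
    # "command -v" is POSIX, unlike "which", and a failed lookup now
    # aborts the function (set -e). The previous "$(which nologin)"
    # expanded to an empty -s argument on a system without nologin,
    # leaving the accounts' shell field blank, which login programs
    # commonly treat as /bin/sh.
    nologin_shell=$(command -v nologin)

    groupadd --system guixbuild
    for i in $(seq -w 1 10); do
        useradd -g guixbuild -G guixbuild \
                -d /var/empty -s "${nologin_shell}" \
                -c "Guix build user ${i}" --system \
                "guixbuilder${i}"
    done
}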

# Undo guix_add_build_users_for_root_daemon: delete guixbuilder01..10,
# then the guixbuild group. Stops (set -e) at the first account that
# cannot be removed.
guix_remove_build_users_for_root_daemon()
{
    i=1
    while [ "$i" -le 10 ]; do
        # Two-digit, zero-padded suffix, matching the names "seq -w"
        # produced when the accounts were created.
        userdel "guixbuilder$(printf '%02d' "$i")"
        i=$((i + 1))
    done
    groupdel guixbuild
}

# In "Migrating to the Unprivileged Daemon" in the GNU Guix manual, in
# the section 2.2.1 ("Build Environment Setup"), we already have the
# useradd command. Because of that, the migration has to be either
# fully manual or fully automatic. We keep it manual for now because,
# at the time of writing, the daemon doesn't start after updating Guix
# to 1.5.0.
# Print the post-upgrade notice for Guix 1.5.0 to stdout: how to
# migrate to the unprivileged daemon and which of the two daemon
# services to enable.
guix_1_5_0_show_notice()
{
    # Quoted delimiter: the notice is emitted verbatim, with no
    # parameter or command expansion.
    cat << 'EOF'

The guix-daemon is now running as a separate unprivileged user.

If you just upgraded the Parabola Guix package from 1.4.0 (or earlier)
to 1.5.0, you need to run the official migration instructions[1]
otherwise the Guix daemon will not start. If instead you installed
Guix for the first time you also need to run some commands[2] to allow
the daemon to start.

Once this is done, two alternative services for the daemon are
available:

- guix-daemon: it will use the daemon from the Guix package.
- guix-daemon-latest: After running 'sudo -i guix pull' and restarting
  the guix-daemon-latest services, it will use the updated Guix
  daemon. This enables to have security updates directly from Guix.

For instance to use the guix-daemon from Parabola you could run these
two commands:

    systemctl start guix-daemon.service
    systemctl enable guix-daemon.service

[1]https://guix.gnu.org/manual/1.5.0/en/html_node/Build-Environment-Setup.html#Migrating-to-the-Unprivileged-Daemon
[2]https://guix.gnu.org/manual/1.5.0/en/html_node/Build-Environment-Setup.html#Daemon-Running-Without-Privileges

EOF
}

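# Entry point: exactly one sub-command is expected. Diagnostics for a
# wrong invocation go to stderr and exit with EX_USAGE (64, from
# /usr/include/sysexits.h); "help" prints the same text to stdout.
if [ $# -ne 1 ]; then
    usage "${progname}" >&2
    exit 64 # EX_USAGE
fi

case "$1" in
    help)
        usage "${progname}"
        exit 0 ;;

    add_build_users)
        guix_add_build_users_for_root_daemon ;;

    remove_build_users)
        guix_remove_build_users_for_root_daemon ;;

    fix_etc_guix_acl_permissions)
        guix_fix_etc_guix_acl_permissions ;;

    enable_substitutes)
        guix_enable_substitutes ;;

    guix_1_5_0_show_notice)
        guix_1_5_0_show_notice ;;

    *)
        # printf rather than echo: the command name is caller-supplied
        # and dash's echo interprets backslash escapes in its argument.
        printf "Invalid command '%s'.\n" "$1" >&2
        usage "${progname}" >&2
        exit 64 # EX_USAGE
        ;;
esac

exit 0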
