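#!/usr/bin/env dash
# Deploy system-level configs from etc/ to /etc/.
# chezmoi re-runs this script whenever any file under etc/ changes.
# etc/ content hash: {{ output "sh" "-c" (printf "cd %q && find etc -type f ! -name .ignore -exec sha256sum {} + | LC_ALL=C sort" .chezmoi.sourceDir) | sha256sum }}
# luks root uuid: {{ output "lsblk" "-dno" "UUID" (printf "/dev/%s" .luksRootPartition) | trim }}
#
# Trust boundary: every regular file under etc/ in the source directory is
# copied into /etc as root:root, including the sudo-rs policy (0440) and the
# systemd system-sleep hooks (0755, executable). Write access to the source
# directory is therefore equivalent to root on this host: keep the checkout
# writable by its owner only and review etc/ changes before applying them.
set -eu

cd "$CHEZMOI_SOURCE_DIR"

# Print the install mode required by a destination path.
# $1 - absolute destination. Keyed on the destination rather than the source
# name so a templated file (*.tmpl) gets the same mode as its plain twin.
mode_for() {
  case "$1" in
    /etc/sudoers-rs) printf '%s\n' 0440 ;;
    /etc/systemd/system-sleep/*) printf '%s\n' 0755 ;;
    *) printf '%s\n' 0644 ;;
  esac
}

# Syntax-check a candidate sudo-rs policy before it replaces the live one.
# $1 - candidate file. Returns non-zero when the checker rejects the file.
# Without visudo-rs on PATH the file is installed unchecked, as before, but
# a warning is printed so the gap is visible.
check_sudoers() {
  if command -v visudo-rs >/dev/null 2>&1; then
    sudo visudo-rs -c -f "$1"
  else
    printf 'warning: visudo-rs not found; installing %s unchecked\n' "$1" >&2
  fi
}

# Install one file as root:root with the mode its destination calls for.
# $1 - file to copy, $2 - absolute destination.
install_root() {
  if [ "$2" = /etc/sudoers-rs ]; then
    # Explicit return: set -e is suspended when this function is called
    # from an `if` condition, and a rejected policy must never be installed.
    check_sudoers "$1" || return 1
  fi
  sudo install -D -m "$(mode_for "$2")" -o root -g root "$1" "$2"
}

# The loop body runs in a pipeline subshell; a failing install ends that
# subshell non-zero and set -e then aborts the script.
find etc -type f ! -name .ignore | while IFS= read -r src; do
  case "$src" in
    *.tmpl)
      dest="/${src%.tmpl}"
      tmp=$(mktemp)
      # Remove the rendered temp file on every path, including a failed
      # render or install, instead of leaving it behind in the temp dir.
      if chezmoi execute-template <"$src" >"$tmp" &&
        install_root "$tmp" "$dest"; then
        rm -f "$tmp"
      else
        rm -f "$tmp"
        printf 'error: failed to render or install %s\n' "$src" >&2
        exit 1
      fi
      ;;
    *)
      install_root "$src" "/${src}"
      ;;
  esac
done

if [ -d etc/udev/rules.d ]; then
  sudo udevadm control --reload
  sudo udevadm trigger --subsystem-match=usb
  sudo udevadm trigger --subsystem-match=hidraw
fi

# sudo-rs: /etc/pam.d/sudo-i is a symlink to /etc/pam.d/sudo
sudo ln -sfT sudo /etc/pam.d/sudo-i

# Clean up sleep-target masks from the earlier hardened-suspend
# workaround. Now that mem_sleep_default=s2idle resolves the wake hang,
# suspend is enabled again. Remove any leftover /dev/null symlinks.
# Only links whose target is exactly /dev/null are removed; a unit file or
# any other override at the same path is left alone.
for target in sleep.target suspend.target hibernate.target \
  hybrid-sleep.target suspend-then-hibernate.target; do
  link="/etc/systemd/system/$target"
  if [ -L "$link" ] && [ "$(readlink "$link")" = "/dev/null" ]; then
    sudo rm -f "$link"
  fi
done

sudo systemctl daemon-reload

# Reload systemd-logind so changes under /etc/systemd/logind.conf.d/
# (e.g. HandlePowerKey overrides) take effect without dropping sessions.
sudo systemctl kill -s HUP systemd-logind

# Old sudo-rs migration used /usr/local/bin to shadow classic sudo globally.
# Current policy keeps those shims user-scoped via ~/.local/bin/symlink_*.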
# Drop the legacy system-wide shims. A path is removed only when it is a
# symlink whose link text is exactly one of the sudo-rs binaries below;
# regular files and links pointing anywhere else are left untouched.
for shim in /usr/local/bin/sudoedit /usr/local/bin/su /usr/local/bin/visudo; do
  # readlink fails on a missing path or a non-symlink; treat that as "no target".
  resolved=$(readlink "$shim" 2>/dev/null || true)
  if [ "$resolved" = /usr/bin/sudo-rs ] ||
    [ "$resolved" = /usr/bin/su-rs ] ||
    [ "$resolved" = /usr/bin/visudo-rs ]; then
    sudo rm -f "$shim"
  fi
done

# The sudo shim is handled on its own: it goes only if it points at sudo-rs.
sudo_shim=$(readlink /usr/local/bin/sudo 2>/dev/null || true)
case "$sudo_shim" in
  /usr/bin/sudo-rs)
    sudo rm -f /usr/local/bin/sudo
    ;;
esac