infra/Justfile

_DEFAULT_VERSION_TMPL:
	echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix"

_DEFAULT_VERSION:
	echo "{{invocation_directory()}}/nix/variables/versions.nix"

_usage:
	just -l

# Re-render the default versions
update-default-versions:
	#!/usr/bin/env bash
	template="$(just _DEFAULT_VERSION_TMPL)"
	outfile="$(just _DEFAULT_VERSION)"
	esh -o ${outfile} ${template}

_get_nix_path versionsPath:
	echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath  {{versionsPath}})

_device recipe dir +moreargs="":
	#!/usr/bin/env bash
	set -ex
	source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix)
	$(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}})

_render_templates:
	#!/usr/bin/env bash
	set -ex
	if ! ip route get 1.1.1.1; then
		echo No route to WAN. Skipping template rendering...
	else
		source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
		nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
	fi

_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates
	#!/usr/bin/env bash
	set -ex
	just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}}

rebuild-remote-device device target rebuildarg="dry-activate" :
	#!/usr/bin/env bash
	set -ex
	just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'"

# Rebuild this device's NixOS
rebuild-this-device rebuildarg="dry-activate":
	#!/usr/bin/env bash
	set -e

	function parse_hm_rebuildarg() {
		case $1 in
			switch)
				echo switch
				;;
			*)
				echo build
				;;
		esac
	}

	export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
	export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log

	echo Rebuilding system in {{rebuildarg}}-mode...
	if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then
		echo System rebuild successful
	else
		cat ${SYSREBUILD_LOG}
		echo ERROR: system rebuild failed
		exit 1
	fi

	if type home-manager > /dev/null 2>&1; then
		echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode...
		source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix)
		if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then
			echo Home rebuild successful
		else
			cat ${HOMEREBUILD_LOG}
			echo ERROR: home rebuild failed
			exit 1
		fi
	fi

# Re-render the versions of a remote device and rebuild its environment
update-remote-device devicename target rebuildmode='switch':
	#!/usr/bin/env bash
	set -e

	template=nix/os/devices/{{ devicename }}/versions.tmpl.nix
	outfile=nix/os/devices/{{ devicename }}/versions.nix
	
	if ! test -e ${template}; then
		template="$(just _DEFAULT_VERSION_TMPL)"
	fi

	esh -o ${outfile} ${template}
	if ! test "$(git diff ${outfile})"; then
		echo Already on latest versions
		exit 0
	fi

	just -v rebuild-remote-device {{ devicename }} {{target}} dry-activate || {
		echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile}
		exit 1
	}

	just -v rebuild-remote-device {{ devicename }} {{ target }} {{ rebuildmode }} || {
		echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile}
		exit 1
	}

	git commit -v ${outfile} -m "nix/os/devices/{{ devicename }}: bump versions"

# Re-render the versions of the current device and rebuild its environment
update-this-device rebuild-mode='switch':
	#!/usr/bin/env bash
	set -e

	template=nix/os/devices/$(hostname -s)/versions.tmpl.nix
	outfile=nix/os/devices/$(hostname -s)/versions.nix

	if ! test -e ${template}; then
		template="$(just _DEFAULT_VERSION_TMPL)"
	fi

	esh -o ${outfile} ${template}
	if ! test "$(git diff ${outfile})"; then
		echo Already on latest versions
		exit 0
	fi

	export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
	just -v rebuild-this-device dry-activate || {
		echo ERROR: Update failed, reverting ${outfile}...
		exit 1
	}

	just -v rebuild-this-device {{rebuild-mode}} || {
		echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed
		exit 1
	}

	git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions"

# Rebuild an offline system
rebuild-disk device:
	#!/usr/bin/env bash
	set -xe

	just -v disk-mount {{device}}
	trap "set +e; just -v disk-umount {{device}}" EXIT
	just -v disk-install {{device}}

# Re-render the versions of the given offline system and reinstall it in offline-mode
update-disk dir:
	#!/usr/bin/env bash
	set -exuo pipefail

	dir={{dir}}

	template={{dir}}/versions.tmpl.nix
	outfile={{dir}}/versions.nix

	if ! test -e ${template}; then
		template="$(just _DEFAULT_VERSION_TMPL)"
	fi

	esh -o ${outfile} ${template}
	if ! test "$(git diff ${outfile})"; then
		echo Already on latest versions
		exit 0
	fi

	export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log
	just -v rebuild-disk {{dir}} || {
		echo ERROR: Update of {{dir}} failed, reverting ${outfile}...
		exit 1
	}

	git commit -v ${outfile} -m "${dir}: bump versions"

# Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L)
hm-iterate-qtile:
	#!/usr/bin/env bash
	set -xe
	home-manager switch || just -v rebuild-this-device switch
	Xephyr -ac -br -resizeable :1 &
	XEPHYR_PID=$!
	echo ${XEPHYR_PID}
	DISPLAY=:1 $(grep qtile ~/.xsession) &
	echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L"
	wait $!
	kill ${XEPHYR_PID}

# !!! DANGERIOUS !!! This wipes the disk which is configured for the given device.
disk-prepare dir:
	just -v _device diskPrepare {{dir}}

disk-relabel dir previous:
	just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}}

# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir:
	just -v _device diskMount {{dir}}
# Unmount target disk, specified by device configuration directory
disk-umount dir:
	just -v _device diskUmount {{dir}}

# Perform an offline installation on the mounted target disk, specified by device configuration directory
disk-install dir: _render_templates
	just -v _device diskInstall {{dir}}


verify-n-unlock sshserver attempts="10":
	#!/usr/bin/env bash
	set -e
	env \
	  GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \
	  SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \
	  VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \
	  VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}}  VNCPW)" \
	  \
	  just _verify-n-unlock {{sshserver}} {{attempts}}

_verify-n-unlock sshserver attempts:
	#!/usr/bin/env bash
	set -e
	: ${VNCSOCK:?VNCSOCK must be set}
	: ${VNCPW:?VNCPW must be set}

	export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535"
	export TESS_ARGS="-c debug_file=/dev/null --psm 4"

	function send() {
		local what="${1:?need something to send}"
		ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null
	}

	function expect() {
		local what="${1:?need something to expect}"
		vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp
		convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff
		tesseract ${TESS_ARGS} screenshot.tiff screenshot
		grep --quiet "${what}" screenshot.txt
	}

	function send_and_expect() {
		local send="${1:?need something to send}"
		local expect="${2:?need something to expect}"
		if ! send "${send}"; then
			echo warning: cannot send > /dev/stderr
			return -1
		fi
		expect "${expect}"
	}

	trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT

	for i in `seq 1 {{attempts}}`; do
		echo Attempt $i...
		expect="$(pwgen -0 12)"
		send="'\0033\0143'${expect}"
		if send_and_expect "${send}" "${expect}"; then
			pipe=$(mktemp -u)
			mkfifo ${pipe}
			exec 3<>${pipe}
			rm ${pipe}

			echo Verification succeeded at attempt $i. Unlocking remote drive...
			ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null &
			eval ${GETPW} | head -n1 >&3

			for j in `seq 1 120`; do
				sleep 0.5
				if expect '— success'; then
					echo Unlock successful.
					exit 0
				fi
			done

			echo Unlock failed...
			exit 1
		fi
	done
	echo Verification failed {{attempts}} times. Giving up...
	exit 1

_get_pass_entry path key:
	pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g'

run-with-channels +cmds:
	#!/usr/bin/env bash
	source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix)
	{{cmds}}

install-config config root:
	sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd

# Switch between gpg-card capable devices which have a copy of the same key
switch-gpg-card:
	#!/usr/bin/env bash
	#
	# Derived from https://github.com/drduh/YubiKey-Guide/issues/19.
	#
	# Connect the new device and then run this script to make it known to gnupg.
	#
	set -xe
	KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}')

	# export pubkey and ownertrust
	gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}"
	# if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}`
	gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust

	# delete the key
	gpg --yes --delete-secret-and-public-keys "${KEY_ID}"

	# import pubkey and ownertrust back and cleanup
	gpg2 --import "${KEY_ID}".pubkey
	gpg2 --import-ownertrust < "${KEY_ID}".ownertrust
	rm "${KEY_ID}".{pubkey,ownertrust}

	# refresh the gpg agent
	gpg-connect-agent "scd serialno" "learn --force" /bye
	gpg --card-status

# Connect to `remote` UUID, and turn it into a short name
uuid-to-device-name remote:
	#!/usr/bin/env bash
	set -e -o pipefail
	ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}'