#!/bin/sh

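# Provisioning hook run by the installer against a freshly debootstrapped
# target, reachable on this host at ${BODI_CHROOT_PATH}. It reads the OCI
# settings files under /etc and /etc/oci of the host and configures, inside
# the target: apt sources and pinning, the puppet agent and its credentials,
# SSH host keys, the x509 PKI material and a few root conveniences.
#
# Required environment: BODI_CHROOT_PATH (path of the target root filesystem).
# -e aborts on the first failing command; -x traces every command to stderr
# for the installer log (only paths and option values are traced, private
# key material below is moved with cp, never echoed).
set -e
set -x

# Every path written below is rooted at the target: without this guard an
# unset BODI_CHROOT_PATH would make the script edit the installer host's own
# /etc, /root and /var instead.
: "${BODI_CHROOT_PATH:?BODI_CHROOT_PATH must point to the target root}"

UNAME_MINUS_M=$(uname -m)

# pkgos_func provides pkgos_add_directive and pkgos_inifile, used below for
# puppet.conf and for the vendor repo.conf files.
if ! [ -r /usr/share/openstack-pkg-tools/pkgos_func ] ; then
	echo "Could not read /usr/share/openstack-pkg-tools/pkgos_func." >&2
	exit 1
fi
. /usr/share/openstack-pkg-tools/pkgos_func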

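# Settings handed over by the installer, one value per file under /etc and
# /etc/oci. The ones read with a plain cat are mandatory: a missing file
# aborts the script through set -e.

# Usage: oci_setting FILE DEFAULT
# Prints the content of FILE when it is readable, DEFAULT otherwise.
oci_setting() {
	if [ -r "$1" ] ; then
		cat "$1"
	else
		printf '%s\n' "$2"
	fi
}

openstack_release=$(cat /etc/oci_openstack_release)
debian_release=$(cat /etc/oci_debian_release)
use_debian_dot_net_backport=$(oci_setting /etc/oci_use_debian_dot_net_backport no)
use_debian_official_backports=$(oci_setting /etc/oci_use_debian_official_backports no)
# Official backports come from the regular mirror, unless the release is
# listed as archived and an archive mirror is configured. The pattern is
# quoted (and fixed-string) so that an empty release cannot turn the list
# file itself into grep's pattern.
official_backports_repo_url=$(cat /etc/oci_debian_mirror)
if [ -r /etc/oci_use_debian_official_backports ] \
	&& [ -r /etc/oci_debian_archived_backports_list ] \
	&& [ -r /etc/oci_debian_archive_mirror ] \
	&& grep -qF -- "${debian_release}" /etc/oci_debian_archived_backports_list ; then
	official_backports_repo_url=$(cat /etc/oci_debian_archive_mirror)
fi
install_buildd_incoming=$(oci_setting /etc/oci_use_incoming_build no)
debian_incoming_buildd=$(oci_setting /etc/oci_incoming_buildd_url no)
debian_mirror=$(cat /etc/oci_debian_mirror)

production_system_setup_backports_repo=$(oci_setting /etc/oci/production_system_setup_backports_repo no)
production_system_setup_nonfree_repo=$(oci_setting /etc/oci/production_system_setup_nonfree_repo no)
production_system_install_nonfree_firmware_from_backports=$(oci_setting /etc/oci/production_system_install_nonfree_firmware_from_backports no)
production_system_install_firmware_from_backports_list=$(oci_setting /etc/oci/production_system_install_firmware_from_backports_list "")

# Ceph backport stuff
# Should we do ceph pinning?
ceph_from_stable_backports=$(oci_setting /etc/oci_ceph_from_stable_backports no)
# Should we install osbpo for Ceph?
ceph_use_osbpo=$(oci_setting /etc/oci_ceph_use_osbpo no)
# What release?
ceph_osbpo_release=$(oci_setting /etc/oci_ceph_osbpo_release "")
# Should we use upstream Ceph repo?
install_ceph_upstream_repo=$(oci_setting /etc/oci_install_ceph_upstream_repo no)
# What is its URL?
debian_mirror_ceph=$(cat /etc/oci_debian_mirror_ceph)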

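# Hand the target the details it needs to find its way back to the installer:
# the PXE server address, a pre-built hosts file and the puppet master name.
# Nothing here writes an rc.local any more; reporting the installed OS back
# to the PXE server is presumably left to the oci-report-status service
# enabled at the end of this script.

mkdir -p "${BODI_CHROOT_PATH}/etc/oci"
cp /etc/oci/pxe-server-ip "${BODI_CHROOT_PATH}/etc/oci/pxe-server-ip"

# If we see an already prepared hosts file, copy it to the chroot
if [ -e /oci-hosts-file ] ; then
	cat /oci-hosts-file >"${BODI_CHROOT_PATH}/etc/hosts"
fi

# The puppet master defaults to the host running this script, unless
# /puppet-master-host names another one.
if [ -r /puppet-master-host ] ; then
	MY_HOSTNAME=$(cat /puppet-master-host)
else
	MY_HOSTNAME=$(hostname --fqdn)
fi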

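# Configure the puppet agent to talk to the puppet master, using the pkgos
# helpers sourced at the top of this script: each setting is documented with
# pkgos_add_directive (its last argument being the comment) and then set in
# the [main] section with pkgos_inifile set.
PUPPET_CONF="${BODI_CHROOT_PATH}/etc/puppet/puppet.conf"

# Usage: puppet_main_set KEY SHOWN_VALUE VALUE COMMENT
# SHOWN_VALUE is what the directive advertises, VALUE what gets set; they
# only differ for "server", whose directive keeps the example.com placeholder.
puppet_main_set() {
	pkgos_add_directive "${PUPPET_CONF}" main "$1=$2" "$4"
	pkgos_inifile set "${PUPPET_CONF}" main "$1" "$3"
}

if [ -e "${PUPPET_CONF}" ] ; then
	# Make sure a [main] section exists before writing into it.
	if ! grep -q '\[main\]' "${PUPPET_CONF}" ; then
		echo '[main]' >>"${PUPPET_CONF}"
	fi
	puppet_main_set server example.com "${MY_HOSTNAME}" "#puppet master address"

	# Default is 512, which is not enough, we had a warning about 665 top level facts.
	puppet_main_set top_level_facts_soft_limit 81920 81920 "#Default is 512, which is not enough, we had a warning about 2382 top level facts."

	puppet_main_set fact_value_length_soft_limit 40960 40960 "#With a lot of VMs in a compute, there is a fact with all interfaces in one line, so it is huge."

	puppet_main_set number_of_facts_soft_limit 40960 40960 "#With a lot of VMs in a compute (hundreds), there is also too many facts."

	# On controllers, the default 1h is not enough on first run.
	puppet_main_set runtimeout 7200 7200 "#On controllers, the default 1h is not enough on first run."
fi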

# Copy the http_proxy_addr file to provisioned hosts, so the target uses the
# same proxy as the installer.
PROXY_ADDR_FILE=/etc/oci/http_proxy_addr
if test -e "${PROXY_ADDR_FILE}" ; then
	mkdir -p "${BODI_CHROOT_PATH}/etc/oci"
	cp "${PROXY_ADDR_FILE}" "${BODI_CHROOT_PATH}/etc/oci"
fi

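# Copy files under /oci-in-target to the root of the target, then normalise
# ownership and modes of the sensitive spots (root's home and .ssh, the
# facter external facts, the cron scripts): the staged tree may carry
# whatever uid/gid and modes it was built with.
if [ -d /oci-in-target ] ; then
	# Subshell: chdir for the relative fix-ups and the copy without having to
	# restore the working directory afterwards; set -e still aborts the
	# script if anything inside fails.
	(
		cd /oci-in-target
		if [ -d usr/bin ] ; then
			for f in usr/bin/* ; do
				# An empty directory leaves the pattern unexpanded.
				[ -e "$f" ] || continue
				chmod +x "$f"
				chown root:root "$f"
			done
		fi
		if [ -d etc/oci ] ; then
			chown -R root:root etc/oci
		fi
		# Note that * does not match dotfiles at the top of /oci-in-target;
		# deeper ones (e.g. root/.ssh) come along with their parent.
		cp -axf * "${BODI_CHROOT_PATH}"
	)
	# Make sure we have correct rights for /root/.ssh
	mkdir -p "${BODI_CHROOT_PATH}/root"
	if [ -e "${BODI_CHROOT_PATH}/root/.ssh" ] ; then
		chmod 0700 "${BODI_CHROOT_PATH}/root/.ssh"
	fi
	chmod 0700 "${BODI_CHROOT_PATH}/root"
	chown -R root:root "${BODI_CHROOT_PATH}/root"
	# The staged key pair authorises itself, presumably so that hosts sharing
	# it can reach each other as root; keep authorized_keys root-only.
	if [ -e "${BODI_CHROOT_PATH}/root/.ssh/id_rsa.pub" ] ; then
		cat "${BODI_CHROOT_PATH}/root/.ssh/id_rsa.pub" >>"${BODI_CHROOT_PATH}/root/.ssh/authorized_keys"
		chmod 0600 "${BODI_CHROOT_PATH}/root/.ssh/authorized_keys"
	fi
	if [ -e "${BODI_CHROOT_PATH}/etc" ] ; then
		chown root:root "${BODI_CHROOT_PATH}/etc" || true
		chown root:root "${BODI_CHROOT_PATH}/etc/motd" || true
		FACTS_D="${BODI_CHROOT_PATH}/etc/facter/facts.d"
		if [ -e "${BODI_CHROOT_PATH}/etc/facter" ] ; then
			chown root:root "${BODI_CHROOT_PATH}/etc/facter"
			if [ -e "${FACTS_D}" ] ; then
				chown root:root "${FACTS_D}"
				# External fact scripts are run by facter, hence +x.
				for f in swift_blockdevs_names_to_uuid.sh swift_fstab_dev_list.sh ; do
					if [ -e "${FACTS_D}/$f" ] ; then
						chown root:root "${FACTS_D}/$f"
						chmod +x "${FACTS_D}/$f"
					fi
				done
			fi
		fi
	fi
	# Make sure we have correct rights for /etc/cron.weekly scripts
	chown -R root:root "${BODI_CHROOT_PATH}/etc/cron.weekly" || true
	if [ -e "${BODI_CHROOT_PATH}/etc/cron.weekly/oci-fernet-keys-rotate" ] ; then
		chmod +x "${BODI_CHROOT_PATH}/etc/cron.weekly/oci-fernet-keys-rotate"
	fi
	chown -R root:root "${BODI_CHROOT_PATH}/etc/cron.hourly" || true
	if [ -e "${BODI_CHROOT_PATH}/etc/cron.hourly/oci-glance-image-rsync" ] ; then
		chmod +x "${BODI_CHROOT_PATH}/etc/cron.hourly/oci-glance-image-rsync"
	fi
fi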

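# Add osbpo.debian.net backport repo
if [ "${use_debian_dot_net_backport}" = "yes" ] ; then
	mkdir -p "${BODI_CHROOT_PATH}/etc/apt/sources.list.d"
	# deb822 source; Signed-By points inside the target, so the key is
	# shipped there right after.
	cat >"${BODI_CHROOT_PATH}/etc/apt/sources.list.d/osbpo.debian.net.sources" <<EOF
Types: deb deb-src
URIs: http://osbpo.debian.net/debian
Suites: ${debian_release}-${openstack_release}-backports ${debian_release}-${openstack_release}-backports-nochange
Components: main
Signed-By: /etc/oci/oci-repository-key.asc
EOF
	mkdir -p "${BODI_CHROOT_PATH}/etc/oci"
	cp /etc/oci/oci-repository-key.asc "${BODI_CHROOT_PATH}/etc/oci/"
	chroot "${BODI_CHROOT_PATH}" apt-get update
	# Move the whole target onto the backports. Provisioning is unattended,
	# so debconf must not prompt (same convention as the vendor package
	# install further down); --force-confnew covers the conffile prompts.
	chroot "${BODI_CHROOT_PATH}" env DEBIAN_FRONTEND=noninteractive \
		apt-get -y -o Dpkg::Options::="--force-confnew" dist-upgrade
fi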

# Official Debian backports for the target (plus contrib/non-free when
# requested), served from the mirror chosen above, optionally followed by the
# firmware packages that only backports provide.
if [ "${use_debian_official_backports}" = "yes" ] || [ "${production_system_setup_backports_repo}" = "yes" ] ; then
	BPO_COMPONENTS=main
	if [ "${production_system_setup_nonfree_repo}" = "yes" ] ; then
		BPO_COMPONENTS="main contrib non-free"
	fi
	BPO_LIST="${BODI_CHROOT_PATH}/etc/apt/sources.list.d/${debian_release}-backports.list"
	mkdir -p "${BODI_CHROOT_PATH}/etc/apt/sources.list.d"
	printf 'deb %s %s-backports %s\ndeb-src %s %s-backports %s\n' \
		"${official_backports_repo_url}" "${debian_release}" "${BPO_COMPONENTS}" \
		"${official_backports_repo_url}" "${debian_release}" "${BPO_COMPONENTS}" \
		>"${BPO_LIST}"
	chroot "${BODI_CHROOT_PATH}" apt-get update
	if [ "${production_system_install_nonfree_firmware_from_backports}" = "yes" ] ; then
		# Best effort: a firmware package missing from backports must not
		# abort the provisioning.
		# shellcheck disable=SC2086 -- space separated package list
		chroot "${BODI_CHROOT_PATH}" apt-get install -t "${debian_release}-backports" -y ${production_system_install_firmware_from_backports_list} || true
	fi
fi

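# Setup ceph-<RELEASE> osbpo repo
#
# Writes a deb822 source for the Ceph suite of osbpo.debian.net into the
# target's sources.list.d. Reads ceph_use_osbpo, ceph_osbpo_release and
# BODI_CHROOT_PATH; does nothing unless ceph_use_osbpo is "yes". Returns 1
# when the suite name is empty, since both the file name and the Suites:
# field derive from it.
oci_setup_ceph_osbpo_repo() {
	if [ "${ceph_use_osbpo}" != "yes" ] ; then
		return 0
	fi
	if [ -z "${ceph_osbpo_release}" ] ; then
		echo "ceph_use_osbpo is yes but /etc/oci_ceph_osbpo_release is empty." >&2
		return 1
	fi
	mkdir -p "${BODI_CHROOT_PATH}/etc/apt/sources.list.d"
	# Written into the target (a bare "${ceph_osbpo_release}.sources"
	# redirection would land in the current directory of the installer).
	cat >"${BODI_CHROOT_PATH}/etc/apt/sources.list.d/${ceph_osbpo_release}.sources" <<EOF
Types: deb deb-src
URIs: http://osbpo.debian.net/debian
Suites: ${ceph_osbpo_release}
Components: main
Signed-By: /etc/oci/oci-repository-key.asc
EOF
	# Signed-By points inside the target: ship the key the same way the
	# osbpo backports block does, unless it is already there.
	if [ -r /etc/oci/oci-repository-key.asc ] && ! [ -e "${BODI_CHROOT_PATH}/etc/oci/oci-repository-key.asc" ] ; then
		mkdir -p "${BODI_CHROOT_PATH}/etc/oci"
		cp /etc/oci/oci-repository-key.asc "${BODI_CHROOT_PATH}/etc/oci/"
	fi
}
oci_setup_ceph_osbpo_repo || exit 1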

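# Setup Ceph pinning
# Either the whole osbpo origin (o=osbpo) or an explicit list of Ceph binary
# packages from the official backports gets priority 900 in the target, so
# apt prefers them over the release's own Ceph. Both stanza styles are
# appended to the same preferences file.
if [ "${ceph_from_stable_backports}" = "yes" ] ; then
	CEPH_PREFS="${BODI_CHROOT_PATH}/etc/apt/preferences.d/99ceph-from-debian-backports"
	mkdir -p "${BODI_CHROOT_PATH}/etc/apt/preferences.d"

	if [ "${ceph_use_osbpo}" = "yes" ] ; then
		# Pin everything published under the osbpo origin.
		cat >>"${CEPH_PREFS}" <<EOF
Package: *
Pin: release o=osbpo
Pin-Priority: 900

EOF
	else
		# The per-package pin needs the list of Ceph binary packages shipped
		# in the release's backports; only this branch depends on the Debian
		# release being a known one.
		if [ "${debian_release}" = "buster" ] ; then
			# Pacific list:
			CEPH_PKG_LIST="ceph ceph-base ceph-base-dbg ceph-common ceph-common-dbg ceph-fuse ceph-grafana-dashboards ceph-immutable-object-cache ceph-immutable-object-cache-dbg ceph-mds ceph-mds-dbg ceph-mgr ceph-mgr-cephadm ceph-mgr-dashboard ceph-mgr-dbg ceph-mgr-diskprediction-local ceph-mgr-diskprediction-cloud ceph-mgr-k8sevents ceph-mgr-modules-core ceph-mgr-rook ceph-mgr-k8sevents ceph-mgr-ssh ceph-mon ceph-mon-dbg ceph-osd ceph-osd-dbg ceph-prometheus-alerts ceph-resource-agents ceph-test cephadm cephfs-mirror cephfs-mirror-dbg cephfs-shell cephfs-top libcephfs-dev libcephfs-java libcephfs-jni libcephfs2 libcephfs2-dbg librados-dev librados2 librados2-dbg libradospp-dev libradosstriper-dev libradosstriper1 libradosstriper1-dbg librbd-dev librbd1 librbd1-dbg librgw-dev librgw2 librgw2-dbg libsqlite3-mod-ceph libsqlite3-mod-ceph-dbg libsqlite3-mod-ceph-dev python3-ceph python3-ceph-argparse python3-ceph-common python3-cephfs python3-rados python3-rbd python3-rgw rados-objclass-dev radosgw radosgw-dbg rbd-fuse rbd-fuse-dbg rbd-mirror rbd-mirror-dbg rbd-nbd rbd-nbd-dbg smartmontools"
		elif [ "${debian_release}" = "bookworm" ] ; then
			# Reef list:
			CEPH_PKG_LIST="ceph ceph-base ceph-base-dbg ceph-common ceph-common-dbg ceph-grafana-dashboards ceph-immutable-object-cache ceph-immutable-object-cache-dbg ceph-mds ceph-mds-dbg ceph-mgr ceph-mgr-cephadm ceph-mgr-dashboard ceph-mgr-dbg ceph-mgr-k8sevents ceph-mgr-modules-core ceph-mgr-rook ceph-mon ceph-mon-dbg ceph-osd ceph-osd-dbg ceph-prometheus-alerts ceph-resource-agents ceph-test ceph-test-dbg ceph-volume cephadm cephfs-mirror cephfs-mirror-dbg cephfs-shell cephfs-top libboost-all-dev libboost-atomic-dev libboost-atomic1.83-dev libboost-atomic1.83.0 libboost-atomic1.83.0-dbgsym libboost-chrono-dev libboost-chrono1.83-dev libboost-chrono1.83.0t64 libboost-chrono1.83.0t64-dbgsym libboost-container-dev libboost-container1.83-dev libboost-container1.83.0 libboost-container1.83.0-dbgsym libboost-context-dev libboost-context1.83-dev libboost-context1.83.0 libboost-context1.83.0-dbgsym libboost-contract-dev libboost-contract1.83-dev libboost-contract1.83.0 libboost-contract1.83.0-dbgsym libboost-coroutine-dev libboost-coroutine1.83-dev libboost-coroutine1.83.0 libboost-coroutine1.83.0-dbgsym libboost-date-time-dev libboost-date-time1.83-dev libboost-date-time1.83.0 libboost-date-time1.83.0-dbgsym libboost-dev libboost-doc libboost-exception-dev libboost-exception1.83-dev libboost-fiber-dev libboost-fiber1.83-dev libboost-fiber1.83.0 libboost-fiber1.83.0-dbgsym libboost-filesystem-dev libboost-filesystem1.83-dev libboost-filesystem1.83.0 libboost-filesystem1.83.0-dbgsym libboost-graph-dev libboost-graph-parallel-dev libboost-graph-parallel1.83-dev libboost-graph-parallel1.83.0 libboost-graph-parallel1.83.0-dbgsym libboost-graph1.83-dev libboost-graph1.83.0 libboost-graph1.83.0-dbgsym libboost-iostreams-dev libboost-iostreams1.83-dev libboost-iostreams1.83.0 libboost-iostreams1.83.0-dbgsym libboost-json-dev libboost-json1.83-dev libboost-json1.83.0 libboost-json1.83.0-dbgsym libboost-locale-dev libboost-locale1.83-dev libboost-locale1.83.0 
libboost-locale1.83.0-dbgsym libboost-log-dev libboost-log1.83-dev libboost-log1.83.0 libboost-log1.83.0-dbgsym libboost-math-dev libboost-math1.83-dev libboost-math1.83.0 libboost-math1.83.0-dbgsym libboost-mpi-dev libboost-mpi-python-dev libboost-mpi-python1.83-dev libboost-mpi-python1.83.0 libboost-mpi-python1.83.0-dbgsym libboost-mpi1.83-dev libboost-mpi1.83.0 libboost-mpi1.83.0-dbgsym libboost-nowide-dev libboost-nowide1.83-dev libboost-nowide1.83.0 libboost-nowide1.83.0-dbgsym libboost-numpy-dev libboost-numpy1.83-dev libboost-numpy1.83.0 libboost-numpy1.83.0-dbgsym libboost-program-options-dev libboost-program-options1.83-dev libboost-program-options1.83.0 libboost-program-options1.83.0-dbgsym libboost-python-dev libboost-python1.83-dev libboost-python1.83.0 libboost-python1.83.0-dbgsym libboost-random-dev libboost-random1.83-dev libboost-random1.83.0 libboost-random1.83.0-dbgsym libboost-regex-dev libboost-regex1.83-dev libboost-regex1.83.0 libboost-regex1.83.0-dbgsym libboost-serialization-dev libboost-serialization1.83-dev libboost-serialization1.83.0 libboost-serialization1.83.0-dbgsym libboost-stacktrace-dev libboost-stacktrace1.83-dev libboost-stacktrace1.83.0 libboost-stacktrace1.83.0-dbgsym libboost-system-dev libboost-system1.83-dev libboost-system1.83.0 libboost-system1.83.0-dbgsym libboost-test-dev libboost-test1.83-dev libboost-test1.83.0 libboost-test1.83.0-dbgsym libboost-thread-dev libboost-thread1.83-dev libboost-thread1.83.0 libboost-thread1.83.0-dbgsym libboost-timer-dev libboost-timer1.83-dev libboost-timer1.83.0 libboost-timer1.83.0-dbgsym libboost-tools-dev libboost-type-erasure-dev libboost-type-erasure1.83-dev libboost-type-erasure1.83.0 libboost-type-erasure1.83.0-dbgsym libboost-url-dev libboost-url1.83-dev libboost-url1.83.0 libboost-url1.83.0-dbgsym libboost-wave-dev libboost-wave1.83-dev libboost-wave1.83.0 libboost-wave1.83.0-dbgsym libboost1.83-all-dev libboost1.83-dev libboost1.83-doc libboost1.83-tools-dev 
libboost1.83-tools-dev-dbgsym libcephfs-dev libcephfs-java libcephfs-jni libcephfs-jni-dbgsym libcephfs2 libcephfs2-dbg librados-dev librados-dev-dbgsym librados2 librados2-dbg libradospp-dev libradosstriper-dev libradosstriper1 libradosstriper1-dbg librbd-dev librbd1 librbd1-dbg librgw-dev librgw2 librgw2-dbg libsqlite3-mod-ceph libsqlite3-mod-ceph-dbg libsqlite3-mod-ceph-dev liburing-dev liburing2 liburing2-dbgsym python3-ceph python3-ceph-argparse python3-ceph-common python3-cephfs python3-cephfs-dbgsym python3-rados python3-rados-dbgsym python3-rbd python3-rbd-dbgsym python3-rgw python3-rgw-dbgsym rados-objclass-dev radosgw radosgw-dbg rbd-fuse rbd-fuse-dbg rbd-mirror rbd-mirror-dbg rbd-nbd rbd-nbd-dbg"
		else
			echo "Except for buster and bookworm, I do not know how to pin Ceph. Please contribute." >&2
			exit 1
		fi
		# shellcheck disable=SC2086 -- whitespace separated package names
		for PKG in ${CEPH_PKG_LIST} ; do
			cat >>"${CEPH_PREFS}" <<EOF
Package: ${PKG}
Pin: release a=${debian_release}-backports
Pin-Priority: 900

EOF
		done
	fi

	chroot "${BODI_CHROOT_PATH}" apt-get update
fi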

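# Add buildd_incoming repo, so we can do quick tests with Sid
if [ "${install_buildd_incoming}" = "yes" ] ; then
	# NOTE(review): unlike the osbpo and vendor entries, no Signed-By key is
	# shipped for this repository, so apt will only accept it if its archive
	# key is already trusted in the target — confirm against the incoming
	# buildd setup.
	mkdir -p "${BODI_CHROOT_PATH}/etc/apt/sources.list.d"
	printf 'deb %s buildd-sid main\ndeb-src %s buildd-sid main\n\n' \
		"${debian_incoming_buildd}" "${debian_incoming_buildd}" \
		>"${BODI_CHROOT_PATH}/etc/apt/sources.list.d/incoming-buildd.list"
	chroot "${BODI_CHROOT_PATH}" apt-get update
	# Unattended: debconf must not prompt during the upgrade (same
	# convention as the vendor package install further down).
	chroot "${BODI_CHROOT_PATH}" env DEBIAN_FRONTEND=noninteractive \
		apt-get -y -o Dpkg::Options::="--force-confnew" dist-upgrade
fi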

# Add the Ceph upstream repo
# The repository's signing key is embedded below as an armored public key
# block (its body is elided in this copy of the file) and imported with
# apt-key, which is deprecated: a key added that way is trusted for every
# repository, not only the Ceph one. The vendor-repo block further down
# instead copies each key into /etc/apt/keyrings (presumably referenced by
# Signed-By in its repo.sources), which would be the migration path here.
# Mirror URL and suite come from the settings read at the top.
if [ "${install_ceph_upstream_repo}" = "yes" ] ; then
	# Temporary copy inside the target, removed once imported.
	echo "-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
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=/Tod
-----END PGP PUBLIC KEY BLOCK-----
" >${BODI_CHROOT_PATH}/root/ceph-repo.asc
	chroot ${BODI_CHROOT_PATH} apt-key add /root/ceph-repo.asc
	rm ${BODI_CHROOT_PATH}/root/ceph-repo.asc
	# One-line sources.list entry; the suite is the Debian release itself.
	echo "deb ${debian_mirror_ceph} ${debian_release} main
deb-src ${debian_mirror_ceph} ${debian_release} main
" >${BODI_CHROOT_PATH}/etc/apt/sources.list.d/ceph.list
	chroot ${BODI_CHROOT_PATH} apt-get update
fi


# libxml-xpath-perl is a dependency of oci-fixup-compute-node, but it has to
# be installed *after* the debootstrap, otherwise the debootstrap fails; so it
# is pulled in here, once the tool is found in the target.
FIXUP_TOOL="${BODI_CHROOT_PATH}/usr/bin/oci-fixup-compute-node"
if test -x "${FIXUP_TOOL}" ; then
	chroot "${BODI_CHROOT_PATH}" apt-get install libxml-xpath-perl -y -o Dpkg::Options::="--force-confnew"
fi

# With a self-signed API certificate, remember the OS_CACERT setting pointing
# at OCI's CA chain and create the marker directory in the target. Note that
# OCI_PKI_CA_CERT is not read anywhere else in this script.
OCI_PKI_CA_CERT=""
if test -e /self-signed-api-cert ; then
	OCI_PKI_CA_CERT="OS_CACERT=/etc/ssl/certs/oci-pki-oci-ca-chain.pem"
	mkdir -p "${BODI_CHROOT_PATH}/etc/oci/self-signed-api-cert"
fi

# Customize /root/.screenrc
# NOTE(review): written with echo under /bin/sh. The caption's \" are
# unescaped by the shell; whether the \E sequences of the termcapinfo line
# reach the file verbatim depends on the backslash handling of the echo
# builtin (dash and bash differ) — confirm the resulting file on a target.
echo "startup_message off
defscrollback 5000
caption always \"%{= kw}%-w%{= BW}%n %t%{-}%+w %-= @%H  -  %d.%m.%Y  - %c\"
termcapinfo xterm 'Co#256:AB=\E[48;5;%dm:AF=\E[38;5;%dm'
defbce on
term screen-256color
termcapinfo konsole-256color ti@:te@" >${BODI_CHROOT_PATH}/root/.screenrc

# Setup /root/.bashrc
# The content is one double-quoted echo argument: \$ and \" become literal
# $ and " in the file so the expansions run on the target, not here, and
# \\[ / \\033 / \\] are meant to end up as the \[ \033 \] PS1 escapes
# (NOTE(review): echo's own backslash handling differs between dash and bash,
# so confirm the prompt on a target). The prompt shows the serial number this
# script writes to /etc/serial_number further down (root-only, fine for
# root's shell). The ssh alias enables agent forwarding (-A) and X11
# forwarding (-X) for every ssh from root: agent forwarding lets the remote
# host use root's agent keys, which matters when hosts of differing trust
# are reached from here.
echo "# ~/.bashrc: executed by bash(1) for non-login shells.

export LS_OPTIONS='--color=auto'
eval \"\$(dircolors)\"
alias ls='ls \${LS_OPTIONS}'

SYSTEM_SERIAL_NUM=\$(cat /etc/serial_number)

   RED=\"\\[\\033[1;31m\\]\"
 LGRAY=\"\\[\\033[0;37m\\]\"
  TEAL=\"\\[\\033[38;5;6m\\]\"
  BLUE=\"\\[\\033[1;34m\\]\"
NO_COL=\"\\[\\033[0m\\]\"
 LBLUE=\"\\[\\033[1;36m\\]\"

export PS1=\${RED}'\\u'\${LGRAY}@\${TEAL}\${SYSTEM_SERIAL_NUM}\${LGRAY}-\${BLUE}'\\h'\${LGRAY}'>_'\${NO_COL}' \\w # '

alias ssh='ssh -A -X'

if [ -f /etc/bash_completion ]; then
        . /etc/bash_completion
fi

export PAGER=most
" > ${BODI_CHROOT_PATH}/root/.bashrc

# No backup for joe: enable the -nobackups option of its rc file (a leading
# space is how joerc keeps an option disabled).
JOERC="${BODI_CHROOT_PATH}/etc/joe/joerc"
if test -e "${JOERC}" ; then
	sed -i "s/^ -nobackups/-nobackups/" "${JOERC}"
fi

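# Vendor apt repositories (hardware vendor specific ones, judging by the
# checks below): for every name in /etc/oci/target_system_vendor_repo_list,
# /etc/oci/vendor-repos/<name>/ provides repo.sources, key.asc, optionally
# repo.pref, and a repo.conf whose [DEFAULT] section may restrict the
# architectures and the hardware the repository applies to and list the
# packages to install from it.

# Usage: oci_vendor_conf_get CONF KEY DEFAULT
# Prints the value of KEY in the [DEFAULT] section of CONF (via
# pkgos_inifile, which reports through the RET global) or DEFAULT when the
# key is missing or empty.
oci_vendor_conf_get() {
	pkgos_inifile get "$1" DEFAULT "$2"
	if [ "${RET}" != "NOT_FOUND" ] && [ -n "${RET}" ] ; then
		printf '%s\n' "${RET}"
	else
		printf '%s\n' "$3"
	fi
}

# Usage: oci_unquote VALUE
# Strips one pair of surrounding double quotes, as repo.conf values may carry.
oci_unquote() {
	printf '%s\n' "$1" | sed 's/^"//; s/"$//'
}

TARGET_SYSTEM_VENDOR_REPO_LIST=$(cat /etc/oci/target_system_vendor_repo_list)
ARCH=$(uname -m)
for VENDOR in $(printf '%s\n' "${TARGET_SYSTEM_VENDOR_REPO_LIST}" | tr ',' ' ') ; do
	V_R="/etc/oci/vendor-repos/${VENDOR}"
	# Defaults when repo.conf is absent or silent: follow the Debian
	# release, x86_64 only, no hardware check, no packages.
	VENDOR_SUITE=osversion
	VENDOR_SUPPORTED_ARCH=x86_64
	VENDOR_CHECK_CMD="/bin/true"
	VENDOR_CHECK_VALS=""
	VENDOR_PKG_LIST=""
	if [ -f "${V_R}/repo.conf" ] ; then
		VENDOR_SUITE=$(oci_vendor_conf_get "${V_R}/repo.conf" suites "${VENDOR_SUITE}")
		VENDOR_SUPPORTED_ARCH=$(oci_vendor_conf_get "${V_R}/repo.conf" supported_arch "${VENDOR_SUPPORTED_ARCH}" | tr ',' ' ')
		VENDOR_CHECK_CMD=$(oci_unquote "$(oci_vendor_conf_get "${V_R}/repo.conf" target_hardware_vendor_cmd_check "${VENDOR_CHECK_CMD}")")
		VENDOR_CHECK_VALS=$(oci_unquote "$(oci_vendor_conf_get "${V_R}/repo.conf" target_hardware_vendor_value "${VENDOR_CHECK_VALS}")")
		VENDOR_PKG_LIST=$(oci_vendor_conf_get "${V_R}/repo.conf" target_package_list "${VENDOR_PKG_LIST}" | tr ',' ' ')
	fi

	# Only hosts whose architecture the vendor supports...
	found_arch=no
	for a in ${VENDOR_SUPPORTED_ARCH} ; do
		if [ "$a" = "${ARCH}" ] ; then
			found_arch=yes
			break
		fi
	done
	[ "${found_arch}" = "yes" ] || continue

	# ...and, when repo.conf names a probe command, whose output (spaces
	# turned into underscores) matches one of the comma separated expected
	# values. The probe command is taken from the operator-owned repo.conf
	# and run as-is on the installer host, so that file must only be
	# writable by root.
	found_system=no
	if [ "${VENDOR_CHECK_CMD}" = "/bin/true" ] ; then
		found_system=yes
	else
		RESULT=$(${VENDOR_CHECK_CMD} 2>/dev/null | sed 's/ /_/g' || echo "")
		for v in $(printf '%s\n' "${VENDOR_CHECK_VALS}" | sed 's/ /_/g' | tr ',' ' ') ; do
			if [ "${RESULT}" = "$v" ] ; then
				found_system=yes
				break
			fi
		done
	fi
	[ "${found_system}" = "yes" ] || continue

	SOURCES_FILE="${BODI_CHROOT_PATH}/etc/apt/sources.list.d/oci-vendor-${VENDOR}.sources"
	mkdir -p "${BODI_CHROOT_PATH}/etc/apt/sources.list.d"
	mkdir -p "${BODI_CHROOT_PATH}/etc/apt/keyrings"
	cp "${V_R}/repo.sources" "${SOURCES_FILE}"
	if [ "${VENDOR_SUITE}" = "osversion" ] ; then
		# The suite follows the installed Debian release, through an explicit
		# %%OS_VERSION%% placeholder or by rewriting the Suites: line. Any
		# other suites value leaves repo.sources as shipped.
		if grep -q '%%OS_VERSION%%' "${SOURCES_FILE}" ; then
			sed -i "s#%%OS_VERSION%%#${debian_release}#g" "${SOURCES_FILE}"
		else
			sed -i "s#^Suites: .*#Suites: ${debian_release}#" "${SOURCES_FILE}"
		fi
	fi
	cp "${V_R}/key.asc" "${BODI_CHROOT_PATH}/etc/apt/keyrings/oci-vendor-${VENDOR}.asc"
	if [ -e "${V_R}/repo.pref" ] ; then
		mkdir -p "${BODI_CHROOT_PATH}/etc/apt/preferences.d"
		cp "${V_R}/repo.pref" "${BODI_CHROOT_PATH}/etc/apt/preferences.d/oci-vendor-${VENDOR}.pref"
	fi
	# Do the actual package install
	chroot "${BODI_CHROOT_PATH}" apt-get update
	# shellcheck disable=SC2086 -- space separated package list
	chroot "${BODI_CHROOT_PATH}" apt-get install -y -o Dpkg::Options::="--force-confnew" ${VENDOR_PKG_LIST}
done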

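# Extra packages requested for every target, comma separated in
# /etc/oci/target_system_vendor_package_list. A missing file means "none"
# (the former cat|sed pipeline tolerated that too).
TARGET_SYSTEM_VENDOR_PACKAGE_LIST=""
if [ -r /etc/oci/target_system_vendor_package_list ] ; then
	TARGET_SYSTEM_VENDOR_PACKAGE_LIST=$(tr ',' ' ' </etc/oci/target_system_vendor_package_list)
fi
# Quoted on purpose: with the expansion unquoted, a list of two or more
# packages made the test error out and evaluate false, silently skipping
# the install.
if [ -n "${TARGET_SYSTEM_VENDOR_PACKAGE_LIST}" ] ; then
	chroot "${BODI_CHROOT_PATH}" apt-get update
	# shellcheck disable=SC2086 -- space separated package list
	chroot "${BODI_CHROOT_PATH}" env DEBIAN_FRONTEND=noninteractive apt-get install -y -o Dpkg::Options::="--force-confnew" ${TARGET_SYSTEM_VENDOR_PACKAGE_LIST}
fi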

# Add chassis serial number in /etc
#CHASSIS_SERIAL_NUMBER=$(dmidecode -s chassis-serial-number)
# The DMI system serial number is recorded under both file names, root-only
# (root's .bashrc written above displays it in the prompt).
SYSTEM_SERIAL_NUMBER=$(dmidecode -s system-serial-number)
for SERIAL_FILE in "${BODI_CHROOT_PATH}/etc/serialnumber" "${BODI_CHROOT_PATH}/etc/serial_number" ; do
	# shellcheck disable=SC2086 -- unquoted on purpose, whitespace is normalised
	echo ${SYSTEM_SERIAL_NUMBER} >"${SERIAL_FILE}"
done
chmod 0400 "${BODI_CHROOT_PATH}/etc/serialnumber" "${BODI_CHROOT_PATH}/etc/serial_number"

MY_HOST=$(cat "${BODI_CHROOT_PATH}/etc/hostname")

#########################################
### Install puppet client certificate ###
#########################################
# The installer leaves the agent's pre-signed credentials at the root of this
# host; when all four files are present they go under the agent's ssldir in
# the target, owned by puppet:puppet (private key 0640, the rest 0644).
PUPPET_SSL=/var/lib/puppet/ssl

# Usage: oci_puppet_ssl_dir SUBDIR
# Creates ${PUPPET_SSL}/SUBDIR in the target, owned by puppet:puppet.
oci_puppet_ssl_dir() {
	mkdir -p "${BODI_CHROOT_PATH}${PUPPET_SSL}/$1"
	chroot "${BODI_CHROOT_PATH}" chown puppet:puppet "${PUPPET_SSL}/$1"
}

# Usage: oci_puppet_ssl_file SRC RELATIVE_DST MODE
# Copies SRC from this host to ${PUPPET_SSL}/RELATIVE_DST in the target,
# sets MODE and hands it to puppet:puppet.
oci_puppet_ssl_file() {
	cp "$1" "${BODI_CHROOT_PATH}${PUPPET_SSL}/$2"
	chmod "$3" "${BODI_CHROOT_PATH}${PUPPET_SSL}/$2"
	chroot "${BODI_CHROOT_PATH}" chown puppet:puppet "${PUPPET_SSL}/$2"
}

if [ -r /puppet-private-key.pem ] && [ -r /puppet-public-key.pem ] && [ -r /puppet-ca.pem ] && [ -r /puppet-signed-cert.pem ] ; then
	# Install puppet so we have the puppet:puppet user
	chroot "${BODI_CHROOT_PATH}" apt-get install -y -o Dpkg::Options::="--force-confnew" puppet

	# Private key
	oci_puppet_ssl_dir private_keys
	oci_puppet_ssl_file /puppet-private-key.pem "private_keys/${MY_HOST}.pem" 640

	# Public key
	oci_puppet_ssl_dir public_keys
	oci_puppet_ssl_file /puppet-public-key.pem "public_keys/${MY_HOST}.pem" 644

	# ca.pem + cert
	oci_puppet_ssl_dir certs
	oci_puppet_ssl_file /puppet-ca.pem certs/ca.pem 644
	oci_puppet_ssl_file /puppet-signed-cert.pem "certs/${MY_HOST}.pem" 644
	# Marker file, presumably read by the oci-first-boot service enabled at
	# the end of this script.
	touch "${BODI_CHROOT_PATH}/var/lib/oci-first-boot"

	# This is needed by puppet-openstack
	mkdir -p "${BODI_CHROOT_PATH}/etc/facter/facts.d"
	echo "os_service_default=<SERVICE DEFAULT>" >"${BODI_CHROOT_PATH}/etc/facter/facts.d/os_service_default.txt"
	echo "os_immutable=<SERVICE DEFAULT>" >"${BODI_CHROOT_PATH}/etc/facter/facts.d/os_immutable.txt"

	# We need puppet to start with OCI's generated root CA cert knowledge. That's the
	# Environment=OS_CACERT=/etc/ssl/certs/oci-pki-oci-ca-chain.pem
	# that will do this.
	# We can't do that if the cert isn't just self-signed: this breaks the setup of
	# keystone's admin role in puppet.
	if [ -e /self-signed-api-cert ] ; then
		mkdir -p "${BODI_CHROOT_PATH}/etc/systemd/system/puppet.service.d/"
		printf '[Service]\nEnvironment=OS_CACERT=/etc/ssl/certs/oci-pki-oci-ca-chain.pem\n\n' \
			>"${BODI_CHROOT_PATH}/etc/systemd/system/puppet.service.d/oci-ca-cert.conf"
	fi
fi

# Overrides epmd.socket file to have it bind on all IPs
# not just on localhost. Port 4369 is thereby reachable from every network
# the node is attached to; nothing in this script restricts it, so that is
# left to whatever firewalling the target gets.
EPMD_SOCKET="${BODI_CHROOT_PATH}/etc/systemd/system/epmd.socket"
mkdir -p "${BODI_CHROOT_PATH}/etc/systemd/system"
cat >"${EPMD_SOCKET}" <<'EOF'
[Unit]
Description=Erlang Port Mapper Daemon Activation Socket

[Socket]
ListenStream=4369
BindIPv6Only=both
Accept=false

[Install]
WantedBy=sockets.target

EOF

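#########################################################
### Fix the unix rights of the SSH (signed) host keys ###
#########################################################
# The host keys were staged into the target (e.g. through /oci-in-target
# above) and may carry the wrong owner and modes. Globbing replaces the
# former ls parsing; an unexpanded pattern is simply skipped.
SSH_DIR="${BODI_CHROOT_PATH}/etc/ssh"
# Private host keys root-only, their .pub companions world readable.
for i in "${SSH_DIR}"/ssh_host_*_key ; do
	[ -e "$i" ] || continue
	chown root:root "$i" "$i.pub"
	chmod 0600 "$i"
	chmod 0644 "$i.pub"
done
# NOTE(review): every ssh_host_*_key.pub is treated below as a signed host
# certificate: it is registered as HostCertificate and made 0600 (undoing
# the 0644 just set). OpenSSH itself names certificates *-cert.pub and
# cannot load a plain public key as one, so confirm this matches the way
# OCI stages the signed keys.
for i in "${SSH_DIR}"/ssh_host_*_key.pub ; do
	[ -e "$i" ] || continue
	chown root:root "$i"
	chmod 0600 "$i"
	CERT=$(basename "$i")
	# Idempotent: re-running the script must not duplicate the directive.
	if ! grep -qxF "HostCertificate /etc/ssh/${CERT}" "${SSH_DIR}/sshd_config" ; then
		echo "HostCertificate /etc/ssh/${CERT}" >>"${SSH_DIR}/sshd_config"
	fi
done
if [ -e "${SSH_DIR}/ssh_known_hosts" ] ; then
	chown root:root "${SSH_DIR}/ssh_known_hosts"
fi
if [ -e "${SSH_DIR}" ] ; then
	chown root:root "${SSH_DIR}"
fi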

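##############################################################################
### Install an eventual x509 PKI, used so OpenStack nodes trust each other ###
##############################################################################
# Everything staged as /oci-pki* on this host is PKI material for the target.
# Only certificates and CA chains go to /etc/ssl/certs (world readable and
# fed to update-ca-certificates); the files the blocks below handle as
# private material (*.key, and the api/swiftproxy .pem files that end up in
# /etc/ssl/private) are skipped here so they never land in the public certs
# directory. update-ca-certificates runs once at the end if anything changed.
NEED_CA_UPDATE=no
# These are the CA certificates
for f in /oci-pki* ; do
	[ -e "$f" ] || continue
	case "$f" in
		*.key|/oci-pki-api.pem|/oci-pki-swiftproxy.pem)
			# Private material, placed under /etc/ssl/private below.
			continue ;;
	esac
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/certs"
	cp "$f" "${BODI_CHROOT_PATH}/etc/ssl/certs"
	NEED_CA_UPDATE=yes
done
# These are the node's SSL keys, installed under the snakeoil names Debian
# services use by default.
if [ -r "/${MY_HOST}.key" ] && [ -r "/${MY_HOST}.crt" ] ; then
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/private/"
	cp "/${MY_HOST}.key" "${BODI_CHROOT_PATH}/etc/ssl/private/ssl-cert-snakeoil.key"
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/certs"
	cp "/${MY_HOST}.crt" "${BODI_CHROOT_PATH}/etc/ssl/certs/ssl-cert-snakeoil.pem"
	NEED_CA_UPDATE=yes
fi

# These are the swiftproxy SSL keys
if [ -r /oci-pki-swiftproxy.key ] && [ -r /oci-pki-swiftproxy.crt ] ; then
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/private/"
	cp /oci-pki-swiftproxy.key "${BODI_CHROOT_PATH}/etc/ssl/private/oci-pki-swiftproxy.key"
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/certs"
	cp /oci-pki-swiftproxy.crt "${BODI_CHROOT_PATH}/etc/ssl/certs/oci-pki-swiftproxy.crt"
	cp /oci-pki-swiftproxy.pem "${BODI_CHROOT_PATH}/etc/ssl/private/oci-pki-swiftproxy.pem"
	NEED_CA_UPDATE=yes
fi

# These are the OpenStack public API SSL keys
if [ -r /oci-pki-api.crt ] ; then
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/certs"
	cp /oci-pki-api.crt "${BODI_CHROOT_PATH}/etc/ssl/certs/oci-pki-api.crt"
	NEED_CA_UPDATE=yes
fi
if [ -r /oci-pki-api.pem ] ; then
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/private/"
	cp /oci-pki-api.pem "${BODI_CHROOT_PATH}/etc/ssl/private/oci-pki-api.pem"
fi
if [ -r /oci-pki-api.key ] ; then
	mkdir -p "${BODI_CHROOT_PATH}/etc/ssl/private/"
	cp /oci-pki-api.key "${BODI_CHROOT_PATH}/etc/ssl/private/oci-pki-api.key"
fi
# NOTE(review): cp does not carry the source mode over, so the files in
# /etc/ssl/private get the umask default; confirm that the directory's own
# mode and group on the target keep them away from other users.
if [ "${NEED_CA_UPDATE}" = "yes" ] ; then
	chroot "${BODI_CHROOT_PATH}" /usr/sbin/update-ca-certificates -f
fi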

# Add the nf_conntrack module by default (only once, the file may already
# list it).
MODULES_FILE="${BODI_CHROOT_PATH}/etc/modules"
grep -q nf_conntrack "${MODULES_FILE}" || echo nf_conntrack >>"${MODULES_FILE}"

#########################
### Install OCI utils ###
#########################
# The utils package presumably carries the two services below, which are
# enabled so they run when the installed system boots.
OCI_UTILS_PKG=openstack-cluster-installer-utils
chroot "${BODI_CHROOT_PATH}" apt-get install -y -o Dpkg::Options::="--force-confnew" "${OCI_UTILS_PKG}"
for svc in oci-report-status.service oci-first-boot.service ; do
	chroot "${BODI_CHROOT_PATH}" systemctl enable "${svc}"
done
