#!/bin/bash
# Post-installation script (run on USER'S system after installing the
# main rEFInd package)

set -e

if [ -f /usr/share/debconf/confmodule ] ; then
    . /usr/share/debconf/confmodule
fi

install_to_esp() {
    BootCurrent=$(efibootmgr | grep BootCurrent | cut -d " " -f 2)
    # BootShimFile will hold the Shim/PreLoader filename *IF* it was used for
    # the current boot; it will be null otherwise
    BootShimFile=$(efibootmgr -v | grep Boot$BootCurrent | cut -f 2- -d '\' | cut -f 1 -d ')' | grep -i 'shim\|preloader' || true)

    cd /usr/share/refind

    if [[ -f /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c ]] ; then
        IsSecureBoot=$(od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c | awk '{print substr($0,length,1)}')
    elif [[ -f /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data ]] ; then
        IsSecureBoot=$(od -An -t u1 /sys/firmware/efi/vars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c/data | tr -d '[:space:]')
    fi
    # Note: Two find operations for ShimFile favors shim over PreLoader -- if both are
    # present, the script uses shim rather than PreLoader.
    declare ShimFile=`find /boot -name shim\.efi -o -name shimx64\.efi -o -name PreLoader\.efi 2> /dev/null | head -n 1`
    if [[ ! -n $ShimFile ]] ; then
        declare ShimFile=`find /boot -name PreLoader\.efi 2> /dev/null | head -n 1`
    fi
    declare SBSign=`which sbsign 2> /dev/null`
    declare OpenSSL=`which openssl 2> /dev/null`

    # Run the rEFInd installation script. Do so with the --shim option if
    # Secure Boot mode is suspected, if a shim program can be found, and if
    # Shim was used for the current boot; or without it if not. If a shim
    # installation is attempted and the sbsign and openssl programs can be
    # found, do the install using a local signing key. Note that this option
    # is undesirable for a distribution, since it would then require the user
    # to enroll an extra MOK. I'm including it here because I'm NOT a
    # distribution maintainer, and I want to encourage users to use their own
    # local keys.
    if [[ $IsSecureBoot == "1" && -n $ShimFile && -n "$BootShimFile" ]] ; then
        if [[ -n $SBSign && -n $OpenSSL ]] ; then
            ./refind-install --shim $ShimFile --localkeys --yes > /dev/null
        else
            ./refind-install --shim $ShimFile --yes > /dev/null
        fi
    else
        if [[ -n $SBSign && -n $OpenSSL ]] ; then
            ./refind-install --localkeys --yes > /dev/null
        else
            ./refind-install --yes > /dev/null
        fi
    fi
} # install_to_esp()

#
# Main part of script begins
#

case "$1" in
    configure)
        db_get refind/install_to_esp || true;
        if [ x"$RET" = x"true" ]; then
            echo "Installing rEFInd to the ESP..."
            install_to_esp
        else
            echo "** Not installing rEFInd to the ESP! **"
            echo "If you want rEFInd to control the boot process, you can do so by runing:"
            echo ""
            echo "dpkg-reconfigure refind"
            echo ""
        fi
    ;;

    reconfigure)
        db_get refind/install_to_esp || true;
        if [ x"$RET" = x"true" ]; then
            echo "Installing rEFInd to the ESP..."
            install_to_esp
        else
            echo "If rEFInd was previously configured to be your primary boot manager, you must"
            echo "use efibootmgr to set the computer to boot with something else."
        fi
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
        exit 0
    ;;

    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 0
    ;;
esac