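#!/usr/bin/bash
#
# Complete or undo the installation of FIPS modules.
# Not meant to be run directly; see fips-mode-setup(8).
#
# Arguments: $1 - --complete or --undo
# Exit code: 0 on success (including when there is nothing to modify),
#            1 when not run as root, 2 on a usage error.

set -e

system_fips=/etc/system-fips
dracut_cfg_d=/etc/dracut.conf.d
dracut_cfg=$dracut_cfg_d/40-fips.conf
is_ostree_system=0
action=${1-}

# Write the marker file that records a completed FIPS module installation.
create_system_fips_file() {
  echo "# FIPS module installation complete" >"$system_fips"
}

# Either indicator is enough to treat the host as an OSTree system.
if [[ -f /run/ostree-booted || -d /ostree ]]; then
  is_ostree_system=1
fi

if [[ "$action" != "--complete" && "$action" != "--undo" ]]; then
  {
    echo "Complete / undo the installation of FIPS modules."
    echo "Not to be used directly, see fips-mode-setup(8)."
    echo "usage: $0 --complete|--undo (unsupported)"
  } >&2
  exit 2
fi

# Everything below writes under /etc and regenerates boot images.
if [[ "$(id -u)" != 0 ]]; then
  echo "You must be root to run ${0##*/}" >&2
  exit 1
fi

# Files created below must not be group- or world-writable.
umask 022

# On OSTree only the marker file is managed; the initrd is left alone.
if [[ "$is_ostree_system" == 1 ]]; then
  case "$action" in
    --complete) create_system_fips_file ;;
    --undo) rm -f -- "$system_fips" ;;
  esac
fi

if [[ ! -d "$dracut_cfg_d" || ! -d /boot || "$is_ostree_system" == 1 ]]; then
  # No dracut configuration or boot directory present, do not try to modify it.
  # Also, on OSTree systems, we currently rely on the initrd already including
  # the FIPS module.
  exit 0
fi

if [[ "$action" == "--complete" ]]; then
  # If a later top-level step fails, remove both files so the marker never
  # claims a completed installation that did not actually finish.
  trap 'rm -f -- "$dracut_cfg" "$system_fips"' ERR
  create_system_fips_file

  # NOTE(review): the source text of this script is truncated between
  # `cat >$dracut_cfg <` and `/dev/null; then zipl`. Everything from the
  # here-document body down to the `command -v zipl` test is a reconstruction
  # (here-document content, --undo branch, initramfs regeneration, s390x
  # check). Confirm each line against the packaged script before relying on
  # it; any progress message that stood in the lost span is not restored.
  cat >"$dracut_cfg" <<EOF
add_dracutmodules+=" fips "
EOF
elif [[ "$action" == "--undo" ]]; then
  # NOTE(review): presumably the reverse of --complete; verify which files the
  # original removes here.
  rm -f -- "$system_fips" "$dracut_cfg"
fi

# NOTE(review): reconstructed step; rebuilds the initramfs images so they
# match the dracut configuration written or removed above.
dracut -f --regenerate-all

# NOTE(review): the outer condition is reconstructed; only the inner
# zipl-present / zipl-missing branches are visible in the source text.
if [[ "$(uname -m)" == s390x ]]; then
  if command -v zipl >/dev/null; then
    zipl
  else
    # A missing zipl is reported but does not fail the run.
    echo '`zipl` execution has been skipped: `zipl` not found.'
  fi
fi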