#!/bin/sh
#(c) 2017 BIT


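# Print a diagnostic and abort the whole run.
# Arguments: $* - message text (printed as one line)
# Outputs:   the message on stderr, so it is not mixed into stdout output
# Exits:     127 (same status as the CFEngine guard below)
fatal() {
    printf '%s\n' "$*" >&2
    exit 127
}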


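# Refuse to manage authorized_keys2 on a host where cfagent is present
# unless the caller passes --force (two separate tests: the `-a` form of
# test is obsolescent and ambiguous with odd operands).
if [ "$1" != "--force" ] && [ -x /usr/sbin/cfagent ]; then
    printf '%s\n' "CFEngine is installed on this box. Refusing to run. Run with --force to force." >&2
    exit 127
fi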


# Files created from here on are private to the user by default
# (authorized_keys2 gets an explicit chmod further down).
umask 077

# Pin locale and PATH so gpg, tar, date and friends behave the same no
# matter what environment the caller had.
LANG="en_US.UTF-8";                    export LANG
LANGUAGE="en_US:en";                   export LANGUAGE
PATH="/bin:/usr/bin:/sbin:/usr/sbin";  export PATH


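# Per-user SSH layout. Without HOME (e.g. a stripped cron environment) the
# paths would collapse to /.ssh, so abort early instead of running there.
: "${HOME:?HOME is not set; cannot locate ~/.ssh}"
ssh_dir="$HOME/.ssh"
bit_keys_dir="${ssh_dir}/bit-keys/"       # scratch dir for the download + extraction
auth_file="${ssh_dir}/authorized_keys2"   # the file this script rebuilds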


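# Enter the scratch dir, aborting if that fails: the rm's below and the
# glob cleanup at the end of the script assume the cwd is this directory.
mkdir -p -- "${bit_keys_dir:?}" || fatal "Cannot create ${bit_keys_dir}"
cd "${bit_keys_dir}" || fatal "Cannot cd to ${bit_keys_dir}"
rm -f -- bit-keys.tar bit-keys.tar.sig   # stale copies from a previous run

# Also drop bitkeys.tar* stored directly in ~/.ssh (apparently an earlier
# download location).
rm -f -- "${ssh_dir:?}/bitkeys.tar"
rm -f -- "${ssh_dir:?}"/bitkeys.tar.*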


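# Fetch the tarball and its detached signature. wget -O creates (or
# truncates) the output file even when the transfer fails, so a plain -f
# test cannot detect a failed download: check wget's exit status and then
# require both files to be non-empty. TLS certificate checking is wget's
# default and must stay enabled; the signature check below is the second
# line of defence, not a replacement for it.
wget -t 20 -qO bit-keys.tar     https://bitkeys.bit.nl/bit-keys/bit-keys.tar \
    || fatal "Downloading bit-keys.tar failed?"
wget -t 20 -qO bit-keys.tar.sig https://bitkeys.bit.nl/bit-keys/bit-keys.tar.sig \
    || fatal "Downloading bit-keys.tar.sig failed?"
if [ ! -s bit-keys.tar ] || [ ! -s bit-keys.tar.sig ]; then
    fatal "Downloading bit-keys failed?"
fi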


# Make sure the BIT signing key (long key ID 75E44E736E5F299E) is present
# in the user's keyring; on first run import the copy embedded below.
if ! gpg -q --list-key 75E44E736E5F299E >/dev/null 2>&1; then
    gpg -q --import >/dev/null 2>&1 <<EOT
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
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=MuyX
-----END PGP PUBLIC KEY BLOCK-----
EOT
    import_status=$?
    [ "$import_status" -eq 0 ] || fatal "GPG public key import failed?"
    echo "The GPG public key was imported."
fi


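# Verify the detached signature. A plain `gpg --verify` succeeds for a
# signature made by ANY key in the user's keyring, so a good exit status
# alone does not prove the tarball came from BIT. On success, additionally
# require that the GOODSIG/VALIDSIG status lines name the expected key:
# GOODSIG carries the signing key's long ID, VALIDSIG the signing-key and
# primary-key fingerprints, all of which end in that long key ID.
expected_key_id="75E44E736E5F299E"
gpg_status=$(gpg --quiet --status-fd 1 --verify bit-keys.tar.sig bit-keys.tar 2>/dev/null)
rval=$?
case "$rval" in
    0)
        # sig cryptographically valid; now pin it to the expected key
        printf '%s\n' "$gpg_status" \
            | grep -Eq "^\[GNUPG:\] (GOODSIG|VALIDSIG) .*${expected_key_id}( |\$)" \
            || fatal "Tarball is signed by a key other than ${expected_key_id}. Bailing!"
        ;;

    1)
        # sig invalid
        fatal "Invalid GPG signature for this tarball. Bailing!"
        ;;

    2)
        # key not found (gpg also uses 2 for other errors, e.g. a missing file)
        fatal "The GPG public key was not found. Bailing!"
        ;;

    *)
        # unhandled GPG error state
        fatal "Unhandled GPG error state '$rval'. Bailing!"
        ;;
esac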


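# Extract the verified tarball into the scratch dir. Check tar's own exit
# status directly: $rval still holds gpg's status at this point, so testing
# it here would never notice a failed extraction.
tar xf bit-keys.tar || fatal "Untar failed?"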


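# Rebuild authorized_keys2 from scratch. umask 077 creates it as 0600;
# 0640 is then set explicitly (group-readable, still not group-writable,
# which is what sshd's StrictModes requires).
rm -f      -- "${auth_file:?}"
touch      -- "${auth_file}"
chmod 0640 -- "${auth_file}"
cat >>"${auth_file}" <<EOT
# Updated: $(date -R)
#
# DO NOT CHANGE THIS FILE - IT IS MANAGED BY BIT-KEYS!
# ADD YOUR LOCAL SSH PUBLIC KEYS TO A FILE NAMED
# authorized_keys.local OR authorized_keys2.local
# AND IT WILL BE INCLUDED IN THIS FILE BY BIT-KEYS!
#
EOT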


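# Append locally maintained keys so they survive the rebuild above.
# -f (not -e) so a stray directory of that name is skipped rather than
# making cat fail half-way through writing the file.
for aklf in authorized_keys.local authorized_keys2.local; do
    if [ -f "${ssh_dir}/${aklf}" ]; then
        echo "Added keys from ${ssh_dir}/${aklf}"
        cat -- "${ssh_dir}/${aklf}" >> "${auth_file}"
    fi
done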


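# Append every id_*.pub.<suffix> file extracted from the tarball. The part
# after the last dot (presumably the key owner) is only used for the log
# line; a parameter expansion replaces the rev|cut|rev pipeline per file.
# read -r keeps backslashes in names intact; the loop body runs in a
# subshell, which is fine since nothing from it is needed afterwards.
find . -maxdepth 1 -type f -iname 'id_*.pub.*' | while IFS= read -r idfile; do
    idname=${idfile##*.}
    cat -- "$idfile" >> "${auth_file}"
    echo "Added key: ${idname}"
done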


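# Remove the extracted public keys again. The globs are anchored to the
# scratch dir (and :? aborts if it is unset) so this can never become an
# rm of id_*.pub.* in some unrelated working directory.
rm -f -- "${bit_keys_dir:?}"/identity.pub.* "${bit_keys_dir:?}"/id_*.pub.*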
