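#!/bin/sh
# mkosi postinst: enable the vetting-agent service and generate the
# initrd. The binary lands in the image via mkosi.extra/ (staged by the
# live-image Makefile from ../bin/vetting-agent.linux-amd64); the
# service unit lands via mkosi.skeleton/.
#
# Environment:
#   BUILDROOT - root of the image tree being assembled. Every path this
#               script writes is prefixed with it.
set -eu

# set -u only catches an *unset* BUILDROOT. An empty one would make the
# mkdir/ln calls below resolve against the build host's own /etc, so
# reject that case explicitly before touching anything.
: "${BUILDROOT:?BUILDROOT must be set to the image root}"

wants_dir="$BUILDROOT/etc/systemd/system/multi-user.target.wants"
mkdir -p "$wants_dir"
ln -sf /etc/systemd/system/vetting-agent.service \
  "$wants_dir/vetting-agent.service"

# Mask systemd-firstboot.service so the image never prompts for
# locale/timezone/root-password on boot, regardless of kernel cmdline.
# mkosi ships /etc/machine-id empty, which is what triggers the
# wizard; without this mask the service blocks sysinit.target
# indefinitely and nothing downstream (agent, ssh, network-online)
# ever starts. Kernel-cmdline systemd.firstboot=off is belt; this
# is braces.
ln -sf /dev/null "$BUILDROOT/etc/systemd/system/systemd-firstboot.service"

# Bootable=no means mkosi won't run update-initramfs for us, and the
# deferred initramfs-tools trigger inside the chroot doesn't actually
# generate /boot/initrd.img-<kver>. Do it explicitly so the top-level
# Makefile's cp of live-image/build/initrd.img has something to copy.
#
# Pick the kernel version from the module directories with a glob
# instead of parsing ls output: the ls | head pipeline hid an ls
# failure and handed an empty -k argument to update-initramfs when no
# kernel was installed.
kver=
kcount=0
for moddir in "$BUILDROOT"/lib/modules/*/; do
  # An unmatched glob stays literal; skip it.
  [ -d "$moddir" ] || continue
  kcount=$((kcount + 1))
  if [ -z "$kver" ]; then
    moddir=${moddir%/}
    kver=${moddir##*/}
  fi
done

if [ -z "$kver" ]; then
  printf 'postinst: no kernel modules directory under %s\n' \
    "$BUILDROOT/lib/modules" >&2
  exit 1
fi

# More than one kernel means the initrd choice is no longer obvious;
# keep using the first one in sorted order but say so in the build log.
if [ "$kcount" -gt 1 ]; then
  printf 'postinst: %s kernel versions found, building initrd for %s\n' \
    "$kcount" "$kver" >&2
fi

chroot "$BUILDROOT" update-initramfs -c -k "$kver"

# linux-image-amd64 creates /vmlinuz -> boot/vmlinuz-<kver>, but the
# corresponding /initrd.img symlink only gets created by an
# initramfs-tools postinst hook that relies on the kernel package's
# "postinst_hook" infrastructure — which doesn't fire when we invoke
# update-initramfs ourselves. Create it to mirror /vmlinuz.
ln -sf "boot/initrd.img-${kver}" "$BUILDROOT/initrd.img"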