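#!/bin/bash -p
#
# Enroll a YubiKey HMAC-SHA1 challenge-response slot as a LUKS key.
#
# Derivation: salt (random, or the one stored by a previous run)
#   -> SHA-512 -> YubiKey challenge -> HMAC-SHA1 response
#   -> pbkdf2-sha512 -> hex key -> cryptsetup luksAddKey.
# The salt and iteration count are persisted to YKFDE_STORAGE so the unlock
# side can recompute the same key; the derived key itself is never stored.
#
# Must run as root. `bash -p` already ignores ENV/BASH_ENV and imported
# functions; PATH is pinned as well because every external tool below runs
# with root privileges, and umask 077 keeps every file we create root-only.
set -euo pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
umask 077

# Print an error to stderr and abort with a non-zero status.
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

if [ "$EUID" -ne 0 ]; then
  # The original plain `exit` here returned 0, so a wrapper could not tell
  # the enrollment never happened.
  printf '%s\n' "Please run as root" >&2
  exit 1
fi

# sanitize environment: every parameter is fixed here, nothing is taken
# from the caller's environment.
YKFDE_SLOT=2                                # YubiKey slot programmed for HMAC-SHA1 challenge-response
YKFDE_SALT_LENGTH=16                        # random salt bytes (stored as 32 hex chars)
YKFDE_KEY_LENGTH=512                        # derived key length in bits
YKFDE_ITERATIONS=1000000                    # PBKDF2 iteration count
YKFDE_STORAGE=/boot/crypt-storage/default   # "<salt-hex>\n<iterations>" read by the unlock side
YKFDE_LUKS_DEV=/dev/nvme0n1p2               # LUKS container that receives the new key slot
YKFDE_SALT=""
YKFDE_CHALLENGE=""
YKFDE_RESPONSE=""
YKFDE_SLOT_CHECK=""
YKFDE_K_LUKS=""
readonly YKFDE_SLOT YKFDE_SALT_LENGTH YKFDE_KEY_LENGTH YKFDE_ITERATIONS \
  YKFDE_STORAGE YKFDE_LUKS_DEV

# `ykinfo -q -N` prints 1 when slot N is programmed. With no key plugged in
# it exits non-zero; that is swallowed so `set -e` does not kill the script
# before the "please insert" prompt below has a chance to appear.
slot_configured() {
  [ "$(ykinfo -q -"$YKFDE_SLOT" 2>/dev/null || true)" = 1 ]
}

YKFDE_SLOT_CHECK="$(ykinfo -q -"$YKFDE_SLOT" 2>/dev/null || true)"
printf '%s\n' " > YubiKey slot status 'ykinfo -q -$YKFDE_SLOT': $YKFDE_SLOT_CHECK"
if ! slot_configured; then
  printf '%s\n' "ERROR: Chosen YubiKey slot '$YKFDE_SLOT' isn't configured. Please insert a YubiKey with the slot configured for 'HMAC-SHA1 Challenge-Response'." >&2
fi
while ! slot_configured; do
  sleep 1
done

# Raw bytes on stdin -> lowercase hex on stdout, without any whitespace.
rbtohex() { od -An -vtx1 | tr -d ' \n'; }

# Fresh random salt, unless a previous enrollment left one in storage; reusing
# it keeps the derived key identical to key slots enrolled earlier.
YKFDE_SALT="$(dd if=/dev/random bs=1 count="$YKFDE_SALT_LENGTH" 2>/dev/null | rbtohex)"
if [ -f "$YKFDE_STORAGE" ]; then
  YKFDE_SALT="$(head -n 1 -- "$YKFDE_STORAGE")"
  printf '%s\n' "Using current Salt: $YKFDE_SALT"
fi
# An empty salt (short read, empty storage file) would silently weaken the
# whole derivation, so refuse it instead of continuing.
[ -n "$YKFDE_SALT" ] || die "salt is empty; refusing to derive a key"

# The challenge is the hex SHA-512 of the salt string (-x: hex challenge).
YKFDE_CHALLENGE="$(printf '%s' "$YKFDE_SALT" | openssl dgst -binary -sha512 | rbtohex)"
# Same slot that was checked above (the original hard-coded `-2` here, so
# changing YKFDE_SLOT would have queried the wrong slot). ykchalresp's stderr
# is silenced as before; a failure still aborts through `set -e`.
YKFDE_RESPONSE="$(ykchalresp -"$YKFDE_SLOT" -x "$YKFDE_CHALLENGE" 2>/dev/null)"
[ -n "$YKFDE_RESPONSE" ] || die "YubiKey returned an empty response for slot '$YKFDE_SLOT'"

# pbkdf2-sha512 <key bytes> <iterations> <password>; stdin is a single
# newline, exactly as the original fed it — presumably the PBKDF2 salt,
# verify against the tool's interface before changing it.
# NOTE(review): the response travels on argv and is briefly visible in
# `ps`; move it to stdin if the tool supports that.
YKFDE_K_LUKS="$(echo | pbkdf2-sha512 "$((YKFDE_KEY_LENGTH / 8))" "$YKFDE_ITERATIONS" "$YKFDE_RESPONSE" | rbtohex)"
[ -n "$YKFDE_K_LUKS" ] || die "key derivation produced no output"

mkdir -p -- "$(dirname -- "$YKFDE_STORAGE")"
# Layout: line 1 salt hex, line 2 iteration count, no trailing newline —
# unchanged from the original so existing unlock hooks keep parsing it.
printf '%s\n%s' "$YKFDE_SALT" "$YKFDE_ITERATIONS" > "$YKFDE_STORAGE"

# Hand the key to cryptsetup through a mode-0600 temp file (umask 077 above)
# rather than ./luks.key in whatever the cwd happens to be (world-readable
# under the default umask, symlink-prone in shared directories), and remove
# it on every exit path — the original left it behind when cryptsetup failed.
# The trailing newline is part of the key bytes as the original wrote them
# and is deliberately kept.
keyfile="$(mktemp)" || die "mktemp failed"
cleanup() { rm -f -- "$keyfile"; }
trap cleanup EXIT
printf '%s\n' "$YKFDE_K_LUKS" > "$keyfile"
cryptsetup luksAddKey "$YKFDE_LUKS_DEV" "$keyfile"
exit 0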