#!/bin/sh
set -x
gpg_set_ultimate_trust()
{
    local keygrip
    keygrip=$(gpg2 -K --with-colons --with-fingerprint --with-fingerprint|sed -ne '/^sec/{n;p;q}'|cut -d: -f10)
    printf '%s:6:\n' "$keygrip" | gpg2 --import-ownertrust
}

add()
{
    kiki merge \
        --flow=sync \
        --home${2:+="$2"} \
        --create=rsa:4096 \
        --flow=spill,match="$1" \
        --type=pem \
        --access=secret \
        nil
}

init()
{
    local root="$1"

    if [ "$root" ]; then
        mkdir -m0600 -p "$root"/root/.gnupg
        : kiki init root=$root
    else
        : kiki init root=/
    fi

    kiki init --cipher=- ${root:+--chroot "$root"}
    # add encrypt ${root:+"$root/root/.gnupg"}
    # add sign    ${root:+"$root/root/.gnupg"}

    (
        [ "$root" ] && export GNUPGHOME="$root/root/.gnupg/"
        gpg_set_ultimate_trust
    )
}

sync()
{
    local home1="$1"/root/.gnupg home2="$2"/root/.gnupg
    kiki sync-public \
        --homedir "$home1" \
        --passphrase-fd=0 \
        --import-if-authentic \
        --autosign \
        --keyrings "$home2"/pubring.gpg
    kiki sync-secret \
        --homedir "$home1" \
        --autosign --import
}

doublecheck()
{
    local o='--ignore-time-conflict'
    gpg2 $o --clearsign --homedir "$2"/root/.gnupg </dev/null | gpg2 $o --homedir "$1"/root/.gnupg --verify
    gpg2 $o --clearsign --homedir "$1"/root/.gnupg </dev/null | gpg2 $o --homedir "$2"/root/.gnupg --verify
}

silent()
{
    case "$-" in
        *x*) return ;;
    esac
    SILENT=y
    exec 3>&1 4>&2
    exec >/dev/null 2>&1
}

noisy()
{
    if [ "$SILENT" ]; then
        exec >&3 2>&1
    fi
}

new_child()
{
    local child_root="$1" parent_root="$2"
    init "$child_root"

    sync "$child_root" "$parent_root"
    sync "$parent_root" "$child_root"

    for d in "$parent_root"/root/.gnupg "$child_root"/root/.gnupg
    do
        gpg2 --import --homedir "$d" < "$d/pubring.gpg"
        gpg2 --import --homedir "$d" < "$d/secring.gpg"
        gpg2 --check-trustdb --homedir "$d"
    done

    doublecheck "$child_root" "$parent_root"
}

ls -lL "$(which kiki)"

child_dir=$1

set -e

[ "$(id -u)" = 0 ]

# Hate.  So much hate.
# TODO: document the fail
[ -d /run/user/0 ] || mkdir -p /run/user/0

[ "$child_dir" ]
[ ! -d "$child_dir" ]

mkdir "$child_dir"
trap -- 'umount "$child_dir"; rmdir "$child_dir"' EXIT
mount -t tmpfs -o mode=0700 tmpfs "$child_dir"

if [ "$PARENT_ROOT" ]
then
    parent_root=$PARENT_ROOT
else
    parent_root=
fi

exec </dev/null
silent
init "$parent_root"
new_child "$child_dir" "$parent_root"
noisy

trap EXIT

# gpg2 -k
# gpg2 -k --homedir "$child_dir"/root/.gnupg