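#!/usr/bin/env bash

# Configure FIDO2 support declaratively for Nomarchy NixOS.
#
# Usage:
#   <script>            write the pam_u2f feature module, then enroll a key
#   <script> --remove   delete the feature module
#
# The feature module is written under /etc/nixos via sudo; key enrollment
# writes the per-user pam_u2f key file (~/.config/Yubico/u2f_keys) and is the
# only imperative step.  Enrollment never truncates an existing key file on
# failure: the new file is written to a temp path and only moved into place
# after pamu2fcfg succeeded.

set -euo pipefail

readonly FEATURE_DIR="/etc/nixos/nomarchy-features"
readonly FEATURE_FILE="${FEATURE_DIR}/fido2.nix"
readonly U2F_KEYS="${HOME}/.config/Yubico/u2f_keys"

# Print a message to stderr and exit non-zero.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

#######################################
# Delete the feature module if it exists.
# Globals:   FEATURE_FILE (read)
# Outputs:   status messages on stdout
# Returns:   0; exits 1 if the removal itself fails
#######################################
remove_feature() {
    if [[ -f "$FEATURE_FILE" ]]; then
        sudo rm -- "$FEATURE_FILE" || die "Failed to remove $FEATURE_FILE."
        printf '%s\n' "Removed $FEATURE_FILE."
        printf '%s\n' "IMPORTANT: Remove './nomarchy-features/fido2.nix' from your imports and run 'sys-update'."
    else
        printf '%s\n' "FIDO2 support not found."
    fi
}

#######################################
# Write the NixOS module that enables pam_u2f, unless it already exists.
# Globals:   FEATURE_DIR, FEATURE_FILE (read)
# Outputs:   status messages on stdout
# Returns:   0; exits 1 if the directory or file cannot be written
#######################################
install_feature() {
    if [[ -f "$FEATURE_FILE" ]]; then
        printf '%s\n' "FIDO2 support is already configured in $FEATURE_FILE"
        return 0
    fi
    sudo mkdir -p -- "$FEATURE_DIR" || die "Failed to create $FEATURE_DIR."
    # NOTE(review): control = "sufficient" lets a successful key touch satisfy
    # the PAM auth stack on its own, i.e. the enrolled key stands in for the
    # password rather than adding to it; use "required" if a second factor is
    # what is wanted.  Confirm against the generated PAM stack after
    # 'sys-update'.  The heredoc delimiter is quoted so nothing in the module
    # text is expanded by the shell.
    if ! sudo tee "$FEATURE_FILE" > /dev/null <<'EOF'
{ config, pkgs, ... }:
{
  security.pam.u2f = {
    enable = true;
    control = "sufficient";
    cue = true;
    # authFile = "/etc/fido2/fido2"; # Default is ~/.config/Yubico/u2f_keys
  };
}
EOF
    then
        die "Failed to write $FEATURE_FILE."
    fi
    printf '%s\n' "Created $FEATURE_FILE."
    printf '%s\n' "IMPORTANT: To finish enabling FIDO2 support, add './nomarchy-features/fido2.nix' to your imports list in /etc/nixos/system.nix or /etc/nixos/flake.nix,"
    printf '%s\n' "then run 'sys-update'."
}

#######################################
# Register the attached FIDO2 key for the current user with pamu2fcfg.
# The output goes to a temp file next to the key file and replaces it only
# when pamu2fcfg exited 0 and produced output, so an absent key or a cancelled
# touch leaves the previous key file intact.  A previous key file is kept as
# U2F_KEYS.bak, since (as in the original flow) the new file replaces it
# rather than appending to it.
# Globals:   U2F_KEYS (read)
# Outputs:   status messages on stdout
# Returns:   0 (also when pamu2fcfg is not installed); exits 1 on failure
#######################################
enroll_key() {
    if ! command -v pamu2fcfg > /dev/null 2>&1; then
        printf '%s\n' "pamu2fcfg not found. Please run 'nomarchy-pkg-add pam-u2f' or 'sys-update' if you just enabled it."
        return 0
    fi
    printf '%s\n' "Let's register your FIDO2 key now."

    local keys_dir tmp
    keys_dir=${U2F_KEYS%/*}
    mkdir -p -- "$keys_dir" || die "Failed to create $keys_dir."
    tmp=$(mktemp "${keys_dir}/u2f_keys.XXXXXX") || die "mktemp failed."

    if ! pamu2fcfg > "$tmp"; then
        rm -f -- "$tmp"
        die "Key registration failed; $U2F_KEYS was left unchanged."
    fi
    if [[ ! -s "$tmp" ]]; then
        rm -f -- "$tmp"
        die "pamu2fcfg produced no output; $U2F_KEYS was left unchanged."
    fi

    # The key file holds the credential's public half and key handle; keep it
    # readable by the owner only.
    chmod 600 -- "$tmp"
    if [[ -f "$U2F_KEYS" ]]; then
        cp -p -- "$U2F_KEYS" "${U2F_KEYS}.bak"
    fi
    mv -f -- "$tmp" "$U2F_KEYS"
    printf '%s\n' "FIDO2 key registered."
}

main() {
    # ${1-} rather than $1 so a bare invocation survives set -u; quoted RHS so
    # the argument is compared literally rather than as a glob pattern.
    if [[ "${1-}" == "--remove" ]]; then
        remove_feature
        exit 0
    fi
    install_feature
    # Enrollment is still an imperative action
    enroll_key
}

main "$@"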
