# nixos-config - My current NixOS configuration
#
# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de>
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of my nixos-config.
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
{
  stdenv,
  fetchurl,
  sequoia-sq,
  libarchive, # for bsdtar
}: let
  version = "7.8.1";

  checked_iso = stdenv.mkDerivation (finalAttrs: {
    pname = "tails-iso";
    version = "amd64-${version}";

    srcs = [
      (fetchurl {
        url = "https://tails.net/torrents/files/tails-${finalAttrs.version}.iso.sig";
        hash = "sha256-DQm+EHe0KllmzLQzGU61cqaRDNjhU3KUCtDzHKDwWck=";
      })
      (fetchurl {
        url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/tails-${finalAttrs.version}.iso";
        hash = "sha256-Y4Sch1ZgWUODi9rxcXimVrFvicXPCN6SgLvINvJGcvw=";
      })
      (fetchurl {
        url = "https://tails.net/tails-signing.key";
        hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k=";
      })
    ];

    dontUnpack = true;

    nativeBuildInputs = [
      sequoia-sq
    ];

    buildPhase =
      /*
      bash
      */
      ''
        for src in $srcs; do
          cp --recursive "$src" "$(stripHash "$src")"
        done

        sq verify \
          --signer-file=tails-signing.key \
          --signature-file=tails-${finalAttrs.version}.iso.sig \
          tails-${finalAttrs.version}.iso
      '';

    installPhase = ''
      cp tails-${finalAttrs.version}.iso "$out";
    '';
  });
in
  stdenv.mkDerivation {
    name = "live_iso_boot_entry";

    src = checked_iso;

    dontUnpack = true;

    nativeBuildInputs = [
      libarchive
    ];

    buildPhase = ''
      mkdir iso
      bsdtar -xf "$src" -C iso
    '';

    passthru = {
      inherit version;
    };

    installPhase = ''
      install -D ./iso/live/initrd.img "$out/live/initrd.img"
      install -D ./iso/live/vmlinuz "$out/live/vmlinuz"
      install -D ./iso/live/filesystem.squashfs "$out/live/filesystem.squashfs"
    '';
  }