#!/usr/bin/bash
# veilor-firstboot — set admin password on first boot, then self-disable.
# Runs on TTY1 before SDDM. Only fires while admin password is empty/expired.

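# No `set -e` on purpose: the passwd retry loop and the best-effort
# systemctl/SELinux steps below handle their own failures explicitly.
set -uo pipefail

readonly STATE=/var/lib/veilor-firstboot.done
readonly ADMIN_USER=admin

# Diagnostics go to stderr so they land in the journal even when stdout is
# the console the user is looking at.
warn() {
    printf 'veilor-firstboot: %s\n' "$*" >&2
}

# Already completed on an earlier boot — nothing to do.
[[ -f $STATE ]] && exit 0

# Refuse to run if the account is missing: otherwise `passwd` would fail on
# every iteration and the retry loop below would never terminate.
if ! id "$ADMIN_USER" >/dev/null 2>&1; then
    warn "user '$ADMIN_USER' does not exist; cannot set the first-boot password"
    exit 1
fi

# passwd needs a terminal to prompt on. Without one it fails immediately and
# the retry loop would spin forever; exit non-zero instead so the unit simply
# fires again on the next boot (the marker file is not written).
# Assumes the service hands this script the console tty on stdin.
if [[ ! -t 0 ]]; then
    warn "no terminal on stdin; cannot prompt for a password"
    exit 1
fi

# Branded banner. `clear` may fail when TERM is unset; that is not fatal.
clear 2>/dev/null || true
cat << 'EOF'

  ┌──────────────────────────────────────────────────────────┐
  │                                                          │
  │                       veilor-os                          │
  │              first boot — admin password                 │
  │                                                          │
  └──────────────────────────────────────────────────────────┘

  Set a password for the local admin account.

  Requirements: minimum 14 characters, at least one digit,
  one uppercase, one lowercase, one special character.

EOF

# Loop until passwd succeeds. Complexity is enforced by pwquality (PAM),
# not by this script — the banner text only mirrors that policy.
until passwd "$ADMIN_USER"; do
    printf '\n  Password not accepted. Try again.\n\n'
    sleep 1
done

# Mark completion so the service does not prompt again. If this fails the
# prompt will reappear on the next boot; say so rather than fail silently.
touch "$STATE" \
    || warn "could not write $STATE; the password prompt will reappear on the next boot"

# Disable self for subsequent boots. The marker file above is the primary
# guard, so a failure here is only worth a warning.
systemctl disable veilor-firstboot.service >/dev/null 2>&1 \
    || warn "could not disable veilor-firstboot.service; relying on $STATE to prevent a re-run"

printf '\n  Password set.\n'
printf '  Re-enabling SELinux enforcing mode...\n'

# SELinux was disabled at build time (pcre2/regex mismatch). Switch the
# persistent config to enforcing and request a full relabel on next boot.
# Failures are reported instead of being discarded: the marker file above
# means this script does not get a second chance, and a silently skipped
# edit would leave the system permanently non-enforcing.
if [[ -f /etc/selinux/config ]]; then
    if sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config; then
        # sed reports success even when no line matched; verify the result.
        grep -q '^SELINUX=enforcing$' /etc/selinux/config \
            || warn "/etc/selinux/config has no SELINUX= line; enforcing mode was NOT set"
    else
        warn "failed to edit /etc/selinux/config; SELinux remains in its build-time state"
    fi
else
    warn "/etc/selinux/config not found; SELinux remains in its build-time state"
fi
touch /.autorelabel \
    || warn "could not create /.autorelabel; the filesystem will not be relabeled on next boot"

printf '  Starting graphical session...\n'
sleep 2

# Start SDDM (held back by service ordering until this unit has run).
# Propagate its failure as this script's exit status.
if ! systemctl start sddm.service; then
    warn "failed to start sddm.service"
    exit 1
fi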
