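#!/usr/bin/env bash
# veilor-os — ISO builder
# Wraps livemedia-creator inside a podman container for reproducibility.
# Run from repo root.
#
# Environment:
#   RELEASEVER  release version handed to livemedia-creator (default: 43)
#
# Outputs (under build/out/):
#   veilor-os-<RELEASEVER>-<YYYYMMDD>.iso, its .sha256, and build-<YYYYMMDD>.log
set -euo pipefail

REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
OUT_DIR="$REPO_ROOT/build/out"
KS="$REPO_ROOT/kickstart/veilor-os.ks"
RELEASEVER="${RELEASEVER:-43}"

# RELEASEVER comes from the caller's environment and ends up in file names and
# in a command line that runs as root inside a --privileged container, so
# restrict it to a conservative character set before using it anywhere.
if [[ ! "$RELEASEVER" =~ ^[A-Za-z0-9._-]+$ ]]; then
  printf '[ERROR] RELEASEVER contains unsupported characters: %q\n' "$RELEASEVER" >&2
  exit 2
fi

DATE="$(date +%Y%m%d)"
ISO_NAME="veilor-os-${RELEASEVER}-${DATE}.iso"

# Run a command as root: directly when already root, through sudo otherwise.
as_root() {
  if [[ $EUID -ne 0 ]]; then
    sudo "$@"
  else
    "$@"
  fi
}

mkdir -p "$OUT_DIR"

# ── Validate kickstart ──
# Best effort: validation is skipped when ksvalidator is not installed.
if command -v ksvalidator &>/dev/null; then
  ksvalidator "$KS"
fi

# ── Build container (rootless OK) ──
podman build -t veilor-build:latest "$REPO_ROOT/build"

# ── Build ISO (rootful — losetup + mount need real CAP_SYS_ADMIN) ──
# rootless podman can't create loop devices even with --privileged because the
# host kernel rejects CAP_SYS_ADMIN from a user namespace.
if [[ $EUID -ne 0 ]]; then
  echo "[INFO] Running ISO build under sudo (loop devices require root)"

  # Make rootful podman see the rootless-built image.
  # The image is streamed over a pipe instead of `load -i <(podman save …)`:
  # sudo normally closes inherited descriptors above stderr, so the /dev/fd
  # path produced by process substitution is likely unreadable on the root
  # side, and with stderr discarded that failure was invisible.
  # If the transfer fails for any reason, rebuild the image in the root store.
  if ! podman save veilor-build:latest | sudo podman load 2>/dev/null; then
    sudo podman build -t veilor-build:latest "$REPO_ROOT/build"
  fi
fi

# The container script is single-quoted and receives its values through -e, so
# nothing from the host environment is spliced into the shell text that runs
# as root in the privileged container.
# NOTE(review): the repo is mounted read-write at /work; if the kickstart only
# needs to read it, a read-only mount would shrink what the privileged
# container can modify — confirm before changing.
as_root podman run --rm --privileged \
  --security-opt label=disable \
  -e "DATE=$DATE" \
  -e "RELEASEVER=$RELEASEVER" \
  -e "ISO_NAME=$ISO_NAME" \
  -v /dev:/dev \
  -v "$REPO_ROOT:/work" \
  -v "$OUT_DIR:/out" \
  veilor-build:latest -c '
    set -e
    # :? aborts instead of expanding to a bare /out/build- path.
    rm -rf "/out/build-${DATE:?}" /tmp/lmc
    livemedia-creator \
      --make-iso \
      --no-virt \
      --ks /work/kickstart/veilor-os.ks \
      --resultdir "/out/build-${DATE}" \
      --project veilor-os \
      --releasever "${RELEASEVER:?}" \
      --volid VEILOR_OS \
      --tmp /tmp/lmc \
      --logfile "/out/build-${DATE}.log"
    cp "/out/build-${DATE}"/*.iso "/out/${ISO_NAME:?}"
    # Record the bare file name, not the container-only /out/ path, so that
    # `sha256sum -c` works from the output directory on the host.
    cd /out
    sha256sum "${ISO_NAME}" > "${ISO_NAME}.sha256"
  '

echo
echo "════════════════════════════════════════════════════════"
echo " ISO ready: $OUT_DIR/$ISO_NAME"
echo " Checksum: $OUT_DIR/$ISO_NAME.sha256"
echo " Build log: $OUT_DIR/build-${DATE}.log"
echo "════════════════════════════════════════════════════════"
echo
echo " Write to USB: sudo dd if=$OUT_DIR/$ISO_NAME of=/dev/sdX bs=4M status=progress conv=fsync"
echo " 
(replace /dev/sdX with your USB device — use lsblk to identify)"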