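#!/bin/bash
#
# sign-mirror.sh
# Generate a detached PGP signature for stygian.failzero.net/mirror.
#
# Hashes every regular file under MIRROR_PATH into a timestamped SHA256SUMS
# manifest, signs the manifest with SIGNING_KEY, checks the new signature,
# prunes older manifest/signature pairs and repoints the SHA256SUMS and
# SHA256SUMS.asc symlinks at the pair produced by this run.
#
# Relies on GNU find/xargs-style tooling and on gpg being able to sign
# non-interactively (--batch) with SIGNING_KEY.
set -euo pipefail

MIRROR_PATH="/mnt/brimstone/mirror/signatures"
SIGNING_KEY="doc@filenotfound.org"
BASENAME="SHA256SUMS"
KEEP=3
TS=$(date +"%Y%m%d-%H%M%S")
LATEST="${BASENAME}-${TS}"
CHECKSUM_FILE="$MIRROR_PATH/$LATEST"

# A run that dies while hashing or signing must not leave a partial or
# unsigned manifest in the mirror: rotation below would count it as one of
# the kept sets and evict a properly signed one.
signed_ok=0
cleanup() {
  if (( ! signed_ok )); then
    rm -f -- "$CHECKSUM_FILE" "$CHECKSUM_FILE.asc"
  fi
}
trap cleanup EXIT

echo "[*] Generating $CHECKSUM_FILE..."
(
  cd "$MIRROR_PATH"
  # '{} +' batches files per sha256sum call and, unlike '{} \;', makes find
  # exit non-zero when a sha256sum invocation fails, so set -e can stop the
  # run before an incomplete manifest gets signed.
  find . -type f -not -xtype l ! -name "SHA256SUMS*" -exec sha256sum -- {} +
) > "$CHECKSUM_FILE"

echo "[*] Signing with GPG key: $SIGNING_KEY"
gpg --batch --yes --default-key "$SIGNING_KEY" \
  --armor --detach-sign "$CHECKSUM_FILE"

echo "[*] Verifying signature..."
# Sanity check against the local keyring only: it confirms the signature
# matches the manifest, it does not pin which key produced it. Consumers of
# the mirror still have to check the signer's fingerprint themselves.
gpg --verify "$CHECKSUM_FILE.asc" "$CHECKSUM_FILE"
signed_ok=1

# Rotate old files, keep last $KEEP manifest/signature pairs.
echo "[*] Rotating old signatures (keeping last ${KEEP})..."
cd "$MIRROR_PATH"
shopt -s nullglob

# "${BASENAME}-*" also matches the .asc files, so manifests are collected
# separately and each one is removed together with its signature. The
# timestamp suffix makes glob (name) order chronological, which does not
# depend on mtimes surviving copies or syncs.
manifests=()
for candidate in "${BASENAME}"-*; do
  if [[ "$candidate" != *.asc ]]; then
    manifests+=("$candidate")
  fi
done

prune_count=$(( ${#manifests[@]} - KEEP ))
if (( prune_count > 0 )); then
  for old in "${manifests[@]:0:prune_count}"; do
    rm -f -- "$old" "$old.asc"
  done
fi

# A signature whose manifest is gone cannot be verified against anything.
for sig in "${BASENAME}"-*.asc; do
  if [[ ! -e "${sig%.asc}" ]]; then
    rm -f -- "$sig"
  fi
done

# Update symlinks to latest. LATEST is the manifest written by this run; it
# is not derived from a directory listing, where the newer .asc file would
# sort first and be mistaken for the manifest.
echo "[*] Updating symlinks..."
ln -sf "$LATEST" "${BASENAME}"
ln -sf "$LATEST.asc" "${BASENAME}.asc"

echo "[+] Done. Latest signature: ${LATEST}.asc"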