#!/usr/bin/make -f
include /usr/share/dpkg/pkg-info.mk

DEB_DH_INSTALL_ARGS=-X .git
PIP_ARGS=--verbose --no-deps --no-binary=:all: --no-cache-dir

%:
	dh $@ --with systemd --buildsystem=pybuild

# Move the conffile in version control to squash the autogenerated one
# by debhelper, as files in /etc/ are automatically marked as
# conffiles.  We are shipping AppArmor profiles via this package, and
# want them to be correctly updated with each update.
override_dh_installdeb:
	dh_installdeb
	echo -n "" > ${CURDIR}/debian/securedrop-app-code/DEBIAN/conffiles
	echo -n "" > ${CURDIR}/debian/securedrop-config/DEBIAN/conffiles
	echo -n "" > ${CURDIR}/debian/securedrop-keyring/DEBIAN/conffiles

override_dh_auto_install:
	# Build securedrop-config Rust code
	cd /srv/rust/noble-migration && cargo build --release --locked && \
		cd /srv/securedrop && \
		mkdir -p ./debian/securedrop-config/usr/bin && \
		mv /srv/rust/target/release/check ./debian/securedrop-config/usr/bin/securedrop-noble-migration-check && \
		mv /srv/rust/target/release/upgrade ./debian/securedrop-config/usr/bin/securedrop-noble-migration-upgrade
	# Build redwood wheel
	python3 /srv/rust/redwood/build-wheel.py --release --redwood /srv/rust/redwood --target /srv/rust/target
	# Set up virtualenv and install dependencies
	/usr/bin/python3 -m venv ./debian/securedrop-app-code/opt/venvs/securedrop-app-code
	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
		pip==25.0
	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
		-r requirements/python3/requirements.txt
	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
		/srv/rust/redwood/redwood-*.whl
	# Update paths to point to install destination
	find ./debian/securedrop-app-code/ -type f -exec sed -i "s#$(shell pwd)/debian/securedrop-app-code##" {} \;
	# Generage wsgi.load for apache
	mkdir -p ./debian/securedrop-app-code/etc/apache2/mods-available
	python3 ./debian/gen-mods.py > ./debian/securedrop-app-code/etc/apache2/mods-available/wsgi.load
	dh_auto_install $@

override_dh_auto_test:
	# Skip, we don't run tests at package build time

override_dh_install:
	# Build translations
	bash ./debian/translations.sh
	# Things to exclude
	find . -type f -name '*requirements.in' -delete
	find . -type f -name '*.mako' -delete
	rm upload-screenshots.py
	# If a custom logo exists in the tree, delete it
	rm -f static/i/custom_logo.png
	# Same with any config.py
	rm -f config.py
	dh_install

override_dh_strip_nondeterminism:
	# Delete non-reproducible things
	find ./debian/ -type f -name '*.pyc' -delete
	find ./debian/ -type f -name 'pip-selfcheck.json' -delete
	find ./debian/ -type f -name 'RECORD' -delete
	dh_strip_nondeterminism $@

override_dh_gencontrol:
ifneq ($(findstring +noble,$(DEB_VERSION)),)
	dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends=apparmor (>= 4.0.1really4.0.1-0ubuntu0.24.04.3)"
	dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends=systemd-hwe-hwdb"
else
	dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends="
	dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends="
endif
	dh_gencontrol -psecuredrop-ossec-agent -- "-v3.6.0+${DEB_VERSION}"
	dh_gencontrol -psecuredrop-ossec-server -- "-v3.6.0+${DEB_VERSION}"
	dh_gencontrol -psecuredrop-keyring -- "-v0.2.2+${DEB_VERSION}"
	dh_gencontrol --remaining-packages

#
# Have to override the automatic service handling since we have more
# than one.
#
override_dh_installinit:
	dh_installinit --noscripts

# We want to enable all systemd units except those that are run by timers, so
# we have to mark those as --no-enable first, then the final
# `dh_systemd_enable` invocation will enable the rest.
override_dh_systemd_enable:
	dh_systemd_enable --no-enable securedrop-submissions-today.service
	dh_systemd_enable --no-enable securedrop-clean-tmp.service
	dh_systemd_enable --no-enable securedrop-remove-pending-sources.service
	dh_systemd_enable --no-enable securedrop-remove-packages.service
	dh_systemd_enable --no-enable securedrop-cleanup-ossec.service
	dh_systemd_enable --no-enable securedrop-reboot-required.service
	dh_systemd_enable --no-enable securedrop-noble-migration-check.service
	dh_systemd_enable --no-enable securedrop-noble-migration-upgrade.service
	dh_systemd_enable

# This is basically the same as the enable stanza above, just whether the
# unit should be started after installation.
override_dh_systemd_start:
	dh_systemd_start --no-start securedrop-submissions-today.service
	dh_systemd_start --no-start securedrop-clean-tmp.service
	dh_systemd_start --no-start securedrop-remove-pending-sources.service
	dh_systemd_start --no-start securedrop-remove-packages.service
	dh_systemd_start --no-start securedrop-cleanup-ossec.service
	dh_systemd_start --no-start securedrop-reboot-required.service
	dh_systemd_start --no-start securedrop-noble-migration-check.service
	dh_systemd_start --no-start --no-restart-after-upgrade \
		securedrop-noble-migration-upgrade.service
	dh_systemd_start
