#!/bin/sh -eu

# Known good post-debootstrap values
passwd_bootstrap="9738946debbc125bd6cf3f197582a8a5"
shadow_bootstrap="4d299751999cae6de045390dd568812c"
group_bootstrap="dd4a0ebdd3f5d170d5a46e6bade5c6c3"
gshadow_bootstrap="42025e85925432105b429b7c801a50a4"

# Current post-debootstrap values
passwd_hash=$(set -- $(md5sum /etc/passwd) && echo $1)
shadow_hash=$(set -- $(cat /etc/shadow | sed "s/:.*:0:99999:/:0:99999:/g" | md5sum) && echo $1)
group_hash=$(set -- $(md5sum /etc/group) && echo $1)
gshadow_hash=$(set -- $(md5sum /etc/gshadow) && echo $1)

# /etc/passwd
if [ "$passwd_bootstrap" = "$passwd_hash" ]; then
    cat > /etc/passwd <<EOF
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
messagebus:x:100:103::/var/run/dbus:/bin/false
clickpkg:x:101:104::/nonexistent:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
systemd-timesync:x:103:108:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:104:109:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:105:110:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:106:111:systemd Bus Proxy,,,:/run/systemd:/bin/false
EOF
else
    echo "/etc/passwd post-debootstrap hash doesn't match record" >&2
    exit 1
fi

# /etc/shadow
if [ "$shadow_bootstrap" = "$shadow_hash" ]; then
    cat > /etc/shadow <<EOF
root:*:16329:0:99999:7:::
daemon:*:16329:0:99999:7:::
bin:*:16329:0:99999:7:::
sys:*:16329:0:99999:7:::
sync:*:16329:0:99999:7:::
games:*:16329:0:99999:7:::
man:*:16329:0:99999:7:::
lp:*:16329:0:99999:7:::
mail:*:16329:0:99999:7:::
news:*:16329:0:99999:7:::
uucp:*:16329:0:99999:7:::
proxy:*:16329:0:99999:7:::
www-data:*:16329:0:99999:7:::
backup:*:16329:0:99999:7:::
list:*:16329:0:99999:7:::
irc:*:16329:0:99999:7:::
gnats:*:16329:0:99999:7:::
nobody:*:16329:0:99999:7:::
messagebus:*:16413:0:99999:7:::
clickpkg:*:16413:0:99999:7:::
sshd:*:16413:0:99999:7:::
systemd-timesync:*:16413:0:99999:7:::
systemd-network:*:16413:0:99999:7:::
systemd-resolve:*:16413:0:99999:7:::
systemd-bus-proxy:*:16413:0:99999:7:::
EOF
else
    echo "/etc/shadow post-debootstrap hash doesn't match record" >&2
    exit 1
fi

# /etc/group
if [ "$group_bootstrap" = "$group_hash" ]; then
    cat > /etc/group <<EOF
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:
audio:x:1005:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
netdev:x:101:
crontab:x:102:
messagebus:x:103:
clickpkg:x:104:
ssh:x:105:
systemd-journal:x:106:
systemd-journal-remote:x:107:
systemd-timesync:x:108:
systemd-network:x:109:
systemd-resolve:x:110:
systemd-bus-proxy:x:111:
input:x:112:
EOF
else
    echo "/etc/group post-debootstrap hash doesn't match record" >&2
    exit 1
fi

# /etc/gshadow
if [ "$gshadow_bootstrap" = "$gshadow_hash" ]; then
    cat > /etc/gshadow <<EOF
root:*::
daemon:*::
bin:*::
sys:*::
adm:*::syslog
tty:*::
disk:*::
lp:*::
mail:*::
news:*::
uucp:*::
man:*::
proxy:*::
kmem:*::
dialout:*::
fax:*::
voice:*::
cdrom:*::
floppy:*::
tape:*::
sudo:*::
audio:*::pulse
dip:*::
www-data:*::
backup:*::
operator:*::
list:*::
irc:*::
src:*::
gnats:*::
shadow:*::
utmp:*::
video:*::
sasl:*::
plugdev:*::
staff:*::
games:*::
users:*::
nogroup:*::
netdev:!::
crontab:!::
messagebus:!::
clickpkg:!::
ssh:!::
systemd-journal:!::
systemd-journal-remote:!::
systemd-timesync:!::
systemd-network:!::
systemd-resolve:!::
systemd-bus-proxy:!::
input:!::
EOF
else
    echo "/etc/gshadow post-debootstrap hash doesn't match record" >&2
    exit 1
fi


# Record the current state for later comparison
for file in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
    rm -f ${file}-
    cp ${file} ${file}.orig
done