#!/usr/bin/make -f
#export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow

CONFIGUREARGS := --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
		--enable-ldap --enable-curl \
		--with-capabilities=libcap \
		--enable-smartcard --enable-pkcs11 \
		--with-default-pkcs11=/usr/lib/$(DEB_HOST_MULTIARCH)/opensc-pkcs11.so \
		--enable-mediation --enable-medsrv --enable-medcli \
		--enable-openssl --enable-agent \
		--enable-ctr --enable-ccm --enable-gcm --enable-addrblock \
		--enable-eap-radius --enable-eap-identity --enable-eap-md5 \
		--enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2 \
		--enable-eap-tls --enable-eap-ttls --enable-eap-tnc \
		--enable-sql --enable-integrity-test \
		--enable-ha --enable-dhcp --enable-farp \
		--enable-led \
		--enable-test-vectors --enable-nat-transport \
		--enable-nm
	#	--with-user=strongswan --with-group=nogroup \
	#	--enable-kernel-pfkey --enable-kernel-klips \
	# And for --enable-eap-sim we would need the library, which we don't
	# have right now.
	# Don't --enable-cisco-quirks, because some other IPsec implementations
	# (most notably the Phion one) have problems connecting when pluto 
	# sends these Cisco options.

DEB_BUILD_ARCH_CPU ?=$(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)

ifeq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
	CFLAGS += -O2
endif
ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
	MAKEFLAGS += -j$(NUMJOBS)
endif
# the padlock plugin only makes sense on i386 
# but it actually doesn't do much, so maybe we don't need it
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
  CONFIGUREARGS += --enable-padlock
endif

override_dh_auto_configure:
	dh_auto_configure -- $(CONFIGUREARGS)

override_dh_auto_clean:
	dh_auto_clean
	# after a make clean, no binaries _should_ be left, but ....
	-find $(CURDIR) -name "*.o" | xargs --no-run-if-empty rm

	# Really clean (#356716)
	# This is a hack: should be better implemented
	rm -f lib/libstrongswan/libstrongswan.a || true
	rm -f lib/libstrongswan/liboswlog.a || true

	# just in case something went wrong
	rm -f $(CURDIR)/debian/ipsec.secrets
	
	# and make sure that template are up-to-date
	debconf-updatepo


override_dh_install:
	# install files from debian/tmp into proper package dirs
	dh_install --fail-missing -X\.la -X\.a -Xmedsrv -Xman3 -Xlibstrongswan-padlock.so -Xlibstrongswan-nm.so

	# special handling for padlock, as it is only built on i386
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
	  install $(CURDIR)/debian/tmp/usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/libstrongswan-padlock.so* $(CURDIR)/debian/libstrongswan/usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins/
endif

	# and additional files not covered by upstream makefile...
	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
	# also "patch" ipsec.conf to include the debconf-managed file
	echo >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
	echo "include /var/lib/strongswan/ipsec.conf.inc" >> $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
	# and to enable both IKEv1 and IKEv2 by default
	sed -r 's/^[ \t]+# *plutostart=(yes|no) */\tplutostart=yes/;s/^[ \t]+# *charonstart=(yes|no) */\tcharonstart=yes/' < $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf > $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp
	mv $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf.tmp $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
	# set permissions on ipsec.secrets
	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
	#chmod 644 $(CURDIR)/debian/strongswan-starter/etc/ipsec.conf
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/
	# don't know why they come with +x set by default...
	#chmod 644 $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/policies/*
	#chmod 644 $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/examples/*

	# this is handled by update-rc.d
	rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d

	# delete var/lock/subsys and var/run to satisfy lintian
	rm -rf $(CURDIR)/debian/openswan/var/lock
	rm -rf $(CURDIR)/debian/openswan/var/run

	# the logcheck ignore files
	install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.paranoid $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.paranoid/strongswan
	install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.server/strongswan
	install -D --mode=0600 $(CURDIR)/debian/logcheck.ignore.server $(CURDIR)/debian/libstrongswan/etc/logcheck/ignore.d.workstation/strongswan
	install -D --mode=0600 $(CURDIR)/debian/logcheck.violations.ignore $(CURDIR)/debian/libstrongswan/etc/logcheck/violations.ignore.d/strongswan

	# more lintian cleanups
	find $(CURDIR)/debian/*strongswan*/ -name ".cvsignore" | xargs --no-run-if-empty rm -f
	find $(CURDIR)/debian/*strongswan*/ -name "/.svn/" | xargs --no-run-if-empty rm -rf


override_dh_installdocs:
	dh_installdocs -pstrongswan -n
	# change the paths in the installed doc files (but only in regular 
	# files, not in links to the outside of the build tree !)
	# TODO: check if we still need this
	( cd $(CURDIR)/debian/strongswan/; \
	  for f in `grep "/usr/local/" --recursive --files-with-match *`; \
	  do \
		if [ -f $$f -a ! -L $$f ]; then \
		    cp $$f $$f.old; \
 		    sed 's/\/usr\/local\//\/usr\//' $$f.old > $$f; \
		    rm $$f.old; \
		fi; \
	  done )

override_dh_installinit:
	dh_installinit -n --name=ipsec

override_dh_installchangelogs:
	dh_installchangelogs NEWS

override_dh_installdocs:
	dh_installdocs README

override_dh_strip:
	dh_strip --dbg-package=strongswan-dbg

override_dh_fixperms:
	dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan

override_dh_makeshlibs:
	dh_makeshlibs -n -X usr/lib/$(DEB_HOST_MULTIARCH)/ipsec/plugins

%:
	dh $@