#!/usr/bin/make -f
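# Extra linker flags appended to whatever dpkg-buildflags selects: link only
# against libraries that are really used and let the linker optimise output.
export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1
# Stricter variant kept for reference (-z,defs rejects undefined symbols at
# link time); it is not active.
#export DEB_LDFLAGS_MAINT_APPEND=-Wl,--as-needed -Wl,-O1 -Wl,-z,defs
# Request every dpkg-buildflags hardening feature for this security-sensitive
# daemon.
export DEB_BUILD_MAINT_OPTIONS=hardening=+all
# Append instead of assigning: a plain "=" here would discard whatever the
# builder passed in the environment (for example nocheck or parallel=N).
# NOTE(review): with nostrip set, dh_strip leaves every binary untouched, so
# the --dbg-package requested in override_dh_strip receives no detached
# symbols. Confirm that shipping unstripped binaries is intended.
export DEB_BUILD_OPTIONS += nostrip
# Read by the upstream test suite (built via --enable-unit-tests); presumably
# it only shortens keys generated during the tests, not runtime defaults.
# TODO confirm against the upstream test documentation.
export TESTS_REDUCED_KEYLENGTHS=1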

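# Options handed to ./configure by override_dh_auto_configure, one per line so
# that changes stay reviewable.  Annotations live in this header rather than
# after a continued line: a trailing "#" comment leaves trailing whitespace in
# the value and silently swallows any option appended after it.
#
# Points worth a second look when reviewing this list:
#   --enable-test-vectors, --enable-integrity-test
#       build the crypto self-test and integrity-check support.
#   --enable-xauth-noauth
#       builds an XAuth backend that performs no credential verification.
#   --enable-load-tester
#       builds the load-testing plugin, which upstream says must not be
#       enabled on productive systems.
#   --enable-md4, --enable-eap-md5, --enable-eap-mschapv2
#       build legacy algorithms and methods that exist for interoperability.
#   --enable-unit-tests
#       builds the upstream test suite (presumably run by dh_auto_test).
#   --disable-blowfish, --disable-des
#       the original annotates --disable-des with "BSD-Young license".
# Building a plugin does not load it: which binary package ships each plugin
# is decided by the debian/*.install files, which are not part of this file.
CONFIGUREARGS := --disable-static \
	--libdir=/usr/lib \
	--libexecdir=/usr/lib \
	--with-tss=trousers \
	--enable-addrblock \
	--enable-af-alg \
	--enable-agent \
	--enable-attr-sql \
	--enable-ccm \
	--enable-certexpire \
	--enable-cmd \
	--enable-coupling \
	--enable-ctr \
	--enable-curl \
	--enable-dhcp \
	--enable-dnscert \
	--enable-duplicheck \
	--enable-eap-aka \
	--enable-eap-aka-3gpp2 \
	--enable-eap-dynamic \
	--enable-eap-gtc \
	--enable-eap-identity \
	--enable-eap-md5 \
	--enable-eap-mschapv2 \
	--enable-eap-peap \
	--enable-eap-radius \
	--enable-eap-sim \
	--enable-eap-sim-file \
	--enable-eap-sim-pcsc \
	--enable-eap-simaka-pseudonym \
	--enable-eap-simaka-reauth \
	--enable-eap-simaka-sql \
	--enable-eap-tls \
	--enable-eap-tnc \
	--enable-eap-ttls \
	--enable-error-notify \
	--enable-farp \
	--enable-gcm \
	--enable-gcrypt \
	--enable-imc-attestation \
	--enable-imc-os \
	--enable-imc-scanner \
	--enable-imc-swid \
	--enable-imc-test \
	--enable-imv-attestation \
	--enable-imv-os \
	--enable-imv-scanner \
	--enable-imv-swid \
	--enable-imv-test \
	--enable-integrity-test \
	--enable-ipseckey \
	--enable-kernel-libipsec \
	--enable-ldap \
	--enable-led \
	--enable-load-tester \
	--enable-lookip \
	--enable-md4 \
	--enable-mysql \
	--enable-ntru \
	--enable-openssl \
	--enable-pkcs11 \
	--enable-radattr \
	--enable-soup \
	--enable-sql \
	--enable-sqlite \
	--enable-systime-fix \
	--enable-test-vectors \
	--enable-tnccs-11 \
	--enable-tnccs-20 \
	--enable-tnccs-dynamic \
	--enable-tnc-ifmap \
	--enable-tnc-imc \
	--enable-tnc-imv \
	--enable-tnc-pdp \
	--enable-unbound \
	--enable-unit-tests \
	--enable-unity \
	--enable-whitelist \
	--enable-xauth-eap \
	--enable-xauth-generic \
	--enable-xauth-noauth \
	--enable-xauth-pam \
	--disable-blowfish \
	--disable-des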

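# Architecture facts used by the conditionals below and by the parse-time
# conditionals inside override_dh_install.  Both are expected to arrive via
# the environment when the build is driven by dpkg-buildpackage; the
# dpkg-architecture fallback makes a direct "debian/rules <target>" run behave
# the same.  Without a value for DEB_BUILD_ARCH_OS the linux branch is skipped
# silently, which drops --with-capabilities=libcap (capability dropping) and
# the kernel-netlink plugin from the result.
# NOTE(review): DEB_BUILD_* describes the build machine.  For cross builds the
# DEB_HOST_* variables would be the right test; changing that has to be done
# together with the conditionals in override_dh_install.
DEB_BUILD_ARCH_CPU ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_CPU)
DEB_BUILD_ARCH_OS ?= $(shell dpkg-architecture -qDEB_BUILD_ARCH_OS)

# Conditional bodies are indented with spaces, not tabs, so they can never be
# mistaken for recipe lines if a rule is ever added above this point.

# the padlock plugin only makes sense on i386
ifeq ($(DEB_BUILD_ARCH_CPU),i386)
  CONFIGUREARGS += --enable-padlock
endif

# RdRand only makes sense on i386 and amd64
ifneq ($(filter i386 amd64,$(DEB_BUILD_ARCH_CPU)),)
  CONFIGUREARGS += --enable-rdrand
endif

ifeq ($(DEB_BUILD_ARCH_OS),linux)
  # only enable network-manager and capabilities dropping on linux hosts
  # some plugins are linux-only too
  CONFIGUREARGS += --enable-nm \
	--with-capabilities=libcap
endif

ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
  # recommended configure line for FreeBSD
  # http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
  CONFIGUREARGS += --disable-kernel-netlink \
	--enable-kernel-pfkey --enable-kernel-pfroute \
	--with-group=wheel
endif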

# Run ./configure through debhelper.  Everything after "--" is passed on to
# configure, so the full option set assembled in CONFIGUREARGS (base list plus
# the per-architecture additions) applies here.
override_dh_auto_configure:
	dh_auto_configure -- $(CONFIGUREARGS)

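# Clean the source tree beyond what dh_auto_clean achieves, then refresh the
# debconf translation templates.
override_dh_auto_clean:
	dh_auto_clean
	# after a make clean, no binaries _should_ be left, but ....
	# best effort ("-" ignores failure); NUL-separated so unusual file names are handled
	-find "$(CURDIR)" -name '*.o' -print0 | xargs -0 --no-run-if-empty rm

	# Really clean (#356716)
	# This is a hack: should be better implemented
	-rm -f lib/libstrongswan/libstrongswan.a lib/libstrongswan/liboswlog.a

	# just in case something went wrong
	# (keeps a stray secrets file from lingering in debian/ after a failed build)
	rm -f "$(CURDIR)/debian/ipsec.secrets"

	# and make sure that templates are up-to-date
	debconf-updatepo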


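# Distribute the staged files over the binary packages, install the AppArmor
# profiles, and lock down the files that hold or will hold key material.
# The ifeq/ifneq lines are evaluated when make parses this file, so only the
# commands for the current DEB_BUILD_ARCH_OS / DEB_BUILD_ARCH_CPU end up in
# the recipe.
override_dh_install:

	# first special cases
ifeq ($(DEB_BUILD_ARCH_OS),linux)
	# handle Linux-only plugins
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
endif

ifeq ($(DEB_BUILD_ARCH_OS),kfreebsd)
	# handle FreeBSD-only plugins
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so
endif

ifeq ($(DEB_BUILD_ARCH_CPU),i386)
	# special handling for padlock, as it is only built on i386
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-padlock.so
	dh_install -p libstrongswan etc/strongswan.d/charon/padlock.conf
	dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/padlock.conf
endif

ifneq ($(filter i386 amd64,$(DEB_BUILD_ARCH_CPU)),)
	# rdrand is configured on i386 as well as amd64; installing it only on amd64
	# would drop it on i386, because the catch-all call below excludes it
	dh_install -p libstrongswan usr/lib/ipsec/plugins/libstrongswan-rdrand.so
	dh_install -p libstrongswan etc/strongswan.d/charon/rdrand.conf
	dh_install -p libstrongswan usr/share/strongswan/templates/config/plugins/rdrand.conf
endif

	# then install the rest, ignoring the above
	# (every -X pattern here needs a matching special case above, otherwise
	# the file is left out of all packages without any error)
	dh_install --fail-missing \
		-X\.la -X\.a \
		-Xman3 \
		-Xlibstrongswan-kernel \
		-Xlibstrongswan-padlock.so \
		-Xpadlock.conf \
		-Xlibstrongswan-rdrand.so \
		-Xrdrand.conf

	# AppArmor.
	dh_apparmor --profile-name=usr.lib.ipsec.charon -p strongswan-ike
	dh_apparmor --profile-name=usr.lib.ipsec.lookip -p strongswan-plugin-lookip
	dh_apparmor --profile-name=usr.lib.ipsec.stroke -p strongswan-starter

	# add additional files not covered by upstream makefile...
	install --mode=0600 $(CURDIR)/debian/ipsec.secrets.proto $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets

	# set permissions on ipsec.secrets
	# (owner-only modes; override_dh_fixperms must keep excluding these three
	# paths or dh_fixperms will reset them to world-readable defaults)
	chmod 600 $(CURDIR)/debian/strongswan-starter/etc/ipsec.secrets
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/etc/ipsec.d/private/
	chmod 700 -R $(CURDIR)/debian/strongswan-starter/var/lib/strongswan/

	# this is handled by update-rc.d
	rm -rf $(CURDIR)/debian/strongswan-starter/etc/rc?.d

	# delete var/lock/subsys and var/run to satisfy lintian
	# NOTE(review): these paths name a debian/openswan directory; if no such
	# binary package exists both commands do nothing. Confirm whether
	# debian/strongswan-starter was meant.
	rm -rf $(CURDIR)/debian/openswan/var/lock
	rm -rf $(CURDIR)/debian/openswan/var/run

	# more lintian cleanups
	# -name compares the base name only, so a pattern containing "/" can never
	# match; match the .svn directory itself and prune it before removal
	find "$(CURDIR)"/debian/*strongswan*/ -name .cvsignore -exec rm -f {} +
	find "$(CURDIR)"/debian/*strongswan*/ -type d -name .svn -prune -exec rm -rf {} +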

# Install the init script under the name "strongswan" instead of a name
# derived from the package.  -n keeps dh_installinit from adding start/stop
# snippets to the maintainer scripts; presumably the package's own scripts
# handle that (they are not part of this file).
override_dh_installinit:
	dh_installinit -n --name=strongswan

# Ship the NEWS file as the upstream changelog.
override_dh_installchangelogs:
	dh_installchangelogs NEWS

# Move detached debugging symbols into the strongswan-dbg package.
# NOTE(review): the top of this file exports DEB_BUILD_OPTIONS with nostrip,
# and dh_strip does nothing when that option is present, so as written this
# call leaves binaries unstripped and the -dbg package without symbols.
override_dh_strip:
	dh_strip --dbg-package=strongswan-dbg

# Normalise permissions everywhere except the secrets file, the ipsec.d tree
# and the state directory.  override_dh_install sets owner-only modes on the
# secrets file, ipsec.d/private and var/lib/strongswan; without these
# exclusions dh_fixperms would reset them to its defaults.  Keep the two
# places in sync.
override_dh_fixperms:
	dh_fixperms -X etc/ipsec.secrets -X etc/ipsec.d -X var/lib/strongswan

# Generate shlibs data, leaving out the plugin directory: the files under
# usr/lib/ipsec/plugins are excluded from shared-library handling.  -n keeps
# dh_makeshlibs from touching the maintainer scripts.
override_dh_makeshlibs:
	dh_makeshlibs -n -X usr/lib/ipsec/plugins

# Install the logcheck rule files under the name "strongswan".
override_dh_installlogcheck:
	dh_installlogcheck --name strongswan

# Catch-all: every target not overridden above is handled by the dh
# sequencer, with parallel builds allowed and the autoreconf add-on enabled.
%:
	dh $@ --parallel --with autoreconf
