#!/bin/bash
set -euo pipefail

GRUB_FILE="/etc/grub.d/99-bredos-grub-password"

usage() {
    echo "Usage: $0 [-d|--disable]"
    echo "  No flags: enable GRUB password protection"
    echo "  -d, --disable: disable GRUB password protection"
    exit 1
}

if [[ "${1:-}" == "-d" || "${1:-}" == "--disable" ]]; then
    echo "[*] Disabling GRUB password protection..."
    [[ -f "$GRUB_FILE" ]] && rm -f "$GRUB_FILE"
    pacman -S --noconfirm grub
    grub-mkconfig -o /boot/grub/grub.cfg
    echo "[+] GRUB password protection disabled."
    exit 0
fi

# -- Enable password protection
command -v grub-mkpasswd-pbkdf2 >/dev/null || { echo "Missing grub-mkpasswd-pbkdf2"; exit 1; }
[[ $EUID -eq 0 ]] || { echo "Root access required, rerun with sudo."; exit 1; }

read -s -p "Enter GRUB password: " password
echo
read -s -p "Confirm GRUB password: " password2
echo
[[ "$password" == "$password2" ]] || { echo "Passwords do not match"; exit 1; }

hashed=$(echo -e "$password\n$password" | grub-mkpasswd-pbkdf2 | awk '/grub.pbkdf2/{print $NF}')
[[ -n "$hashed" ]] || { echo "Failed to generate password hash"; exit 1; }

# Write GRUB control script
cat <<EOF > "$GRUB_FILE"
#!/bin/sh
echo 'set superusers="admin"'
echo 'password_pbkdf2 admin $hashed'
echo 'export superusers'
EOF

chmod +x "$GRUB_FILE"

grub-apply-unrestrict

grub-mkconfig -o /boot/grub/grub.cfg
echo "[+] GRUB password protection enabled via $GRUB_FILE."
echo '[+] When prompted for a username, type "admin", without the quotes.'
