#!/bin/sh
set -e

. /usr/share/debconf/confmodule

file="$1"

db_get apt-setup/services-select
if ! echo "$RET" | grep -q security; then
	exit
fi

db_get apt-setup/security_host
host="$RET"
[ "$host" ] || exit

if ! db_get mirror/codename || [ -z "$RET" ]; then
	db_get cdrom/codename
fi
codename="$RET"

# Trust what was set by 50mirror:
components=$(cat /tmp/apt-setup.components)

# Starting with bullseye, /updates became -security:
case "$codename" in
	squeeze|wheezy|jessie|stretch|buster)
		security_codename="$codename/updates"  ;;
	*)	security_codename="$codename-security" ;;
esac

# Don't test mirror if no network selected in netcfg
echo "deb http://$host/debian-security $security_codename $components" >> $file
if db_get netcfg/dhcp_options && \
   [ "$RET" = "Do not configure the network at this time" ]; then
	CODE=9
else
	CODE=0
	export ASV_TIMEOUT="-o Acquire::http::Timeout=30"
	if ! apt-setup-verify --from $PROGRESS_FROM --to $PROGRESS_TO $file; then
		db_subst apt-setup/service-failed HOST "$host"
		db_input critical apt-setup/service-failed || true
		if ! db_go; then
			exit 10 # back up
		fi
		CODE=9
	fi
fi

deb_src="deb-src"
db_get apt-setup/enable-source-repositories
if [ "$RET" = false ]; then
	deb_src="# deb-src"
fi

echo "$deb_src http://$host/debian-security $security_codename $components" >> $file

exit $CODE
