#!/bin/bash
#
# rfxn-redetect
#   Re-run rfxn-defense workload detection on demand.
#   Use after enabling IPsec / AFS / rootless containers post-install
#   to refresh the conditional drop-in state.
#
# The helper does NOT call systemctl daemon-reload; the operator
# decides reload timing (a daemon-reload is required before systemd
# drop-in changes take effect on running services).
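set -euo pipefail

# Absolute path of the detection helper. It is executed as root below, so it
# is always invoked by this full path rather than resolved through PATH.
readonly DETECT_HELPER=/usr/libexec/rfxn-defense/detect.sh

# This wrapper only proceeds as root; anyone else gets an error and exit 1.
if [[ "$(id -u)" -ne 0 ]]; then
    echo "rfxn-redetect: must be run as root" >&2
    exit 1
fi

# -x alone is also true for a directory, so require a regular file as well;
# otherwise the invocation below would fail with a less useful shell error
# instead of the re-install hint.
if [[ ! -f "$DETECT_HELPER" || ! -x "$DETECT_HELPER" ]]; then
    echo "rfxn-redetect: $DETECT_HELPER missing" >&2
    echo "  (re-install rfxn-defense-modprobe or -systemd to restore)" >&2
    exit 1
fi

# Pass scope=all per v2.0.2: operator-driven re-detect updates modprobe,
# systemd AND sysctl state regardless of which subpackage's %posttrans
# last fired. 'all' replaces 'both' (which was modprobe+systemd only)
# now that -sysctl ships a host-wide drop-in that detection manages.
#
# The status is captured explicitly (rather than left to set -e) so that a
# failed run is reported on stderr and is never followed by the "Detection
# refreshed" text. The helper's own exit status is passed through unchanged.
rc=0
"$DETECT_HELPER" apply all || rc=$?
if (( rc != 0 )); then
    echo "rfxn-redetect: $DETECT_HELPER apply all failed (exit status $rc)" >&2
    exit "$rc"
fi

# Follow-up steps are only printed, never executed: this script leaves the
# timing of daemon-reload / sysctl --system to the operator.
printf '%s\n' \
    "" \
    "Detection refreshed. State: /var/lib/rfxn-defense/auto-detect.json" \
    "" \
    "If conditional systemd drop-ins changed, run:" \
    "    systemctl daemon-reload" \
    "    systemctl try-reload-or-restart sshd.service" \
    "to apply the change to running services." \
    "" \
    "If the sysctl drop-in was added or removed, run:" \
    "    sysctl --system" \
    "to apply the change to the running kernel."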
