#!/bin/bash
set -x
exit

passwd  # root
# copy over ssh key

chmod og-rwx ~debian
mkdir -p ~debian/.ssh
cp -p ~root/authorized_keys ~debian/.ssh/
chmod -R og-rwx ~debian/.ssh
chown -R debian:debian ~debian/.ssh


echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale
ln -sf /usr/share/zoneinfo/UTC /etc/localtime

rm -f /etc/apt/sources.list.d/*.list

cat > /etc/apt/sources.list <<EOF
deb http://deb.debian.org/debian/ buster-backports main
deb http://deb.debian.org/debian/ buster main
deb http://deb.debian.org/debian/ buster-updates main
deb http://security.debian.org/ buster/updates main
EOF

echo "RESUME=none" > /etc/initramfs-tools/conf.d/resume

echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4

# XXX nameservers
echo "nameserver 208.67.222.222" >  /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf

apt-get update

iptables -L -n || DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" install iptables

cat > /etc/network/if-pre-up.d/iptables <<EOF
#!/bin/bash
# iptables
/sbin/iptables-restore < /etc/iptables.up.rules
EOF

cat > /etc/iptables.test.rules <<EOF
# iptables.test.rules
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# SSH Access Port
-A INPUT -p tcp --dport 42661 -j ACCEPT

# Ethereum
-A INPUT -p tcp --dport 30303 -j ACCEPT
-A INPUT -p udp --dport 30303 -j ACCEPT

# Allow ping
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

touch /etc/iptables.up.rules
chmod 600 /etc/iptables.up.rules
chmod 755 /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules

iptables-restore < /etc/iptables.test.rules
iptables -L -n
iptables-save > /etc/iptables.up.rules

cat > /root/iptables-reload <<EOF
iptables-restore < /etc/iptables.test.rules
iptables-save > /etc/iptables.up.rules
EOF
chmod 700 /root/iptables-reload

apt-get update
apt-get -y autoremove --purge
apt-get -y purge --autoremove						\
	apache2								\
	chrony								\
	exim4-base							\
	exim4-config							\
	man-db								\
	manpages							\
	postfix								\
	reportbug							\
	rpcbind								\
	snmpd								\
	unscd								\
	xinetd

apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade

DEBIAN_FRONTEND=noninteractive apt-get -y 				\
	-o Dpkg::Options::="--force-confdef"				\
	-o Dpkg::Options::="--force-confnew"				\
	install								\
	bzip2								\
	ca-certificates							\
	debian-archive-keyring						\
	haveged								\
	host								\
	less								\
	locales								\
	lsb-release							\
	net-tools							\
	parted								\
	psmisc								\
	sudo								\
	traceroute							\
	vim								\
	wget

apt-get clean

adduser debian sudo

echo ":syntax on" > ~/.vimrc

# XXX turn off macros in clusterssh
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
cat /etc/sudoers

echo ":syntax on" > ~debian/.vimrc

# TEST XMR LOGIN BEFORE REBOOT!
# Port 42661
sed -i  \
 -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin no/g' \
 -e 's/\#Port 22/Port 42661/g' \
 -e 's/\PermitRootLogin yes/PermitRootLogin no/g' \
 -e 's/\#PasswordAuthentication no/PasswordAuthentication no/g' \
 -e 's/RSAAuthentication yes/RSAAuthentication no/g' \
 -e 's/X11Forwarding yes/X11Forwarding no/g' \
 /etc/ssh/sshd_config

echo "AllowUsers debian" >> /etc/ssh/sshd_config

for i in plymouth rpcbind rsync saslauthd unattended-upgrades
do echo $i 
  /usr/sbin/update-rc.d $i stop
  /usr/sbin/update-rc.d $i disable
done

# keep quiet for now am6 console serial is slow ? rm quiet
#sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/g' /etc/default/grub
#sed -i -e 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="ipv6.disable=1"/g' /etc/default/grub
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"
# GRUB_CMDLINE_LINUX="console=tty0 console=ttyS1,115200n8 ipv6.disable=1"

grub-install /dev/sda
update-grub

echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
echo alias net-pf-10 off >>  /etc/modprobe.d/aliases.conf
echo alias ivp6 off  >>  /etc/modprobe.d/aliases.conf
cat >> /etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.ens3.disable_ipv6 = 1
EOF
sysctl -p

cat /etc/network/interfaces
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces

cat /etc/hosts
cat /etc/hostname
hostname > /etc/hostname
echo "127.0.1.1 `hostname`" >> /etc/hosts

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

systemctl restart sshd
# TEST SSH
# ssh xmr@foo
# sudo su -
# reboot