#!/bin/bash
# forksand-workstation-bootstrap
# GPLv3+
# This script does some initial setup and config

# Log script
exec > >(tee /root/bootstrap-workstation-bootstrap.log) 2>/root/bootstrap-workstation-bootstrap.err

set -x

# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale

# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime

# Use apt-cache
echo 'Acquire::http::Proxy "http://10.102.10.2:3142";' > /etc/apt/apt.conf

# Set up git for tracking. XXX Ansible... XXX
apt-get -y install git sudo
cd /etc
git init
chmod og-rwx /etc/.git

cat > /etc/.gitignore <<EOF
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF

git config --global user.name "Fork Sand Git"
git config --global user.email git@forksand.com
cd /etc ; git add . ; git commit -a -m 'Set up new Debian buster workstation'

# SET UP APT

# Add AO Key
wget -qO - http://devel.alephobjects.com/ao/aodeb/aokey.pub | apt-key add -
#
cat > /etc/apt/sources.list <<EOF
#deb http://mirrors.kernel.org/debian/ buster-backports main
deb http://mirrors.kernel.org/debian/ buster main
deb http://mirrors.kernel.org/debian/ buster-updates main
deb http://security.debian.org/ buster/updates main
#deb http://download.alephobjects.com/ao/aodeb buster main
deb http://devel.alephobjects.com/ao/aodeb buster main
EOF

# Make apt use IPv4:
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4

git add /etc/apt/apt.conf.d/99force-ipv4
git commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4

cd /etc ; git add . ; git commit -a -m 'Set up apt.'

# UPGRADE Workstation
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew" dist-upgrade

cd /etc ; git add . ; git commit -a -m 'Update base install'

apt-get -y --download-only install					\
	--no-install-recommends						\
	apt-transport-https						\
	bzip2								\
	ca-certificates							\
	colordiff							\
	cpufrequtils							\
	curl								\
	debian-archive-keyring						\
	exuberant-ctags							\
	git								\
	host								\
	less								\
	locales								\
	lsb-release							\
	man-db								\
	manpages							\
	molly-guard							\
	net-tools							\
	ntp								\
	openssh-server							\
	postfix								\
	python3								\
	rsync								\
	telnet								\
	traceroute							\
	vim								\
	vim-scripts

DEBIAN_FRONTEND=noninteractive apt-get -y 				\
	-o Dpkg::Options::="--force-confdef"				\
	-o Dpkg::Options::="--force-confnew"				\
	install								\
	--no-install-recommends						\
	apt-transport-https						\
	bzip2								\
	ca-certificates							\
	colordiff							\
	cpufrequtils							\
	curl								\
	debian-archive-keyring						\
	exuberant-ctags							\
	git								\
	host								\
	less								\
	locales								\
	lsb-release							\
	man-db								\
	manpages							\
	molly-guard							\
	net-tools							\
	ntp								\
	openssh-server							\
	postfix								\
	python3								\
	rsync								\
	telnet								\
	traceroute							\
	vim								\
	vim-scripts

cd /etc ; git add . ; git commit -a -m 'Install base packages'

# Speed up
#echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
#/etc/init.d/cpufrequtils restart
#cd /etc ; git add . ; git commit -a -m 'Set up cpufrequtils'

# Small user tweaks
echo :syntax on > ~/.vimrc
echo :syntax on > /home/jebba/.vimrc
chown jebba:jebba /home/jebba/.vimrc
echo export EDITOR=vi >> /root/.bashrc

# XXX Passwordless sudo XXX Ya, probably remove
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers

adduser jebba sudo
cd /etc ; git add . ; git commit -a -m 'Set up passwordless sudo'

# SSH config XXX sed cruft
sed -i  \
 -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
 -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
 -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
 -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
 /etc/ssh/sshd_config

#echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> /etc/ssh/sshd_config

#echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> /etc/ssh/sshd_config

# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> /etc/ssh/sshd_config

# XXX Add admins as only allowed ssh users
echo "AllowUsers jebba" >> /etc/ssh/sshd_config

cd /etc ; git add . ; git commit -a -m 'Set up sshd'
systemctl restart sshd

# Startup XXX disable unneeded.
for i in rsync exim4 saned
do echo $i 
  /usr/sbin/update-rc.d $i disable
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
cd /etc ; git add . ; git commit -a -m 'Turn off junk on boot'

# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub

update-grub

cd /etc ; git add . ; git commit -a -m 'GRUB tweaks'

# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
cd /etc ; git add . ; git commit -a -m 'Auto start network'

# XXX not sure why this is getting installed:
apt-get -y autoremove
cd /etc ; git add . ; git commit -a -m 'autoremove'

apt clean

# MOAR INstall
apt-get -y --download-only install					\
	--no-install-recommends						\
	arandr								\
	arduino								\
	audacity							\
	blender								\
	build-essential							\
	borgbackup							\
	ccache								\
	cclive								\
	chromium							\
	clusterssh							\
	cura-lulzbot							\
	epiphany							\
	ffmpeg								\
	galculator							\
	geeqie								\
	gimp								\
	glabels								\
	gmrun								\
	haveged								\
	inkscape							\
	kdenlive							\
	kicad								\
	kicad-demos							\
	kicad-doc-en							\
	kicad-footprints						\
	kicad-libraries							\
	kicad-symbols							\
	kicad-templates							\
	kicad-packages3d						\
	libpam-yubico							\
	lynx								\
	meshlab								\
	minicom								\
	mplayer								\
	nmap								\
	openjdk-10-jre							\
	p7zip-full							\
	pbzip2								\
	pidgin								\
	pidgin-otr							\
	qemu-utils							\
	qrencode							\
	rxvt-unicode							\
	scribus								\
	sshfs								\
	subversion							\
	tcpdump								\
	texlive-full							\
	tor								\
	torsocks							\
	thunderbird							\
	vlc								\
	whois								\
	wmctrl								\
	x11vnc								\
	xournal								\
	xterm								\
	youtube-dl							\
	yubikey-luks							\
	yubikey-personalization						\
	yubikey-personalization-gui

DEBIAN_FRONTEND=noninteractive apt-get -y 				\
	-o Dpkg::Options::="--force-confdef"				\
	-o Dpkg::Options::="--force-confnew"				\
	install								\
	--no-install-recommends						\
	arandr								\
	arduino								\
	audacity							\
	blender								\
	build-essential							\
	borgbackup							\
	ccache								\
	cclive								\
	chromium							\
	clusterssh							\
	cura-lulzbot							\
	epiphany							\
	ffmpeg								\
	galculator							\
	geeqie								\
	gimp								\
	glabels								\
	gmrun								\
	haveged								\
	inkscape							\
	kdenlive							\
	kicad								\
	kicad-demos							\
	kicad-doc-en							\
	kicad-footprints						\
	kicad-libraries							\
	kicad-symbols							\
	kicad-templates							\
	kicad-packages3d						\
	libpam-yubico							\
	lynx								\
	meshlab								\
	minicom								\
	mplayer								\
	nmap								\
	openjdk-10-jre							\
	p7zip-full							\
	pbzip2								\
	pidgin								\
	pidgin-otr							\
	qemu-utils							\
	qrencode							\
	rxvt-unicode							\
	scribus								\
	sshfs								\
	subversion							\
	tcpdump								\
	texlive-full							\
	thunderbird							\
	tor								\
	torsocks							\
	vlc								\
	whois								\
	wmctrl								\
	x11vnc								\
	xournal								\
	xterm								\
	youtube-dl							\
	yubikey-luks							\
	yubikey-personalization						\
	yubikey-personalization-gui


cd /etc ; git add . ; git commit -a -m 'Install moar packages'

apt remove light-locker --autoremove --purge -y

cd /etc ; git add . ; git commit -a -m 'Remove light-locker'

# Startup XXX disable unneeded.
for i in avahi-daemon bluetooth lightdm postfix tor unattended-upgrades
do echo $i 
  /usr/sbin/update-rc.d $i disable
done

cd /etc ; git add . ; git commit -a -m 'Disable startup packages'

apt clean

exit 0