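#!/bin/bash
# forksand-bootstrap-oc1-desktop
# GPLv3+
# This script does some initial setup and config
#
# Usage (as root, on a fresh Debian stretch install):
#   bash forksand-bootstrap-oc1-desktop
#
# Every group of changes under /etc is committed to a git repository in
# /etc/.git so later drift can be diffed.  The script stops at the first
# failing command (set -e) instead of carrying on with a half-configured
# box; the "append a line" steps check for an existing line first, so a
# re-run after a fix does not stack duplicates.

# Log script: stdout to a log file (and the terminal), stderr to a second file.
# Both live under /root because the trace (set -x below) shows every command.
exec > >(tee /root/bootstrap-oc1-desktop.log) 2>/root/bootstrap-oc1-desktop.err

set -eux -o pipefail

# The single admin account: gets passwordless sudo and is the only user
# allowed to log in over ssh.  Change it here, not throughout the script.
readonly admin_user=jebba
readonly admin_home="/home/${admin_user}"
readonly git_user_name="Jeff Moe"
readonly git_user_email=moe@forksand.com

# Base package set, declared once and used for both the download-only pass
# and the real install so the two lists cannot drift apart.
readonly base_packages=(
  apt-transport-https
  bzip2
  ca-certificates
  colordiff
  cpufrequtils
  curl
  debian-archive-keyring
  exuberant-ctags
  git
  host
  less
  locales
  lsb-release
  man-db
  manpages
  molly-guard
  net-tools
  ntp
  openssh-server
  postfix
  python3
  qemu-guest-agent
  rsync
  telnet
  traceroute
  vim
  vim-scripts
)

# dpkg must never stop to ask about changed conffiles during an unattended run.
readonly dpkg_noninteractive=(
  -o Dpkg::Options::=--force-confdef
  -o Dpkg::Options::=--force-confnew
)

# Scratch space for config files that are syntax-checked before they replace
# the live copy; removed on every exit path.
tmpdir=$(mktemp -d)
readonly tmpdir
trap 'rm -rf -- "${tmpdir:?}"' EXIT

#######################################
# Stage and commit everything changed under /etc.
# Arguments: $1 - commit message
# Returns:   0; "nothing to commit" is not treated as an error
#######################################
etc_commit() {
  local msg=$1
  git -C /etc add .
  # git exits non-zero on a clean tree; that must not abort the bootstrap.
  git -C /etc commit -a -m "$msg" || true
}

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - file, $2 - line (matched literally, whole line)
# Returns:   0
#######################################
append_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# The admin account must already exist: it receives files, sudo and the only
# ssh login below.  Failing here beats discovering it at the sshd restart.
id "$admin_user" >/dev/null 2>&1 || {
  printf 'bootstrap: user %s does not exist, create it first\n' "$admin_user" >&2
  exit 1
}

# Tools needed by the steps below (locales for locale-gen, git for /etc
# tracking, sudo for the admin account).  Refresh the lists first so the
# install does not fail on installer-era indexes.
apt-get update
apt-get -y install git sudo locales

# Set locale
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale

# XXX Set timezone
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime

# Use apt-cache
#echo 'Acquire::http::Proxy "http://192.168.110.72:3142";' > /etc/apt/apt.conf

# Set up git for tracking. XXX Ansible... XXX
git init /etc
# The repository holds a copy of every file under /etc, including root-only
# ones (shadow, sudoers, ssh host keys); keep it unreadable to other users.
chmod og-rwx /etc/.git

cat > /etc/.gitignore <<'EOF'
prelink.cache
*.swp
ld.so.cache
adjtime
blkid.tab
blkid.tab.old
mtab
resolv.conf
asound.state
mtab.fuselock
aliases.db
EOF

git config --global user.name "$git_user_name"
git config --global user.email "$git_user_email"
etc_commit 'Set up new Debian stretch oc1-desktop.'

# SET UP APT
#
cat > /etc/apt/sources.list <<'EOF'
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF

# Make apt use IPv4:
printf '%s\n' 'Acquire::ForceIPv4 "true";' > /etc/apt/apt.conf.d/99force-ipv4

git -C /etc add /etc/apt/apt.conf.d/99force-ipv4
git -C /etc commit -m "Force APT to use IPv4, not IPv6." /etc/apt/apt.conf.d/99force-ipv4 || true

etc_commit 'Set up apt.'

# UPGRADE SERVER
apt-get update
apt-get -y dist-upgrade --download-only
DEBIAN_FRONTEND=noninteractive apt-get -y "${dpkg_noninteractive[@]}" dist-upgrade

etc_commit 'Update base install'

apt-get -y --download-only install --no-install-recommends "${base_packages[@]}"

DEBIAN_FRONTEND=noninteractive apt-get -y "${dpkg_noninteractive[@]}" \
  install --no-install-recommends "${base_packages[@]}"

etc_commit 'Install base packages'

# Speed up
echo 'GOVERNOR="performance"' > /etc/default/cpufrequtils
# Best effort: a VM may expose no cpufreq driver, and the original ignored
# this failure as well.
/etc/init.d/cpufrequtils restart || true
etc_commit 'Set up cpufrequtils'

# Small user tweaks
printf ':syntax on\n' > "$HOME/.vimrc"
printf ':syntax on\n' > "${admin_home}/.vimrc"
chown "${admin_user}:${admin_user}" "${admin_home}/.vimrc"
append_once /root/.bashrc 'export EDITOR=vi'

# XXX Passwordless sudo XXX Ya, probably remove
# NOPASSWD makes any process running as the admin user root with no further
# prompt.  Whatever the policy, never write /etc/sudoers unchecked: a broken
# file locks everyone out of sudo, so edit a copy and run visudo -c on it.
sed -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers \
  > "${tmpdir}/sudoers"
visudo -cf "${tmpdir}/sudoers"
install -m 0440 -o root -g root "${tmpdir}/sudoers" /etc/sudoers

adduser "$admin_user" sudo
etc_commit 'Set up passwordless sudo'

# SSH config XXX sed cruft
# Edit a copy, validate it with sshd -t, and only then replace the live file
# and restart: a typo would otherwise drop remote access at the restart.
sed \
  -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
  -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
  -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
  -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
  /etc/ssh/sshd_config > "${tmpdir}/sshd_config"

# sshd uses the first occurrence of a keyword, so duplicates from a re-run
# would be silently ignored; append each line only once.
append_once "${tmpdir}/sshd_config" 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'

append_once "${tmpdir}/sshd_config" 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'

# Need to update/fix for Debian Buster (testing/10). This line breaks Buster:
#append_once "${tmpdir}/sshd_config" 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com'

# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
append_once "${tmpdir}/sshd_config" "AllowUsers ${admin_user}"

# With password login off and AllowUsers limited to one account, that account
# needs a key installed or nobody can ssh in after the restart.  Warn rather
# than abort, matching the original behaviour.
if [[ ! -s "${admin_home}/.ssh/authorized_keys" ]]; then
  printf 'bootstrap: warning: %s has no authorized_keys; remote ssh login will not work\n' \
    "$admin_user" >&2
fi

/usr/sbin/sshd -t -f "${tmpdir}/sshd_config"
install -m 0644 -o root -g root "${tmpdir}/sshd_config" /etc/ssh/sshd_config

etc_commit 'Set up sshd'
systemctl restart sshd

# Startup XXX disable unneeded.
for svc in rsync exim4 saned; do
  printf '%s\n' "$svc"
  # Best effort: exim4 is usually gone once postfix is installed, and
  # update-rc.d fails for a service with no init script.
  /usr/sbin/update-rc.d "$svc" disable || true
done
# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      296/systemd-resolve
etc_commit 'Turn off junk on boot'

# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
append_once /etc/default/grub 'GRUB_DISABLE_OS_PROBER=true'

update-grub

etc_commit 'GRUB tweaks'

# Fix network to come up on boot
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces
etc_commit 'Auto start network'

# XXX not sure why this is getting installed:
apt-get -y autoremove
etc_commit 'autoremove'

apt clean

exit 0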