#!/bin/bash

source /opt/scarif/.env

echo "------- Generating system users -------"
## Add me as a user and git for SSH passthrough to gitea (change passwords after finishing)
useradd -m -p $(echo $USER_PASSWORD | openssl passwd -1 -stdin) chris
useradd -m -p $(echo $GIT_PASSWORD | openssl passwd -1 -stdin) -u1200 git
## Set up privileges
echo "chris ALL=(ALL) ALL" >> /etc/sudoers
echo "root ALL=(ALL) ALL" >> /etc/sudoers
## Disable root login
passwd -l root

# Install necessary packages
echo "------- Installing packages -------"
pacman -Syyu --noconfirm
pacman -S --noconfirm archlinux-keyring
pacman -S --needed --noconfirm sudo wget tmux htop vim docker docker-compose git ufw certbot samba nfs-utils

echo "------- Setting up SSH -------"
# Remove old SSH keys in case running again
sudo -u git mkdir -p /home/git/.ssh
rm -f /home/git/.ssh/*
# Generate SSH keys for git to enable SSH proxy
sudo -u git ssh-keygen -t rsa -b 4096 -C "Gitea Host Key" -f/home/git/.ssh/id_rsa -q -N ""
# Add SSH key to authorized keys which is shared with docker container
echo "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $(cat /home/git/.ssh/id_rsa.pub)" >> /home/git/.ssh/authorized_keys
# Add current SSH key to main user's authorized keys
mkdir -p /home/chris/.ssh
echo $SSH_KEY >> /home/chris/.ssh/authorized_keys
rm /etc/ssh/sshd_config
ln -s /opt/scarif/sshd_config /etc/ssh/sshd_config
# Modify login messages
echo "Clearance codes accepted! proceed:" > /etc/motd
# Enforce a delay after a failed login attempt to prevent brute force attacks
echo "auth optional pam-faildelay.so delay 2000000" >> /etc/pam.d/system-login

systemctl restart sshd

echo "------- Enabling SSH passthrough -------"
## Make files necessary for SSH passthrough (https://docs.gitea.io/en-us/install-with-docker/#ssh-container-passthrough)
mkdir -p /var/lib/gitea
cat <<"EOF" | sudo tee /usr/local/bin/gitea
#!/bin/sh
ssh -p 2222 -o StrictHostKeyChecking=no git@127.0.0.1 "SSH_ORIGINAL_COMMAND=\"$SSH_ORIGINAL_COMMAND\" $0 $@"
EOF
sudo chmod +x /usr/local/bin/gitea

chmod +x /app/gitea/gitea

chown -R git /app/gitea/gitea
chown -R git /var/lib/gitea

#if [ $APP_ENV = "production" ]
#then
#    echo "------- Enabling certbot service -------"
#    mkdir -p /root/.secret/certbot
#    tee /root/.secret/certbot/digitalocean.ini <<END
## DigitalOcean API credentials used by Certbot
#dns_digitalocean_token = $DIGITALOCEAN_TOKEN
#END

#    certbot certonly \
#	--dns-digitalocean \
#	--dns-digitalocean-credentials /root/.secret/certbot/digitalocean.ini \
#	-d *.$DOMAIN -d $DOMAIN \
#	-m stofflees@gmail.com \
#	--agree-tos \
#	--no-eff-email
#
#    cp /opt/scarif/certbot/* /etc/systemd/system/
#    systemctl enable --now certbot.timer
#fi

cp /opt/scarif/zfs/* /etc/systemd/system/
systemctl enable --now zfs-scrub.timer

echo "------- Adding config folders for jitsi -------"
mkdir -p /opt/jitsi/{web/letsencrypt,transcripts,prosody/config,prosody/prosody-plugins-custom,jicofo,jvb,jigasi,jibri}

echo "------- Setting up firewall -------"
ufw default deny incoming
ufw default allow outgoing
ufw allow 629
ufw allow 80
ufw allow 443
ufw allow 2049
ufw allow 25565
ufw allow CIFS
ufw --force enable

echo "------- Starting docker -------"
systemctl enable docker --now

docker-compose -f "/opt/scarif/docker-compose.yml" --env-file "/opt/scarif/.env" up -d
## Create user for jitsi
docker-compose exec prosody prosodyctl --config /config/prosody.cfg.lua register chris meet.jitsi ${USER_PASSWORD}

echo "------- Start Samba share -------"
ln -s /opt/scarif/smb.conf /etc/samba/smb.conf
smbpasswd -a chris
systemctl enable --now smb

echo "------- Start NFS share -------"
ln -s /opt/scarif/nfs.conf /etc/nfs.conf
ln -s /opt/scarif/exports /etc/exports
exportfs -arv
systemctl enable --now nfs4-server
systemctl enable --now zfs-share