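#!/bin/bash
#
# One-shot baseline setup for a fresh Debian host:
#   * creates a sudo-capable admin user with a random 32-char password,
#   * sets root's password to a random value that is never recorded,
#   * moves sshd to a random high port and disables root login,
#   * installs a few base tools, ntpsec, and enables BBR where supported,
#   * prints the new SSH user/port/password exactly once at the end.
#
# Must run as root on Debian (checked below). Running it again on a host
# where the admin user already exists is a no-op (exit 0).

### configuration ###
admin_user="newnius"
#####################

# Treat unset variables as errors so a typo in a path never expands to "".
# -e is intentionally not used: some steps are best-effort (ntpq, apt remove)
# and the critical ones are checked explicitly with "|| die".
set -u

# Never block on an apt/dpkg dialog in an unattended run.
export DEBIAN_FRONTEND=noninteractive

#######################################
# Print an error message to stderr and abort with status 1.
# Arguments: $* - message (printed after "[ERROR] ")
#######################################
die() {
  printf '[ERROR] %s\n' "$*" >&2
  exit 1
}

#######################################
# Generate a 32-character [A-Za-z0-9] random string from /dev/urandom.
# Outputs: the string on stdout, no trailing newline
#######################################
gen_password() {
  # tr streams urandom until head has its 32 bytes and closes the pipe;
  # the pipeline's status is head's, so the SIGPIPE on tr is harmless.
  tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# check permission
[ "$EUID" -eq 0 ] || die "Please run with user root"

# check OS: /etc/os-release is authoritative; fall back to the classic apt
# sources file for images that predate it (or use deb822 sources only).
if [ -r /etc/os-release ] && grep -qx 'ID=debian' /etc/os-release; then
  :
elif [ -f /etc/apt/sources.list ] && grep -q debian /etc/apt/sources.list; then
  :
else
  die "Only Debian is supported"
fi

# check do once: exact account lookup rather than a substring grep on
# /etc/passwd, which would also match e.g. "${admin_user}2" or a GECOS field.
if getent passwd "$admin_user" >/dev/null; then
  echo "[ERROR] OS is already setup"
  exit 0
fi

# install security updates
apt update
#uncomment as it may prompt update grub window
#apt upgrade -y

# install necessary tools
echo "[INFO] Installing necessary tools"
apt install -y curl vim git sudo ca-certificates apt-transport-https haveged tree cron

# set locale to en_US.UTF-8
echo 'LANG=en_US.UTF-8' > /etc/default/locale
echo 'LC_ALL=en_US.UTF-8' >> /etc/default/locale
locale-gen "en_US.UTF-8"
localedef -i en_US -f UTF-8 en_US.UTF-8

# Vim no mouse select (root's own vimrc; the script runs as root)
vimrc="$HOME/.vimrc"
touch "$vimrc" # make sure file exists
sed -i '/set mouse-=a /d' "$vimrc"
sed -i '/set mouse=a /d' "$vimrc"
echo "set mouse-=a" >> "$vimrc"

# install ssh service
if ! command -v sshd >/dev/null 2>&1; then
  echo "[INFO] Installing ssh service"
  apt install -y openssh-server openssh-client
fi

# Add admin user
echo "[INFO] Creating admin user"
ssh_pass=$(gen_password)
[ "${#ssh_pass}" -eq 32 ] || die "password generation failed"
useradd -m -s /bin/bash "$admin_user" || die "useradd ${admin_user} failed"
# chpasswd reads "user:password" from stdin, so the secret never hits argv.
printf '%s:%s\n' "$admin_user" "$ssh_pass" | chpasswd || die "chpasswd failed"

# Add to sudoers: a drop-in under /etc/sudoers.d (included by Debian's default
# /etc/sudoers) instead of editing /etc/sudoers with sed, validated by visudo
# before it can take effect so a malformed entry cannot break sudo.
# NOTE: sudo ignores drop-in names containing "." or ending in "~".
sudoers_file="/etc/sudoers.d/${admin_user}"
printf '%s\tALL=(ALL:ALL) ALL\n' "$admin_user" > "$sudoers_file"
chmod 0440 "$sudoers_file"
if ! visudo -cf "$sudoers_file" >/dev/null; then
  rm -f -- "$sudoers_file"
  die "generated sudoers entry for ${admin_user} is invalid"
fi
# passwordless variant, if wanted: username ALL=(ALL:ALL) NOPASSWD:ALL

# update root password to random and forget it
echo "[INFO] Updating root password to random"
printf 'root:%s\n' "$(gen_password)" | chpasswd || die "chpasswd for root failed"

# ssh, update port, decline root login
echo "[INFO] Updating ssh port"
sshd_config=/etc/ssh/sshd_config
# RANDOM is 0..32767, so the port lands in 10000..42767.
# TODO: the port is not checked against listeners already bound on the host.
ssh_port=$((RANDOM % 32768 + 10000))
sed -i '/^#*Port /d' "$sshd_config"
echo "Port $ssh_port" >> "$sshd_config"
sed -i '/^#*PermitRootLogin/d' "$sshd_config"
echo "PermitRootLogin no" >> "$sshd_config"
# Never restart sshd on an unvalidated config: a broken file would take the
# only remote login path down.
sshd -t || die "sshd_config is invalid; not restarting ssh"
systemctl restart ssh || die "failed to restart ssh"
# sshd takes the first value it sees, so a drop-in pulled in by an Include
# line above our appended settings (e.g. under /etc/ssh/sshd_config.d) wins.
# Report the port sshd actually uses rather than the one we asked for.
effective_port=$(sshd -T 2>/dev/null | awk '$1 == "port" { print $2; exit }')
if [ -n "$effective_port" ] && [ "$effective_port" != "$ssh_port" ]; then
  echo "[WARN] sshd listens on $effective_port, not $ssh_port (an Include drop-in overrides sshd_config)"
  ssh_port=$effective_port
fi
# If a host firewall is active, the new port still has to be allowed there.

# install ntp
echo "[INFO] Configuring time sync service"
# from debian 12, ntp is replaced by ntpsec
apt remove -y ntpdate   # already root, so no sudo; -y keeps it unattended
apt install -y ntpsec
ntpq -p   # best-effort status print; may fail until the daemon has peers

# enable bbr, requires 4.9.0 or higher
# sort -V -C exits 0 when its input is already in version order, i.e. when
# the running kernel is >= 4.9.0 (the previous test also skipped exactly 4.9.0).
if printf '%s\n' 4.9.0 "$(uname -r)" | sort -V -C; then
  echo "[INFO] Enabling bbr"
  sysctl_conf=/etc/sysctl.conf
  sed -i '/net.core.default_qdisc/d' "$sysctl_conf"
  echo "net.core.default_qdisc=fq" >> "$sysctl_conf"
  sed -i '/net.ipv4.tcp_congestion_control/d' "$sysctl_conf"
  echo "net.ipv4.tcp_congestion_control=bbr" >> "$sysctl_conf"
  sysctl -p
else
  echo "[WARN] bbr is not supported on $(uname -r), skip"
fi

# Disable ipv6
#sed -i '/net.ipv6.conf.all.disable_ipv6/d' /etc/sysctl.conf
#echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
#sysctl -p

# Disable ufw
# systemctl stop ufw
# systemctl disable ufw

# output
echo "[INFO] Setup finished"
# This is the only copy of the admin password: it is printed once and not
# stored anywhere by this script.
printf 'SSH user:\t%s\nSSH port:\t%s\nSSH password:\t%s\n' \
  "$admin_user" "$ssh_port" "$ssh_pass" | expand --tabs=16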