#!/usr/bin/bash

#####
#Core framework functions...
#####

export PROJECT_ROOT_PATH
PROJECT_ROOT_PATH="$(realpath ../)"

#Framework variables are read from hee
source $PROJECT_ROOT_PATH/Framework-Includes/FrameworkVars

#Boilerplate and support functions
FrameworkIncludeFiles="$(ls -1 --color=none ../Framework-Includes/*)"

IFS=$'\n\t'
for file in "${FrameworkIncludeFiles[@]}"; do
	source "$file"
done
unset IFS

ProjectIncludeFiles="$(ls -1 --color=none ../Project-Includes/*)"
IFS=$'\n\t'
for file in "${ProjectIncludeFiles[@]}"; do
	source "$file"
done
unset IFS

# Start actual script logic here...

#################
#Global variables
#################

apt-get -y install git sudo dmidecode curl

export IS_PHYSICAL_HOST
IS_PHYSICAL_HOST="$(/usr/sbin/dmidecode -t System|grep -c Dell ||true)"

export SUBODEV_CHECK
SUBODEV_CHECK="$(getent passwd|grep -c subodev || true)"

export LOCALUSER_CHECK
LOCALUSER_CHECK="$(getent passwd|grep -c localuser || true)"

export DL_ROOT
DL_ROOT="https://dl.knownelement.com/KNEL/FetchApply/"


#######################
# Support functions
#######################

function global-oam()
{
print_info "Now running "$FUNCNAME"...."

cat ./scripts/up2date.sh > /usr/local/bin/up2date.sh && chmod +x /usr/local/bin/up2date.sh

cd Modules/OAM || exit
bash ./oam-librenms.sh
cd - || exit

print_info "Completed running "$FUNCNAME""

}

function global-systemServiceConfigurationFiles()
{
print_info "Now running "$FUNCNAME"...."


curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/ZSH/tsys-zshrc > /etc/zshrc
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/SMTP/aliases > /etc/aliases 
curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/Syslog/rsyslog.conf > /etc/rsyslog.conf


newaliases

print_info "Completed running "$FUNCNAME""
}

function global-installPackages()
{
print_info "Now running "$FUNCNAME"...."


# Setup webmin repo, used for RBAC/2fa PAM

curl https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh > /tmp/webmin-setup.sh
sh /tmp/webmin-setup.sh -f && rm -f /tmp/webmin-setup.sh

# Setup lynis repo, used for sec ops/compliance

if [ -f /etc/apt/trusted.gpg.d/cisofy-software-public.gpg ]; then
rm -f /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
fi

curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list

# Setup tailscale

curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/debian/bookworm.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list

#
#Patch the system
#

/usr/local/bin/up2date.sh

#Remove stuff we don't want

apt-get --yes --purge remove systemd-timesyncd chrony telnet inetutils-telnet

#export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" --purge remove nano

# add stuff we want

print_info ""Now installing all the packages...""

DEBIAN_FRONTEND="noninteractive" apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
virt-what \
auditd \
audispd-plugins \
aide \
htop  \
dstat  \
snmpd  \
ncdu \
iftop \
acct \
nethogs \
sysstat \
ngrep \
lsb-release  \
screen  \
tailscale \
tmux  \
vim \
command-not-found \
lldpd  \
net-tools  \
dos2unix \
gpg  \
molly-guard  \
lshw  \
fzf \
ripgrep \
sudo  \
mailutils \
clamav \
sl \
rsyslog  \
logwatch \
git \
net-tools \
tshark \
tcpdump \
lynis \
glances \
zsh \
zsh-autosuggestions \
zsh-syntax-highlighting \
fonts-powerline \
webmin \
usermin \
iotop \
ntpsec \
ntpsec-ntpdate \
tuned \
cockpit \
iptables \
netfilter-persistent \
iptables-persistent \
pflogsumm \
postfix 

export KALI_CHECK
KALI_CHECK="$(distro |grep -c kali ||true)"

export VIRT_TYPE
VIRT_TYPE="$(virt-what)"

export IS_VIRT_GUEST
IS_VIRT_GUEST="$(echo "$VIRT_TYPE"|egrep -c 'hyperv|kvm' ||true )"

export IS_KVM_GUEST
IS_KVM_GUEST="$(echo "$VIRT_TYPE"|grep -c 'kvm' || true)"

if [[ $IS_KVM_GUEST = 1 ]]; then
  apt -y install qemu-guest-agent
fi

if [[ $IS_PHYSICAL_HOST -gt 0 ]]; then
export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes -o Dpkg::Options::="--force-confold" install \
 i7z \
 thermald \
 cpufrequtils \
 linux-cpupower
# power-profiles-daemon
fi

print_info "Completed running "$FUNCNAME""
}

function global-postPackageConfiguration()
{

print_info "Now running "$FUNCNAME""

systemctl --now enable auditd

systemctl stop postfix

curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/SMTP/postfix_generic> /etc/postfix/generic
postmap /etc/postfix/generic

postconf -e "inet_protocols = ipv4" 
postconf -e "inet_interfaces = 127.0.0.1"
postconf -e "mydestination= 127.0.0.1"
postconf -e "relayhost = tsys-cloudron.knel.net"
postconf -e "smtp_generic_maps = hash:/etc/postfix/generic"
# smtp_generic_maps = hash:/etc/postfix/generic

systemctl restart postfix

#This is under test/dev and may fail
echo "hi from root to root" | mail -s "hi directly to root from $(hostname)" root

chsh -s $(which zsh) root

if [ "$LOCALUSER_CHECK" -gt 0 ]; then
chsh -s "$(which zsh)" localuser
fi

if [ "$SUBODEV_CHECK" -gt 0 ]; then
chsh -s "$(which zsh)" subodev
fi

###Post package deployment bits

curl --silent ${DL_ROOT}/ProjectCode/ConfigFiles/DHCP/dhclient.conf > /etc/dhcp/dhclient.conf

systemctl stop snmpd  && /etc/init.d/snmpd stop

cat ./ConfigFiles/SNMP/snmp-sudo.conf > /etc/sudoers.d/Debian-snmp
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service 

pi-detect

if [ "$IS_RASPI" = 1 ] ; then
cat ./ConfigFiles/SNMP/snmpd-rpi.conf > /etc/snmp/snmpd.conf 
fi

if [ "$IS_PHYSICAL_HOST" = 1 ] ; then
cat ./ConfigFiles/SNMP/snmpd-physicalhost.conf > /etc/snmp/snmpd.conf 
fi

if [ "$IS_VIRT_GUEST" = 1 ] ; then
cat ./ConfigFiles/SNMP/snmpd.conf > /etc/snmp/snmpd.conf
fi

systemctl daemon-reload && systemctl restart  snmpd && /etc/init.d/snmpd restart

systemctl stop rsyslog 
systemctl start rsyslog

if [ "$KALI_CHECK" = 0 ]; then
  cat ./ConfigFiles/NTP/ntp.conf > /etc/ntpsec/ntp.conf
  systemctl restart ntpsec.service
fi

if [ "$KALI_CHECK" = 1 ]; then
  cat ./ConfigFiles/NTP/ntp.conf > /etc/ntpsec/ntp.conf
  systemctl restart ntpsec.service
fi

systemctl stop postfix
systemctl start postfix

/usr/sbin/accton on


if [ "$IS_PHYSICAL_HOST" -gt 0 ]; then
cpufreq-set -r -g performance
cpupower frequency-set --governor performance

# Potentially merge the below if needed.
# power-profiles-daemon
# powerprofilesctl set performance
#tsys1# systemctl enable power-profiles-daemon
#tsys1# systemctl start power-profiles-daemon

fi

if [ "$IS_VIRT_GUEST" = 1 ]; then
  tuned-adm profile virtual-guest
fi

print_info "Completed running "$FUNCNAME""
}


####################################################################################################
# Run various modules
####################################################################################################

####################################################################################################
# Security Hardening
####################################################################################################

# SSH

function secharden-ssh()
{
print_info "Now running "$FUNCNAME""

cd ./Modules/Security
bash ./secharden-ssh.sh
cd -

print_info "Completed running "$FUNCNAME""
}

function secharden-wazuh()
{
print_info "Now running "$FUNCNAME""
bash ./Modules/Security/secharden-wazuh.sh
print_info "Completed running "$FUNCNAME""
}

function secharden-auto-upgrades()
{
print_info "Now running "$FUNCNAME""
#curl --silent ${DL_ROOT}/Modules/Security/secharden-ssh.sh|$(which bash)
print_info "Completed running "$FUNCNAME""
}

function secharden-2fa()
{
print_info "Now running "$FUNCNAME""
#curl --silent ${DL_ROOT}/Modules/Security/secharden-2fa.sh|$(which bash)
print_info "Completed running "$FUNCNAME""
}

function secharden-agents()
{
print_info "Now running "$FUNCNAME""
#curl --silent ${DL_ROOT}/Modules/Security/secharden-audit-agents.sh|$(which bash)
print_info "Completed running "$FUNCNAME""
}


function secharden-scap-stig()
{
print_info "Now running "$FUNCNAME""
bash ./Modules/Security/secharden-scap-stig.sh
print_info "Completed running "$FUNCNAME""
}


####################################################################################################
# Authentication
####################################################################################################

function auth-cloudron-ldap()
{
print_info "Now running "$FUNCNAME""
#curl --silent ${DL_ROOT}/Modules/Auth/auth-cloudron-ldap.sh|$(which bash)
print_info "Completed running "$FUNCNAME""
}


####################################################################################################
# RUn the various functions in the correct order
####################################################################################################

echo > $LOGFILENAME

print_info "Execution starting at $CURRENT_TIMESTAMP..."

PreflightCheck
global-oam
global-installPackages
global-systemServiceConfigurationFiles
global-postPackageConfiguration

secharden-ssh
secharden-wazuh
secharden-scap-stig
#secharden-agents
#secharden-auto-upgrades

#secharden-2fa
#auth-cloudron-ldap

print_info "Execution ended at $CURRENT_TIMESTAMP..."