#!/bin/bash

### FUNCTIONS
### ---------

function prepare_config_hardened() {
  mkdir -p "$HARDEN_CONFIGDIR"
}

function pubkey_authorize() {
  local PREFIX="harden:pubkey:authorize"

  if [[ ! -d $HOME/.ssh ]]; then
    echo -n "create .ssh folder for the first time ..."
    mkdir -m 700 ~/.ssh
    PREFIX="" echo "OK"
  else
    local security_issue_in_ssh_folder
    security_issue_in_ssh_folder=$(find "$HOME/.ssh" -perm -go=r | wc -l)
    if [[ $security_issue_in_ssh_folder -gt 0 ]]; then
      echo -n "force security in .ssh folder for <$CURRENT_USER> ..."
      chmod -R u+rwX,go-rwx "/home/$CURRENT_USER/.ssh"
      PREFIX="" echo "OK"
    else
      echo "security in .ssh folder for <$CURRENT_USER> approved!"
    fi
  fi

  pubkey_value=$(yq ".authorized.pubkey" "$HARDEN_CONFIGFILE")
  if [[ ! -f /home/$CURRENT_USER/.ssh/authorized_keys ]]; then
    echo -n "authorized_keys first time ..."
    PREFIX="" echo "$pubkey_value" >"$HOME/.ssh/authorized_keys"
    chmod u+rw,go-rwx "/home/$CURRENT_USER/.ssh/authorized_keys"
    PREFIX="" echo "OK"
  else
    if ! grep -q "^$pubkey_value" "/home/$CURRENT_USER/.ssh/authorized_keys"; then
      echo -n "pubkey <$CURRENT_USER> appended to <.ssh/authorized_keys> ..."
      echo "$pubkey_value" >>"$HOME/.ssh/authorized_keys"
      PREFIX="" echo "OK"
    else
      echo "pubkey <$CURRENT_USER> already authorized!"
    fi
  fi
}

function sudoers() {
  local PREFIX="harden:sudoers"
  if [[ -d /etc/sudoers.d ]]; then
    echo -n "add $CURRENT_USER and no more ..."

    sudo env current_user="$CURRENT_USER" tera -e --env-key env --env-only -o /etc/sudoers -t "$MIAOU_BASEDIR/templates/hardened/sudoers.j2" >/dev/null

    rm /etc/sudoers.d -rf
    grep -Eq "^debian" /etc/passwd && userdel -rf debian
    grep -Eq "^sudo" /etc/group && groupdel sudo
    passwd -dq root
    passwd -dq "$CURRENT_USER"

    PREFIX="" echo "OK"
  else
    echo "sudo authorized for <$CURRENT_USER> only!"
  fi
}

function sshd() {
  local PREFIX="harden:sshd"
  if [[ ! -f /etc/ssh/sshd_config ]]; then
    sudo apt install -y openssh-server
  else
    echo "sshd already installed!"
  fi

  if ! grep -Eq "^Port 2222" /etc/ssh/sshd_config; then
    echo -n "replacing sshd ..."

    sudo env current_user="$CURRENT_USER" tera -e --env-key env --env-only -o /etc/ssh/sshd_config -t "$MIAOU_BASEDIR/templates/hardened/sshd_config.j2" >/dev/null
    sudo systemctl restart sshd

    PREFIX="" echo "OK"
  else
    echo "already done!"
  fi
}

function prepare_proxy() {
  local PREFIX="harden:proxy"

  if ! grep -Eq "^precedence ::ffff:0:0/96.*" /etc/gai.conf; then
    echo "prefer ipv4 ..."
    sudo /opt/miaou-bash/tools/append_or_replace "^precedence ::ffff:0:0/96.*" "precedence ::ffff:0:0/96  100" /etc/gai.conf
    echo "OK"
  else
    echo "ipv4 already prefered!"
  fi

  if ! grep -Eq "^net.ipv4.ip_forward=1" /etc/sysctl.conf; then
    echo "allow forwarding from kernel ..."
    sudo /opt/miaou-bash/tools/append_or_replace "^net.ipv4.ip_forward=1.*" "net.ipv4.ip_forward=1" /etc/sysctl.conf
    sudo sysctl -p
    echo "OK"
  else
    echo "kernel forwarding already allowed!"
  fi
}

function set_current_user {
  local PREFIX="harden:environment"

  CURRENT_USER=$(id -un)
  echo "current user is <$CURRENT_USER>"
}

function load_configuration {
  local PREFIX="harden:configuration:load"

  if [[ ! -f "$HARDEN_CONFIGFILE" ]]; then
    echo "configuration requires further details ..."
    cp "$MIAOU_BASEDIR/templates/hardened/hardened.yaml.sample" "$HARDEN_CONFIGFILE"
    echo "OK"
  fi

  editor "$HARDEN_CONFIGFILE"
}

function check_configuration {
  local PREFIX="harden:configuration:check"

  check_yaml_defined_value "$HARDEN_CONFIGFILE" 'authorized.pubkey'
  check_yaml_defined_value "$HARDEN_CONFIGFILE" 'alert.to'
  check_yaml_defined_value "$HARDEN_CONFIGFILE" 'alert.from'
  check_yaml_defined_value "$HARDEN_CONFIGFILE" 'alert.smtp.server'
}

function set_timezone_if_defined {
  local PREFIX="harden:timezone"
  timezone=$(yq ".timezone" "$HARDEN_CONFIGFILE")
  if [[ "$timezone" != null ]]; then
    if ! grep -q "$timezone" /etc/timezone; then
      if [[ -f "/usr/share/zoneinfo/$timezone" ]]; then
        echo "set timezone to $timezone ..."
        sudo ln -fs "/usr/share/zoneinfo/$timezone" /etc/localtime
        sudo dpkg-reconfigure -f noninteractive tzdata
        echo OK
      else
        echoerr "unkown timezone: <$timezone>, please edit <$HARDEN_CONFIGFILE> and change to a correct value" && exit 98
      fi
    else
      echo "timezone <$timezone> already set!"
    fi
  fi
}

function mailer_alert() {
  local PREFIX="harden:mailer"

  if [[ ! -f /etc/msmtprc ]]; then
    for i in exim4-config libevent-2.1-7 libgnutls-dane0 libunbound8; do
      if dpkg -l "$i" 2>/dev/null | grep -q ^ii && echo 'installed'; then
        echo "purging package <$i> ..."
        apt purge -y "$i"
        echo "OK"
      fi
    done

    echo "installing <msmtp> ..."
    sudo /opt/miaou-bash/tools/idem_apt_install msmtp msmtp-mta mailutils bsd-mailx
    echo "OK"

    echo "configuring </etc/aliases>"
    sudo env current_user="$CURRENT_USER" tera -e --env-key env -o /etc/aliases -t "$MIAOU_BASEDIR/templates/hardened/mailer/aliases.j2" "$HARDEN_CONFIGDIR/hardened.yaml" >/dev/null
    echo "OK"

    # populate environment variable with fqdn
    fqdn=$(hostname -f)

    echo "configuring </etc/mail.rc>"
    sudo env current_user="$CURRENT_USER" fqdn="$fqdn" tera -e --env-key env -o /etc/mail.rc -t "$MIAOU_BASEDIR/templates/hardened/mailer/mail.rc.j2" "$HARDEN_CONFIGDIR/hardened.yaml" >/dev/null
    echo "OK"

    echo "generating </etc/msmtprc> configuration file ..."
    sudo env fqdn="$fqdn" tera -e --env-key env -o /etc/msmtprc -t "$MIAOU_BASEDIR/templates/hardened/mailer/msmtprc.j2" "$HARDEN_CONFIGDIR/hardened.yaml" >/dev/null
    sudo chown root:msmtp /etc/msmtprc
    sudo chmod 640 /etc/msmtprc
    echo "OK"
  else
    echo "mailer <msmtp> already configured!"
  fi

}

function alert_at_boot() {
  local PREFIX="harden:alert:boot"
  if ! systemctl is-enabled --quiet on_startup.service 2>/dev/null; then
    echo "installing <on_startup.service> on systemd..."
    sudo cp "$MIAOU_BASEDIR/templates/hardened/systemd/on_startup.service" /etc/systemd/system/on_startup.service
    sudo systemctl daemon-reload
    sudo systemctl enable on_startup.service
    REBOOT=true
    echo "OK"
  else
    echo "systemd <on_startup.service> already enabled!"
  fi
}

function show_reboot_on_purpose() {
  if "$REBOOT"; then
    PREFIX="harden:reboot" echowarn "we recommend reboot on purpose, Reboot NOW?"
  else
    PREFIX="harden" echo "success"
  fi
}

function disable_systemd_resolved() {
  PREFIX="harden:systemd:resolved"
  if file /etc/resolv.conf | grep -q /run/systemd/resolve/stub-resolv.conf; then
    echo "disabling systemd-resolved..."
    sudo systemctl stop systemd-resolved.service
    sudo systemctl disable systemd-resolved.service
    sudo rm /etc/resolv.conf
    sudo tee /etc/resolv.conf &>/dev/null <<EOF
nameserver 1.1.1.1
EOF
    echo "OK"
  else
    echo "systemd-resolved already disabled!"
  fi
}

function alert_at_ssh_password() {
  local PREFIX="harden:alert:ssh:password"
  if ! grep -Eq "^session optional pam_exec.so /usr/local/bin/alert_ssh_password.sh" /etc/pam.d/sshd; then
    echo "installing alert_at_ssh_password..."
    sudo cp "$MIAOU_BASEDIR/templates/hardened/pam/alert_ssh_password.sh" /usr/local/bin/
    sudo chmod 700 /usr/local/bin/alert_ssh_password.sh
    sudo /opt/miaou-bash/tools/append_or_replace "^session optional pam_exec.so /usr/local/bin/alert_ssh_password.sh" "session optional pam_exec.so /usr/local/bin/alert_ssh_password.sh" /etc/pam.d/sshd
    echo "OK"
  else
    echo "alert_at_ssh_password already enabled!"
  fi
}

function customize_motd {
  local PREFIX="harden:motd:customize"
  if [[ ! -f /etc/update-motd.d/80-users ]]; then
    echo "customizing motd..."
    sudo /opt/miaou-bash/tools/idem_apt_install figlet lsb-release
    sudo rm -f /etc/motd
    sudo mkdir -p /etc/update-motd.d
    sudo rm -f /etc/update-motd.d/*
    sudo cp "$MIAOU_BASEDIR"/templates/hardened/motd/* /etc/update-motd.d/
    sudo chmod +x /etc/update-motd.d/*
    echo "OK"
  else
    echo "motd already customized!"
  fi
}

### CONSTANTS
### ---------

MIAOU_BASEDIR=$(readlink -f "$(dirname "$0")/..")
readonly HARDEN_CONFIGDIR="$HOME/.config/hardened"
readonly HARDEN_CONFIGFILE="$HARDEN_CONFIGDIR/hardened.yaml"

### MAIN
### ----

# shellcheck source=/dev/null
. "$MIAOU_BASEDIR/lib/functions.sh"
miaou_init

REBOOT=false
PREFIX="harden"
: $PREFIX

sudo_required
install_miaou_bash
install_mandatory_commands
prepare_config_hardened
set_current_user
check_configuration 2>/dev/null || load_configuration
check_configuration
pubkey_authorize
sshd
prepare_proxy
prepare_nftables
disable_systemd_resolved
set_timezone_if_defined
mailer_alert
alert_at_boot
alert_at_ssh_password
customize_motd

show_reboot_on_purpose