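#!/usr/bin/env bash
#
# https://gitea.wolfeden.online/Doc/bootstraps4ansible/scripts/bootstrap-vps-debian12.sh
#
# Bootstrap a clean system for use with Ansible
#
# Usage: bootstrap-vps-debian12.sh [ansible_user] [temp_ssh_port]
#   $1  name of the Ansible service account        (default: ansiuser)
#   $2  temporary SSH port sshd will listen on      (default: 46347)
#
# Must run as root. The user's SSH public key is read from stdin (paste,
# then Ctrl+D). Every critical step is checked explicitly; the script exits
# non-zero on the first failure (apt steps propagate apt's own status).

set -uo pipefail   # no -e on purpose: failures are checked per step below

#######################################
# Print a boxed section title to stdout.
# Arguments: $1 - title text
#######################################
section_box() {
  local title="#  $1  #"
  local border
  border=$(printf '%*s' "${#title}" '' | tr ' ' '#')
  printf '%s\n%s\n%s\n' "$border" "$title" "$border"
}

#######################################
# Print a boxed error message to stderr, in the same "# # #" style the
# original banners used.
# Arguments: $1 - message text
#######################################
error_box() {
  local msg="###  $1  ###"
  local width=${#msg}
  local border row='' i
  border=$(printf '%*s' "$width" '' | tr ' ' '#')
  for (( i = 0; i < width; i++ )); do
    if (( i % 2 == 0 )); then row+='#'; else row+=' '; fi
  done
  printf '\n%s\n%s\n%s\n%s\n%s\n\n' "$border" "$row" "$msg" "$row" "$border" >&2
}

#######################################
# Abort unless running as root (needed for apt, useradd, sshd config).
#######################################
require_root() {
  if [[ "${UID}" -ne 0 ]]; then
    echo " You need to run this script as root" >&2
    exit 1
  fi
}

#######################################
# Read positional arguments into the script's globals.
# Globals:   ANSIUSER, ANSIUSERDIR, TMP_PORT (written, then readonly)
# Arguments: $1 - user name (optional), $2 - temporary SSH port (optional)
#######################################
parse_args() {
  ANSIUSER=${1:-ansiuser}
  TMP_PORT=${2:-46347}
  # Both values are interpolated into sudoers and sshd_config. Reject anything
  # that is not a plain (Debian-default) user name or a port number, so a typo
  # cannot produce a config that sshd refuses to start with after the restart.
  if [[ ! "$ANSIUSER" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
    error_box "ERROR invalid user name '$ANSIUSER'!"
    exit 1
  fi
  # [1-9] first: a leading 0 would be read as octal by (( )).
  if [[ ! "$TMP_PORT" =~ ^[1-9][0-9]{0,4}$ ]] || (( TMP_PORT > 65535 )); then
    error_box "ERROR invalid port '$TMP_PORT'!"
    exit 1
  fi
  ANSIUSERDIR=/home/$ANSIUSER
  readonly ANSIUSER ANSIUSERDIR TMP_PORT
}

#######################################
# Bring the package index and installed packages up to date.
# Returns: exits with apt-get's status on failure
#######################################
update_system() {
  local err
  section_box "Updating System"
  # apt-get (not apt) is the stable CLI for scripts.
  apt-get update && apt-get upgrade -y
  err=$?
  if (( err != 0 )); then
    error_box "ERROR while updating the system!"
    echo "Correct the issues and try again. Exiting." >&2
    exit "$err"
  fi
}

#######################################
# Install sshd, sudo and the python bits Ansible needs on the target.
# Returns: exits with apt-get's status on failure
#######################################
install_packages() {
  local err
  section_box "Installing ssh and sudo"
  # avoid --no-install-recommends for basic programs
  # like wget, sudo, and openssh
  # also python3 and python3-apt for Ansible
  # (openssh-server pulls in openssh-client, whose ssh-keygen is used below)
  apt-get install -y openssh-server sudo \
    python3 python3-apt
  err=$?
  if (( err != 0 )); then
    error_box "ERROR while installing ssh and sudo!"
    echo "Correct the issues and try again. Exiting." >&2
    exit "$err"
  fi
}

#######################################
# Create the Ansible user (idempotent) and grant passwordless sudo.
# Globals:   ANSIUSER, ANSIUSERDIR (read)
# Returns:   exits 1 if the user or the sudoers entry cannot be created
#######################################
create_user() {
  local sudoers_file=/etc/sudoers.d/99-ansible-user
  section_box "Creating and configuring user"

  echo "- Creating user '$ANSIUSER'..."
  if id -u -- "$ANSIUSER" >/dev/null 2>&1; then
    echo "  (user already exists, reusing it)"
  # -d pins the home directory to what ANSIUSERDIR assumes.
  elif ! useradd -m -d "$ANSIUSERDIR" -s /bin/bash -c "Ansible User" "$ANSIUSER"; then
    error_box "ERROR could not create user '$ANSIUSER'!"
    exit 1
  fi

  echo "- Configuring sudo for user '$ANSIUSER'..."
  if ! usermod -aG sudo "$ANSIUSER"; then
    error_box "ERROR could not add '$ANSIUSER' to group sudo!"
    exit 1
  fi
  mkdir -p /etc/sudoers.d
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$ANSIUSER" > "$sudoers_file"
  chmod 0440 -- "$sudoers_file"
  # A syntactically bad drop-in can disable sudo for everyone; verify it the
  # way sudo itself will parse it and remove it if it does not pass.
  if ! visudo -cf "$sudoers_file" >/dev/null; then
    rm -f -- "$sudoers_file"
    error_box "ERROR sudoers entry for '$ANSIUSER' failed the visudo check!"
    exit 1
  fi
  echo ""
}

#######################################
# Read the public key(s) from stdin and append them to authorized_keys.
# Globals:   ANSIUSER, ANSIUSERDIR (read)
# Inputs:    stdin - one or more authorized_keys lines, terminated by EOF
# Returns:   exits 1 on empty/unparsable input or write failure
#######################################
install_authorized_key() {
  local auth_keys="$ANSIUSERDIR/.ssh/authorized_keys"
  local group keyfile
  group=$(id -gn -- "$ANSIUSER") || exit 1
  install -d -m 0700 -o "$ANSIUSER" -g "$group" -- "$ANSIUSERDIR/.ssh"

  cat << EOF
########################################################
# IMPORTANT!  |                                        #
#-------------+                                        #
#                                                      #
#  Paste public key for '$ANSIUSER'.                   #
#  Ctrl+d when done.                                   #
#                                                      #
########################################################
EOF

  keyfile=$(mktemp) || { error_box "ERROR could not create a temp file!"; exit 1; }
  # Expanded now on purpose: keyfile is local and gone when the trap fires.
  # shellcheck disable=SC2064
  trap "rm -f -- '$keyfile'" EXIT

  # Collect the paste in a scratch file first so a bad paste never reaches
  # authorized_keys (the original appended stdin straight into it).
  cat > "$keyfile"
  if [[ ! -s "$keyfile" ]]; then
    error_box "ERROR authorized_keys did not change (no key entered)"
    echo "Exiting!" >&2
    exit 1
  fi
  # ssh-keygen -l accepts authorized_keys-format input and fails when it
  # finds no parsable public key, which rejects garbage before it is installed.
  if ! ssh-keygen -lf "$keyfile" >/dev/null 2>&1; then
    error_box "ERROR input does not contain a valid SSH public key!"
    echo "Exiting!" >&2
    exit 1
  fi
  # Ensure a trailing newline so a later append cannot fuse with this key.
  if [[ -n "$(tail -c1 -- "$keyfile")" ]]; then
    echo >> "$keyfile"
  fi

  if ! cat -- "$keyfile" >> "$auth_keys"; then
    error_box "ERROR could not append to authorized_keys!"
    echo "Exiting!" >&2
    exit 1
  fi
  chown "$ANSIUSER:$group" -- "$auth_keys"
  chmod 0600 -- "$auth_keys"
}

#######################################
# Replace sshd_config with a key-only, non-root, single-user policy on the
# temporary port, and validate it before anything restarts sshd.
# Globals:   ANSIUSER, TMP_PORT (read)
# Returns:   exits 1 if sshd rejects the new configuration
#######################################
configure_sshd() {
  section_box "(Re)setting SSH configuration"

  # Keep the shipped config once, for rollback/reference.
  if [[ ! -e /etc/ssh/sshd_config.bootstrap.bak ]]; then
    cp -a -- /etc/ssh/sshd_config /etc/ssh/sshd_config.bootstrap.bak
  fi
  # Drop-ins are Included first, so sshd's first-value-wins rule would let a
  # vendor/cloud-init drop-in re-enable password or root login. Remove them.
  rm -f -- /etc/ssh/sshd_config.d/*.*
  mkdir -p /etc/ssh/sshd_config.d

  cat << EOF > /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
PermitEmptyPasswords no
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
UsePAM yes
# Change port to temp reduce attacks before Ansible connects
Port $TMP_PORT
MaxAuthTries 3
KbdInteractiveAuthentication no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

  cat << EOF > "/etc/ssh/sshd_config.d/enable_$ANSIUSER.conf"
AllowUsers $ANSIUSER
EOF

  # A config sshd refuses would leave the host unreachable after the restart;
  # test it here, while the current session is still open.
  if ! /usr/sbin/sshd -t; then
    error_box "ERROR new sshd configuration is invalid, not restarting sshd!"
    exit 1
  fi
}

#######################################
# Allow TMP_PORT/tcp in whichever firewall is installed, if any.
# Globals:   TMP_PORT (read)
# Outputs:   warnings on stdout; never aborts the script
#######################################
open_firewall_port() {
  local warn="## WARNING error occurred while opening a port ##"
  section_box "Opening a port (if needed)"
  if command -v ufw &> /dev/null; then
    echo "Opening port $TMP_PORT with ufw..."
    ufw allow "$TMP_PORT/tcp" comment 'Allow temporary SSH port' || echo "$warn"
  elif command -v firewall-cmd &> /dev/null; then
    echo "Opening port $TMP_PORT with firewalld..."
    firewall-cmd --permanent --add-port="$TMP_PORT/tcp" || echo "$warn"
    firewall-cmd --reload || echo "$warn"
  elif command -v iptables &> /dev/null; then
    # Not persisted: the rule is gone after a reboot.
    echo "Temporarily opening port $TMP_PORT with iptables (this session only)..."
    iptables -I INPUT -p tcp --dport "$TMP_PORT" -j ACCEPT || echo "$warn"
  fi
}

#######################################
# Print the after-action summary.
# Globals:   ANSIUSER, ANSIUSERDIR, TMP_PORT (read)
#######################################
print_summary() {
  cat << EOF
###################################
# Complete  |                     #
#-----------+                     #
#                                 #
#  Process completed.             #
#  After action summary below:    #
#                                 #
###################################
EOF
  echo " - User: $ANSIUSER"
  echo " - Port: $TMP_PORT"
  echo ""
  # Fingerprints identify each key without echoing key material to the
  # terminal or a session log.
  echo "--- Authorized Keys ---"
  ssh-keygen -lf "$ANSIUSERDIR/.ssh/authorized_keys" \
    || echo "(could not read $ANSIUSERDIR/.ssh/authorized_keys)"
  echo "-----------------------"
  echo ""
}

#######################################
# Enable sshd and restart it so the new configuration takes effect.
#######################################
restart_ssh() {
  echo "Restarting SSH server in 10 seconds and ending script"
  sleep 10
  systemctl enable ssh
  systemctl restart ssh
}

main() {
  require_root
  parse_args "$@"
  export DEBIAN_FRONTEND=noninteractive
  update_system
  install_packages
  create_user
  install_authorized_key
  configure_sshd
  open_firewall_port
  print_summary
  restart_ssh
}

main "$@"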