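#!/bin/bash
#
# Post-install bootstrap for a freshly installed host: creates the /opt
# layout, installs the base /etc files and rc.d scripts, decrypts the
# GPG-protected secrets, sets up accounts and groups, restricts /var/log and
# /root with ACLs, and finally lists any outstanding FIXMEs.
#
# Must be run as root from the directory holding the bootstrap payload
# (ca-certificates/, base-files/, rc.d/, utils/, root.crontab,
# authorized_keys, memtest86+).  Interactive: prompts for two GPG
# passphrases, root's new password and the new user's details.
#
# Deliberately no 'set -e': most steps are best-effort on a partially
# configured host, so a failing step reports and the script carries on.

umask 022

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run gpg with the passphrase held in $PASS fed on stdin instead of being
# passed as an argument, so it never shows up in 'ps' output or 'set -x'
# traces.  --batch/--yes keep gpg non-interactive (existing output files are
# overwritten rather than prompted for).
# NOTE(review): GnuPG >= 2.1 also needs '--pinentry-mode loopback' for
# --passphrase-fd to be honoured in batch mode -- confirm against the
# installed gpg version before relying on this.
# Globals:   PASS (read)
# Arguments: remaining gpg options/operands, e.g. -d -o OUT IN
# Returns:   gpg's exit status
#######################################
gpg_with_pass() {
  printf '%s\n' "$PASS" | gpg --batch --yes --passphrase-fd 0 "$@"
}

#######################################
# Decrypt a service's SSL key under /etc/certificates and point the generic
# _SVC_-{cert,key}.pem symlinks at this domain's files.
# Globals:   DOMAIN (read), PASS (read, via gpg_with_pass)
# Arguments: $1 - service name (netdata, msmtp)
#            $2 - setfacl entry granting the service read access to the key
# Outputs:   progress messages on stdout
#######################################
decrypt_service_key() {
  local svc=$1
  local acl=$2
  local key="/etc/certificates/_${svc}_-${DOMAIN}-key.pem"
  echo "-> Decrypting $svc SSL key for $DOMAIN..."
  if [[ -e "$key.gpg" ]]; then
    gpg_with_pass -d -o "$key" "$key.gpg"
    chmod 600 "$key"
    setfacl -m "$acl" "$key"
    ( cd /etc/certificates/ \
      && ln -sf "_${svc}_-${DOMAIN}-cert.pem" "_${svc}_-cert.pem" \
      && ln -sf "_${svc}_-${DOMAIN}-key.pem" "_${svc}_-key.pem" )
  else
    echo "----> No $svc SSL key found for $DOMAIN!"
  fi
}

# Everything below writes system paths and runs passwd/adduser; bail early
# rather than half-apply as an unprivileged user.
(( EUID == 0 )) || die "This script must be run as root."

# Create /opt directories.
echo "-> Creating /opt directories..."
mkdir -p -m 755 {/opt,/opt/{bin,include,info,lib64,man,man/man{0..8},sbin,share}}

# Install the CA bundles, to stop wget moaning.
echo "-> Adding CA certificates..."
cp -R ca-certificates /usr/local/share
update-ca-certificates

# Install memtest86 into /boot.
# Only install if /boot exists, and this isn't an EFI system.
if [[ -e /boot && ! -e /boot/efi ]]; then
  echo "-> Adding memtest86+..."
  cp memtest86+ /boot
fi

# Install root's new crontab.
echo "-> Changing root's crontab..."
cat root.crontab >/var/spool/cron/crontabs/root

# Install the /etc files, which includes crontabs (permissions corrected below).
# Paths are NUL-delimited so names containing whitespace or glob characters
# survive; the subshell exits if 'cd' fails so the payload directory itself
# is never mirrored into /etc by mistake.
echo "-> Copying base files into /etc..."
(
  cd base-files || exit 1
  while IFS= read -r -d '' dir; do
    mkdir -p -m 755 "/etc/${dir#./}"
  done < <(find . -mindepth 1 -type d -print0 | sort -z)
  while IFS= read -r -d '' file; do
    cat "$file" >"/etc/${file#./}"
  done < <(find . -type f -print0 | sort -z)
)

# Copy in the rc.d files (permissions corrected below)
echo "-> Copying base rc.d files into /etc/rc.d..."
cp rc.d/rc.local rc.d/rc.modules.local rc.d/rc.firewall rc.d/rc.local_shutdown /etc/rc.d/
echo "----> Generic blocking rc.firewall installed - change it if required."

# Restart crond for new configurations.
echo "-> Restarting crond..."
/etc/rc.d/rc.crond restart

echo "-> Fixing base files' permissions..."
# Correct file/directory specific permissions.  chmod keeps going past a
# missing operand, so one call covers the whole list.
chmod 755 \
  /etc/cron.daily/update-slackpkg-template \
  /etc/cron.daily/warn-git-status \
  /etc/cron.daily/warn-smtp-queue \
  /etc/cron.hourly/log-acls \
  /etc/initscript \
  /etc/profile.d/biff.* \
  /etc/profile.d/lang.* \
  /etc/profile.d/less.* \
  /etc/profile.d/optpaths.*
chmod 750 /etc/sudoers.d

# Install pushover.
echo "-> Installing pushover..."
cp utils/pushover /opt/bin
chmod 755 /opt/bin/pushover

# Read the GPG passphrase without echoing it to the terminal (or scrollback).
read -rs -p "----> Enter GPG decryption passphrase: " PASS
echo

# Decrypt the pushover-config: each FOO.gpg becomes FOO alongside it.
echo "-> Decrypting /etc/pushover/*.gpg..."
for FILE in /etc/pushover/*.gpg; do
  [[ -e "$FILE" ]] || continue   # an unmatched glob is left literal
  gpg_with_pass -d -o "${FILE%.gpg}" "$FILE"
  chmod 640 "${FILE%.gpg}"
done
unset FILE

# Get the current domain name; certificate file names are derived from it.
DOMAIN="$(hostname -d)"
[[ -n "$DOMAIN" ]] || printf '%s\n' "----> Warning: 'hostname -d' returned nothing; certificate names will be malformed." >&2

# Decrypt the netdata SSL key.
# NOTE(review): uid 36 is presumably the netdata service account -- confirm.
decrypt_service_key netdata u:36:r

# Decrypt the msmtp SSL key.
decrypt_service_key msmtp g:mail:r

# Remove the decryption passphrase from the environment now it's finished with.
unset PASS

# Re-generate root's password for longer hash.
echo "-> Reset root's password..."
passwd root

# Make Tadgy's account.
echo "-> Adding user 'tadgy'..."
adduser tadgy

# Move the 'console' group. I dislike it above 100.
echo "-> Fixing 'console' GID..."
grep -q "^console:x:101:" /etc/group && groupmod -g 97 console
grpconv

# Add group 'admin', and make root and tadgy a member.
echo "-> Adding 'admin' group and making 'root' and 'tadgy' members..."
grep -q "^admin:" /etc/group || groupadd -g 101 admin
usermod -aG admin root
usermod -aG admin tadgy

# Restrict access to 'logger', since it can be used to spam the logs.
echo "-> Restricting access to /usr/bin/logger..."
chmod 750 /usr/bin/logger
setfacl -m g:admin:rx /usr/bin/logger

# Copy ssh keys into place for root and tadgy.  The key file is made 0600
# rather than the 0644 the umask would leave.
echo "-> Adding authorized_keys for 'root' and 'tadgy'..."
for ssh_dir in /root/.ssh /home/tadgy/.ssh; do
  mkdir -p -m 0700 "$ssh_dir"
  cat authorized_keys >"$ssh_dir/authorized_keys"
  chmod 600 "$ssh_dir/authorized_keys"
done
chown -R tadgy:users /home/tadgy/.ssh

# Encrypt the databases so they can be checked into git.
echo "-> Encrypting /etc/shadow and /etc/gshadow..."
read -rs -p "----> Enter GPG encryption passphrase: " PASS
echo
gpg_with_pass -c -o /etc/shadow.gpg /etc/shadow
gpg_with_pass -c -o /etc/gshadow.gpg /etc/gshadow
# Remove the passphrase from environment.
unset PASS

# Create log archive directories and move old log files.
echo "-> Archiving old logs..."
[[ -d /var/log/Archived ]] || mkdir -m 750 /var/log/Archived
[[ -d /var/log/Archived/pre-bootstrapping ]] || mkdir -m 750 /var/log/Archived/pre-bootstrapping
# Only move what actually exists: an unmatched glob would otherwise reach mv
# literally and produce one error per absent log.
old_logs=()
for old_log in /var/log/{btmp.*,{cron,debug,maillog,messages,secure,spooler,syslog}{,.*}}; do
  [[ -e "$old_log" ]] && old_logs+=("$old_log")
done
(( ${#old_logs[@]} > 0 )) && mv -- "${old_logs[@]}" /var/log/Archived/pre-bootstrapping/

# Restart syslogd.
echo "-> Restarting syslogd for new config..."
/etc/rc.d/rc.syslog restart

# Restart ntpd.
if [[ -x /etc/rc.d/rc.ntpd ]]; then
  echo "-> Restarting ntpd for new config..."
  /etc/rc.d/rc.ntpd restart
fi

# Restart sshd.
echo "-> Restarting sshd for new config..."
/etc/rc.d/rc.sshd restart

echo "-> Creating optional log files..."
touch /var/log/sulog /var/log/fail2ban

# Add a complete rc.local if the one on the system isn't customised.
# NOTE(review): rc.d/rc.local was already copied into /etc/rc.d above, so
# this check is expected to match on a fresh run -- confirm it is still wanted.
if [[ ! "$(md5sum /etc/rc.d/rc.local | cut -d' ' -f1)" == "583386a1a839ae04025629d202781a2c" ]]; then
  echo "-> Copying better rc.local..."
  cat rc.d/rc.local >/etc/rc.d/rc.local
  chmod 755 /etc/rc.d/rc.local
fi

# Add an rc.local_shutdown script if it doesn't exist already.
# NOTE(review): rc.d/rc.local_shutdown was also copied above, so this branch
# normally will not fire -- confirm.
if [[ ! -e /etc/rc.d/rc.local_shutdown ]]; then
  echo "-> Creating rc.local_shutdown..."
  cat rc.d/rc.local_shutdown >/etc/rc.d/rc.local_shutdown
  chmod 755 /etc/rc.d/rc.local_shutdown
fi

# Secure /var/log
echo "-> Securing /var/log..."
shopt -s globstar
# GLOBIGNORE keeps the package-management directories out of the '**' globs
# below (setting it also turns dotglob on for the duration).
# NOTE(review): 'find' does not honour GLOBIGNORE, so files *inside* those
# directories still receive the file ACLs -- confirm that is intended.
GLOBIGNORE="/var/log/packages/:/var/log/setup/:/var/log/scripts/"
# Set standard access perms for directories
setfacl -m user::rwx,group::rx,other::- /var/log/**/
setfacl -m user::rwx,group::rx,other::x /var/log/
# Set standard access perms for files
find /var/log -type f -exec setfacl -m user::rw,group::r,other::- {} +
# Allow group 'admin' read access to all directories/files
setfacl -m group:admin:rX /var/log/**/
find /var/log -type f -exec setfacl -m group:admin:r {} +
# Set default access for new files in directories.
setfacl -dm user::rwX,group::rX,other::- /var/log/**/
setfacl -dm group:admin:rX /var/log/**/
# /var/log/wtmp needs to be readable by everyone
setfacl -m user::rw,group::r,other::r /var/log/wtmp
unset GLOBIGNORE

# Secure /root
# NOTE(review): with GLOBIGNORE unset, dotglob is off again, so dotfiles and
# dot-directories under /root (e.g. .ssh) are not touched here -- confirm.
echo "-> Securing /root..."
# Set standard access perms for files
setfacl -m user::rwX,group::rX,other::- /root/**
# Set standard access perms for directories
setfacl -m user::rwx,group::rx,other::- /root/**/
# Allow group 'admin' read access to all files/dirs
setfacl -m group:admin:rX /root/**
setfacl -m group:admin:rx /root/**/
# Set default access for new files/dirs
setfacl -dm user::rwX,group::rX,other::- /root/**/
setfacl -dm group:admin:rX /root/**/

# Clean up some cruft.
echo "-> Cleaning up..."
rm -rf /etc/nntpserver /etc/lilo.conf_example
rm -rf /usr/{local/games,local/man/cat*,man/cat*} /var/man

# Finally, check for FIXMEs.  The report goes to a fresh mktemp file rather
# than a fixed /tmp name, since root writing to a predictable path that
# 'tee' would follow through a symlink is a classic foot-gun.
fixme_log=$(mktemp /tmp/FIXMEs.XXXXXX) || die "mktemp failed"
(
  echo "-> There may be some FIXMEs to attend to (also written to $fixme_log):"
  while IFS= read -r ITEM; do
    printf '%s\n' " -> $ITEM"
  done < <(grep -R FIXME /etc | grep -Ev "^/etc/(\.git|file|magic|misc)") 2>&1
) | tee "$fixme_log"

echo "-> Bootstrap complete!"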