#!/usr/bin/env bash


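## - On the host-system install "bridge-utils"
## -
apt-get install bridge-utils

## - On the host-system install LXC
## -
apt-get install lxc
apt-get install btrfs-tools lua5.3


## - !! Debian stretch related
## -
## - Configuration in /etc/security/limits.conf seems not to work together
## - with systemd.
## -
## - One possibility is setting "DefaultLimitNOFILE" in
## - /etc/systemd/system.conf. That setting is system-wide (it becomes the
## - default for every unit), which is more than wanted here: only one
## - user's limits should change, not the limits of each and everything.
## - /etc/systemd/user.conf carries the same knob for user instances only —
## - presumably the narrower fix; confirm.
## -
## - The perl edit appends "DefaultLimitNOFILE=1048576" right after the
## - commented-out default. Both steps are guarded so a second run neither
## - overwrites the pristine .ORIG copy nor adds a second
## - DefaultLimitNOFILE line.
limits_conf=/etc/systemd/system.conf
[[ -e "${limits_conf}.ORIG" ]] || cp -a "$limits_conf" "${limits_conf}.ORIG"
if ! grep -q '^DefaultLimitNOFILE=' "$limits_conf"; then
   perl -i -p -e 's/(\s*#\s*DefaultLimitNOFILE.*)/$1\nDefaultLimitNOFILE=1048576/' "$limits_conf"
fi
## - already-running units keep their old limit; the host is restarted
## - further down anyway
systemctl daemon-reload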


## - Configure your host-system to use a bridge-interface (typically br0)
## - instead of a real one (typically eth0); eth0 becomes a port of br0
## - and the address moves to the bridge.
## -
## - Replace your network configuration in file /etc/network/interfaces
## - from:
## - 
## -    auto eth0
## -    iface eth0 inet static
## -          address <ip-address>
## -          netmask <netmask>
## -          network <network-address>
## -          broadcast <broadcast-address>
## -          gateway <gateway-address>
## - 
## - to:
## - 
## -    auto br0
## -    iface br0 inet static
## -       bridge-ports eth0
## -       address <ip-address..>
## -       netmask <netmask>
## -       network <network-address>
## -       broadcast <broadcast-address>
## -       gateway <gateway-address>
## -       # default route to access subnet
## -       #up route add -net <network-address> netmask <netmask> gw <gateway-address> br0
## -
host_ifaces=/etc/network/interfaces
cp -a "$host_ifaces" "${host_ifaces}.ORIG"
vim "$host_ifaces"


## - Restart host-system
## -


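# ---
# - <lxc name>
# ----
## - Where the containers live. Every container path below is derived from
## - this, so switching to e.g. /srv/lxc only needs this one line.
#LXC_ROOT_DIR=/srv/lxc
LXC_ROOT_DIR=/var/lib/lxc

## - Placeholders are quoted so the file at least parses (bash -n,
## - shellcheck); replace them before use.
LXC_NAME="<lxc name>"
LXC_DIST=debian
LXC_RELEASE=stretch

###  Device 1 (eth0 in the container, attached to br0)
IPV4_ADDRESS_1="<ipv4-address 1>"
IPV4_NETMASK_1="<netmask>"
IPV4_BROADCAST_1="<broadcast>"
IPV4_GATEWAY_1="<gateway>"
## - prefix length of device 1; referenced as $IPv4_Prefix (no _1 suffix)
## - in the container config written below
IPv4_Prefix=24
## - !! Assign the MAC address through the Hetzner web interface !!
## -
## - Generate a random MAC address:
## -
## -    echo -e "\n\t$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')\n"
## - 
## - NOTE(review): a first octet of 00 is a globally administered (vendor)
## - range, so a random address may collide with a real vendor OUI; locally
## - administered addresses set the 0x02 bit (first octet 02, 06, 0A, 0E).
#MAC_ADDRESS_1="$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')"
MAC_ADDRESS_1="<mac address 1>"

#IPV6_ADDRESS_1="<IPv6-address>"
#IPV6_GATEWAY_1="<IPv6-gateway>"
#IPv6_Prefix_1="<IPv6-Prefix 1>"

###  Device 2 (eth1 in the container). Leave IPV4_ADDRESS_2 empty to
###  build a single-interface container.
IPV4_ADDRESS_2=83.223.86.202
IPV4_NETMASK_2=255.255.255.0
IPV4_BROADCAST_2=83.223.86.255
IPV4_GATEWAY_2="${IPV4_GATEWAY_1}"
IPv4_Prefix_2=24
MAC_ADDRESS_2=00:B4:D5:A0:5F:CE

#IPV6_ADDRESS_2="<IPv6-address 2>"
#IPV6_GATEWAY_2="<IPv6-gateway 2>"
#IPv6_Prefix_2="<IPv6-Prefix 2>"


## - NOTE: not referenced anywhere else in this file, and it shadows bash's
## - own HOSTNAME variable for the rest of the session
HOSTNAME=dns0.warenform.de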

## - -------------------------------------------------------------------------


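## - Create the container from the distribution template (the generated
## - root password is printed at the end of its output — see the
## - lxc-console note further down)
lxc-create -n "$LXC_NAME" -t "$LXC_DIST" -- --release "$LXC_RELEASE" --arch amd64

container_root="${LXC_ROOT_DIR}/${LXC_NAME}"

## - keep the template-generated network config for reference
cp "${container_root}/rootfs/etc/network/interfaces" \
   "${container_root}/rootfs/etc/network/interfaces.ORIG"

## - empty fstab referenced by "lxc.mount" in the config written below;
## - derived from LXC_ROOT_DIR like every other container path
touch "${container_root}/fstab"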

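## - Write the container's /etc/network/interfaces. Addresses are assigned
## - by LXC from the container config (lxc.network.ipv4 further down),
## - hence "manual" here. With two interfaces the "up" lines add
## - source-based policy routing: packets from each address leave via that
## - interface's gateway (routing tables 100 and 200), so both addresses
## - stay reachable independently of the main default route.
## - NOTE(review): the "up" hooks have no "down" counterparts, so an
## - ifdown/ifup cycle may fail on an already-existing route — confirm.
ifaces_file="${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces"

if [[ -z "$IPV4_ADDRESS_2" ]] ; then
   cat << EOF > "$ifaces_file"

#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback


#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
iface eth0 inet6 manual

EOF

else
   cat << EOF > "$ifaces_file"

#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback


#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
   up ip route add default via ${IPV4_GATEWAY_1} dev eth0 table 100
   up ip rule add from ${IPV4_ADDRESS_1} table 100 prio 100



#-----------------------------
# eth1
#-----------------------------

auto eth1
iface eth1 inet manual
   up ip route add default via ${IPV4_GATEWAY_2} dev eth1 table 200
   up ip rule add from ${IPV4_ADDRESS_2} table 200 prio 120
EOF
fi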

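## - Replace the template-generated container config (kept as config.ORIG).
## - Key names are the LXC 2.x syntax shipped with stretch (lxc.network.*,
## - lxc.utsname, lxc.rootfs); LXC 3 renamed them to lxc.net.N.*,
## - lxc.uts.name and lxc.rootfs.path — adjust on a newer host.
lxc_config="${LXC_ROOT_DIR}/${LXC_NAME}/config"
cp "$lxc_config" "${lxc_config}.ORIG"

cat << EOF > "$lxc_config"
lxc.rootfs = ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf


# Container specific configuration
lxc.mount = ${LXC_ROOT_DIR}/${LXC_NAME}/fstab
lxc.utsname = ${LXC_NAME}
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0


# Network configuration

###  Device 1
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = ${MAC_ADDRESS_1}
# IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_1}/${IPv4_Prefix}
lxc.network.ipv4.gateway = ${IPV4_GATEWAY_1}
# IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_1}/${IPv6_Prefix_1}
#lxc.network.ipv6.gateway = ${IPV6_GATEWAY_1}

EOF

## - Second interface only when a second address is configured. It gets no
## - lxc.network.ipv4.gateway on purpose: the main table keeps the single
## - default route via device 1, and eth1's own default lives in routing
## - table 200 (set up by the container's /etc/network/interfaces above).
## - Uses the device's own prefix (IPv4_Prefix_2), not device 1's.
if [[ -n "$IPV4_ADDRESS_2" ]]; then
   cat << EOF >> "$lxc_config"
###  Device 2
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.hwaddr = ${MAC_ADDRESS_2}
## IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_2}/${IPv4_Prefix_2}
## IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_2}/${IPv6_Prefix_2}

EOF
fi

## - The commented lines under "Mount iso file" would lift the AppArmor
## - profile and expose loop devices to the container; they stay commented
## - so the default confinement applies unless an ISO mount is really needed.
cat << EOF >> "$lxc_config"

# Mount iso file inside LX Container
#lxc.aa_profile = unconfined
#lxc.cgroup.devices.allow = b 7:* rwm
#lxc.cgroup.devices.allow = c 10:237 rwm


# Autostart
lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 100
EOF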

## - -------------------------------------------------------------------------

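lxc-start -d -n "$LXC_NAME"

## - Open a root shell in the new container
## -
lxc-attach -n "$LXC_NAME"

## - Alternatively: open a console in the new container
## -
## - Note: this asks for the root password, which is part of the output
## - printed at the end of the "lxc-create" command
## -
lxc-console -n "$LXC_NAME"

## - The sections that follow (apt, users, sshd, sudo, build packages) are
## - meant to be run from one of these two shells inside the container; the
## - scp lines in the template section are issued from the admin
## - workstation — presumably; verify the context before pasting a block.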

## - -------------------------------------------------------------------------

## - Configure apt (inside the container)
## -
## - /etc/apt/sources.list is overwritten with the list below: the release
## - itself, its security updates, stretch-updates (formerly "volatile") and
## - stretch-backports, each with a matching deb-src line. The heredoc is the
## - authoritative list.
## -
## - NOTE(review): stretch is end-of-life; the release may have moved to
## - archive.debian.org and security.debian.org may no longer serve it —
## - verify before relying on "apt-get update" here.
## -
cat << EOF > /etc/apt/sources.list

deb http://ftp.de.debian.org/debian/ stretch main non-free contrib
deb-src http://ftp.de.debian.org/debian/ stretch main non-free contrib

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free

# stretch-backports, previously on backports.debian.org
deb http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free

EOF

## - Update
## -
apt-get update

## - Install/Setup locales (dpkg-reconfigure is interactive)
## -
apt-get install locales
dpkg-reconfigure locales

## - take care shadow passwords are enabled
## -
dpkg-reconfigure passwd
/sbin/shadowconfig on

## - Set password for user root (replaces the one lxc-create generated and
## - printed at the end of its output)
## -
passwd

## - configure time-zone
## -
dpkg-reconfigure tzdata


## - Upgrade System
## -
apt-get upgrade


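## - Base tool set for the container.
## - NOTE(review): rssh (restricted shell, presumably for the "back"
## - account) was dropped from Debian after stretch — confirm it is still
## - installable or plan a replacement.
apt-get -y install openssh-server rssh \
   vim vim-common vim-doc mc screen tmux bc figlet \
   rcconf sudo rsync dselect iputils-ping apt-utils aptitude apt-transport-https \
   zip unzip bzip2 arj \
   locate \
   curl \
   gawk mawk \
   lynx links w3m ctags mime-support \
   file coreutils moreutils less sipcalc psmisc \
   dnsutils rblcheck whois \
   gettext gettext-base gettext-doc \
   debian-keyring \
   patch patchutils \
   recode recode-doc librecode0 librecode-dev sharutils \
   perl perl-modules perl-doc libperl-dev \
   libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \
   libmail-imapclient-perl libtime-duration-perl libtimedate-perl \
   libwww-perl libpcre3 libio-compress-perl \
   re2c util-linux \
   parted lshw gdisk smartmontools \
   tcpdump telnet unhide lsof hdparm groff iproute2 bridge-utils vlan \
   ethtool wipe iperf mtr iptraf \
   wget logrotate rsyslog haveged \
   rdate ntpdate man \
   iptables shellcheck \
   ssl-cert ssl-cert-check \
   git ftp \
   htop \
   net-tools lsb-release \
   attr acl quota quotatool \
   needrestart


# - poppler-utils  - PDF tools (based on Poppler), e.g. pdftotext
# - catdoc         - converts Word, Excel and PowerPoint files to plain text
# -
apt-get install catdoc poppler-utils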



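## - add more users (adduser asks for the password interactively)
adduser chris
adduser defa

## - add user/group back with a fixed uid/gid (1060), presumably so that
## - file ownership matches across hosts — confirm
addgroup --gid 1060 back
adduser --uid 1060 --gid 1060 back

## - user/group sysadm (fixed uid/gid 1050)
## -
## -    passwd: set interactively by adduser — never record it in this file
## -
addgroup --gid 1050 sysadm
adduser --uid 1050 --gid 1050 sysadm


## - add the admin users to group sudo (full root via sudo). "back" is
## - deliberately left out; it gets its own sudoers entry via visudo
## - further down.
for admin_user in chris sysadm defa; do
   usermod -a -G sudo "$admin_user"
done

## - warenform specific
## -
#addgroup --gid 1008 webadmin
#mkdir /var/www
#adduser --uid 1008 --gid 1008 --home /var/www/html webadmin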


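## - Adjust (temporarily) /etc/ssh/sshd_config
## -
## - Set
## -    PermitRootLogin yes
## -
## - Root login is enabled only so the templates can be pushed to
## - root@<container> with scp below; the sshd_config copied in afterwards
## - is expected to turn it off again — check that file.
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
vim /etc/ssh/sshd_config
## - validate the edited config before restarting; a broken one would
## - leave the container without sshd (recoverable via lxc-attach, but
## - avoidable)
/usr/sbin/sshd -t && systemctl restart ssh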


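## - Install git repository 'admin-stuff' under /root/bin
## -
## - Cloned over HTTPS from the remote's default branch; nothing pins a
## - revision, so the checkout is whatever the remote serves at clone time.
## - The clone is chained to mkdir so a failure there does not drop the
## - checkout into the current directory.
mkdir -p /root/bin \
   && git clone https://git.oopen.de/script/admin-stuff /root/bin/admin-stuff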


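## - Copy templates for .bashrc, .profile, .vimrc, .ssh etc.
## -
## - Two contexts are mixed in this section: the .ORIG backups and the
## - adduser_* helper scripts run inside the container as root, the scp
## - lines are issued from the admin workstation (paths under
## - /home/chris/O.OPEN/...) — presumably; confirm before pasting.
## - Placeholder quoted so the file parses; replace with the container's
## - address.
hostname="<ipv4-address>"

## - users whose dotfiles get a .ORIG backup before the templates overwrite them
users=(chris sysadm back)
for user in "${users[@]}"; do
   cp -a "/home/${user}/.bashrc" "/home/${user}/.bashrc.ORIG"
   cp -a "/home/${user}/.profile" "/home/${user}/.profile.ORIG"
done
cp -a /root/.bashrc /root/.bashrc.ORIG
cp -a /root/.profile /root/.profile.ORIG


## - From the workstation: push the templates. ".ssh" is copied as a whole
## - directory, so the template should contain only public material
## - (authorized_keys, known_hosts) — never private keys.
## - cd is chained with && so a missing template directory does not send
## - whatever happens to be in the current directory instead.
cd /home/chris/O.OPEN/Rechner/templates_home/root \
   && scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh "root@${hostname}:"

## - same templates for the unprivileged accounts; the first target has no
## - user@ and therefore logs in as the workstation's own user name
cd /home/chris/O.OPEN/Rechner/templates_home/chris \
   && for target in "${hostname}" "back@${hostname}" "sysadm@${hostname}"; do
         scp -r .bashrc .profile .ssh .vimrc "${target}:"
      done

## - Back in the container as root: run the helper scripts that were just
## - copied into /root, then remove them
cd ~
./adduser_defa.sh
./adduser_backup.oopen.sh

rm -- adduser_*

## - Copy sshd_config (from the workstation)
## -
## - The copied file is not active until sshd is restarted inside the
## - container: run "/usr/sbin/sshd -t && systemctl restart ssh" there, and
## - make sure the file does not keep the temporary "PermitRootLogin yes".
cd ~/merke/install/LXC \
   && scp etc_sshd_sshd_config "root@${hostname}:/etc/ssh/sshd_config"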


## - Adjust /etc/resolv.conf (interactive edit; set the resolvers below)
## -
## -    search oopen.de
## -    nameserver 83.223.66.51
## -    nameserver 212.42.230.1
## -    nameserver 83.223.90.90
## -
vim /etc/resolv.conf


## - configure sudo (visudo validates the file before saving)
## - add lines:
## -
## -    back   ALL=(root)NOPASSWD:/usr/bin/rsync
## -    back   ALL=(root)NOPASSWD:/usr/bin/find
## -    back   ALL=(root)NOPASSWD:/usr/bin/realpath
## -
## - NOTE(review): rsync and find accept arguments that let them read,
## - write or execute as root with no restriction on the path, so without
## - an argument pattern this grant is effectively unrestricted,
## - passwordless root for "back". If the account only pulls backups, a
## - restricted wrapper (e.g. rrsync pinned to the backup directory) or
## - explicit argument patterns in the sudoers line narrow it considerably.
## -
visudo


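## - NOTICE!!
## -
## - since "squeeze", /bin/sh is linked to /bin/dash. Some of my scripts
## - don't work with that, so link back to /bin/bash.
## -
## - link /bin/sh to /bin/bash
## -
## - "ln -sf" replaces the existing dash link directly, so there is no
## - "cd /bin; rm sh" that would delete a stray "sh" from the wrong
## - directory if the cd failed. On stretch the packaged way is
## - "dpkg-reconfigure dash" (answer No), which presumably also survives
## - dash upgrades — confirm.
ln -sf bash /bin/sh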



## - install subversion
## -
apt-get install -y subversion subversion-tools # smbclient

## ---------------------------------------------------------------

## - compiler stuff (toolchain, autotools and the headers most configure
## - scripts look for)
## -
apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
   make automake autoconf libtool flex bison \
   gettext pkg-config gnu-standards \
   libssl-dev libreadline-dev libncurses-dev

## - systemd development headers
apt-get install -y libsystemd-dev

## - Packages to build utils-vserver
## -
apt-get install -y libnss3-dev
## - NOTE(review): on stretch "python-dev" is the Python 2 header package and
## - Python 2 is end-of-life — check whether the build really needs it.
apt-get install -y python-dev


## - packages to build apache webserver with php5/ruby support
## -
apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \
    libneon27-dev

## - libssl-dev, libreadline-dev and libncurses-dev also appear in the
## - compiler list above; apt simply ignores the repetition.
## - NOTE(review): libmcrypt-dev/mcrypt serve the PHP mcrypt extension,
## - which was removed from PHP core in 7.2 — only relevant for older PHP;
## - confirm.
apt-get -y install libxml2 libxml2-dev \
   curl libcurl4-openssl-dev \
   libqdbm-dev libgdbm-dev libpspell-dev \
   libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev \
   libwmf-dev libtiff-dev libpaper-dev \
   libmagic-dev  \
   libmagick-dev libgraphics-magick-perl \
   libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \
   libgraphviz-dev libgd-dev libcroco3-dev libgsf-1-dev libilmbase-dev \
   libvpx-dev vpx-tools \
   libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \
   libatm-dev libexpat-dev \
   imagemagick graphicsmagick \
   exif libexiv2-dev \
   re2c \
   netpbm libnetpbm10-dev \
   libmcrypt-dev mcrypt \
   default-libmysqlclient-dev \
   libpq-dev postgresql-client \
   libreadline-dev libncurses-dev \
   libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \
   libxslt1-dev libpcre3-dev \
   libc-client2007e-dev libc-client-dev \
   libicu-dev \
   libtidy-dev \
   libmm-dev libgmp-dev libkrb5-dev libldap-dev \
   libmhash-dev libgd-dev \
   liblua5.3-dev \
   libapr1-dev libaprutil1-dev \
   libsctp-dev \
   libcrypto++-dev

## - Note: libjasper-dev is no longer available since Debian jessie
## -
## - Note: "graphicsmagick-libmagick-dev-compat" gets chosen in place of
## - "libmagick-dev"

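## - Create a symlink
## -    /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so
## - (presumably for build scripts that look for the unversioned library
## - outside the multiarch directory — confirm). Guarded so a re-run does
## - not fail with "File exists"; an existing dangling link also counts.
if [[ ! -e /usr/lib/libldap.so && ! -L /usr/lib/libldap.so ]]; then
   ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so
fi


## - if ruby is/will be installed this is needed for rmagick gem
## -
##libmagick++-dev libmagickcore-dev libmagickwand-dev \


## - ffmpeg
## -
apt-get install -y ffmpeg

## - needed for php extension imagick
## -
apt-get install -y libmagickwand-dev

## - needed for php extension geoip
## -
apt-get install -y libgeoip-dev


## - add some tk/tcl stuff
## -

## - tcl tcl-dev tk tk-dev tclreadline
## -
apt-get install -y tk-dev  tcl-dev tclreadline
apt-get install -y expect expect-dev libexpect-perl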

