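#!/usr/bin/env bash
#
# Bootstrap a fresh Debian/Ubuntu host: update packages, set the hostname,
# create an admin user with key-only SSH access and passwordless sudo,
# install an sshd hardening drop-in, and add a few base utilities.
#
# Must run as root. Keep the current root session open until a login as
# $NEW_USER has been verified from a second terminal: the sshd drop-in
# disables root and password logins.
set -euo pipefail

### ==== CONFIG ====
NEW_USER="vk"
# NOTE(review): the key body is elided on this page; set a real public key.
# The validation step below refuses to continue while it does not parse.
NEW_USER_SSH_KEY='ssh-rsa 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 vk@jalezze'
HOSTNAME_FQDN="lab-by-02.ulakar.com"
### ===================================

SSHD_DROPIN="/etc/ssh/sshd_config.d/100-security.conf"

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

if [[ "$(id -u)" -ne 0 ]]; then
  die "Run this script under root user"
fi

# Scratch space for staged files; removed on every exit path.
work_dir=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "$work_dir"' EXIT

# Fail before changing anything if the key is not a parseable public key.
# Installing a junk key and then disabling password logins locks the host.
printf '%s\n' "$NEW_USER_SSH_KEY" >"$work_dir/key.pub"
ssh-keygen -l -f "$work_dir/key.pub" >/dev/null 2>&1 \
  || die "NEW_USER_SSH_KEY is not a valid SSH public key"

echo "== Update System =="
# Avoid debconf questions blocking an unattended run.
export DEBIAN_FRONTEND=noninteractive
apt-get update -y
apt-get upgrade -y

if [[ -n "$HOSTNAME_FQDN" ]]; then
  echo "== Set hostname: $HOSTNAME_FQDN =="
  hostnamectl set-hostname "$HOSTNAME_FQDN"
fi

echo "== Create user $NEW_USER =="
if id "$NEW_USER" >/dev/null 2>&1; then
  echo "User $NEW_USER already exists. Skip."
else
  adduser --disabled-password --gecos "" "$NEW_USER"
fi

echo "== Add $NEW_USER into sudo =="
usermod -aG sudo "$NEW_USER"

# Allow sudo without a password.
# Security trade-off: with NOPASSWD:ALL, possession of this account's SSH
# private key is equivalent to root on the host. Protect that key
# accordingly (passphrase or hardware token) or drop NOPASSWD.
#
# The rule is staged and syntax-checked first: a malformed file under
# /etc/sudoers.d breaks sudo for every user. The script already runs as
# root, so the file is installed directly rather than through sudo.
sudoers_file="/etc/sudoers.d/$NEW_USER"
printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$NEW_USER" >"$work_dir/sudoers"
visudo -cf "$work_dir/sudoers" >/dev/null \
  || die "Generated sudoers rule failed validation; nothing installed"
install -o root -g root -m 0440 "$work_dir/sudoers" "$sudoers_file"

echo "== Setup SSH-key for $NEW_USER =="
USER_HOME=$(getent passwd "$NEW_USER" | cut -d: -f6)
# An empty home would make the paths below resolve under "/".
[[ -n "$USER_HOME" ]] || die "Could not determine home directory of $NEW_USER"

mkdir -p "$USER_HOME/.ssh"
chmod 700 "$USER_HOME/.ssh"

AUTH_KEYS="$USER_HOME/.ssh/authorized_keys"
touch "$AUTH_KEYS"
# Append only when the exact line is absent, so re-runs stay idempotent.
grep -qxF -- "$NEW_USER_SSH_KEY" "$AUTH_KEYS" \
  || printf '%s\n' "$NEW_USER_SSH_KEY" >>"$AUTH_KEYS"
chmod 600 "$AUTH_KEYS"
chown -R "$NEW_USER:$NEW_USER" "$USER_HOME/.ssh"

echo "== Setup SSH =="
# Without this directory the stock sshd_config most likely has no Include
# for it, and a drop-in would be silently ignored.
[[ -d "${SSHD_DROPIN%/*}" ]] || die "${SSHD_DROPIN%/*} does not exist"

# NOTE(review): the here-document body is missing from the page (lost in
# extraction). The directives below are a conservative reconstruction;
# confirm them against your own baseline.
#
# sshd keeps the first value it reads for each keyword and drop-ins are
# included in lexical order, so "100-..." sorts before e.g. "50-..." and
# takes precedence over it.
cat >"$SSHD_DROPIN" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
chmod 644 "$SSHD_DROPIN"

# Validate the merged configuration before reloading; a syntax error picked
# up on the next restart would take SSH down.
if ! sshd -t; then
  rm -f -- "$SSHD_DROPIN"
  die "sshd configuration test failed; drop-in removed, daemon not reloaded"
fi

# The unit is named ssh.service on Debian/Ubuntu and sshd.service elsewhere.
if systemctl reload ssh 2>/dev/null; then
  echo "SSH reloaded via ssh.service"
elif systemctl reload sshd 2>/dev/null; then
  echo "SSH reloaded via sshd.service"
else
  echo "Warning: could not reload SSH daemon"
fi

echo "== Install base utilities =="
apt-get install -y \
  net-tools \
  htop \
  curl \
  wget \
  git \
  vim \
  gnupg \
  ca-certificates \
  lsb-release

echo "== Finished. Check SSH for $NEW_USER =="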