#!/usr/bin/env bash
# <UDF name="hostname" label="Server hostname" />
# <UDF name="consul_version" label="Consul version" default="" />
# <UDF name="nomad_version" label="Nomad version" default="" />
# <UDF name="vault_version" label="Vault version" default="" />

# TODO: separate out application concerns from server/client concerns.
# The Nomad servers need to be deployed with Consul clients.
# See: https://www.nomadproject.io/guides/install/production/reference-architecture.html

set -o errexit
set -o nounset
set -o pipefail
set -o xtrace

# Redirect all output in this script to logger.
exec 1> >(logger --stderr --tag stackscript) 2>&1

# {{{ set_hostname
function set_hostname () {
  echo "[Setting Hostname]"
  hostnamectl set-hostname "${HOSTNAME}"
}
# }}}

# {{{ install_base_packages
function install_base_packages () {
  echo "[Installing Base Packages]"
  zypper --non-interactive install \
    sudo jq firewalld
}
# }}}

# {{{ create_user
function create_user () {
  useradd damien
  mkdir /home/damien
  touch /home/damien/.bashrc  # needed in order to install autocompletion
  mkdir /home/damien/.ssh
  cp /root/.ssh/authorized_keys /home/damien/.ssh/
  chown -R damien:users /home/damien
  sed -i 's/#PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
  service sshd reload
  echo 'damien ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/damien
}
# }}}

# {{{ install_cfssl
function install_cfssl () {
  echo "[Installing CFSSL]"
  curl -o /usr/local/bin/cfssl "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64"
  chmod +x /usr/local/bin/cfssl

  curl -o /usr/local/bin/cfssljson "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64"
  chmod +x /usr/local/bin/cfssljson
}
# }}}

# {{{ install_hashicorp
function install_hashicorp () {
  local name="$1"
  local version="$2"
  local osarch="linux_amd64"

  cat >/tmp/hashicorp.asc <<EOF
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JAU4EEwEKADgWIQSRpuf4XQXG
VjC+8YlRhS2HNI/8TAUCXn0BIQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAK
CRBRhS2HNI/8TJITCACT2Zu2l8Jo/YLQMs+iYsC3gn5qJE/qf60VWpOnP0LG24rj
k3j4ET5P2ow/o9lQNCM/fJrEB2CwhnlvbrLbNBbt2e35QVWvvxwFZwVcoBQXTXdT
+G2cKS2Snc0bhNF7jcPX1zau8gxLurxQBaRdoL38XQ41aKfdOjEico4ZxQYSrOoC
RbF6FODXj+ZL8CzJFa2Sd0rHAROHoF7WhKOvTrg1u8JvHrSgvLYGBHQZUV23cmXH
yvzITl5jFzORf9TUdSv8tnuAnNsOV4vOA6lj61Z3/0Vgor+ZByfiznonPHQtKYtY
kac1M/Dq2xZYiSf0tDFywgUDIF/IyS348wKmnDGjuQENBFMORM0BCADWj1GNOP4O
wJmJDjI2gmeok6fYQeUbI/+Hnv5Z/cAK80Tvft3noy1oedxaDdazvrLu7YlyQOWA
M1curbqJa6ozPAwc7T8XSwWxIuFfo9rStHQE3QUARxIdziQKTtlAbXI2mQU99c6x
vSueQ/gq3ICFRBwCmPAm+JCwZG+cDLJJ/g6wEilNATSFdakbMX4lHUB2X0qradNO
J66pdZWxTCxRLomPBWa5JEPanbosaJk0+n9+P6ImPiWpt8wiu0Qzfzo7loXiDxo/
0G8fSbjYsIF+skY+zhNbY1MenfIPctB9X5iyW291mWW7rhhZyuqqxN2xnmPPgFmi
QGd+8KVodadHABEBAAGJATwEGAECACYCGwwWIQSRpuf4XQXGVjC+8YlRhS2HNI/8
TAUCXn0BRAUJEvOKdwAKCRBRhS2HNI/8TEzUB/9pEHVwtTxL8+VRq559Q0tPOIOb
h3b+GroZRQGq/tcQDVbYOO6cyRMR9IohVJk0b9wnnUHoZpoA4H79UUfIB4sZngma
enL/9magP1uAHxPxEa5i/yYqR0MYfz4+PGdvqyj91NrkZm3WIpwzqW/KZp8YnD77
VzGVodT8xqAoHW+bHiza9Jmm9Rkf5/0i0JY7GXoJgk4QBG/Fcp0OR5NUWxN3PEM0
dpeiU4GI5wOz5RAIOvSv7u1h0ZxMnJG4B4MKniIAr4yD7WYYZh/VxEPeiS/E1CVx
qHV5VVCoEIoYVHIuFIyFu1lIcei53VD6V690rmn0bp4A5hs+kErhThvkok3c
=+mCN
-----END PGP PUBLIC KEY BLOCK-----
EOF
  
  gpg --import /tmp/hashicorp.asc
  
  pushd /tmp
    local base="https://releases.hashicorp.com/${name}/${version}"
    local archive="${name}_${version}_${osarch}.zip"
    local checksum="${name}_${version}_SHA256SUMS"
    local checksum_sig="${checksum}.sig"
  
    # Download the checksum first and verify that it's signed by Hashicorp.
    curl -o "${checksum}" "${base}/${checksum}"
    curl -o "${checksum_sig}" "${base}/${checksum_sig}"
    sync
  
    # Verify that the checksum was signed by Hashicorp.
    gpg --verify "${checksum_sig}" "${checksum}" || exit 13
  
    # Now download the release and verify that the checksum matches.
    # Note that the checksum comes with sums for every platform,
    # so we need to filter down to 64-bit Linux to avoid failures caused by
    # the other releases not being present.
    curl -o "${archive}" "${base}/${archive}"
    sync
    cat "${checksum}" | grep -E "_${osarch}\\.zip$" | sha256sum --check - || exit 13
  
    # If we've reached this point, everything is good to go.
    unzip "${archive}"
    mv ./${name} /usr/local/bin/${name}-${version}
  
    # Attempt to create a symlink for it.
    ln -s "/usr/local/bin/${name}-${version}" "/usr/local/bin/${name}"
  popd

  local home_dir="/var/lib/${name}"
  local certs_dir="/etc/ssl/${name}"

  # This function copies client configs into /etc/<app>.d,
  # creates a user and group named after the app, creates
  # a home directory for them, and then enables+starts it.
  echo "[Setting up ${name}]"
  mkdir -p "${home_dir}" "${certs_dir}"
  groupadd "${name}"
  useradd --home-dir "${home_dir}" --gid "${name}" "${name}"

  chown -R "${name}:${name}" "${home_dir}"
  chown -R "${name}:${name}" "${certs_dir}"

  usermod -a -G "${name}" damien

  # vault and nomad need to be in the consul group so they can access the unix socket.
  # Technically, nomad doesn't need it since it runs as root, but it's good for consistency.
  usermod -a -G consul "${name}"
}
# }}}

# {{{ setup_dns
function setup_dns () {
  # Install named server and configure DNS.
  # This should be done last in order to ensure it doesn't interfere with previous operations.
  zypper --non-interactive install -t pattern dhcp_dns_server  # DNS server for forwarding to Consul

  # Configure the Consul zone for DNS.
  cat > /etc/named.d/consul.conf <<EOF
zone "consul" IN {
  type forward;
  forward only;
  forwarders { 127.0.0.1 port 8600; };
};
EOF
  yast2 sysconfig set NAMED_CONF_INCLUDE_FILES="consul.conf"
  systemctl enable named
  service named start

  yast2 sysconfig set NETCONFIG_DNS_STATIC_SERVERS=127.0.0.1
  cp /etc/resolv.conf /etc/resolv.conf.bak
  netconfig update -f  # -f required if Linode's Network Helper ran?
}
# }}}

set_hostname
update-ca-certificates --verbose  # sometimes the CA certs folder is empty, this seems to fix it
install_base_packages
create_user
systemctl enable firewalld; service firewalld start
install_cfssl
setup_dns

if [[ "${CONSUL_VERSION:-}" != "" ]]; then install_hashicorp consul "${CONSUL_VERSION}"; fi
if [[ "${NOMAD_VERSION:-}" != "" ]]; then install_hashicorp nomad "${NOMAD_VERSION}"; fi
if [[ "${VAULT_VERSION:-}" != "" ]]; then install_hashicorp vault "${VAULT_VERSION}"; fi

# Ensure certs dirs exist so that CAs can be provisioned.
mkdir -p /etc/ssl/{consul,nomad,vault}

echo "Stackscript complete"
touch /root/StackScript.complete

# vim: set expandtab shiftwidth=2 tabstop=2 foldmethod=marker: