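#!/bin/bash
# Host provisioning, part 1: switch off unattended upgrades, patch the system,
# install the Active Directory and NinjaRMM prerequisites, load site settings
# from config.sh, then set the hostname and /etc/hosts ahead of the domain join.
set -e

# Pre-seed the debconf answer so dpkg-reconfigure disables automatic updates
# without prompting.
# NOTE(review): with automatic updates off, security patches only arrive when
# something else runs an upgrade; confirm a patching process covers this host.
echo "Running dpkg-reconfigure unattended-upgrades..."
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean false" \
  | sudo debconf-set-selections
sudo dpkg-reconfigure -f noninteractive unattended-upgrades

# mark linux-image-generic and linux-headers-generic as held back
# no longer used
#echo "Marking linux-image-generic and linux-headers-generic as held back..."
#sudo apt-mark hold linux-image-generic linux-headers-generic

# Update and upgrade the system.
# apt-get is used because apt's command-line interface is not meant for
# scripts; --with-new-pkgs keeps the "apt upgrade" behaviour of installing new
# dependencies when an upgrade needs them.
echo "Upgrading the system..."
sudo DEBIAN_FRONTEND=noninteractive apt-get update
sudo DEBIAN_FRONTEND=noninteractive apt-get upgrade --with-new-pkgs -y

# Install required packages for Active Directory
echo "Installing Active Directory Tools..."
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \
  realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin \
  oddjob oddjob-mkhomedir packagekit

# Install any additional software
# Required packages for NinjaRMM
echo "Installing Ninja Tools..."
sudo DEBIAN_FRONTEND=noninteractive apt-get install -y \
  net-tools network-manager policycoreutils jq libjq1 libonig5

# Load configuration file.
# "source config.sh" without a slash makes bash search PATH before the current
# directory, so a stray config.sh on PATH would be executed instead; "./" pins
# the lookup to the working directory.
# NOTE(review): config.sh runs as shell code with this script's privileges;
# keep it writable by administrators only.
echo "Loading config file..."
if [[ ! -r ./config.sh ]]; then
  echo "config.sh not found or not readable in $PWD" >&2
  exit 1
fi
source ./config.sh

# Stop before touching the hostname or /etc/hosts if a setting is missing.
: "${ADMIN_USER:?ADMIN_USER must be set in config.sh}"
: "${NEW_HOSTNAME:?NEW_HOSTNAME must be set in config.sh}"
: "${HOST:?HOST must be set in config.sh}"

# Set the username and password.
# The password assignment is left disabled, so no password is read from
# config.sh.
echo "Enter Active Directory Password..."
ADMINUSER=$ADMIN_USER
#ADMINPASS=$ADMIN_PASSWORD

# Set the hostname
echo "Setting System Hostname..."
sudo hostnamectl set-hostname "$NEW_HOSTNAME"

# Set /etc/hosts. The file is replaced wholesale, so any existing entries are
# discarded. The address is resolved first: an empty result would otherwise
# produce a malformed entry after the old file had already been truncated.
primary_ip=$(hostname -I | cut -d' ' -f1)
if [[ -z "$primary_ip" ]]; then
  echo "Could not determine the primary IP address; /etc/hosts left unchanged" >&2
  exit 1
fi
printf '%s\n' "127.0.0.1 localhost" "$primary_ip $HOST $NEW_HOSTNAME" \
  | sudo tee /etc/hosts

# Update and install required packages
##sudo apt update
##sudo apt install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

# Join the domain
echo "Joining the domain..."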
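# Join the domain as $ADMINUSER, placing the computer object in $OU.
# sudo -S makes sudo read its own password from standard input rather than
# from the terminal.
sudo -S realm join --user="$ADMINUSER" --computer-ou="$OU" "$DOMAIN"
#work in progress - --computer-desc="$COMPUTER_DESC"

# Configure PAM to create home directories for domain users on first login.
# The profile is written in full rather than appended: appending to an
# existing profile, or re-running the script, would leave duplicated fields in
# the file. The quoted delimiter keeps the text literal.
sudo tee /usr/share/pam-configs/mkhomedir > /dev/null << 'EOL'
Name: Activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
        required                        pam_mkhomedir.so umask=0077 skel=/etc/skel
EOL

# Enable the mkhomedir PAM module
sudo pam-auth-update --enable mkhomedir

# Set permissions for the home directories.
# Only directories are touched, and an empty /home no longer aborts the run on
# the unexpanded pattern.
for home_dir in /home/*/; do
  [[ -d "$home_dir" ]] || continue
  sudo chmod 0700 "$home_dir"
done

# Configure SSSD: let domain users log in with short names instead of
# fully qualified ones.
sudo sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf

# Deny login to all users
echo "Setting Permissions..."
sudo realm deny --all

# Allow login to domain groups
sudo realm permit -g "Domain Admins"
sudo realm permit -g "Access - Admin - All Servers"
sudo realm permit -g "Access - Admin - $HOST"
sudo realm permit -g "Access - Admin - All Linux Servers"

# Set up sudoers file.
# The rules are staged in a temporary file and checked with visudo before they
# are installed: a syntax error in /etc/sudoers.d can stop sudo from working
# for everyone. install also sets root ownership and mode 0440.
# NOTE(review): $HOST is inserted unescaped; a value containing spaces or
# sudoers metacharacters will fail the check.
# NOTE(review): the last rule grants passwordless root to the account
# "Ansible"; confirm that is intended and that the name's case matches the
# account as sudo sees it (the status check later in this script queries
# "ansible").
sudoers_tmp=$(mktemp)
printf '%s\n' \
  '%Domain\ Admins ALL=(ALL:ALL) ALL' \
  '%Access\ -\ Admin\ -\ All\ Servers ALL=(ALL) ALL' \
  '%Access\ -\ Admin\ -\ All\ Linux\ Servers ALL=(ALL) ALL' \
  "%Access\ -\ Admin\ -\ $HOST ALL=(ALL) ALL" \
  'Ansible ALL=(ALL) NOPASSWD:ALL' > "$sudoers_tmp"
if ! sudo visudo -cf "$sudoers_tmp" > /dev/null; then
  echo "Generated sudoers rules failed validation; /etc/sudoers.d/LocalAdmins not changed" >&2
  rm -f -- "$sudoers_tmp"
  exit 1
fi
sudo install -o root -g root -m 0440 "$sudoers_tmp" /etc/sudoers.d/LocalAdmins
rm -f -- "$sudoers_tmp"

# Set Timezone to Eastern
echo "Seting the Timezone..."
sudo timedatectl set-timezone America/New_York

# copy file from SCP server to local system
## sudo scp -r anonymous@ptiwa001:ninja-agent.deb /home/coadmin/
## curl -o ninja-agent.deb https://app.ninjarmm.com/agent/installer/e99519fc-b76e-4c50-b5ff-ef68db95b032/serverslinuxmainoffice-5.6.7925-installer-x86-64.deb

# Install Ninja RMM Agent
echo "Installing Ninja..."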
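# Step 1: Get OAuth token
# NOTE(review): the OAuth client credentials below are embedded in the script,
# so anyone who can read this file or its history can use them. Rotate them
# and supply NINJA_CLIENT_ID / NINJA_CLIENT_SECRET from config.sh or the
# environment; the embedded values remain only as a fallback so existing runs
# keep working.
ninja_client_id=${NINJA_CLIENT_ID:-Exx51oPGv_hZ8fgQh2IqtpX5VpA}
ninja_client_secret=${NINJA_CLIENT_SECRET:-AAv3WeKnUjSOSRuW94plKdrihEw8AEZCJd38VK56aSGjAa4BAtm_zw}

# The secret reaches curl on standard input (--data @-) so it does not appear
# in the process list; --fail turns an HTTP error into a non-zero exit instead
# of an error document being parsed as a token response.
oauth_response=$(
  printf 'client_secret=%s' "$ninja_client_secret" \
    | curl --fail --silent --show-error --request POST \
        --url https://app.ninjarmm.com/ws/oauth/token \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data grant_type=client_credentials \
        --data "client_id=$ninja_client_id" \
        --data @- \
        --data scope=management
)

# Extract access token from response; "// empty" maps a missing field to an
# empty string instead of the literal text "null".
access_token=$(jq -r '.access_token // empty' <<< "$oauth_response")
if [[ -z "$access_token" ]]; then
  echo "NinjaRMM token request returned no access_token" >&2
  exit 1
fi

# Step 2: Generate installer URL. The bearer token is passed as a header read
# from standard input (-H @-) for the same reason as the secret above.
installer_response=$(
  printf 'Authorization: Bearer %s\n' "$access_token" \
    | curl --fail --silent --show-error -X 'GET' \
        'https://app.ninjarmm.com/v2/organization/26/location/45/installer/LINUX_DEB' \
        -H 'accept: application/json' \
        -H @-
)

# Extract installer URL from response and refuse anything that is not https.
installer_url=$(jq -r '.url // empty' <<< "$installer_response")
if [[ "$installer_url" != https://* ]]; then
  echo "NinjaRMM did not return an https installer URL" >&2
  exit 1
fi

# Step 3: Download installer using generated URL
# NOTE(review): the package is installed as root with TLS as the only
# integrity control; verify a checksum or signature if the vendor publishes one.
curl --fail --proto '=https' -o ninja-agent.deb "$installer_url"

# install Ninja
sudo dpkg -i ninja-agent.deb
# End Install Ninja RMM Agent

# copy file from SCP server to local system
#sudo scp -r anonymous@ptiwa001:falcon-sensor_6.46.0-14306.deb /home/coadmin/

# Install CrowdStrike Falcon
echo "Installing Falcon Sensor..."
# The installer is downloaded in full before it is run, so a failed or
# truncated transfer can no longer execute a partial script the way
# "curl | bash" can.
# NOTE(review): the script is fetched from the moving "main" branch; pin it to
# a reviewed tag or commit and verify its hash before running it.
falcon_installer=$(mktemp)
curl --fail --silent --show-error -L -o "$falcon_installer" \
  https://raw.githubusercontent.com/CrowdStrike/falcon-scripts/main/bash/install/falcon-linux-install.sh

# NOTE(review): the Falcon API credentials and CID are embedded here as well;
# rotate them and supply them from config.sh or the environment. They are
# exported inside a subshell so only the installer sees them, not every
# command that runs afterwards.
falcon_status=0
(
  export FALCON_CLIENT_ID="${FALCON_CLIENT_ID:-58f632f6b11c43f48864c9043ec8428d}"
  export FALCON_CLIENT_SECRET="${FALCON_CLIENT_SECRET:-8VrQZaLfAHgJNpED0627tyeu9oGbcwWP51mxYk34}"
  export FALCON_CID="${FALCON_CID:-D0511099B3FF494D8B87F48C4AB90201-56}"
  export FALCON_SENSOR_VERSION_DECREMENT="${FALCON_SENSOR_VERSION_DECREMENT:-1}"
  bash "$falcon_installer"
) || falcon_status=$?
rm -f -- "$falcon_installer"
if [[ "$falcon_status" -ne 0 ]]; then
  echo "Falcon installer exited with status $falcon_status" >&2
  exit "$falcon_status"
fi
# End Install CrowdStrike Falcon

# install package using dpkg
# sudo dpkg -i falcon-sensor_6.46.0-14306.deb

# Run the additional command
# sudo /opt/CrowdStrike/falconctl -s --cid=D0511099B3FF494D8B87F48C4AB90201-56

# Download Rapid7 package
echo "Downloading Rapid7 Insight Agent..."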
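# -O overwrites any earlier download. Without it a re-run saves the new file
# under a ".1" suffix and dpkg installs the stale package.
# NOTE(review): "latest" is unpinned and nothing beyond TLS verifies the
# package; check it against a vendor-published checksum if one is available.
wget -O rapid7_insight_agent_x64.deb \
  https://us.storage.endpoint.ingress.rapid7.com/com.rapid7.razor.public/endpoint/agent/latest/linux/x86_64/rapid7_insight_agent_x64.deb

# Install required packages
# Install Rapid7 Insight Agent (run through sudo like the other package
# installs in this script; a .deb needs no execute bit).
echo "Installing Rapid7 Insight Agent..."
sudo dpkg -i rapid7_insight_agent_x64.deb

# Configure Rapid7 Insight Agent
echo "Configuring Rapid7 Insight Agent..."
# NOTE(review): the agent token is embedded in the script and passed on the
# command line; rotate it and supply RAPID7_TOKEN from config.sh or the
# environment. The embedded value remains only as a fallback.
rapid7_token=${RAPID7_TOKEN:-us2:1e644f56-2b11-4908-874e-6f1d62dc9f57}
# Resolve the versioned directory explicitly: with several matches the extra
# paths would be handed to the first script as arguments, and with none the
# literal pattern would be executed.
configure_scripts=(/opt/rapid7/ir_agent/components/insight_agent/*/configure_agent.sh)
if [[ ${#configure_scripts[@]} -ne 1 || ! -f "${configure_scripts[0]}" ]]; then
  echo "Expected exactly one configure_agent.sh under /opt/rapid7/ir_agent/components/insight_agent" >&2
  exit 1
fi
sudo bash "${configure_scripts[0]}" --token="$rapid7_token" -v --start

# Remove packages that are not required
echo "Removing old packages..."
sudo apt autoremove -y

# Configure syslog server
echo "Configuring syslog server..."
# The description is written as a comment (a bare text line is not valid
# rsyslog configuration), and the rule is appended only when it is not already
# present so repeated runs do not add duplicate forwarding rules.
# NOTE(review): "@@" forwards over plain TCP; confirm the path to the
# collector is trusted or move to TLS forwarding.
forward_rule='*.* @@10.200.24.51:514'
if ! sudo grep -qxF -- "$forward_rule" /etc/rsyslog.conf; then
  printf '%s\n' '# remote host is: dcpi-siem 10.200.24.51:514' "$forward_rule" \
    | sudo tee -a /etc/rsyslog.conf
fi

# Start/Restart Services
echo "Restarting system services..."
sudo systemctl restart sssd
sudo systemctl start ninjarmm-agent.service
sudo systemctl start falcon-sensor
sudo systemctl restart rsyslog
sudo systemctl restart ir_agent.service

# check the status of the services
echo "Checking status of required services..."
# grep exits non-zero when nothing matches, which under set -e would end the
# script before the remaining checks; report it instead.
sudo systemctl \
  | grep -E 'falcon-sensor|ninjarmm-agent|sssd.service|rsyslog.service|ir_agent.service' \
  || echo "None of the expected services appear in the systemctl listing" >&2
# "line" is not assigned in this script; presumably a separator defined in
# config.sh. When unset this prints an empty line.
echo "$line"
echo ""

# Query user and print message
echo "Checking Active Directory..."
if id ansible; then
  echo "Successfully queried Active Directory for user peo\ansible"
else
  echo "Lookup of user ansible failed" >&2
fi
echo "$line"
echo ""

# Check if reboot is required
echo "Is a reboot required?..."
if [ -f /var/run/reboot-required ]; then
  printf '\033[31m%s\033[0m\n' "A reboot is required."
else
  printf '\033[32m%s\033[0m\n' "Reboot not required."
fi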