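#!/bin/bash

# Script for installing a Debian Edu Workstation with ITZkS modifications.
#
# Must be run interactively as root: it asks for the WiFi SSID/passphrase,
# an optional new hostname and whether DVD playback support is wanted.
#
# NOTE(review): this listing was reconstructed from a whitespace-collapsed
# copy of the script; line breaks inside multi-line messages could not be
# recovered and are kept as single spaces.

if [ "x$(id -u)" != "x0" ]; then
  echo
  echo "##########################"
  echo "$(basename "$0"): This script needs to be run as super-user 'root'."
  echo "##########################"
  echo
  exit 1
fi

# abort if any of the subprocesses returns non-zero exit code
set -e

# we want to see the commands being issued during script run
# (xtrace is switched off again around the WiFi passphrase handling below)
set -x

#######################################
# Install the given packages unless they already appear to be installed.
# A package counts as installed when /usr/share/doc/<package> exists.
# Arguments: package names; any argument starting with '-' is passed
#            through to apt-get as an option.
# Returns:   0 if nothing had to be installed, otherwise the exit status
#            of apt-get install. Failures are no longer swallowed, so a
#            failed installation stops the script under `set -e`.
#######################################
function apt_install_if_not() {
  local param
  local -a options=()
  local -a install_pkgs=()

  for param in "$@"; do
    case "$param" in
      -*)
        options+=("$param")
        ;;
      *)
        [ -d "/usr/share/doc/$param" ] || install_pkgs+=("$param")
        ;;
    esac
  done

  if [ "${#install_pkgs[@]}" -gt 0 ]; then
    apt-get install -y "${options[@]}" "${install_pkgs[@]}"
  fi
}

# Add user locadm if not already there.
# The previous test used $"(getent ...)", which is a literal (never empty)
# string, so the account was never created.
if ! getent passwd locadm 1>/dev/null; then
  adduser --gecos "Local Administrator" locadm
  adduser locadm sudo
fi

# Enlarge root-fs (lvextend is best-effort: the LV may already be big enough)
if [ -e /dev/vg_system/usr ]; then
  lvextend -L 18G /dev/vg_system/usr || true
  resize2fs /dev/vg_system/usr
else
  lvextend -L 22G /dev/vg_system/root || true
  resize2fs /dev/vg_system/root
fi

# Retrieve LDAP CA certificate
invoke-rc.d fetch-ldap-cert start

# Run upgrades to ensure the base system is as up-to-date as possible
apt-get update 1>/dev/null
apt-get upgrade -y

# Add itzks.list and its contents if file not already there.
# NOTE(review): the repository is reached over plain HTTP, so package
# integrity rests entirely on APT signature verification.
if [ ! -e "/etc/apt/sources.list.d/itzks.list" ]; then
  touch /etc/apt/sources.list.d/itzks.list
  echo "deb http://packages.it-zukunft-schule.de/debian stretch main contrib non-free" >> /etc/apt/sources.list.d/itzks.list
  echo "deb http://packages.it-zukunft-schule.de/debian stretch-backports main contrib non-free" >> /etc/apt/sources.list.d/itzks.list
fi

# Export proxy-settings for first install
export https_proxy=http://webcache:3128
export http_proxy=http://webcache:3128
export ftp_proxy=http://webcache:3128

# FIXME: We don't want to use Debian's old redirector service, but the new one...
# The below line is the ideal solution, but it does not work, sometimes the
# redirector URLs fail to produce a Release file. For whatever reason.
#sed -r -i /etc/apt/sources.list -e "s@http.debian.net@httpredir.debian.org@g"
sed -r -i /etc/apt/sources.list -e "s@http.debian.net@ftp.de.debian.org@g"
sed -r -i /etc/apt/sources.list -e "s@httpredir.debian.org@ftp.de.debian.org@g"

# take out the hammer and drop all previous package lists.
find /var/lib/apt/lists/ -type f -delete

# Get update and add itzks-keyring and itzks-systems-common package.
# SECURITY: the keyring that anchors trust in the ITZkS repository is itself
# installed with --allow-unauthenticated from an http:// source, so whoever
# can alter that download controls which keys APT trusts afterwards.
# TODO: verify the keyring package (or the key fingerprint) against a value
# obtained out-of-band before installing it, and drop this option.
apt-get update 1>/dev/null
apt_install_if_not --allow-unauthenticated itzks-keyring
apt-get update 1>/dev/null
apt_install_if_not itzks-systems-common
apt-get update 1>/dev/null

# Install the itzks-systems-workstation package
apt_install_if_not ocsinventory-agent
# NOTE(review): in the collapsed source this token directly follows the line
# above. It contains an underscore, which Debian package names may not, so it
# is treated as a separate command here. Confirm against the upstream script.
itzks-systems.do_preseed
apt_install_if_not itzks-systems-workstation

# Install wireless-tools for configuration of WiFi
apt_install_if_not wireless-tools
apt_install_if_not uuid-runtime

# Install libpacparser1
apt_install_if_not libpacparser1

# Make sure, we have Oracle's JAVA 8... (and that it is the default that people use)
apt_install_if_not oracle-java8-bin oracle-java8-jre oracle-java8-plugin
update-java-alternatives --jre --set java-8-oracle
update-java-alternatives --plugin --set java-8-oracle

# Install wine32
dpkg --add-architecture i386
apt-get update 1>/dev/null
apt_install_if_not wine32

# Install extras for wine32
apt-get update 1>/dev/null
apt_install_if_not playonlinux
apt_install_if_not winetricks
apt_install_if_not wine32-tools
apt_install_if_not wine-binfmt
apt_install_if_not fonts-wine
apt_install_if_not q4wine

if [ ! -d "/usr/share/doc/libdvdcss2" ]; then
  # Install libdvdcss2 if needed
  echo
  echo "############################################################################################"
  read -r -p "Verfügt der Rechner über ein DVD-Laufwerk bzw. sollen DVDs abgespielt werden könnne? (j/n)? " answer
  case "${answer:0:1}" in
    y|Y|j|J)
      apt_install_if_not libdvdcss2
      ;;
    *)
      :
      ;;
  esac
  unset answer
fi

# Run upgrades to prevent possible problems while running puppet
apt-get update 1>/dev/null
apt-get upgrade -y

####################
# Hand-over all NICs to NetworkManager
sed -r -e 's/auto\s+eth[0-9]//' -i /etc/network/interfaces
sed -r -e 's/^(iface\s+eth[0-9]\s+inet\s+dhcp)\s*/#NetworkManager \1/' -i /etc/network/interfaces

####################
# We don't need rpc.gssd on NFS clients (yet), if not used, it may start behaving weirdly (observed in Debian jessie, unsure about stretch)
sed -e 's/^NEED_GSSD=.*/NEED_GSSD=/' -i /etc/default/nfs-common

####################
# Disable NIS netgroup cache in NSCD, has been buggy in glibc since Debian jessie...
if [ -e /etc/nscd.conf ]; then
  sed -r -i /etc/nscd.conf -e "s/(\s+)enable-cache(\s+)netgroup(\s+)yes/\1enable-cache\2netgroup\3no/"
fi

####################
# Make sure, no USB devices are listed in /etc/fstab
sed -r -i /etc/fstab -e "s@^/dev/usb[0-9]+.*@@g"
# and neither list cdrom / dvdrom drives in /etc/fstab
sed -r -i /etc/fstab -e "s@^/dev/scd[0-9]+.*@@g"

####################
# Skip dpkg-reconfigure keyboard-configuration and change /etc/default/keyboard via script
sed -e 's/^XKBVARIANT=""/XKBVARIANT="deadgraveacute"/' -i /etc/default/keyboard
sed -e 's/^XKBOPTIONS=""/XKBOPTIONS="compose:rctrl"/' -i /etc/default/keyboard
# Restart keyboard-service to apply new settings
service keyboard-setup restart

####################
# WiFi-config for NetworkManager
# only if no system-wide connections exists, so far...
if ! grep -q -E '^permissions=$' /etc/NetworkManager/system-connections/*; then
  nm_dir=/etc/NetworkManager/system-connections

  # Generate uuid and timestamp for the new connection
  wifi_uuid=$(uuidgen -t)
  wifi_timestamp=$(date +%s)

  # Ask user for SSID and password
  echo '! WIFI-Netzwerk hinzufügen'
  read -r -p 'Wie lautet die SSID? ' ssid

  # The SSID becomes the file name of the connection profile, so refuse
  # values that are empty or would leave the connections directory.
  case "$ssid" in
    ''|.|..|*/*)
      echo "$(basename "$0"): invalid SSID (empty or contains '/')." >&2
      exit 1
      ;;
  esac

  # The passphrase must not reach the xtrace output, the terminal or another
  # process' argument list: tracing is paused, the prompt does not echo, and
  # the value is written by the shell itself instead of being handed to sed
  # (which also broke on '/', '&' and '\' in the input).
  set +x
  read -r -s -p 'Wie lautet das zugehörige Passwort? ' passw
  echo

  # Write the profile with owner-only permissions from the first byte on.
  # SSID and passphrase are written verbatim.
  (
    umask 077
    cat > "$nm_dir/SSID.in" <<EOT
[connection]
id=$ssid
uuid=$wifi_uuid
type=wifi
permissions=
timestamp=$wifi_timestamp
autoconnect=true

[wifi]
mac-address-blacklist=
mode=infrastructure
ssid=$ssid

[wifi-security]
key-mgmt=wpa-psk
psk=$passw

[ipv4]
dns-search=
method=auto
ignore-auto-routes=false
ignore-auto-dns=false
never-default=false

[ipv6]
method=ignore
EOT
  )
  unset passw
  set -x

  # Make sure group/others have no access, whatever the file's history
  chmod go-rwx "$nm_dir/SSID.in"

  # move finished template to real configuration file
  mv -- "$nm_dir/SSID.in" "$nm_dir/$ssid"
  unset ssid wifi_uuid wifi_timestamp nm_dir
fi

####################
# Configure Plymouth
apt_install_if_not -y plymouth-themes
if ! grep -q Theme=solar /etc/plymouth/plymouthd.conf; then
  plymouth-set-default-theme solar
  update-initramfs -k all -u
fi

####################
# Install puppet-agent
echo
echo "############################################################################################"
echo '! Puppet-Agent installieren'
read -r -p 'Bevor der Puppet-Agent installiert werden kann, muss der Hostname geändert werden. Es darf kein "lan" im Namen auftauchen, z.B. statt mw101-lan.intern muss es mw101.intern heißen. [ENTER]'
echo

# Set hostname (read already strips surrounding whitespace, so a plain
# non-empty test is enough to detect "leave unchanged")
read -r -p 'Wie lautet der Hostname (ohne Domain, leer lassen, wenn Hostname des System nicht geändert werden muss)? ' myhost
echo
if [ -n "$myhost" ]; then
  hostnamectl set-hostname "$myhost"
  export HOSTNAME="$myhost"
fi
unset myhost

# To be sure restart the following services
invoke-rc.d rsyslog restart
invoke-rc.d cron restart

# puppet may already be installed from a previous run...
if type -p puppet 1>/dev/null; then
  invoke-rc.d puppet restart
fi

# Install and enable puppet-agent on client
echo '! Puppet-Agent wird installiert... '
apt_install_if_not puppet
echo
echo "############################################################################################"
# NOTE(review): "--sign .intern" looks as if a host-name placeholder was lost
# when this listing was extracted; confirm against the upstream script.
echo 'Nun mit ssh auf den tjener wechseln und dort mit sudo puppet cert --list die am Master angemeldeten Clients auflisten. Anschließend mit sudo puppet cert --sign .intern den Puppet-Agent des Clients authorisieren.'
echo

# `puppet agent --test` implies --detailed-exitcodes: exit status 2 means
# "run succeeded and changes were applied". Treat 0 and 2 as success so a
# normal first run does not abort the script under `set -e`.
puppet_rc=0
puppet agent --test --waitforcert 120 || puppet_rc=$?
case "$puppet_rc" in
  0|2)
    ;;
  *)
    echo "$(basename "$0"): puppet agent --test failed with exit code $puppet_rc." >&2
    exit "$puppet_rc"
    ;;
esac
unset puppet_rc

puppet agent --enable

# enable puppet client if machine is running on systemd (best-effort)
if pidof systemd; then
  systemctl enable puppet || :
fi

# and start the client service...
invoke-rc.d puppet start

echo
echo '! FERTIG Die Installation - des Basissystems mit ITZKS-Anpassungen - des Puppet-Agents ist abgeschlossen.'
echo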