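#!/usr/bin/env bash
#
# One-shot bootstrap of a fresh Debian VPS as a Pi-hole DNS server with
# baseline hardening: etckeeper, unattended upgrades, fail2ban, key-only
# SSH and a ufw policy. Run as root; apt/ansible steps are interactive.
#
# 🕵️🕵️🕵️ Check
# 1. read https://docs.pi-hole.net/ftldns/interfaces/
# 2. go to www.virustotal.com and check 'https://install.pi-hole.net'
# port 22 is open everywhere
# port 53 is open only for the value of 'YOUR_HOME_EXTERNAL_IP'

set -euo pipefail

### ✏️✏️✏️ fill out
YOUR_HOME_EXTERNAL_IP="w.x.y.z" # your office/home external ip or network cidr
# shellcheck disable=SC2034 — only used by the commented-out pi-hole block below
YOUR_VPS_INTERFACE="eth0"       # network interface of your vps

# Refuse to run with the placeholder still in place: ufw rejects the rule
# and port 53 would end up with no allow entry at all.
if [[ -z "${YOUR_HOME_EXTERNAL_IP}" || "${YOUR_HOME_EXTERNAL_IP}" == "w.x.y.z" ]]; then
  printf 'set YOUR_HOME_EXTERNAL_IP to your external ip/cidr before running\n' >&2
  exit 1
fi

# 🍓🍓🍓 pi-hole setup
wget -O basic-install.sh https://install.pi-hole.net
# The installer runs as root. The original comment asked the operator to
# inspect it but executed it immediately; now the script stops until the
# operator confirms the downloaded file was reviewed.
read -r -p "Reviewed basic-install.sh and trust it? [y/N] " reviewed
if [[ "${reviewed}" != [yY] ]]; then
  printf 'aborting: basic-install.sh not reviewed\n' >&2
  exit 1
fi
sudo bash basic-install.sh

apt update   # was 'apt udpate' (typo)
apt upgrade
# reboot

apt install sudo vim iftop htop nmap iperf3 iotop screen
apt install python3-pip

# ansible
# NOTE(review): apt-key is deprecated on current Debian/Ubuntu; this works
# where the binary is still shipped, otherwise a signed-by keyring is needed.
echo "deb http://ppa.launchpad.net/ansible/ansible/ubuntu bionic main" > /etc/apt/sources.list.d/ansible.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 93C4A3FD7BB9C367
apt update
apt install ansible

# etckeeper
# Quoted heredoc delimiters: none of these playbooks use shell variables,
# and the unattended one contains ${distro_codename}, which an unquoted
# heredoc would have expanded (to nothing) before ansible saw it.
ansible-galaxy install sourcejedi.etckeeper
cat << 'EOF' > etckeeper.yml
---
- name: Install etckeeper
  hosts: localhost
  connection: local
  become: yes
  gather_facts: yes
  tasks:
    - name: install etckeeper
      include_role:
        name: sourcejedi.etckeeper
    - name: "initialize /etc path"
      raw: cd /etc && etckeeper init
      register: etckeeper_init
      failed_when: etckeeper_init.rc >= 2
    - name: "perform first commit "
      raw: cd /etc && etckeeper commit "first commit"
      register: etckeeper_commit
      failed_when: etckeeper_commit.rc >= 2
EOF
ansible-playbook etckeeper.yml

# unattended upgrades
apt-get install unattended-upgrades apt-listchanges
ansible-galaxy install hifis.unattended_upgrades
cat << 'EOF' > unattended.yml
---
- name: Unattended upgrades
  hosts: localhost
  connection: local
  become: yes
  gather_facts: yes
  roles:
    - role: hifis.unattended_upgrades
      unattended_remove_unused_dependencies: true
      unattended_automatic_reboot: true
      unattended_automatic_reboot_time: 04:00
      unattended_update_days: 6
      unattended_origins_patterns:
        - 'origin=Debian,codename=${distro_codename},label=Debian-Security'
        - 'o=Debian,codename=${distro_codename},label=Debian'
      when:
        - ansible_lsb.id == "Debian"
EOF
ansible-playbook unattended.yml

# 🛡️🛡️🛡️ fail2ban
ansible-galaxy install robertdebock.fail2ban
cat << 'EOF' > fail2ban.yml
---
- name: SetupVPS
  hosts: localhost
  connection: local
  become: yes
  gather_facts: yes
  roles:
    - role: robertdebock.fail2ban
EOF
ansible-playbook fail2ban.yml

# 🔑 ssh: key-only authentication
# The original sed wrote 'PasswordAuthentication yes' and then checked for
# 'no', so the check could never pass; the intent (given the verify step and
# fail2ban) is to disable password login, which is what this does.

#######################################
# Returns 0 if an authorized_keys file exists for root or the invoking
# sudo user, 1 otherwise. Used to avoid locking ourselves out of the VPS.
#######################################
ssh_key_present() {
  local user_home
  [[ -s /root/.ssh/authorized_keys ]] && return 0
  if [[ -n "${SUDO_USER:-}" ]]; then
    user_home=$(getent passwd "${SUDO_USER}" | cut -d: -f6) || user_home=""
    [[ -n "${user_home}" && -s "${user_home}/.ssh/authorized_keys" ]] && return 0
  fi
  return 1
}

if ! ssh_key_present; then
  printf 'no authorized_keys found; install an ssh key before disabling password login\n' >&2
  exit 1
fi
# Match both the commented default and an existing explicit setting.
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
grep -q '^PasswordAuthentication no' /etc/ssh/sshd_config || exit 1
# NOTE(review): recent releases also read /etc/ssh/sshd_config.d/*.conf; a
# drop-in there could override this line — confirm on the target host.
sshd -t   # validate before restarting so a broken config cannot kill sshd
service ssh restart

# 🔥🔥🔥 ufw
# Default-deny inbound so that exactly 22 (everywhere) and 53 (home only)
# are reachable. The original 'default allow incoming' plus tcp-only range
# denies left every UDP port except 53 open to the internet.
apt-get install ufw
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow from "${YOUR_HOME_EXTERNAL_IP}" to any port 53
ufw --force enable
ufw status verbose

# ☠️☠️☠️ Enabling pi-hole on non-local networks is [DANGEROUS]
# ⚠️⚠️⚠️ Uncomment only if you understand the consequences ... 'https://docs.pi-hole.net/ftldns/interfaces/#potentially-dangerous-options'
# (the sed expression below originally mixed " and ' quotes and would not parse)
# grep -q local-service /etc/dnsmasq.d/01-pihole.conf && sed -i "s/local-service/interface=${YOUR_VPS_INTERFACE}/g" /etc/dnsmasq.d/01-pihole.conf
# pihole restartdns

# swappiness
grep -q swappiness /etc/sysctl.conf || echo "vm.swappiness=1" >> /etc/sysctl.conf
sysctl -p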