#!/usr/bin/env bash

set -euo pipefail

# Check permissions
if [ "$UID" != "0" ]; then
   echo "This script must be run as root / with sudo" >&2
   exit 1
fi

# Get settings
read -rsp "User Password: " pass; echo
RID=$(cat /etc/radio_id)
read -rp "Radio ID (${RID:-1-254}): " ip
ip=${ip:-$RID}
echo $ip > /etc/radio_id
read -rp "Radio Name ($HOSTNAME): " name
name=${name:-$HOSTNAME}
read -rp "Mesh Name: " mesh_ssid
read -rsp "Mesh Password: " mesh_pass; echo
read -rsp "Hotspot Password: " ap_pass; echo
read -p "Enable wireguard (Y/N): " wireguard
if [ "${wireguard,,}" == "y" ]; then
    while [ ! -f "/etc/wireguard/wg0.conf" ]; do
        read -n 1 -s -p "Add '/etc/wireguard/wg0.conf' then press any key to continue..."
    done
fi

# Install updates & packages
export DEBIAN_FRONTEND=noninteractive
apt update && apt upgrade -y && apt install -y \
    build-essential libpcap-dev libusb-1.0-0-dev libnetfilter-queue-dev \
    btop jq tmux unzip zip

# Update hostname
hostnamectl set-hostname "${name}"
sed -i "s/$HOSTNAME/$name" /etc/hostname
sed -i "s/$HOSTNAME/$name" /etc/hosts

# Update banner
cat <<EOF >> /etc/motd

 ██████   ██████ ███████████    █████████
░░██████ ██████ ░░███░░░░░███  ███░░░░░███
 ░███░█████░███  ░███    ░███ ░███    ░░░
 ░███░░███ ░███  ░██████████  ░░█████████
 ░███ ░░░  ░███  ░███░░░░░███  ░░░░░░░░███
 ░███      ░███  ░███    ░███  ███    ░███
 █████     █████ █████   █████░░█████████
░░░░░     ░░░░░ ░░░░░   ░░░░░  ░░░░░░░░░

EOF

# Setup wireguard
if [ "${wireguard,,}" == "y" ]; then
	apt install wireguard -y
	systemctl enable wg-quick@wg0
	systemctl start wg-quick@wg0
fi

# Setup GPS - gpsmon
sed -i '/^enable_uart=/d' /boot/firmware/config.txt
echo "enable_uart=1" >> /boot/firmware/config.txt
apt install -y gpsd gpsd-clients chrony
tee /etc/default/gpsd > /dev/null <<'EOF'
START_DAEMON="true"
GPSD_OPTIONS="-n"
DEVICES="/dev/serial0"
USBAUTO="false"
GPSD_SOCKET="/var/run/gpsd.sock"
EOF
tee -a /etc/chrony/chrony.conf > /dev/null <<'EOF'
refclock SHM 0 offset 0.5 delay 0.2 refid NMEA
EOF
systemctl enable --now gpsd chrony

# Setup DNS
# TODO: Setup AP management
apt install -y dnsmasq
tee -a /etc/dnsmasq.d/local.conf > /dev/null <<'EOF'
server=1.1.1.1
server=1.0.0.1
address=/$HOSTNAME/$IP
address=/.$HOSTNAME/$IP
EOF

# Install docker
apt install -y qemu-user-static
curl -fsSL https://get.docker.com | sh
usermod -aG docker $USER
newgrp docker

# Setup Guacamole - http://localhost:8080
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config
systemctl restart ssh
apt-get install -y xrdp
tee /etc/xrdp/startwm.sh > /dev/null <<'EOF'
#!/bin/sh
unset DBUS_SESSION_BUS_ADDRESS
unset XDG_RUNTIME_DIR
exec startlxde-pi
EOF
mkdir -p /etc/polkit-1/rules.d
tee /etc/polkit-1/rules.d/49-nopasswd.rules > /dev/null <<'EOF'
polkit.addRule(function(action, subject) {
  return polkit.Result.YES;
});
EOF
systemctl restart polkit
systemctl enable --now xrdp
docker run -d --name guacamole --network host --restart unless-stopped -v guacamole:/config flcontainers/guacamole:latest

# Setup Automount + FileBrowser - http://localhost:1200
mkdir -p /etc/udev/rules.d/
echo 'ENV{ID_FS_USAGE}=="filesystem", ENV{UDISKS_FILESYSTEM_SHARED}="1"' > /etc/udev/rules.d/99-udisks2.rules
docker run -d --name filebrowser --restart unless-stopped -p 1200:8080 -e FB_USERNAME=$USER -v filebrowser:/config -v /media:/data hurlenko/filebrowser:latest
sleep 3
fb_pass=$(docker logs filebrowser 2>&1 | grep -oP 'randomly generated password: \K.*'); echo $fb_pass

# Setup Kiwix - http://localhost:1300
mkdir -p /media/library/archive
mkdir -p /media/library/zim
docker run -d --name kiwix --restart unless-stopped -p 1300:3000 -v /media/library:/data ztimson/kiwixm:latest

# Maps - http://localhost:1400
mkdir -p /media/maps/tiles
mkdir -p /media/maps/styles
docker run -d --name maps --restart unless-stopped -p 1400:8080 -v /media/maps/config.json:/config.json -v /media/maps/tiles:/data -v /media/maps/styles:/styles maptiler/tileserver-gl:v4.11.0

# Setup Ollama + OpenWebUI - http://localhost:1000
docker run -d --name ollama --restart unless-stopped -p 11434:11434 -v ollama:/root/.ollama ollama/ollama:latest
docker exec -d ollama ollama pull llama3.2:1b-instruct-q4_K_M # Works best on Pi5 (High TPS, Low memory)
docker run -d --name open-webui --restart unless-stopped -p 1000:8080 -e OLLAMA_BASE_URL=http://ollama:11434 --link ollama -v open-webui:/app/backend/data ghcr.io/open-webui/open-webui:main

# LoRa - http://localhost:4403
pip install --upgrade --break-system-packages meshtastic
LORA_DEVICE=$(ls /dev/serial/by-id | grep RAK)
apt install -y ser2net
rm /etc/ser2net.yaml || echo
tee /etc/ser2net.conf <<EOF
4403:raw:0:/dev/serial/by-id/$LORA_DEVICE:115200 8DATABITS NONE 1STOPBIT
EOF
sed -i 's|\$CONFFILE|/etc/ser2net.conf|g' /lib/systemd/system/ser2net.service
systemctl daemon-reload
systemctl restart ser2net

# Federated chat - http://localhost:1500
docker run -it --rm -v synapse:/data -e SYNAPSE_SERVER_NAME=server.local -e SYNAPSE_REPORT_STATS=no matrixdotorg/synapse:latest generate
tee -a /var/lib/docker/volumes/synapse/_data/homeserver.yaml <<EOF
enable_registration: true
enable_registration_without_verification: true
EOF
docker run -d --name synapse --restart unless-stopped -e SYNAPSE_SERVER_NAME=server.local -e SYNAPSE_REPORT_STATS=no -v synapse:/data -p 8008:8008 matrixdotorg/synapse:latest
mkdir -p /etc/element
echo "{\"default_server_config\":{\"m.homeserver\":{\"base_url\":\"http://$IP:8008\",\"server_name\":\"server.local\"}}}" > /etc/element/config.json
docker run -d --name element --restart unless-stopped -p 1500:80 -v /etc/element/config.json:/app/config.json vectorim/element-web:latest

# Setup pentest suite - http:localhost:1600
sudo apt install -y arp-scan aircrack-ng gobuster hashcat hcxtools hydra john netcat-openbsd nikto nmap masscan reaver sqlmap tcpdump wireshark
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod +x msfinstall
./msfinstall
rm msfinstall
docker run -d --name bettercap --restart unless-stopped --privileged --net=host bettercap/bettercap -eval "set api.rest.address 0.0.0.0; set ui.address 0.0.0.0; set ui.port 1600; ui on; set gps.device localhost:2947;"

# ATAK - http://localhost:1100 (XMPP - 5222, API - 8089)
docker run -d --name atak --restart unless-stopped --platform=linux/amd64 -p 8089:8080 -p 5222:8999 -p 1100:8088 -v atak:/app kdudkov/goatak_server:latest

# TODO: SDR tools (SDRangel, dump1060)
#docker run -d --name sdrserver --restart unless-stopped --device /dev/bus/usb:/dev/bus/usb -p 8091:8091 -p 8092:8092 f4exb06/sdrangelsrv:v7.22.7 --bind 0.0.0.0
#docker run -d --name sdrcli --restart unless-stopped -p 1000:8080  -e SDRANGEL_SERVER_URL=http://10.69.5.108:8091 f4exb06/sdrangelcli:v4.0.2

# Speedtest - http://localhost:1900
docker run -d --name speedtest --restart unless-stopped -p 1900:80 lscr.io/linuxserver/librespeed:latest

# TODO: Captive Portal + PWA & Caddy
# TODO: E-Ink + QR Join AP
# TODO: Mesh