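#!/bin/sh
#
# Web server bootstrap for a Debian/Ubuntu host.
#
# Installs base tooling, writes vim and tmux configs for the invoking user,
# enables ufw + fail2ban, obtains certificates with certbot, installs the
# nginx site config and creates a git-shell-restricted "git" account.
#
# Run as the (sudo-capable) admin user, not via "sudo ./script": ~ and
# whoami/id must refer to the admin account. The script is interactive
# (certbot, adduser and "ufw enable" all prompt).
#
# All here-documents use a quoted delimiter so the shell writes their
# content literally. This matters for the nginx config: with an unquoted
# delimiter every unescaped $request_uri / $uri is expanded by the shell
# (to an empty string) before nginx ever sees it.

clear
echo "####################"
echo "# WEBSERVER RUNNER #"
echo "# »» hitler.rip «« #"
echo "####################"
echo
echo "[run] This script sets up my web servers the way I like it."
echo "[run] Note:"
echo "[run] this script assumes you already have an openssh server set up properly."
echo

echo "[run] installing base packages..."
sudo apt update
sudo apt upgrade -y
sudo apt install -y sudo vim git curl wget btop tmux
sudo usermod -aG sudo "$(whoami)"
sudo apt install -y nmap traceroute netcat-openbsd man man-db rsync ed bc unrar-free zip unzip lvm2

echo "[run] installing other packages..."
sudo apt install -y pandoc

echo "[run] setting up classical vim..."
# Appends: re-running the script adds the same settings again (harmless).
tee -a ~/.vimrc << 'END'
syntax on
set number
set relativenumber
set tabstop=4
set shiftwidth=4
set hlsearch
set showmatch
set mouse=a
END

echo "[run] setting up tmux..."
tee ~/.tmux.conf << 'EOF'
unbind C-b
set-option -g prefix C-d
bind-key C-d send-prefix

bind -n M-f detach
bind -n M-t kill-session
bind -n M-q kill-pane
bind -n M-y split-window -h
bind -n M-x split-window -v
bind -n M-a select-pane -L
bind -n M-d select-pane -R
bind -n M-w select-pane -U
bind -n M-s select-pane -D
bind -nr M-h resize-pane -L 1
bind -nr M-j resize-pane -D 1
bind -nr M-k resize-pane -U 1
bind -nr M-l resize-pane -R 1
bind -nr M-Left resize-pane -L 1
bind -nr M-Down resize-pane -D 1
bind -nr M-Up resize-pane -U 1
bind -nr M-Right resize-pane -R 1
bind -n M-c swap-pane -D
bind -n M-g prev
bind -n M-b next
bind -n M-v new-window
bind -n M-e command-prompt -I '#W' { rename-window -- '%%' }
bind -n M-r command-prompt -I '#W' { select-pane -T '%%' }

set -g base-index 1
setw -g pane-base-index 1
set-option -g allow-rename off
setw -g automatic-rename off
set -g renumber-windows on
set -g pane-border-status top
set -g pane-border-format " [ ###P #T ] "
set -g pane-active-border-style "fg=magenta"
set -g mouse on
set -g default-terminal "tmux-256color"
set-window-option -g window-status-separator ''
set -gF window-status-format "#[bg=default,fg=white] ##I "
set -gF window-status-current-format "#[bg=magenta,fg=default] ##I "
set -gF status-style "bg=default,fg=white"
set -g status-right-length 100
set -g status-left-length 100
set -g status-left ""
set -g status-right ""
set -g status-right "#[fg=white]#S #[fg=magenta]| #[fg=white]#(whoami)#[fg=magenta]@#[fg=white]#H #[fg=magenta]| %Y-%m-%d %H:%M"
EOF
# Only reloads a running tmux server; prints an error and continues otherwise.
tmux source ~/.tmux.conf

echo "[run] installing server packages..."
sudo apt install -y ufw fail2ban
# The ssh allow rule must exist before "ufw enable", otherwise enabling the
# firewall with default-deny drops the session this script is running in.
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ssh
#sudo ufw allow 41641/udp # tailscale
#sudo ufw allow 1965/tcp # gemini
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo systemctl enable ufw
sudo systemctl start ufw

# bantime = -1 is a permanent ban after 3 failures: an admin who mistypes
# from a fixed address is locked out until the ban is removed from the
# console. Add an ignoreip entry for trusted addresses if that is a concern.
# logpath uses fail2ban's own %(name)s interpolation; the previous
# "\$(sshd_log)s" wrote a literal "$(sshd_log)s", which is not a path.
sudo tee /etc/fail2ban/jail.local << 'EOF'
[sshd]
enabled = true
filter = sshd
port = ssh
banaction = ufw
banaction_allports = ufw
bantime = -1
maxretry = 3
logpath = %(sshd_log)s
backend = systemd
EOF
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

echo "[run] setting up nginx..."
sudo apt install -y nginx python3-certbot-nginx
# Answers given at the certbot prompts:
sudo certbot --nginx
# web@hitler.rip
# Y
# N
# hitler.rip www.hitler.rip links.hitler.rip git.hitler.rip

# Replaces whatever certbot wrote into the default site. The config relies
# on the certificate files certbot just created; if certbot failed, the
# "nginx -t" check below fails and nginx is not restarted.
sudo tee /etc/nginx/sites-available/default << 'EOF'
server {
    server_name hitler.rip www.hitler.rip links.hitler.rip;

    if ($host = links.hitler.rip) {
        return 301 https://hitler.rip/links$request_uri;
    }
    if ($host = www.hitler.rip) {
        return 301 https://hitler.rip$request_uri;
    }
    if ($host = git.hitler.rip) {
        return 404;
    }

    root /srv/web;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/hitler.rip/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hitler.rip/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = hitler.rip) {
        return 301 https://hitler.rip$request_uri;
    }
    if ($host = www.hitler.rip) {
        return 301 https://hitler.rip$request_uri;
    }
    if ($host = links.hitler.rip) {
        return 301 https://hitler.rip/links$request_uri;
    }
    if ($host = git.hitler.rip) {
        return 301 https://git.hitler.rip$request_uri;
    }

    listen 80;
    listen [::]:80;
    server_name hitler.rip www.hitler.rip links.hitler.rip git.hitler.rip;
    return 301 https://hitler.rip$request_uri;
}
EOF

# Use the invoking user's real primary group instead of assuming a group
# named after the user exists.
owner="$(id -un):$(id -gn)"
sudo mkdir -p /srv/web/
sudo mkdir -p /srv/build/
sudo chown -R "$owner" /srv/web/
sudo chown -R "$owner" /srv/build/
# Validate the config first so a mistake does not take the running server down.
sudo nginx -t && sudo systemctl restart nginx
sudo systemctl enable nginx

echo "[run] setting up git server..."
# The git account must never get an interactive shell: refuse to create it
# if git-shell cannot be located rather than passing an empty --shell value.
git_shell="$(command -v git-shell)"
if [ -z "$git_shell" ]; then
    echo "[run] git-shell not found; not creating the git user." >&2
    exit 1
fi
sudo adduser --shell "$git_shell" git
sudo mkdir -p /home/git/.ssh/
# Every key that may log in as the admin user is also granted push/pull
# access as "git". Trim the copied file if those sets should differ.
sudo cp ~/.ssh/authorized_keys /home/git/.ssh/
sudo chown -R git:git /home/git/.ssh/
sudo chmod 700 /home/git/.ssh/
sudo chmod 600 /home/git/.ssh/authorized_keys
sudo mkdir -p /srv/git/
sudo chown -R git:git /srv/git/
sudo mkdir -p /srv/pgit/
sudo chown -R git:git /srv/pgit/
# NOTE(security): '*' turns off git's repository-ownership check for every
# path this user touches, not only the repos under /srv/git/. That check
# exists to stop git from honouring config and hooks in repositories owned
# by other accounts. Prefer one safe.directory entry per repository path
# once the repositories exist.
git config --global --add safe.directory '*' # to allow the server to clone its own repos

echo "[run] git server created. you may now clone the website build script to /srv/build/ and push your website."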