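#!/bin/bash
#
# Post-installation configuration for an AlmaLinux host: creates the admin
# user with an SSH key, installs the shell environment, binds LUKS volumes to
# TPM2/Tang through Clevis and enables dropbear for remote unlock.
# Must be run as root on the freshly installed system.
set -euo pipefail

# NOTE(review): the banner's line breaks were lost when this copy of the
# script was flattened onto one line; restore the ASCII art from the repo.
BANNER=$(cat << "EOF"
:^7J5GB##&&##GPY?~: ^75B&@@@@@@&&&@@@@@@@#GJ~: 5&@@@&B5?7~^^^^^~!7YP#@@@@#! Y##P7^ :~JB#B! :: : 7PP?: :^~!!~^: :?PP7 :B@@B: !5B&@@@@&B5! :#@@B: :!!: ^G@@@&BPPB@@@@G^ :!!: :B@@@5^ ^5@@@B: :7J7: !@@@# :&@@@~ :?J7: J@@@5 :#@@@Y: :Y@@@B: 5@@@J !@@@&^ ~B@@@&G55G&@@@B~ ~&@@@~ 5@@@G: :7P#@@@@@@#P7: :B@@@Y :P@@@B~ :~!77!~: ~B@@@P Y@@@&Y^ ^5@@@@J !G@@@&P7^ ^7P&@@@G~ !P&@@@&B? :: ?B&@@@&P! ^75#&&Y :P&&5: 5&&B57^ :^^ :P&&5: ^^: ^^ [nullpoint]
EOF
)

########################################################
# Config
########################################################
# Tang servers as "url thumbprint" entries. The thumbprint is what
# authenticates the server, so never leave it off; an empty array skips Tang.
TANG_SERVERS=(
  # "https://tang1.example.com your-thumbprint-1"
  # "https://tang2.example.com your-thumbprint-2"
)
# PCR policy for the Clevis tpm2 pin. PCRs 0-7 measure firmware, option ROMs
# and the bootloader/Secure Boot state; PCR 8 is measured by GRUB and
# typically changes on kernel or bootloader updates, after which unlock falls
# back to the passphrase until the volume is re-bound.
TPM_PCR_BANK="sha256"
TPM_PCR_IDS="0,1,2,3,4,5,6,7,8"
ALMA_USER="null"
ENABLE_MOTD=true
# REQUIRED: Set your SSH public key here - installation will fail without it!
# This public key is written to the user's and dropbear's authorized_keys.
SSH_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkoTn2NreAXMriOUqzyj3YoFW6jMo9B5B+3R5k8yrMi dodox@dodox-ProArt"
########################################################
# Config End
########################################################

printf '\n%s\n' "$BANNER"
printf '\n[+] Starting post-installation configuration...\n'

# Everything below (useradd, dnf, LUKS binding) needs root.
if (( EUID != 0 )); then
  printf 'ERROR: this script must be run as root\n' >&2
  exit 1
fi

# Check for SSH key
if [[ -z "${SSH_KEY:-}" ]]; then
  printf 'ERROR: No SSH key configured!\n' >&2
  printf 'You must set SSH_KEY variable at the top of this script.\n' >&2
  exit 1
fi

# Check for TPM; TPM_ENABLED drives the Clevis pin selection later on.
printf '[+] Checking for TPM...\n'
if [[ -d /sys/class/tpm/tpm0 ]]; then
  printf 'TPM detected.\n'
  TPM_ENABLED=true
else
  printf 'WARNING: No TPM detected!\n'
  TPM_ENABLED=false
fi

# zsh and git are part of the package set installed further down, but useradd
# needs the login shell to exist and the oh-my-zsh installer refuses to run
# without zsh/git, so make sure both are present before the user is created.
if ! command -v zsh >/dev/null || ! command -v git >/dev/null; then
  dnf install -y zsh git
fi

# Create user (idempotent on re-runs) and install the SSH key.
printf '[+] Creating user %s...\n' "$ALMA_USER"
if ! id -u "$ALMA_USER" >/dev/null 2>&1; then
  useradd -m -G wheel -s /bin/zsh "$ALMA_USER"
fi
USER_HOME="/home/${ALMA_USER}"
install -d -m 700 -o "$ALMA_USER" -g "$ALMA_USER" "${USER_HOME}/.ssh"
printf '%s\n' "$SSH_KEY" > "${USER_HOME}/.ssh/authorized_keys"
chmod 600 "${USER_HOME}/.ssh/authorized_keys"
chown "${ALMA_USER}:${ALMA_USER}" "${USER_HOME}/.ssh/authorized_keys"

# Install oh-my-zsh and powerlevel10k
printf '[+] Installing oh-my-zsh and powerlevel10k...\n'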
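# Package installation comes first: the oh-my-zsh step below needs wget, git
# and zsh, and the original order ran it before any of them were installed.
printf '[+] Installing additional packages...\n'
dnf install -y epel-release
dnf config-manager --set-enabled crb
# NOTE(review): the tang/tpm2/sss pins ship inside the `clevis` package and
# the initramfs integration is `clevis-dracut` (with `clevis-systemd` for
# volumes unlocked after the root fs); the earlier `clevis-tang`,
# `clevis-tpm2` and `dracut-clevis` names do not resolve in the EL9 repos
# and make dnf exit non-zero, which aborts the script under set -e.
dnf install -y \
  clevis clevis-luks clevis-dracut clevis-systemd tpm2-tools tpm2-tss \
  git zsh tmux neovim python3-pip \
  dropbear tree curl wget nano

USER_HOME="/home/${ALMA_USER}"

# Run oh-my-zsh installer as the user (-H so it lands in the user's HOME).
# NOTE(review): this downloads and executes an unpinned script from the
# ohmyzsh master branch; pin a reviewed commit (or vendor the installer) if
# this build needs to be reproducible and auditable.
sudo -H -u "$ALMA_USER" bash -c 'sh -c "$(wget https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh -O -)" "" --unattended'

# Clone powerlevel10k theme
sudo -H -u "$ALMA_USER" git clone --depth=1 https://github.com/romkatv/powerlevel10k.git "${USER_HOME}/.oh-my-zsh/custom/themes/powerlevel10k"

# Install dotfiles
printf '[+] Setting up dotfiles...\n'
if [[ -d /tmp/nullpoint/dotfiles ]]; then
  printf '[+] Installing dotfiles from repository...\n'
  # `dir/.` copies every entry including dot-directories such as .config;
  # the previous `.*` glob matched `..` and silently skipped directories.
  # NOTE(review): /tmp is world-writable, so if any other local account
  # exists at this point the dotfiles should be staged in a root-owned dir.
  cp -a /tmp/nullpoint/dotfiles/. "${USER_HOME}/"
  chown -R "${ALMA_USER}:${ALMA_USER}" "${USER_HOME}/"
else
  printf '[!] No dotfiles directory found, user will need to configure manually\n'
fi

# Set up MOTD
if [[ "$ENABLE_MOTD" == true ]]; then
  printf '[+] Setting up MOTD...\n'
  printf '%s\n' "$BANNER" > /etc/motd
fi

# Install lsd and bat from GitHub releases (not in repos)
printf '[+] Installing lsd and bat...\n'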
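#######################################
# Download the latest x86_64 musl release of a GitHub-hosted tool and install
# its binary into /usr/local/bin. Unpacks into a private temp dir so a stale
# /tmp/<tool>-* left by an earlier run cannot be picked up by the glob.
# NOTE(review): the tarball is not checksum/signature verified; for a
# reproducible build pin the version and compare against the published
# release checksum instead of always taking "latest".
# Arguments: $1 - GitHub owner/repo, $2 - tool name (archive prefix + binary)
# Returns:   0 on success, 1 when no release version could be determined
#######################################
install_github_release() {
  local repo=$1 tool=$2 version workdir
  # -f makes an HTTP error (e.g. API rate limit) a failure instead of HTML
  # that the grep silently turns into an empty version.
  version=$(curl -fsSL "https://api.github.com/repos/${repo}/releases/latest" \
    | grep -Po '"tag_name": "v\K[0-9.]+') || version=
  if [[ -z "$version" ]]; then
    printf 'ERROR: could not determine latest %s release\n' "$tool" >&2
    return 1
  fi
  workdir=$(mktemp -d)
  curl -fsSL "https://github.com/${repo}/releases/download/v${version}/${tool}-v${version}-x86_64-unknown-linux-musl.tar.gz" \
    | tar xz -C "$workdir"
  install -m 755 "$workdir"/"${tool}"-*/"${tool}" /usr/local/bin/
  rm -rf -- "${workdir:?}"
}

install_github_release lsd-rs/lsd lsd
install_github_release sharkdp/bat bat

# Create batman script for fancy man pages
cat > /usr/local/bin/batman << 'BATMAN'
#!/bin/bash
export MANPAGER="sh -c 'col -bx | bat -l man -p'"
export MANROFFOPT="-c"
man "$@"
BATMAN
chmod +x /usr/local/bin/batman

# Create .tmp directory for user
install -d -o "$ALMA_USER" -g "$ALMA_USER" "/home/${ALMA_USER}/.tmp"

# Configure Clevis for automatic unlock of every LUKS volume.
# NOTE(review): `clevis luks bind` prompts for an existing LUKS passphrase
# unless one is supplied with -k; for a fully unattended run feed it from a
# root-only file (or `-k -` on stdin) rather than relying on the prompt.
if (( ${#TANG_SERVERS[@]} > 0 )) || [[ "$TPM_ENABLED" == true ]]; then
  printf '[+] Configuring Clevis for automatic unlock...\n'

  # awk rather than grep so "no LUKS device" is an empty list, not a pipeline
  # failure (grep exits 1 on no match, which aborted the script under
  # pipefail). -p yields full /dev paths directly.
  mapfile -t LUKS_DEVICES < <(lsblk -pnr -o NAME,FSTYPE | awk '$2 == "crypto_LUKS" { print $1 }')
  if (( ${#LUKS_DEVICES[@]} == 0 )); then
    printf 'WARNING: no LUKS devices found, nothing to bind\n' >&2
  fi

  # Pin configs are built once; they do not depend on the device.
  TPM2_CFG="{\"pcr_bank\":\"$TPM_PCR_BANK\",\"pcr_ids\":\"$TPM_PCR_IDS\"}"
  TANG_CFGS=()
  for server in "${TANG_SERVERS[@]}"; do
    read -r url thumbprint <<< "$server"
    # Without a thumbprint nothing authenticates the Tang server, so refuse
    # to bind rather than produce a policy that trusts whatever answers.
    if [[ -z "$url" || -z "${thumbprint:-}" ]]; then
      printf 'ERROR: TANG_SERVERS entry needs "url thumbprint": %s\n' "$server" >&2
      exit 1
    fi
    TANG_CFGS+=("{\"url\":\"$url\",\"thp\":\"$thumbprint\"}")
  done
  TANG_LIST=$(IFS=,; printf '%s' "${TANG_CFGS[*]}")

  for DEVICE_PATH in "${LUKS_DEVICES[@]}"; do
    printf 'Configuring Clevis for %s...\n' "$DEVICE_PATH"
    if [[ "$TPM_ENABLED" == true ]] && (( ${#TANG_CFGS[@]} == 0 )); then
      # TPM only
      clevis luks bind -d "$DEVICE_PATH" tpm2 "$TPM2_CFG"
    elif [[ "$TPM_ENABLED" != true ]]; then
      # Tang only: one key slot per server so any one of them can unlock.
      for cfg in "${TANG_CFGS[@]}"; do
        clevis luks bind -d "$DEVICE_PATH" tang "$cfg"
      done
    else
      # Both: Shamir t=2 over {tpm2, nested sss(t=1 over the Tang list)}, so
      # the TPM *and* at least one reachable Tang server are required. The
      # tang pin's own config only takes url/thp; the earlier
      # "tang":{"t":1,"tang":[...]} wrapper is only meaningful for sss.
      CONFIG="{\"t\":2,\"pins\":{\"tpm2\":${TPM2_CFG},\"sss\":{\"t\":1,\"pins\":{\"tang\":[${TANG_LIST}]}}}}"
      clevis luks bind -d "$DEVICE_PATH" sss "$CONFIG"
    fi
  done
fi

# Enable Clevis for early boot. The .path unit is the one with an [Install]
# section; enabling the .service directly fails with "no installation config".
printf '[+] Enabling Clevis for early boot...\n'
systemctl enable clevis-luks-askpass.path

# Configure dropbear for remote unlock
# NOTE(review): which dracut module consumes /etc/dropbear/authorized_keys
# (and whether it also wants pre-generated host keys) is not visible here;
# confirm against the installed dropbear/crypt-ssh dracut module.
printf '[+] Configuring dropbear for remote unlock...\n'
install -d -m 700 /etc/dropbear
(umask 077; printf '%s\n' "$SSH_KEY" > /etc/dropbear/authorized_keys)
chmod 600 /etc/dropbear/authorized_keys

# Regenerate initramfs so the clevis and dropbear modules are included.
printf '[+] Regenerating initramfs...\n'
dracut -f --regenerate-all

# Enable required services
printf '[+] Enabling services...\n'
# systemctl enable stratisd  # Not needed without Stratis
systemctl enable sshd

# Disable root login. The sed now matches the directive whether it is still
# commented out or already set. On EL9 sshd_config starts with
# `Include /etc/ssh/sshd_config.d/*.conf` and the first value wins, so a
# drop-in (the installer may add one that permits root login) would override
# the main file; a drop-in that sorts first pins the setting either way.
printf '[+] Securing SSH...\n'
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
if [[ -d /etc/ssh/sshd_config.d ]]; then
  # constructed file name; anything that sorts before the other drop-ins works
  printf 'PermitRootLogin no\n' > /etc/ssh/sshd_config.d/00-no-root-login.conf
fi
# Fail loudly now rather than locking ourselves out at the next sshd start.
sshd -t

# Set SELinux to enforcing (takes effect at the next boot).
printf '[+] Setting SELinux to enforcing...\n'
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

printf '✅ Post-installation complete!\n'
printf '\n'
printf 'IMPORTANT: The LUKS passphrase is set in install.conf\n'
printf 'Save it securely for recovery purposes.\n'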
# Closing hints for the operator; printf '%s\n' keeps the leading '-' from
# being read as an option.
printf '\n%s\n' 'After reboot:'
printf '%s\n' '- System will unlock automatically if TPM/Tang configured'
printf '%s\n' '- Or SSH to port 22 for manual unlock'
printf '%s\n' "- Then SSH as user '${ALMA_USER}'"