#!/bin/bash

# Turn off Debian default for %sudo
sed -i -e '/^%sudo/d' /etc/sudoers || true

# Add minion user for salt-minion
if ! grep -q '^minion' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --disabled-login --ingroup vyattacfg \
        --gecos "salt minion user" --shell /bin/vbash minion
    adduser --quiet minion frrvty
    adduser --quiet minion sudo
    adduser --quiet minion adm
    adduser --quiet minion dip
    adduser --quiet minion disk
    adduser --quiet minion users
    adduser --quiet minion frr
fi

# OpenVPN should get its own user
if ! grep -q '^openvpn' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
fi

# node_exporter should get its own user
if ! grep -q '^node_exporter' /etc/passwd; then
    adduser --quiet --firstuid 100 --system --group --shell /bin/false node_exporter
fi

# We need to have a group for RADIUS service users to use it inside PAM rules
if ! grep -q '^radius' /etc/group; then
    addgroup --firstgid 1000 --quiet radius
fi

# Remove TACACS user added by base package - we use our own UID range and group
# assignments - see below
if grep -q '^tacacs' /etc/passwd; then
    if [ $(id -u tacacs0) -ge 1000 ]; then
        level=0
        vyos_group=vyattaop
        while [ $level -lt 16 ]; do
            userdel tacacs${level} || true
            rm -rf /home/tacacs${level} || true
            level=$(( level+1 ))
        done 2>&1
    fi
fi

# Remove TACACS+ PAM default profile
if [[ -e /usr/share/pam-configs/tacplus ]]; then
    rm /usr/share/pam-configs/tacplus
fi

# Add TACACS system users required for TACACS based system authentication
if ! grep -q '^tacacs' /etc/passwd; then
    # Add the tacacs group and all 16 possible tacacs privilege-level users to
    # the password file, home directories, etc. The accounts are not enabled
    # for local login, since they are only used to provide uid/gid/homedir for
    # the mapped TACACS+ logins (and lookups against them). The tacacs15 user
    # is also added to the sudo group, and vyattacfg group rather than vyattaop
    # (used for tacacs0-14).
    level=0
    vyos_group=vyattaop
    while [ $level -lt 16 ]; do
        adduser --quiet --system --firstuid 900 --disabled-login --ingroup tacacs \
            --no-create-home --gecos "TACACS+ mapped user at privilege level ${level}" \
            --shell /bin/vbash tacacs${level}
        adduser --quiet tacacs${level} frrvty
        adduser --quiet tacacs${level} adm
        adduser --quiet tacacs${level} dip
        adduser --quiet tacacs${level} users
        if [ $level -lt 15 ]; then
            adduser --quiet tacacs${level} vyattaop
            adduser --quiet tacacs${level} operator
        else
            adduser --quiet tacacs${level} vyattacfg
            adduser --quiet tacacs${level} sudo
            adduser --quiet tacacs${level} disk
            adduser --quiet tacacs${level} frr
            adduser --quiet tacacs${level} _kea
        fi
        level=$(( level+1 ))
    done 2>&1 | grep -v "User tacacs${level} already exists"
fi

# Add RADIUS operator user for RADIUS authenticated users to map to
if ! grep -q '^radius_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
        --no-create-home --gecos "RADIUS mapped user at privilege level operator" \
        --shell /sbin/radius_shell radius_user
    adduser --quiet radius_user frrvty
    adduser --quiet radius_user vyattaop
    adduser --quiet radius_user operator
    adduser --quiet radius_user adm
    adduser --quiet radius_user dip
    adduser --quiet radius_user users
fi

# Add RADIUS admin user for RADIUS authenticated users to map to
if ! grep -q '^radius_priv_user' /etc/passwd; then
    adduser --quiet --firstuid 1000 --disabled-login --ingroup radius \
        --no-create-home --gecos "RADIUS mapped user at privilege level admin" \
        --shell /sbin/radius_shell radius_priv_user
    adduser --quiet radius_priv_user frrvty
    adduser --quiet radius_priv_user vyattacfg
    adduser --quiet radius_priv_user sudo
    adduser --quiet radius_priv_user adm
    adduser --quiet radius_priv_user dip
    adduser --quiet radius_priv_user disk
    adduser --quiet radius_priv_user users
    adduser --quiet radius_priv_user frr
    adduser --quiet radius_priv_user _kea
fi

# add hostsd group for vyos-hostsd
if ! grep -q '^hostsd' /etc/group; then
    addgroup --quiet --system hostsd
fi

# Add _kea user for kea-dhcp{4,6}-server to vyattacfg
# The user should exist via kea-common installed as transitive dependency
if grep -q '^_kea' /etc/passwd; then
    adduser --quiet _kea vyattacfg
fi

# ensure the proxy user has a proper shell
chsh -s /bin/sh proxy

# Set file capabilities
setcap cap_net_admin=pe /sbin/ethtool
setcap cap_net_admin=pe /sbin/tc
setcap cap_net_admin=pe /bin/ip
setcap cap_net_admin=pe /sbin/xtables-legacy-multi
setcap cap_net_admin=pe /sbin/xtables-nft-multi
setcap cap_net_admin=pe /usr/sbin/conntrack
setcap cap_net_admin=pe /usr/sbin/arp
setcap cap_net_raw=pe /usr/bin/tcpdump
setcap cap_net_admin,cap_sys_admin=pe /sbin/sysctl
setcap cap_sys_module=pe /bin/kmod
setcap cap_sys_time=pe /bin/date

# create needed directories
mkdir -p /var/log/user
mkdir -p /var/core
mkdir -p /opt/vyatta/etc/config/auth
mkdir -p /opt/vyatta/etc/config/scripts
mkdir -p /opt/vyatta/etc/config/user-data
mkdir -p /opt/vyatta/etc/config/support
chown -R root:vyattacfg /opt/vyatta/etc/config
chmod -R 775 /opt/vyatta/etc/config
mkdir -p /opt/vyatta/etc/logrotate
mkdir -p /opt/vyatta/etc/netdevice.d

touch /etc/environment

if [ ! -f /etc/bash_completion ]; then
  echo "source /etc/bash_completion.d/10vyatta-op" > /etc/bash_completion
  echo "source /etc/bash_completion.d/20vyatta-cfg" >> /etc/bash_completion
fi

sed -i 's/^set /builtin set /' /etc/bash_completion

# Fix up PAM configuration for login so that invalid users are prompted
# for password
sed -i 's/requisite[ \t][ \t]*pam_securetty.so/required pam_securetty.so/' $rootfsdir/etc/pam.d/login

# Change default shell for new accounts
sed -i -e ':^DSHELL:s:/bin/bash:/bin/vbash:' /etc/adduser.conf

# Do not allow users to change full name field (controlled by vyos-1x)
sed -i -e 's/^CHFN_RESTRICT/#&/' /etc/login.defs

# Only allow root to use passwd command
if ! grep -q 'pam_succeed_if.so' /etc/pam.d/passwd ; then
    sed -i -e '/^@include/i \
password    requisite pam_succeed_if.so user = root
' /etc/pam.d/passwd
fi

# remove unnecessary ddclient script in /etc/ppp/ip-up.d/
# this logs unnecessary messages trying to start ddclient
rm -f /etc/ppp/ip-up.d/ddclient

# create /opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
PRECONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-preconfig-bootup.script
if [ ! -x $PRECONFIG_SCRIPT ]; then
    mkdir -p $(dirname $PRECONFIG_SCRIPT)
    touch $PRECONFIG_SCRIPT
    chmod 755 $PRECONFIG_SCRIPT
    cat <<EOF >>$PRECONFIG_SCRIPT
#!/bin/sh
# This script is executed at boot time before VyOS configuration is applied.
# Any modifications required to work around unfixed bugs or use
# services not available through the VyOS CLI system can be placed here.

EOF
fi

# create /opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
POSTCONFIG_SCRIPT=/opt/vyatta/etc/config/scripts/vyos-postconfig-bootup.script
if [ ! -x $POSTCONFIG_SCRIPT ]; then
    mkdir -p $(dirname $POSTCONFIG_SCRIPT)
    touch $POSTCONFIG_SCRIPT
    chmod 755 $POSTCONFIG_SCRIPT
    cat <<EOF >>$POSTCONFIG_SCRIPT
#!/bin/sh
# This script is executed at boot time after VyOS configuration is fully applied.
# Any modifications required to work around unfixed bugs
# or use services not available through the VyOS CLI system can be placed here.

EOF
fi

# symlink destination is deleted during ISO assembly - this generates some noise
# when the system boots: systemd-sysv-generator[1881]: stat() failed on
# /etc/init.d/README, ignoring: No such file or directory. Thus we simply drop
# the file.
if [ -L /etc/init.d/README ]; then
    rm -f /etc/init.d/README
fi

# Remove unwanted daemon files from /etc
# conntackd
# pmacct
# fastnetmon
# ntp
DELETE="/etc/logrotate.d/conntrackd.distrib /etc/init.d/conntrackd /etc/default/conntrackd
        /etc/default/pmacctd /etc/pmacct
        /etc/networks_list /etc/networks_whitelist /etc/fastnetmon.conf
        /etc/ntp.conf /etc/default/ssh /etc/avahi/avahi-daemon.conf /etc/avahi/hosts
        /etc/powerdns /etc/default/pdns-recursor
        /etc/ppp/ip-up.d/0000usepeerdns /etc/ppp/ip-down.d/0000usepeerdns"
for tmp in $DELETE; do
    if [ -e ${tmp} ]; then
        rm -rf ${tmp}
    fi
done

# Remove logrotate items controlled via CLI and VyOS defaults
sed -i '/^\/var\/log\/messages$/d' /etc/logrotate.d/rsyslog
sed -i '/^\/var\/log\/auth.log$/d' /etc/logrotate.d/rsyslog

# Fix FRR pam.d "vtysh_pam" vtysh_pam: Failed in account validation T5110
if test -f /etc/pam.d/frr; then
    if grep -q 'pam_rootok.so' /etc/pam.d/frr; then
        sed -i -re 's/rootok/permit/' /etc/pam.d/frr
    fi
fi

# Enable Cloud-init pre-configuration service
systemctl enable vyos-config-cloud-init.service

# Enable Podman API
systemctl enable podman.service

# Generate API GraphQL schema
/usr/libexec/vyos/services/api/graphql/generate/generate_schema.py

# Update XML cache
python3 /usr/lib/python3/dist-packages/vyos/xml_ref/update_cache.py

# Generate hardlinks for systemd units for multi VRF support
# as softlinks will fail in systemd:
# symlink target name type "ssh.service" does not match source, rejecting.
if [ ! -f /lib/systemd/system/ssh@.service ]; then
    ln /lib/systemd/system/ssh.service /lib/systemd/system/ssh@.service
fi

# T4287 - as we have a non-signed kernel use the upstream wireless reulatory database
update-alternatives --set regulatory.db /lib/firmware/regulatory.db-upstream

# Restart vyos-configd to apply changes in Python scripts/templates
if systemctl is-active --quiet vyos-configd; then
    systemctl restart vyos-configd
fi