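#!/bin/bash
#Unattended Ubuntu installer.
#Stage 1 (this file, run as root on a live system): picks the target disk,
#asks whether to encrypt, wipes and partitions the disk, debootstraps a
#minimal system into /mnt and writes the stage 2 script to /mnt/root/install.sh.
#Stage 2 (run via chroot): packages, locale, bootloader, users, then reboot.
#
#Optional environment overrides (defaults below):
#  PASSWORD      LUKS passphrase and password of the "serveradmin" user
#  PASSWORDROOT  password of "root"
#  RELEASE       Ubuntu release to install
#  SWAP_MIB      swapfile size in MiB, or "auto" to derive it from RAM
export DEBIAN_FRONTEND=noninteractive

#NOTE(review): the built-in defaults are weak and readable in this file;
#supply PASSWORD/PASSWORDROOT through the environment for a real install.
#Password for Encryption and "serveradmin" User
PASSWORD="${PASSWORD:-p@ssw0rd}"
#Password for "root" User
PASSWORDROOT="${PASSWORDROOT:-p@ssw0rd}"
#Release Name for Install
RELEASE="${RELEASE:-jammy}"
#Swapfile size in MiB ("auto" = derive from installed memory, see below)
SWAP_MIB="${SWAP_MIB:-1024}"

#######################################
# Print a message to stderr and abort the installer.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Ask a Y/N question, waiting 20 seconds for an answer.
# Arguments: $1 - prompt text
# Globals:   ANSWER (written) - "y", "n" or "timeout"
#######################################
ask_yn() {
  local rc
  while :; do
    rc=0
    read -r -t20 -p "$1" || rc=$?
    if (( rc > 128 )); then   # read(1) reports a timeout with status > 128
      ANSWER=timeout
      return
    fi
    (( rc == 0 )) || die "No input available (EOF)."
    case $REPLY in
      [yY]*) ANSWER=y; return ;;
      [nN]*) ANSWER=n; return ;;
      *) echo "Please enter Y or N" ;;
    esac
  done
}

#######################################
# Suggest a swapfile size from installed memory (MemTotal, kB).
# Rule: < 2 GiB -> 2x RAM, 2..8 GiB -> 1x RAM, > 8 GiB -> half of RAM.
# Outputs: size in MiB on stdout
#######################################
suggest_swap_mib() {
  local mem_kb gib
  mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
  gib=$(( mem_kb / 1048576 + 1 ))   # integer GiB, rounded up by one
  if (( gib < 2 )); then
    gib=$(( gib * 2 ))
  elif (( gib > 8 )); then
    gib=$(( gib / 2 ))
  fi
  printf '%d\n' "$(( gib * 1024 ))"
}

[[ $EUID -eq 0 ]] || die "This installer must run as root."
[[ "$SWAP_MIB" == "auto" || "$SWAP_MIB" =~ ^[0-9]+$ ]] || die "SWAP_MIB must be a number of MiB or 'auto'."

setxkbmap de
echo "deb http://de.archive.ubuntu.com/ubuntu $RELEASE main universe" >> /etc/apt/sources.list
apt-get update
#gdisk (sgdisk), cryptsetup and dosfstools are used below and are not on every live image
apt-get install --yes debootstrap net-tools arch-install-scripts gdisk cryptsetup dosfstools

#List all Disks and put it into an Array.
#You can choose on what DISK the System will be installed.
options=()
while IFS= read -r disk; do
  options+=("$disk")
done < <(lsblk -dpno NAME | grep -v -e loop -e sr)
(( ${#options[@]} > 0 )) || die "No installable disk found."
DISKA="${options[0]}"
options+=("Exit")

ask_yn "Automatic choose $DISKA in 20 Seconds (Y/N): "
case $ANSWER in
  n)
    select opt in "${options[@]}"; do
      [[ -n "$opt" ]] || continue      # invalid menu number: ask again
      [[ "$opt" == "Exit" ]] && exit 0
      DISK=$opt
      break
    done
    ;;
  *) DISK=$DISKA ;;                    # "y" or timeout: take the default
esac
[[ -n "${DISK:-}" ]] || die "No disk selected."

printf '\n\n'
ask_yn "Encrypted Install? (Y/N). N Default: "
ENC=0
[[ "$ANSWER" == y ]] && ENC=1

#The default Network Interface (device behind the default route)
INTERFACE=$(ip -o route show default | awk '{print $5}' | head -n 1)
[[ -n "$INTERFACE" ]] || die "No default route found; network is required for debootstrap."

#Partition device names: disks whose name ends in a digit (nvme0n1, mmcblk0)
#use a "p" separator, the others (sda, vda) do not.
PSEP=""
[[ "$DISK" == *[0-9] ]] && PSEP="p"
PART1="${DISK}${PSEP}1"
PART2="${DISK}${PSEP}2"

#WIPE the DISK
blkdiscard -f "$DISK"
sgdisk --zap-all "$DISK"
partprobe
udevadm settle

#Swap File Size (MiB); "auto" derives it from the current memory.
if [[ "$SWAP_MIB" == "auto" ]]; then
  SWAP_MIB=$(suggest_swap_mib)
fi

if [[ -d /sys/firmware/efi ]]; then
  #Create 2 Partitions. 1. for EFI. 2. for the (optionally encrypted) Linux System
  sgdisk -n1:0:+500M -c 1:"EFI System Partition" -t 1:ef00 "$DISK"
  sgdisk -n2:0:0 -c 2:"Linux /" -t 2:8300 "$DISK"
  partprobe
  udevadm settle
  mkfs.vfat -F32 -n ESP "$PART1"
else
  #Create 2 Partitions. 1. BIOS Boot Partition (raw; grub-install writes its
  #core image there, so it gets no filesystem). 2. for the Linux System
  sgdisk -n1:0:+2M -c 1:"BIOS Boot Partition" -t 1:ef02 "$DISK"
  sgdisk -n2:0:0 -c 2:"Linux /" -t 2:8300 "$DISK"
  partprobe
  udevadm settle
fi

if (( ENC == 1 )); then
  #Passphrase is passed on stdin so it never appears in a process argument list
  printf '%s' "$PASSWORD" | cryptsetup -q -c aes-xts-plain64 -s 512 -h sha512 luksFormat --label cryptlinux "$PART2"
  printf '%s' "$PASSWORD" | cryptsetup open "$PART2" cryptlinux
  mkfs.ext4 -L linux /dev/mapper/cryptlinux
  #Mount the encrypted Disk
  mount /dev/mapper/cryptlinux /mnt
  MAPPER="/dev/mapper/cryptlinux"
else
  mkfs.ext4 -L linux "$PART2"
  mount "$PART2" /mnt
  MAPPER="$PART2"
fi

if [[ -d /sys/firmware/efi ]]; then
  mkdir -p /mnt/boot/efi
  mount "$PART1" /mnt/boot/efi
fi

#Create the Swapfile; keep it 0600 (a readable swapfile would expose memory contents)
dd if=/dev/zero of=/mnt/swapfile bs=1M count="$SWAP_MIB" status=none
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile

#Set a random Hostname ("s-" plus 7 alphanumerics)
host="s-$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 7)"
echo "$host" > /etc/hostname

#Install a very small Basic System.
#"base" is a Basic System. "minbase" is a smaller Basic System
debootstrap \
  --arch=amd64 \
  --variant=minbase \
  "$RELEASE" \
  /mnt \
  http://de.archive.ubuntu.com/ubuntu/ || die "debootstrap failed."

echo "127.0.0.1 $host" >> /mnt/etc/hosts
echo "$host" > /mnt/etc/hostname
#First IPv4 address of the default interface (head: an interface may have several)
ip4=$(ip -o -4 addr list "$INTERFACE" | awk '{print $4}' | cut -d/ -f1 | head -n 1)
echo "$ip4 $host" >> /mnt/etc/hosts

#Create the FSTAB File
genfstab -U /mnt > /mnt/etc/fstab
#Site-specific NFS share; adjust or remove for other environments
cat >> /mnt/etc/fstab << 'SHAREFSTAB'
10.0.1.2:/shares/storage/vms /share nfs rw,hard,intr,bg 0 0
SHAREFSTAB
mkdir -p /mnt/share

if (( ENC == 1 )); then
  #The initramfs needs this entry to unlock the root device on boot.
  #-s UUID is required: a bare "-o value" prints every tag, not only the UUID.
  printf 'cryptlinux UUID=%s none luks\n' "$(blkid -s UUID -o value "$PART2")" >> /mnt/etc/crypttab
fi

#write the Sources File for APT
cat > /mnt/etc/apt/sources.list << EOF
deb http://archive.ubuntu.com/ubuntu/ $RELEASE main restricted
deb http://security.ubuntu.com/ubuntu/ $RELEASE-security main restricted
deb http://archive.ubuntu.com/ubuntu/ $RELEASE-updates main restricted
deb http://archive.canonical.com/ubuntu $RELEASE partner
deb http://de.archive.ubuntu.com/ubuntu/ $RELEASE universe
deb http://de.archive.ubuntu.com/ubuntu/ $RELEASE-updates universe
deb http://de.archive.ubuntu.com/ubuntu/ $RELEASE multiverse
deb http://de.archive.ubuntu.com/ubuntu/ $RELEASE-updates multiverse
#deb http://de.archive.ubuntu.com/ubuntu/ $RELEASE-backports main restricted universe multiverse
EOF

#Mount the pseudo filesystems the chroot needs (efivarfs on top of the sysfs mount)
mount --bind /dev /mnt/dev
mount -t devpts /dev/pts /mnt/dev/pts
mount -t sysfs /sys /mnt/sys
mount -t proc /proc /mnt/proc
mount -t tmpfs tmpfs /mnt/tmp
rm -f /mnt/etc/mtab
cp /proc/mounts /mnt/etc/mtab
if [[ -d /sys/firmware/efi ]]; then
  mount -t efivarfs efivarfs /mnt/sys/firmware/efi/efivars
fi

#Write the Stage 2 Install Script into the Debootstrap Directory /mnt.
#The heredoc is quoted: nothing is expanded while writing, so the $... inside
#the embedded hook/profile snippets survive and no password is stored in the
#file. Stage 2 reads its inputs from the environment, which chroot inherits.
export DISK MAPPER INTERFACE PASSWORD PASSWORDROOT
############################################################################
cat > /mnt/root/install.sh << 'ENDFILE'
#!/bin/bash
#Stage 2: runs inside the chroot. Expects DISK, MAPPER, INTERFACE, PASSWORD
#and PASSWORDROOT in the environment (exported by stage 1).
export DEBIAN_FRONTEND=noninteractive
: "${DISK:?}" "${MAPPER:?}" "${INTERFACE:?}" "${PASSWORD:?}" "${PASSWORDROOT:?}"

#Updating the System and add Mozilla PPA
apt-get update
apt-get -y install software-properties-common
add-apt-repository -y ppa:mozillateam/ppa
apt-get -y upgrade
apt-get -y dist-upgrade

#Install everything from Description
apt-get install -y --no-install-recommends \
  linux-{,image-,headers-}generic linux-firmware dkms \
  initramfs-tools cryptsetup{,-initramfs} efibootmgr shim-signed dialog grub-pc \
  iputils-ping dnsutils lsof isc-dhcp-client network-manager bridge-utils \
  iproute2 net-tools netplan.io locales localepurge policykit-1 nfs4-acl-tools \
  dosfstools vim gdisk file openssh-server mlocate apt-utils ssh-askpass cifs-utils nfs-common \
  ubuntu-drivers-common language-pack-de console-setup tzdata plymouth plymouth-themes sudo \
  tasksel wget curl udisks2-lvm2 bash nano less tree apparmor bash-completion rsyslog nano vim \
  cron man iotop iftop iptraf inxi lftp screen nethogs libpam-google-authenticator lvm2 xfsprogs xorg \
  qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils libvirt-daemon-driver-lxc ncat dnsmasq qemu-utils
#Optional package sets kept for reference:
#firewalld cockpit
#pacemaker pcs corosync fence* heartbeat
#zfsutils-linux glusterfs-server cephadm ceph-common ceph-base docker.io
#blackbox xserver-xorg-core xserver-xorg xinit x11-xserver-utils xterm firefox cephadm lvm2 docker.io
#mate-core mate-desktop-environment mate-notification-daemon
#mate-icon-theme mate-tweak caja-eiciel gnome-system-tools xterm firefox
#systemctl disable firewalld

cat >> /etc/bash.bashrc << 'COMPLETION'
# enable bash completion in interactive shells
if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
  . /etc/bash_completion
fi
COMPLETION

#Forward all logs to the site log server (site-specific)
cat > /etc/rsyslog.d/graylog.conf << 'SYSLOG'
*.*@10.0.3.3:1514;RSYSLOG_SyslogProtocol23Format
SYSLOG

#Attach SSH logins to a persistent screen session (evaluated at login, hence quoted)
cat >> /etc/profile << 'SCREENSESSION'
if [ "$TERM" != "screen" ] && [ "$SSH_CONNECTION" != "" ]; then
  /usr/bin/screen -S sshscreen -d -R && exit
fi
SCREENSESSION

#Change the Language and Keyboard Layout to "German"
cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime
echo 'LANG="de_DE.UTF-8"' > /etc/default/locale
echo 'Europe/Berlin' > /etc/timezone
locale-gen de_DE.UTF-8
dpkg-reconfigure -f noninteractive tzdata
cat > /etc/default/keyboard << 'EOF'
# KEYBOARD CONFIGURATION FILE
# Consult the keyboard(5) manual page.
XKBMODEL="pc105"
XKBLAYOUT="de"
XKBVARIANT="nodeadkeys"
XKBOPTIONS=""
BACKSPACE="guess"
EOF
dpkg-reconfigure -f noninteractive keyboard-configuration

if [ -d /sys/firmware/efi ]; then
  #Make the System bootable (UEFI): systemd-boot loads kernel and initrd from the ESP
  bootctl install
  cp --dereference /boot/{vmlinuz,initrd.img} /boot/efi/
else
  grub-install "$DISK"
  update-grub
fi
printf 'Bootloader installed for %s\n' "$DISK"

#Small HOOK to refresh the kernel/initrd copies on the ESP after a kernel upgrade;
#without it the system may not boot after an upgrade (UEFI layout above).
#Quoted heredoc: the $ references belong to the hook, not to this script.
cat > /boot/copykernels << 'EOF'
#!/usr/bin/env bash
# copy updated kernel and initrd to efi system partition
b=/boot
e=/boot/efi
# kernels: check versions
for kern in vmlinuz{,.old}; do
  if [[ $(file -Lb $b/$kern 2>/dev/null) != $(file -b $e/$kern 2>/dev/null) ]]; then
    cp -fv --preserve $b/$kern $e/$kern
  fi
done
# initrd: check creation time
for init in initrd.img{,.old}; do
  if [[ $b/$init -nt $e/$init ]]; then
    cp -fv --preserve=mode,ownership $b/$init $e/$init
  fi
done
EOF
chmod +x /boot/copykernels
#To run the hook after every dpkg run, add to /etc/apt/apt.conf.d/:
#  DPkg::Post-Invoke { "/boot/copykernels"; };

cat > /etc/netplan/01-netcfg.yaml << EOF
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    $INTERFACE:
      dhcp4: true
EOF
chmod 600 /etc/netplan/01-netcfg.yaml

if [ -d /sys/firmware/efi ]; then
  #systemd-boot entry; paths are relative to the ESP root
  cat > /boot/efi/loader/entries/ubuntu.conf << EOF
title Ubuntu
linux /vmlinuz
initrd /initrd.img
options splash root=$MAPPER
EOF
fi

cp /usr/share/systemd/tmp.mount /etc/systemd/system/
systemctl enable tmp.mount

#Set root Password, add some Groups, add "serveradmin" User, Set Password for "serveradmin"
printf 'root:%s\n' "$PASSWORDROOT" | chpasswd
addgroup --system lpadmin
addgroup --system lxd
addgroup --system sambashare
addgroup --system wheel
#NOTE(review): on systemd these are usually symlinks to systemctl and chown
#follows them - confirm changing the group of the target is intended
chown root:adm /usr/sbin/halt
chown root:adm /usr/sbin/reboot
adduser serveradmin --disabled-password --gecos ""
cp -a /etc/skel/. /home/serveradmin
usermod -aG adm,sudo,wheel,cdrom,dip,lpadmin,lxd,plugdev,sambashare,kvm,libvirt,video,tty serveradmin
#Passwordless sudo for the admin user; sudoers drop-ins are expected to be 0440
echo "serveradmin ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/serveradmin
chmod 0440 /etc/sudoers.d/serveradmin
printf 'serveradmin:%s\n' "$PASSWORD" | chpasswd
#create keyfile
mkdir -p /home/serveradmin/.ssh/
ssh-keygen -q -N "" -f /home/serveradmin/.ssh/localhost
chown -R serveradmin:serveradmin /home/serveradmin
chmod -R ug+rwx,o-rwx /home/serveradmin
#ssh rejects a group-writable ~/.ssh (StrictModes) and a group-readable private key
chmod 700 /home/serveradmin/.ssh
chmod 600 /home/serveradmin/.ssh/localhost

mkdir -p /etc/motd.d/
cat > /etc/motd.d/google-authenticator << 'EOF'
Run google-authenticator after first Login.
Enable 2 Factor Authentication in "/etc/pam.d/sshd" (last Line)
EOF
cat >> /etc/ssh/sshd_config << 'EOF'
ChallengeResponseAuthentication yes
EOF
#Left commented on purpose: uncomment to enforce TOTP for ssh logins (see motd)
cat >> /etc/pam.d/sshd << 'EOF'
#auth required pam_google_authenticator.so
EOF

#########OPTIONAL
mkdir -p /etc/X11/
[ -f /etc/X11/Xwrapper.config ] && sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config
###################

update-initramfs -v -u -k all
rm /root/install.sh
read -r -t20 -p "Installation done. Please wait..."
exit 0
ENDFILE
############################################################################

#Make Install Script as an Executable
chmod +x /mnt/root/install.sh
#chroot in /mnt and run install Script (the exported variables above are inherited)
chroot /mnt /bin/bash /root/install.sh
sync
reboot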