#!/bin/sh
# Stop at the first command that fails (errexit) and treat any reference to
# an unset variable as an error (nounset). Neither option notices a failure
# on the left-hand side of a pipeline.
set -o errexit -o nounset

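# Print a highlighted section banner on stderr.
# Arguments: $1 - text of the banner.
# Outputs:   the banner, wrapped in ANSI colour codes, on stderr only.
notify () {
    # \033 is the octal escape for ESC, which POSIX printf defines; \e is an
    # extension that not every /bin/sh printf understands.
    printf '\n\033[1;94m=== %s ====\033[0m\n\n' "$1" >&2
}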

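notify 'Install Debian packages.'
# The libcontainers repository supplies Podman for Ubuntu 20.04.
podman_repo='https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04'
podman_key='/etc/apt/keyrings/podman.asc'
# Keep the repository key in its own file and bind it to this one source with
# signed-by. `apt-key add` puts the key in the global keyring, where it is
# trusted to sign packages from every configured repository.
# Downloading to a file instead of a pipe also lets `set -e` stop the script
# when wget fails.
# The .asc suffix makes apt read the file as ASCII-armored; this assumes
# Release.key is served in that form - TODO confirm.
# NOTE(review): the key is trusted on first download; compare its fingerprint
# with a value obtained out of band if one is available.
install -d -m 0755 /etc/apt/keyrings
wget "$podman_repo/Release.key" -O "$podman_key"
chmod 0644 "$podman_key"
printf 'deb [signed-by=%s] %s/ /\n' "$podman_key" "$podman_repo" > /etc/apt/sources.list.d/podman.list
# apt-get is the front end with a stable command-line interface for scripts.
apt-get update
apt-get install --yes \
    amd64-microcode \
    btrfs-progs \
    cryptsetup \
    docker.io \
    fonts-noto-cjk-extra \
    fonts-sil-ezra \
    intel-microcode \
    language-pack-gnome-he \
    libpam-mount \
    podman \
    sshfs \
    systemd-container \
    ufw \
    virtualbox
apt-get dist-upgrade --yes --purge
apt-get autoremove --purge --yes
apt-get autoclean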

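notify 'Install toolbox.'
# Fetch the whole archive before unpacking it: a failed or interrupted
# download then stops the script (set -e) instead of feeding a truncated
# stream to tar while it is already writing into /usr/local.
# The URL is quoted because it contains '?', a shell glob character.
# NOTE(review): this is the latest build of the master branch and it is
# unpacked as root without a checksum or signature check; pin a specific
# build and verify its digest if the project publishes one.
toolbox_archive="$(mktemp)"
wget 'https://git.shore.co.il/shore/toolbox-build/-/jobs/artifacts/master/raw/toolbox.tar.gz?job=build' -O "$toolbox_archive"
# --no-same-owner: when run as root, tar otherwise restores the owner recorded
# in the archive; with this flag the extracted files belong to root.
tar -xz --no-same-owner -f "$toolbox_archive" -C /usr/local/
rm -f -- "$toolbox_archive"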

notify 'Setup the firewall.'
# SSH is rate-limited rather than simply allowed.
ufw limit ssh
# Accept inbound traffic on the Docker bridge and the VirtualBox host-only
# interface.
for bridge in docker0 vboxnet0
do
    ufw allow in on "$bridge"
done
# NOTE(review): no protocol, interface or source is given, so port 8080 is
# reachable over TCP and UDP from any address - confirm that is intended.
ufw allow 8080
# Everything inbound that no rule above matches is dropped.
ufw default deny incoming
ufw enable

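notify 'Mounting a tmpfs under /tmp'
# Remove only entries whose mount point (second field) is exactly /tmp.
# Matching "/tmp" anywhere on the line would also delete entries such as
# /var/tmp and any comment that mentions the path.
sed -i -E '/^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+\/tmp([[:space:]]|$)/d' /etc/fstab
# nodev,nosuid: device nodes and set-uid/set-gid bits are not honoured on
# this mount. Only /etc/fstab is edited here; nothing is mounted by this step.
printf '%s\n' 'tmpfs   /tmp    tmpfs   defaults,nodev,nosuid   0   0' >> /etc/fstab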

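notify 'Disabling swap'
# Remove only entries whose filesystem type (third field) is swap. Matching
# the word anywhere on the line would also delete comments and any mount
# whose device or path merely contains "swap".
# Only /etc/fstab is edited; swap that is already active is not turned off
# by this step.
sed -i -E '/^[[:space:]]*[^#[:space:]][^[:space:]]*[[:space:]]+[^[:space:]]+[[:space:]]+swap([[:space:]]|$)/d' /etc/fstab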

notify 'Set UID/GID mapping'
# Give the user nimrod 65536 subordinate IDs starting at 100000, in both the
# GID and the UID table. tee also echoes the line to stdout.
# NOTE(review): both files are replaced wholesale, so any ranges already
# assigned to other accounts are dropped.
printf '%s\n' 'nimrod:100000:65536' | tee /etc/subgid /etc/subuid

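# Banner spelling corrected ("Flaptpaks" -> "Flatpaks").
notify 'Install Flatpaks.'
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
# One `flatpak install` per application ID. xargs keeps going after a failed
# install and reports the failure through its own exit status once the list
# is exhausted, at which point `set -e` stops the script.
xargs -n1 flatpak install --noninteractive flathub <<'EOF'
com.belmoussaoui.Authenticator
com.github.louis77.tuner
com.github.subhadeepjasu.pebbles
com.github.xournalpp.xournalpp
com.gitlab.bitseater.meteo
com.nextcloud.desktopclient.nextcloud
com.rafaelmardojai.Blanket
com.skype.Client
com.slack.Slack
org.chromium.Chromium
org.equeim.Tremotesf
org.gimp.GIMP
org.gnome.Epiphany
org.gnome.Geary
org.gnome.Mahjongg
org.gnome.PasswordSafe
org.libreoffice.LibreOffice
org.mozilla.firefox
org.raspberrypi.rpi-imager
org.remmina.Remmina
org.videolan.VLC
us.zoom.Zoom
EOF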

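notify 'Configure Docker'
mkdir -p /etc/systemd/system/docker.socket.d /etc/systemd/system/docker.service.d
# Download each drop-in to a temporary file and install it only once the
# download has succeeded. `wget -O <target>` truncates the target before the
# transfer starts, so a failed download would leave an empty drop-in behind.
# NOTE(review): the drop-ins come from the snippet's mutable `main` ref and
# are not checked against a known digest, yet they change how the root-run
# Docker units start. Judging by its name, nimrod-group.conf presumably hands
# the Docker socket to that user's group, which amounts to root access -
# confirm.
for dropin in docker.socket.d/nimrod-group.conf docker.service.d/after-mount.conf
do
    dropin_tmp="$(mktemp)"
    # ${dropin##*/} is the file name without its directory part.
    wget "https://git.shore.co.il/-/snippets/13/raw/main/${dropin##*/}" -O "$dropin_tmp"
    install -m 0644 -- "$dropin_tmp" "/etc/systemd/system/$dropin"
    rm -f -- "$dropin_tmp"
done
systemctl daemon-reload
systemctl restart docker.socket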

notify 'Yoga C930 specifics'
# Apply the sound-driver option only when the DMI data names this model.
if dmidecode | grep -q 'YOGA C930'; then
    alsa_conf=/etc/modprobe.d/alsa-base.conf
    # Drop any earlier dmic_detect line first so reruns do not stack
    # duplicates, then append the setting.
    sed -i '/dmic_detect/d' "$alsa_conf"
    printf '%s\n' 'options snd-hda-intel dmic_detect=0' >> "$alsa_conf"
fi

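notify 'Setup pam-mount for mounting the encrypted volume at login'
# wget needs an explicit -O here. Without it the download is saved as a file
# in the current directory and nothing reaches stdout, so piping into tee
# replaced the live configuration with an empty file.
# The file is fetched to a temporary path and installed only after the
# download succeeds, so a failure leaves the existing configuration intact.
# NOTE(review): this file is read by PAM at login and comes from the
# snippet's mutable `main` ref without a digest check.
pam_mount_tmp="$(mktemp)"
wget https://git.shore.co.il/-/snippets/13/raw/main/pam_mount.conf.xml -O "$pam_mount_tmp"
install -m 0644 -- "$pam_mount_tmp" /etc/security/pam_mount.conf.xml
rm -f -- "$pam_mount_tmp"

notify 'Finished.'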