#!/bin/bash

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

## Abort as soon as any unguarded command exits non-zero, so a failed
## hardening step is not followed by later steps.
set -o errexit

## Optional helper library. It is only loaded when present; the script runs
## without it.
## NOTE(review): presumably this is where the colour variables used below
## (${red}, ${green}, ${bold}, ${reset}) come from -- confirm. When it is
## absent they expand to empty strings and the output is simply uncoloured.
if test -f /usr/lib/helper-scripts/pre.bsh; then
   . /usr/lib/helper-scripts/pre.bsh
fi

## Thanks to:
## http://mywiki.wooledge.org/BashFAQ/035

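## Parse leading options. Recognised: --ssh, --nossh, and -- (end of options).
## Any other word starting with '-' is rejected with exit status 2. Parsing
## stops at the first non-option word, which is left in "$@".
##
## Start from a known-empty value: without this, a variable named 'ssh'
## inherited from the caller's environment would satisfy the later
## "--ssh or --nossh is required" check without either flag being given.
ssh=""

while :
do
      case "$1" in
         --ssh)
            ssh=true
            shift
            ;;
         --nossh)
            ssh=false
            shift
            ;;
         --)
            ## Explicit end of options.
            shift
            break
            ;;
         -*)
            echo "$0 unknown option: $1" >&2
            exit 2
            ;;
         *)
            ## First non-option word, or no arguments left.
            break
            ;;
      esac
done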

## If there are input files (for example) that follow the options, they
## will remain in the "$@" positional parameters.

## Refuse to continue unless an SSH mode was chosen explicitly: no default is
## assumed for whether user 'user' keeps membership of group 'ssh'.
if [ -z "$ssh" ]; then
   {
      echo "${red}ERROR${reset}: must use either --ssh or --nossh. For example:"
      echo "$0 --nossh"
   } >&2
   exit 2
fi

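## Step: enable hide-hardware-info.service.
## 'systemctl enable' only arranges for the unit to be started at boot; it
## does not start the unit in the running session. Because errexit is active,
## a failing 'systemctl enable' aborts the script before "Success." is printed.
echo "${bold}[Hide Hardware Info]${reset}"
echo "Enabling hide-hardware-info.service by running 'systemctl enable hide-hardware-info.service'..."

systemctl enable hide-hardware-info.service

echo "${green}Success.${reset}"
echo ""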

## Step: create the marker file /etc/noexec. This step only creates the
## (empty) file; existing content, if any, is left untouched by touch.
## NOTE(review): whatever consumes /etc/noexec is not visible in this
## script -- confirm when the marker is read and takes effect.
printf '%s\n' \
   "${bold}[NOEXEC]${reset}" \
   "Enabling noexec by creating file /etc/noexec ..."

touch /etc/noexec

printf '%s\n' "${green}Success.${reset}" ""

## Step: write the LKRG sysctl drop-in. The file is overwritten on every run,
## so manual edits to it are lost (the generated header says so as well).
## The meaning of the two lkrg.* settings is documented at the wiki URL that
## is embedded in the generated file.
## NOTE(review): nothing in this script reloads sysctl settings, so the values
## presumably take effect when /etc/sysctl.d is next processed (for example at
## boot) -- confirm.
printf '%s\n' \
   "${bold}[LKRG - Linux Kernel Runtime Guard]${reset}" \
   "LKRG hardening by creating /etc/sysctl.d/40-security-misc-autogenerated.conf ..."

mkdir -p /etc/sysctl.d

## Unquoted delimiter on purpose: $0 must be expanded into the header.
cat > /etc/sysctl.d/40-security-misc-autogenerated.conf <<EOF
## This is an automatically generated file.
## This file was automatically generated by:
## $0
## Edits may be lost!

## https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG#Configuration
lkrg.ci_panic=1
lkrg.umh_lock=1
EOF

printf '%s\n' "${green}Success.${reset}" ""

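## Step (only with --nossh): remove user 'user' from group 'ssh'.
if [ "$ssh" = "false" ]; then
   echo "${bold}[Console Lockdown]${reset}"
   echo "Enabling Console Lockdown by removing user 'user' from group 'ssh'."

   ## The exit status of delgroup is deliberately ignored.
   ## NOTE(review): presumably because delgroup also exits non-zero when
   ## 'user' is not a member of 'ssh', which is an acceptable outcome -- confirm.
   delgroup user ssh &>/dev/null || true

   ## Because the status above is discarded, verify the result instead of
   ## assuming it: report success only if 'user' is no longer listed in group
   ## 'ssh'. A failing id (for example no such user) yields an empty list.
   user_groups="$(id -nG user 2>/dev/null || true)"

   case " ${user_groups} " in
      *" ssh "*)
         ## Kept as a warning, not an exit, so the script's exit status is
         ## unchanged for existing callers.
         echo "${red}WARNING${reset}: user 'user' is still a member of group 'ssh'. Run 'delgroup user ssh' manually to see the error." >&2
         ;;
      *)
         echo "${green}Success.${reset}"
         ;;
   esac
   echo ""
fi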