#!/bin/sh

## SECURITY

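# Clear the logs so nothing recorded during the image build ships in instances.
find /var/log -type f -delete

# Drop cached package files (apt-get clean takes no arguments).
apt-get clean

# SSH host keys must be unique per instance: delete the ones generated during
# the build and ask cloud-init to regenerate them at first boot.
# Only host key files are matched, so an unrelated file or directory under
# /etc/ssh whose name merely contains "key" is not removed recursively.
rm -f /etc/ssh/ssh_host_*key*
mkdir -p /var/lib/cloud/scripts/per-once
# The per-once script carries an interpreter line: cloud-init executes these
# files directly, and a file without "#!" can fail with "Exec format error",
# which would leave the instance without host keys.
cat > /var/lib/cloud/scripts/per-once/sshkeys << "EOF"
#!/bin/sh
dpkg-reconfigure openssh-server
EOF
chmod +x /var/lib/cloud/scripts/per-once/sshkeys

# Delete the saved random seed so clones do not all start from the same one.
rm -f /var/lib/systemd/random-seed

# NOTE(review): /etc/machine-id is not reset in this section; if the image has
# one, every clone will share it. Confirm it is handled elsewhere.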


## PERFORMANCE

# Kernel command line: serial/hypervisor consoles, no console blanking,
# deadline I/O scheduler and classic ethN interface names.
# The first expression only matches a line that is exactly
# GRUB_CMDLINE_LINUX_DEFAULT="quiet"; the other two strip "splash" and the
# literal "$vt_handoff" wherever they appear in the file.
grub_cmdline='vga=0x318 console=ttyS0,115200n8 console=hvc0 consoleblank=0 elevator=deadline biosdevname=0 net.ifnames=0'
sed -i \
  -e "s/GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\"/GRUB_CMDLINE_LINUX_DEFAULT=\"${grub_cmdline}\"/g" \
  -e 's/splash//g' \
  -e 's/$vt_handoff//g' \
  /etc/default/grub
update-grub

# Low-level scheduler and VM tunables, appended by hand (on CentOS, tuned
# takes care of this and more). Appending means a second run duplicates lines.
cat >> /etc/sysctl.d/tuned.conf << "EOF"
kernel.sched_min_granularity_ns=10000000
kernel.sched_wakeup_granularity_ns=15000000
vm.dirty_ratio=40
vm.swappiness=30
EOF


# OTHER

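# delete the udev rules for network devices
find /etc/udev/rules.d/ -name "*persistent*" -delete

# xs-tools
# workaround as debian installer can't mount a cdrom during install
#
# SECURITY: the tarball is fetched over plain HTTP and its install.sh then runs
# as root inside the image, so the integrity of every instance built from this
# template depends on that download. XSTOOLS_SHA256 is an optional environment
# variable introduced here: set it to the SHA-256 of a trusted copy of
# Linux.tar to have the download verified before anything is executed.
# Without it the previous behaviour (unverified install) is kept, with a
# warning on stderr.
#
# The work happens in a private temporary directory and in a subshell, so a
# failed download or extraction can no longer run install.sh from, or delete
# "Linux" in, the wrong directory, and the caller's working directory is
# untouched. As before, a failure here does not abort the rest of the script.
xstools_url=http://jenkins.openvm.eu/cloudstack/xstools65/Linux.tar
xstools_tmp=$(mktemp -d) || xstools_tmp=
if [ -n "$xstools_tmp" ]; then
  (
    cd "$xstools_tmp" || exit 1
    wget -q "$xstools_url" || exit 1
    if [ -n "${XSTOOLS_SHA256:-}" ]; then
      # sha256sum -c expects "<digest>  <file>" lines
      printf '%s  %s\n' "$XSTOOLS_SHA256" Linux.tar | sha256sum -c - > /dev/null || {
        echo "xs-tools: checksum mismatch, not installing" >&2
        exit 1
      }
    else
      echo "xs-tools: XSTOOLS_SHA256 not set, installing UNVERIFIED download" >&2
    fi
    tar xf Linux.tar && cd Linux && ./install.sh -d debian -m 8 -n
  ) || echo "xs-tools: download, verification or install failed" >&2
  rm -rf -- "$xstools_tmp"
else
  echo "xs-tools: could not create a temporary directory, skipping" >&2
fi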

# CLOUDSTACK

# Drop-in directory read by cloud-init; the numeric prefixes are kept as-is.
cloud_cfg_dir=/etc/cloud/cloud.cfg.d

# Restrict the datasource list to CloudStack.
cat > "$cloud_cfg_dir/99_cloudstack.cfg" << "EOF"
datasource:
  CloudStack: {}
  None: {}
datasource_list:
  - CloudStack
EOF

# Password authentication.
# SECURITY: this turns on SSH password logins for every instance built from
# this image, so the strength of the account password is what protects SSH.
cat > "$cloud_cfg_dir/80_pwauth.cfg" << "EOF"
ssh_pwauth: 1
EOF

# By default cloud-init locks the default user's password, which would make
# the CloudStack password feature useless; lock_passwd: False works around it.
# SECURITY: together with ssh_pwauth above, the "ubuntu" account is reachable
# over SSH with whatever password is set on it.
cat > "$cloud_cfg_dir/99_unlock.cfg" << "EOF"
system_info:
   # This will affect which distro class gets used
   distro: ubuntu
   # Default user name + that default users groups (if added/used)
   default_user:
     name: ubuntu
     lock_passwd: False
EOF


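# Set the password early from dhclient, before cloud-init gets to it.
#
# SECURITY: the hook asks whatever host DHCP reported as the server identifier
# for the password, over plain HTTP on port 8080. The password of the "ubuntu"
# account is therefore only as trustworthy as the DHCP/L2 segment the instance
# boots on; keep that network isolated from untrusted tenants.
#
# Changes inside the generated hook compared with the earlier version:
#   - expansions of the response and of the router address are quoted, so the
#     password is no longer word-split or glob-expanded by the shell;
#   - CR and LF are both stripped, keeping the value on one line so that a
#     multi-line response cannot add extra "user:password" records to the
#     input of chpasswd;
#   - printf replaces echo, which may interpret backslashes in the password.
cat << "EOF" > /etc/dhcp/dhclient-exit-hooks.d/cloudstack-passwd
#!/bin/sh

# Set user password from CloudStack virtual router


user="ubuntu"

vr="$new_dhcp_server_identifier"
logger="logger -s -p daemon.warn -t cloudstack-passwd"
# $logger and $grab hold a command plus its options and are expanded unquoted
# on purpose; everything else is quoted.
grab=""
if command -v wget > /dev/null; then
  grab="wget -q -t 3 -T 20 -O -"
elif command -v curl > /dev/null; then
  grab="curl -s --retry 3 -m 20"
fi

if [ -z "$vr" ]; then
    $logger "Unable to get virtual router address"
elif [ -z "$grab" ]; then
    $logger "Neither curl nor wget installed"
else
    # Grab password
    password=$($grab --header "DomU_Request: send_my_password" "${vr}:8080" || true)
    # Keep the value on a single line: drop CR and LF
    password=$(printf '%s' "$password" | tr -d '\r\n')
    case "$password" in
        saved_password)
            $logger "Password already set"
            ;;
        ""|bad_request)
            $logger "Incorrect answer from ${vr}"
            ;;
        *)
            printf '%s\n' "$user:$password" | chpasswd && \
                $grab --header "DomU_Request: saved_password" "${vr}:8080" > /dev/null || true
            ;;
    esac
fi

cloudstackpasswd_config () {
 :
}
cloudstackpasswd_restore () {
 :
}

:
EOF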


# Lock root's password. This blocks password-based logins as root only; it
# does not remove key-based access or expire the account.
usermod -L root


