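#!/usr/bin/env bash
#
# Velociraptor server installation + client config generator.
#
# What it does:
#   1. Skips install if velociraptor is already on PATH.
#   2. Downloads the defined release, generates a fresh server config,
#      builds the .deb, installs it via dpkg.
#   3. Pulls the CA cert + nonce out of the generated server config and
#      emits a matching client config pointing at this host's IP.
#
# Usage:
#   <script>                 full install, then print the client config
#   <script> --client-only   only rebuild and print the client config
#
# Optional environment:
#   VR_SHA256          Expected SHA-256 (hex) of the release binary. When set,
#                      the download is rejected on mismatch. When unset, the
#                      binary is installed unverified and a warning is shown.
#   VR_ADMIN_PASSWORD  Password for the "admin" GUI user. When unset, a random
#                      one is generated and saved (mode 0600) in the work dir.

set -euo pipefail

readonly VR_VERSION="0.75.6"
readonly VR_MINOR="0.75"
readonly VR_URL="https://github.com/Velocidex/velociraptor/releases/download/v${VR_MINOR}/velociraptor-v${VR_VERSION}-linux-amd64"
readonly WORK_DIR="${HOME}/velociraptor_setup"
readonly BIN="${WORK_DIR}/velociraptor"
readonly SERVER_CFG="${WORK_DIR}/server.config.yaml"
readonly CLIENT_CFG="${WORK_DIR}/client.config.yaml"
readonly ADMIN_PW_FILE="${WORK_DIR}/admin.password"

# Logging helpers: progress and info go to stdout, warnings and fatal
# errors go to stderr.
log()  { printf '[+] %s\n' "$*"; }
warn() { printf '[!] %s\n' "$*" >&2; }
info() { printf '[=] %s\n' "$*"; }
die()  { printf '[-] %s\n' "$*" >&2; exit 1; }

# Returns 0 when a `velociraptor` executable is already on PATH.
already_installed() {
  command -v velociraptor >/dev/null 2>&1
}

# Creates the work directory and makes it the current directory.
# The directory is restricted to the invoking user because it holds the
# generated server config and, possibly, the generated admin password.
prep_workdir() {
  log "Preparing ${WORK_DIR}"
  mkdir -p "${WORK_DIR}"
  chmod 700 "${WORK_DIR}"
  cd "${WORK_DIR}"
}

# Downloads the pinned release binary into the work directory.
# The file is fetched under a temporary name and only moved into place (and
# made executable) after the optional SHA-256 check, so a truncated or
# tampered download is never left behind as ${BIN}. This binary later builds
# a package that is installed as root, so setting VR_SHA256 is recommended.
fetch_binary() {
  local tmp="${BIN}.part"
  local expected="${VR_SHA256:-}"
  local actual

  log "Downloading Velociraptor v${VR_VERSION}"
  wget -q --show-progress -O "${tmp}" "${VR_URL}"

  if [[ -n "${expected}" ]]; then
    # Hash via stdin so sha256sum never has to escape the file name.
    actual="$(sha256sum < "${tmp}" | awk '{print $1}')"
    if [[ "${actual}" != "${expected,,}" ]]; then
      rm -f -- "${tmp}"
      die "SHA-256 mismatch for ${VR_URL} (got ${actual})"
    fi
    log "SHA-256 verified"
  else
    warn "VR_SHA256 is not set; the downloaded binary was NOT integrity-checked."
  fi

  mv -f -- "${tmp}" "${BIN}"
  chmod +x "${BIN}"
}

# Generates a fresh server config and opens the listener to the network.
generate_server_config() {
  log "Generating server configuration"
  "${BIN}" config generate > "${SERVER_CFG}"
  chmod 600 "${SERVER_CFG}"

  # Bind frontend to 0.0.0.0 so exploited endpoints can connect remotely.
  # NOTE(review): the expression is not scoped to the frontend section. It
  # rewrites every "bind_address: 127.0.0.1" line in the file, so any other
  # listener configured on loopback (presumably GUI/API; confirm against the
  # generated config) becomes reachable on all interfaces as well. Restrict
  # access with a host firewall if that is not intended.
  sed -i 's/bind_address: 127\.0\.0\.1/bind_address: 0.0.0.0/' "${SERVER_CFG}"
}

# Builds the server .deb in the current directory and installs it via dpkg.
# Expects the current directory to be ${WORK_DIR} (see prep_workdir).
install_server() {
  log "Building and installing server .deb (requires sudo)"
  "${BIN}" debian server --config "${SERVER_CFG}"

  # Pick the newest matching package with a glob rather than parsing `ls`.
  # Under `set -o pipefail`, a failing `ls | head` would abort the script
  # before the "not found" message below could be printed.
  local deb="" candidate
  for candidate in velociraptor-server-*.deb; do
    [[ -e "${candidate}" ]] || continue
    if [[ -z "${deb}" || "${candidate}" -nt "${deb}" ]]; then
      deb="${candidate}"
    fi
  done
  [[ -n "${deb}" ]] || die "Could not find generated .deb file"

  sudo dpkg -i "./${deb}"
}

# Prints the service status; a non-zero status is tolerated on purpose so a
# stopped service does not abort the rest of the run.
show_status() {
  printf "\n\n"
  systemctl status velociraptor_server.service --no-pager || true
}

# Creates the "admin" GUI user with the administrator role and restarts the
# service. The password comes from VR_ADMIN_PASSWORD or is generated randomly;
# a fixed, guessable password is not used because the sed edit in
# generate_server_config may expose more than the frontend to the network.
create_admin_user() {
  local password="${VR_ADMIN_PASSWORD:-}"

  if [[ -z "${password}" ]]; then
    # 16 random bytes rendered as 32 hex characters.
    password="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    [[ -n "${password}" ]] || die "Could not generate an admin password"
    (
      umask 077
      rm -f -- "${ADMIN_PW_FILE}"
      printf '%s\n' "${password}" > "${ADMIN_PW_FILE}"
    )
    log "Generated admin password saved to ${ADMIN_PW_FILE}"
  fi

  # A leading '-' would be parsed as a command-line flag rather than a value.
  [[ "${password}" != -* ]] || die "VR_ADMIN_PASSWORD must not start with '-'"

  log "Adding admin user. This requires sudo."
  # NOTE: the password is passed as an argument and is therefore briefly
  # visible in the process list to other local users.
  sudo -u velociraptor /usr/local/bin/velociraptor \
    --config /etc/velociraptor/server.config.yaml \
    user add admin "${password}" --role administrator

  # Restarting a system unit needs privileges, like the dpkg step above.
  sudo systemctl restart velociraptor_server.service
}

# Extract the Client: block verbatim from the server config.
# (server_urls, ca_certificate, nonce, writeback paths, etc.)
build_client_config() {
  log "Building client configuration"

  [[ -r "${SERVER_CFG}" ]] \
    || die "Server config not found at ${SERVER_CFG}; run a full install first"

  local local_ip
  local_ip="$(hostname -I | awk '{print $1}')"  # Just first IP
  [[ -n "${local_ip}" ]] || die "Could not determine local IP"

  # Extract the Client: block from server config.
  # Everything from "Client:" until the next top-level key (non-indented line).
  awk '
    /^Client:/               { in_block = 1; print; next }
    in_block && /^[A-Za-z]/  { in_block = 0 }
    in_block                 { print }
  ' "${SERVER_CFG}" > "${CLIENT_CFG}"

  [[ -s "${CLIENT_CFG}" ]] || die "No Client: block found in ${SERVER_CFG}"

  # Replace localhost with actual IP
  sed -i "s|https://localhost:8000/|https://${local_ip}:8000/|" "${CLIENT_CFG}"
}

# Prints the generated client config between marker lines.
# The output includes the CA certificate and the enrollment nonce, so avoid
# pasting it into shared logs or tickets.
show_client_config() {
  printf '\n\n'
  echo "========== START OF CLIENT CONFIG =========="
  cat "${CLIENT_CFG}"
  echo "=========== END OF CLIENT CONFIG ==========="
  info "On Windows targets, install at: C:\\Program Files\\Velociraptor\\client.config.yaml"
}

# Entry point. With --client-only, only the client config is rebuilt from an
# existing server config; otherwise the full install runs unless velociraptor
# is already present on PATH.
main() {
  if [[ "${1:-}" == "--client-only" ]]; then
    prep_workdir
    build_client_config
    show_client_config
    return
  fi

  if already_installed; then
    warn "Velociraptor is already installed. Skipping install steps."
    warn "Run with --client-only to output a configuration."
    exit 0
  fi

  prep_workdir
  fetch_binary
  generate_server_config
  install_server
  create_admin_user
  show_status
  build_client_config
  show_client_config
}

main "$@"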