#!/usr/bin/env bash
# Installation OpenCanary version TEST (mode local — pas de forward UniSOC).
# Pour la version production avec mTLS forward, utiliser /backend/honeypot/provisioning/install.sh
#
# Usage sur la VM :
#   curl -sL https://client.unisoc.fr/downloads/honeypot/install-test.sh | bash
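set -euo pipefail

readonly LOG=/var/log/unisoc-canary-install.log
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly CANARY_HOME=/opt/opencanary
# OpenCanary looks for its config at ./opencanary.conf, ~/.opencanary.conf and
# /etc/opencanaryd/opencanary.conf; the previous /etc/opencanary/opencanaryd.conf
# was outside that search path, so the daemon never saw the banners below.
readonly CANARY_CONF_DIR=/etc/opencanaryd
readonly CANARY_CONF="$CANARY_CONF_DIR/opencanary.conf"
readonly CANARY_LOG_DIR=/var/log/opencanary
readonly CANARY_UNIT=/etc/systemd/system/opencanary.service
# Hostname baked into the device node id; falls back when HOSTNAME is unset.
readonly HOSTNAME_FAKE="${HOSTNAME:-srvdomaine}"

#######################################
# Print an error on stderr and abort the install.
# Arguments: message words
#######################################
die() {
  printf 'ERREUR : %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort unless running as uid 0 (apt, /etc and systemd writes need it).
#######################################
require_root() {
  [[ "$(id -u)" -eq 0 ]] || die "exécuter en root (sudo bash)"
}

#######################################
# 1. Install build/runtime dependencies non-interactively.
# Globals: DEBIAN_FRONTEND (exported)
#######################################
install_deps() {
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get install -y --no-install-recommends \
    python3 python3-pip python3-venv python3-pyasn1-modules \
    rsyslog libssl-dev libffi-dev build-essential \
    curl jq ca-certificates iproute2
}

#######################################
# 2. Move the real sshd to port 2222 so OpenCanary can own port 22.
# Globals: SSHD_CONFIG (read/written)
# Returns: 0; dies if the rewritten sshd_config fails validation
#######################################
move_admin_ssh() {
  # Match both the commented default and an explicit "Port 22": rewriting only
  # the commented form leaves sshd on 22 *and* 2222 and OpenCanary's bind fails.
  if grep -Eq '^#?Port 22$' "$SSHD_CONFIG"; then
    sed -i -E 's/^#?Port 22$/Port 2222/' "$SSHD_CONFIG"
  elif ! grep -Eq '^Port 2222([[:space:]]|$)' "$SSHD_CONFIG"; then
    echo "Port 2222" >> "$SSHD_CONFIG"
  fi
  # NOTE(review): drop-ins under /etc/ssh/sshd_config.d/ and systemd socket
  # activation (ssh.socket) can override a Port set here — confirm on the image.
  # Never restart sshd on a config it rejects: this session is the only way in.
  if command -v sshd >/dev/null; then
    sshd -t || die "sshd_config invalide après modification, sshd non redémarré"
  fi
  # Best effort, as before: a failed restart keeps the running sshd (and port 22).
  systemctl restart ssh \
    || printf 'AVERTISSEMENT : systemctl restart ssh a échoué, vérifier manuellement\n' >&2
  echo "  → SSH admin déplacé sur port 2222 (le 22 sera OpenCanary)"
}

#######################################
# 3. Create the unprivileged service account if it does not exist.
#######################################
create_user() {
  if ! id -u opencanary >/dev/null 2>&1; then
    useradd --system --create-home --shell /bin/false opencanary
  fi
}

#######################################
# 4. Install OpenCanary into a dedicated venv.
# Globals: CANARY_HOME (read)
#######################################
install_opencanary() {
  mkdir -p "$CANARY_HOME"
  python3 -m venv "$CANARY_HOME/venv"
  "$CANARY_HOME/venv/bin/pip" install --upgrade pip --quiet
  # TODO(review): versions are unpinned — pin (ideally hash-pin) these packages
  # before reusing this script outside a throwaway TEST VM.
  "$CANARY_HOME/venv/bin/pip" install --quiet opencanary scapy pcapy-ng
}

#######################################
# 5. Write the OpenCanary config (fake DC + file server banners).
# Globals: CANARY_CONF_DIR, CANARY_CONF, CANARY_LOG_DIR, HOSTNAME_FAKE (read)
# Returns: 0; dies if the generated file is not valid JSON
#######################################
write_config() {
  mkdir -p "$CANARY_CONF_DIR" "$CANARY_LOG_DIR"
  # NOTE(review): OpenCanary's smb module is documented as relying on a Samba
  # audit log rather than binding 445 itself — confirm 445 really listens.
  cat > "$CANARY_CONF" <<EOF
{
    "device.node_id": "unisoc-canary-${HOSTNAME_FAKE}",
    "ip.ignorelist": [],
    "git.enabled": false,
    "ftp.enabled": true,
    "ftp.port": 21,
    "ftp.banner": "FTP server ready.",
    "http.enabled": true,
    "http.port": 80,
    "http.banner": "Microsoft-IIS/10.0",
    "http.skin": "nasLogin",
    "https.enabled": false,
    "ssh.enabled": true,
    "ssh.port": 22,
    "ssh.version": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "smb.enabled": true,
    "smb.netbiosname": "SRVDOMAINE",
    "smb.serverstring": "srvdomaine corp.local PDC",
    "telnet.enabled": true,
    "telnet.port": 23,
    "telnet.banner": "Welcome to srvdomaine",
    "mysql.enabled": true,
    "mysql.port": 3306,
    "mssql.enabled": true,
    "mssql.port": 1433,
    "redis.enabled": true,
    "redis.port": 6379,
    "vnc.enabled": true,
    "vnc.port": 5900,
    "snmp.enabled": false,
    "logger": {
        "class": "PyLogger",
        "kwargs": {
            "handlers": {
                "console": {
                    "class": "logging.StreamHandler",
                    "stream": "ext://sys.stdout"
                },
                "file": {
                    "class": "logging.FileHandler",
                    "filename": "/var/log/opencanary/opencanary.log"
                }
            }
        }
    }
}
EOF
  # The node id is interpolated straight into JSON; reject a file that does
  # not parse rather than letting the service crash-loop on it.
  jq empty "$CANARY_CONF" || die "$CANARY_CONF n'est pas du JSON valide"
  # Config is root-owned and read-only for the service account: the honeypot
  # process must not be able to rewrite what it advertises or where it logs.
  chown -R root:opencanary "$CANARY_CONF_DIR"
  chmod 0750 "$CANARY_CONF_DIR"
  chmod 0640 "$CANARY_CONF"
  chown -R opencanary:opencanary "$CANARY_LOG_DIR"
}

#######################################
# 6. Write the hardened systemd unit (unprivileged user, read-only system).
# Globals: CANARY_UNIT (written)
#######################################
write_unit() {
  cat > "$CANARY_UNIT" <<'EOF'
[Unit]
Description=UniSOC OpenCanary Honeypot (TEST mode)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=opencanary
Group=opencanary
ExecStart=/opt/opencanary/venv/bin/opencanaryd --dev
Restart=always
RestartSec=10
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/log/opencanary
PrivateTmp=true
# Binding 21/22/23/80 as a non-root user needs exactly this capability;
# the bounding set makes sure it is the only one the process can ever hold.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# 7. Enable and start the service, then fail loudly if it is not running.
#######################################
start_service() {
  systemctl daemon-reload
  systemctl enable --now opencanary
  sleep 3
  # Previously `systemctl status | head` under pipefail killed the script
  # silently when the service was down; check the state explicitly instead.
  systemctl is-active --quiet opencanary \
    || die "le service opencanary n'est pas actif (voir journalctl -u opencanary)"
  echo
  echo "[+] Service status :"
  systemctl status opencanary --no-pager -l | head -20 || true
}

#######################################
# Print listening ports, recent logs and the final summary.
# Globals: CANARY_LOG_DIR, HOSTNAME_FAKE (read)
#######################################
print_summary() {
  echo
  echo "[+] Ports en écoute :"
  # Anchor on a trailing separator so :21 does not also match :2121 etc.
  ss -tlnp 2>/dev/null \
    | grep -E ':(21|22|23|80|445|1433|3306|5900|6379|2222)[[:space:]]' \
    | head -15 || true

  echo
  echo "[+] Logs récents :"
  tail -10 "$CANARY_LOG_DIR/opencanary.log" 2>/dev/null || echo "  (pas encore de logs)"

  echo
  echo "==================================================="
  echo "[$(date -u +%FT%TZ)] OpenCanary TEST installé avec succès"
  echo "Hostname : $HOSTNAME_FAKE"
  echo "SSH admin : port 2222 (login root + ton mdp Debian)"
  echo "OpenCanary écoute : 21 (FTP) 22 (SSH) 23 (Telnet) 80 (HTTP)"
  echo "                    445 (SMB) 1433 (MSSQL) 3306 (MySQL)"
  echo "                    5900 (VNC) 6379 (Redis)"
  echo
  echo "Logs : /var/log/opencanary/opencanary.log"
  echo "Status : systemctl status opencanary"
  echo "==================================================="
}

main() {
  require_root
  # Mirror everything to the install log; exec redirections persist shell-wide.
  exec > >(tee -a "$LOG") 2>&1
  echo "[$(date -u +%FT%TZ)] === UniSOC Canary TEST install start ==="
  install_deps
  move_admin_ssh
  create_user
  install_opencanary
  write_config
  write_unit
  start_service
  print_summary
}

main "$@"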
