emergency-access/install.sh

#!/bin/bash

# Emergency Access Server Installation Script
# Run as root or with sudo

set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Configuration
SERVICE_USER="emergency-access"
SERVICE_GROUP="emergency-access"
INSTALL_DIR="/opt/emergency-access"
CONFIG_DIR="/etc/emergency-access"
LOG_FILE="/var/log/emergency-access.log"
SERVICE_FILE="/etc/systemd/system/emergency-access.service"

print_status() {
    echo -e "${GREEN}[INFO]${NC} $1"
}

print_warning() {
    echo -e "${YELLOW}[WARNING]${NC} $1"
}

print_error() {
    echo -e "${RED}[ERROR]${NC} $1"
}

check_root() {
    if [[ $EUID -ne 0 ]]; then
        print_error "This script must be run as root"
        exit 1
    fi
}

install_dependencies() {
    print_status "Installing system dependencies..."

    # Detect package manager
    if command -v apt-get &> /dev/null; then
        apt-get update
        apt-get install -y python3 python3-pip python3-venv
    elif command -v yum &> /dev/null; then
        yum install -y python3 python3-pip
        # python3-venv not available in CentOS/RHEL, use built-in venv
    elif command -v dnf &> /dev/null; then
        dnf install -y python3 python3-pip
        # python3-venv not needed in newer Fedora, venv is built-in
    elif command -v pacman &> /dev/null; then
        pacman -S --noconfirm python python-pip
        # venv is built into Python 3.3+
    else
        print_error "Unsupported package manager. Please install Python 3 and pip manually."
        exit 1
    fi
}

create_user() {
    print_status "Creating service user and group..."

    if ! getent group "$SERVICE_GROUP" > /dev/null 2>&1; then
        groupadd --system "$SERVICE_GROUP"
        print_status "Created group: $SERVICE_GROUP"
    else
        print_warning "Group $SERVICE_GROUP already exists"
    fi

    if ! getent passwd "$SERVICE_USER" > /dev/null 2>&1; then
        useradd --system --gid "$SERVICE_GROUP" --home-dir "$INSTALL_DIR" \
                --shell /bin/false --comment "Emergency Access Service" "$SERVICE_USER"
        print_status "Created user: $SERVICE_USER"
    else
        print_warning "User $SERVICE_USER already exists"
    fi
}

setup_directories() {
    print_status "Setting up directories..."

    # Create installation directory
    mkdir -p "$INSTALL_DIR"
    mkdir -p "$CONFIG_DIR"

    # Set ownership
    chown "$SERVICE_USER:$SERVICE_GROUP" "$INSTALL_DIR"
    chown "$SERVICE_USER:$SERVICE_GROUP" "$CONFIG_DIR"

    # Set permissions
    chmod 755 "$INSTALL_DIR"
    chmod 750 "$CONFIG_DIR"  # More restrictive for config

    print_status "Created directories with proper permissions"
}

install_application() {
    print_status "Installing application files..."

    # Copy application files
    cp main.py "$INSTALL_DIR/"
    cp config.py "$INSTALL_DIR/"
    cp requirements.txt "$INSTALL_DIR/"

    # Copy key management scripts
    if [[ -f "add_key.py" ]]; then
        cp add_key.py "$INSTALL_DIR/"
        chmod 755 "$INSTALL_DIR/add_key.py"
        print_status "Installed key addition script"
    fi

    if [[ -f "manage_keys.py" ]]; then
        cp manage_keys.py "$INSTALL_DIR/"
        chmod 755 "$INSTALL_DIR/manage_keys.py"
        print_status "Installed key management script"
    fi

    if [[ -f "generate_passwords.py" ]]; then
        cp generate_passwords.py "$INSTALL_DIR/"
        chmod 755 "$INSTALL_DIR/generate_passwords.py"
        print_status "Installed password generation script"
    fi

    # Copy example config if config doesn't exist
    if [[ ! -f "$CONFIG_DIR/config.json" ]]; then
        cp config.json.example "$CONFIG_DIR/config.json"
        print_status "Copied example configuration to $CONFIG_DIR/config.json"
        print_warning "Please edit $CONFIG_DIR/config.json with your backend names and authentication credentials"
    else
        print_warning "Configuration file already exists, skipping copy"
    fi

    # Copy ntfy config if it doesn't exist
    if [[ ! -f "$CONFIG_DIR/ntfy.yml" ]]; then
        cp ntfy.yml "$CONFIG_DIR/"
        print_status "Copied example ntfy configuration to $CONFIG_DIR/ntfy.yml"
        print_warning "Please edit $CONFIG_DIR/ntfy.yml with your notification backends"
    else
        print_warning "ntfy configuration file already exists, skipping copy"
    fi

    # Set permissions
    chown -R "$SERVICE_USER:$SERVICE_GROUP" "$INSTALL_DIR"
    chown "$SERVICE_USER:$SERVICE_GROUP" "$CONFIG_DIR/config.json"
    chown "$SERVICE_USER:$SERVICE_GROUP" "$CONFIG_DIR/ntfy.yml"

    chmod 644 "$INSTALL_DIR"/*.py
    chmod 644 "$INSTALL_DIR/requirements.txt"
    chmod 640 "$CONFIG_DIR/config.json"  # Restrictive permissions for config
    chmod 640 "$CONFIG_DIR/ntfy.yml"     # Restrictive permissions for ntfy config
}

setup_python_environment() {
    print_status "Setting up Python virtual environment..."

    # Test if venv module is available
    if ! python3 -m venv --help > /dev/null 2>&1; then
        print_error "Python venv module not available. Please install python3-venv or equivalent."
        print_error "On Ubuntu/Debian: sudo apt install python3-venv"
        print_error "On CentOS/RHEL: venv is built-in with Python 3.3+"
        exit 1
    fi

    # Create virtual environment
    sudo -u "$SERVICE_USER" python3 -m venv "$INSTALL_DIR/venv"

    # Install dependencies
    sudo -u "$SERVICE_USER" "$INSTALL_DIR/venv/bin/pip" install --upgrade pip
    sudo -u "$SERVICE_USER" "$INSTALL_DIR/venv/bin/pip" install -r "$INSTALL_DIR/requirements.txt"

    print_status "Python environment setup complete"
}

setup_logging() {
    print_status "Setting up logging..."

    # Create log file
    touch "$LOG_FILE"
    chown "$SERVICE_USER:$SERVICE_GROUP" "$LOG_FILE"
    chmod 644 "$LOG_FILE"

    # Setup log rotation
    cat > /etc/logrotate.d/emergency-access << EOF
$LOG_FILE {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 644 $SERVICE_USER $SERVICE_GROUP
    postrotate
        systemctl reload emergency-access.service > /dev/null 2>&1 || true
    endscript
}
EOF

    print_status "Logging configuration complete"
}

install_systemd_service() {
    print_status "Installing systemd service..."

    # Copy service file
    cp emergency-access.service "$SERVICE_FILE"

    # Reload systemd
    systemctl daemon-reload

    print_status "Systemd service installed"
}

create_example_files() {
    print_status "Creating example key and dummy files..."

    # Create example key file
    if [[ ! -f "$CONFIG_DIR/key-part.txt" ]]; then
        echo "EXAMPLE_KEY_PART_$(openssl rand -hex 16)" > "$CONFIG_DIR/key-part.txt"
        chown "$SERVICE_USER:$SERVICE_GROUP" "$CONFIG_DIR/key-part.txt"
        chmod 600 "$CONFIG_DIR/key-part.txt"
        print_status "Created example key file: $CONFIG_DIR/key-part.txt"
        print_warning "Replace this with your actual key part!"
    fi

    # Create dummy file
    if [[ ! -f "$CONFIG_DIR/dummy.txt" ]]; then
        echo "system_healthy_$(date +%s)" > "$CONFIG_DIR/dummy.txt"
        chown "$SERVICE_USER:$SERVICE_GROUP" "$CONFIG_DIR/dummy.txt"
        chmod 644 "$CONFIG_DIR/dummy.txt"
        print_status "Created dummy file: $CONFIG_DIR/dummy.txt"
    fi
}



print_final_instructions() {
    print_status "Installation complete!"
    echo
    print_warning "IMPORTANT: Before starting the service:"
    echo "1. Edit $CONFIG_DIR/config.json with your backend names and authentication credentials"
    echo "2. Edit $CONFIG_DIR/ntfy.yml with your notification backend configurations"
    echo "3. Create key files for each configured key (e.g., backup-key.txt, master-key.txt)"
    echo "4. Use generate_passwords.py to create secure authentication credentials"
    echo "5. Test the configuration"
    echo
    print_status "Service management commands:"
    echo "  Start service:    sudo systemctl start emergency-access"
    echo "  Enable at boot:   sudo systemctl enable emergency-access"
    echo "  Check status:     sudo systemctl status emergency-access"
    echo "  View logs:        sudo journalctl -u emergency-access -f"
    echo "  View log file:    sudo tail -f $LOG_FILE"
    echo
    print_status "Configuration files:"
    echo "  Service config:   $CONFIG_DIR/config.json"
    echo "  ntfy config:      $CONFIG_DIR/ntfy.yml"
    echo "  Key files:        $CONFIG_DIR/[key-name]-key.txt (create as configured)"
    echo ""
    print_status "Key management tools:"
    echo "  Generate passwords: cd $INSTALL_DIR && python generate_passwords.py --keys backup master"
    echo "  Add new key:        cd $INSTALL_DIR && python add_key.py --interactive"
    echo "  Manage keys:        cd $INSTALL_DIR && python manage_keys.py --list-files"
    echo "  Test key access:    cd $INSTALL_DIR && python manage_keys.py --test-key KEY_ID"
    echo "  Dummy file:         $CONFIG_DIR/dummy.txt"
    echo "  Log file:           $LOG_FILE"
    echo
    print_warning "Security note: This server provides access to sensitive key material."
    print_warning "Ensure proper network security and monitoring are in place."
}

main() {
    print_status "Starting Emergency Access Server installation..."

    check_root
    install_dependencies
    create_user
    setup_directories
    install_application
    setup_python_environment
    setup_logging
    install_systemd_service
    create_example_files
    print_final_instructions

    print_status "Installation completed successfully!"
}

# Run main function
main "$@"