#!/bin/bash
# Automated setup script for XSS Canary Callback server

# Define color variables
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

# Print header banner without [+] in the logo
echo -e "${BLUE}"
echo "=============================================="
echo "       XSS Canary Callback Server Setup      "
echo "=============================================="
echo -e "${NC}"

# Ensure script is run as root
if [[ $EUID -ne 0 ]]; then
  echo -e "${RED}[!] This script must be run as root. Try: sudo $0${NC}"
  exit 1
fi

# Check for proper arguments: <callback_domain> <email>
if [ "$#" -ne 2 ]; then
  echo -e "${YELLOW}[+] Usage: $0 <callback_domain> <email>${NC}"
  exit 1
fi

# Prompt user to confirm running on a dedicated server
read -p "Are you running this script on a dedicated server? (y/n): " response
if [[ "$response" != "y" && "$response" != "Y" ]]; then
  echo -e "${RED}[!] Please run this script on a dedicated server. Exiting...${NC}"
  exit 1
fi

CALLBACK_DOMAIN="$1"
EMAIL="$2"

echo -e "${GREEN}[+] Creating /var/www if it doesn't exist...${NC}"
mkdir -p /var/www

echo -e "${GREEN}[+] Updating package lists and installing dependencies...${NC}"
apt-get update && apt-get install -y certbot git authbind openssl python3-pip python3-venv

# Define repository path
REPO_DIR="/var/www/XSS-Canary-Callback"

# Clone the repository if it doesn't already exist
if [ ! -d "$REPO_DIR" ]; then
  echo -e "${GREEN}[+] Cloning the repository...${NC}"
  cd /var/www || exit
  git clone https://github.com/ACK-J/XSS-Canary-Callback.git
  chown -R www-data:www-data XSS-Canary-Callback
else
  echo -e "${YELLOW}[+] Repository already exists at ${REPO_DIR}; skipping clone.${NC}"
fi

# Create the virtual environment inside the repository directory
VENV_DIR="${REPO_DIR}/venv"
echo -e "${GREEN}[+] Setting up Python virtual environment in ${VENV_DIR}...${NC}"
if [ ! -d "$VENV_DIR" ]; then
    python3 -m venv "$VENV_DIR"
fi

echo -e "${GREEN}[+] Activating virtual environment and installing Python dependencies...${NC}"
source "$VENV_DIR/bin/activate"
pip install --upgrade pip
pip install -r "$REPO_DIR/requirements.txt"
deactivate

echo -e "${GREEN}[+] Obtaining SSL certificate for ${CALLBACK_DOMAIN}...${NC}"
# Post-hook: adjust ownership and permissions on certificate archive files and live symlinks,
# and ensure directories are traversable.
certbot certonly --standalone --agree-tos --non-interactive --no-eff-email \
  --email "$EMAIL" --preferred-challenges http -d "$CALLBACK_DOMAIN" \
  --post-hook="chown -R root:www-data /etc/letsencrypt/ && chmod -R 750 /etc/letsencrypt/"

echo -e "${GREEN}[+] Generating secure dashboard password...${NC}"
DASHBOARD_PASSWORD=$(openssl rand -base64 32)
# Make the dashboard password output more prominent
echo -e "${YELLOW}"
echo "=============================================="
echo "   DASHBOARD PASSWORD: ${DASHBOARD_PASSWORD}"
echo "=============================================="
echo -e "${NC}"
echo -e "${YELLOW}[+] Make sure to store this password in a password manager!${NC}"

# Granting any user access to bind to ports 80 and 443
echo -e "${GREEN}[+] Configuring authbind for ports 80 and 443...${NC}"
touch /etc/authbind/byport/80
touch /etc/authbind/byport/443
chown root:www-data /etc/authbind/byport/80
chown root:www-data /etc/authbind/byport/443
chmod 770 /etc/authbind/byport/80
chmod 770 /etc/authbind/byport/443

GUNICORN="${VENV_DIR}/bin/gunicorn"

echo -e "${GREEN}[+] Creating systemd service file...${NC}"
cat > /etc/systemd/system/xsscanary.service <<EOF
[Unit]
Description=XSS Canary Gunicorn Service
After=network.target

[Service]
User=www-data
Group=www-data
WorkingDirectory=${REPO_DIR}
Environment="DASHBOARD_PASSWORD=${DASHBOARD_PASSWORD}"
ExecStart=authbind --deep ${GUNICORN} --bind 0.0.0.0:443 \\
  --certfile=/etc/letsencrypt/live/${CALLBACK_DOMAIN}/fullchain.pem \\
  --keyfile=/etc/letsencrypt/live/${CALLBACK_DOMAIN}/privkey.pem \\
  --workers 4 \\
  app:app
Restart=always

[Install]
WantedBy=multi-user.target
EOF

echo -e "${GREEN}[+] Reloading systemd daemon...${NC}"
systemctl daemon-reload

echo -e "${GREEN}[+] Enabling and starting xsscanary service...${NC}"
systemctl stop xsscanary.service
systemctl enable xsscanary.service
systemctl start xsscanary.service

echo
echo -e "${BLUE}[+] Setup complete. To check the service status, run:${NC}"
echo -e "${BLUE}[+]   sudo systemctl status xsscanary.service${NC}"
echo -e "${BLUE}[+]   sudo journalctl -u xsscanary.service -xe${NC}"
echo
echo -e "${GREEN}[+] You should now be able to access https://${CALLBACK_DOMAIN}/ in your browser.${NC}"