Untitled

#!/bin/bash
AVDC_STEP=

#Check if root, if else let the user login as root.
if [[ $EUID -ne 0 ]] ; then
    sudo su root
fi

#Check if this has already been executed
if [[ 130 -gt $AVDC_STEP ]] || [ -z ${AVDC_STEP+x} ] ; then
#Copy this script to a location. To sustain reboots until the script has finished running.
mkdir -p /etc/avorix/
cd "$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" || exit
cp "$0" /etc/avorix/avdc_install.sh
chmod +x /etc/avorix/avdc_install.sh
#touch /etc/avorix/avdc_install_variables.sh
#echo '#!/bin/bash' >> /etc/avorix/avdc_install_variables.sh
#chmod +x /etc/avorix/avdc_install_variables.sh
fi

###########################################################
#                Avorix Domain Controller                 #
###########################################################
#
# This is currently in development!
# I recommend to execute this script per command in
# a CLEAN RASPBIAN installation!
#
# The Avorix Domain Controller uses SAMBA, NTP, DHCPD to
# mimic Microsoft Active Directory Domain Services
# (MS ADDS) on Raspberry Pi's running Raspbian while
# keeping it's configuration on a USB-memory device.
#
# This allows us to manage computers, users, shares,
# and policies using the RSAT-tools.
#
# This script was built upon best practices and experiences.
# ~ Rik Heijmann

###########################################################
#                     Development notes!                  #
###########################################################
#
# 1. Don't use multiple tabs! Just 1 to seperate the first
#    if/else statements. Or it will trigger output similar
#    to the "ls"-command and skip the next characters.
#    Note that "cat"-commands to write text are not
#    affected by this problem.
#

###########################################################
#                       Versions                          #
###########################################################
DC_SCRIPT_VERSION="1.0-RC9"
DC_RELEASE_DATE="25-12-2017"
# Major update: Can break your current installation.
# Minor update: Will not break your current installation.
#
# 1.0: First release.


###########################################################
#                         To Do                           #
###########################################################
# - Make this script work with CentOS and Ubuntu.
# - Integrate a GUI for configuration.
# - Automaticly detect removable storage.
# - Find a way to make AUDITD to work.
# - Make the SELinux rules portable.
# - Integrate Nitrobit Update Server for distributing Windows Updates.
# - PXE: Set the permissions on the "users"-share automaticly.

###########################################################
#                       Summary                           #
###########################################################
# 1. The configuration fase.
# 1.1. Settings.
# 1.2. System Specific Variables.
# 1.2.1. System Specific Variables for Raspbian.
# 1.2.2. System Specific Variables for CentOS.
# 1.3. Check the configuration.
# 1.4. Show a summary of the settings.

# 2. The fase of compatibility.
# 2.1. Test the internet connection.
# 2.2. Update the complete system.
# 2.3. (Optional) Configure USBmount.
# 2.4. Build the Location-Of-Important-Files directorystructure.

# 3. The fase of installation
# 3.1. (Optional) Install & Temporarely disable SELinux.
# 3.2. Install the main components.
# 3.3. Configure the timezone.
# 3.4. Configure the hosts file.
# 3.5. Change the hostname.
# 3.6. Configure a static IP-address.
#! As of the above all the other steps are being treated as if is no internet connection
# 3.7. Configure the NTP-server.
# 3.8. Configure the Domain Controller.

# 4. The fase of adaption
# 4.1. (Optional) Configure SSH.
# 4.2. (Optional) Configure the DHCP-server.
# 4.3. (Optional) Configure the PXE-server.
# 4.4. (Optional) Configure SELinux.
# 4.5. (Optional) Configure automatic security updates.
# 4.6. (Optional) Test & Enable the Firewall.
# 4.7. Configure log in/out messages and EULA.

# 5. The fase of finishing up.
# 5.1. Log the current installation.
# 5.2. Display a summary of the installation.


###########################################################
#                                                         #
# 1.             The configuration fase                   #
#                                                         #
###########################################################

###########################################################
# 1.1.                 Settings                           #
###########################################################
# All these settings are important!
# Make sure that everything is setup correctly.

#Operating system:
OS=RASPBIAN
#1: RASPBIAN: Raspbian: Debian Stretch
#Not working yet ! 2: CENTOS7: CentOS 7

#Script settings: Set to 1 to enable.
SKIP_BEGINNING_SUMMARY=1 #Set this to 1 to fully automate the script.
SKIP_END_SUMMARY=1 #Set this to 1 to fully automate the script.
SKIP_INSTALLATION_CHECK=1 #Set this to 1 to disable checking if the packages are correctly installed.
SKIP_SERVICES_CHECK=1 #Set this to 1 to disable checking if the services work.
BRANDING=1 #RECOMMENDED! Configures log-in/out messages with an EULA. Might need some of your own customization as it probably does not represent the complete environment and law of the server.

#Storage Settings
CENTRALIZED_STORAGE=0 #Enable this to save al configuration files in 1 place.
    LOCATION_OF_IMPORTANT_FILES=/media/usb1 #Will only work if PORTABLE_CONFIGURATION is set to 0.
    #Portable Config is not working yet!
    PORTABLE_CONFIGURATION=0 #Store the configuration and the databases files on a removable drive. Will include scripts to automaticly detect the removable drive.
    BACKUP_LOIP=0 #Set this to 1 to automaticly backup the users and groups.
    BACKUP_LOIP_TIMING="0 2 * * *" #Enter here using the CRON-format at which time a backup should be made.
    # Quick CRON tutorial:
    # Every day at 2AM: 0 2 * * *
    # Every first day of the month at 2AM: 0 2 1 * *
    BACKUP_LOIP_DESTINATION="$LOCATION_OF_IMPORTANT_FILES/Backup/"

#Network Settings
IP_ADDRESS=192.168.192.40
SUBNETMASKBITS=24
GATEWAY=192.168.192.168
DNSSERVER1=127.0.0.1
DNSSERVER2=192.168.192.168

#Time Settings
REGION=Europe
TIMEZONE=Amsterdam
NTPSERVER1=0.pool.ntp.org
NTPSERVER2=1.pool.ntp.org
NTPSERVER3=2.pool.ntp.org

#Domain Controller Settings
#Not Working yet! JOIN_A_DOMAIN=0 #Set this to 1 to join a domain. Leave it to 0 to create a domain. Installing replication for DHCP, PXE, the GPO's and other functions will be done using a different script, that is still in development.

#Before you begin, please take a look at: https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ
FQDN=D.local #This is your domain name.
#EXTENSION=.local
NBIOS=D
 #This is the second level domain name capitalized.
DCNAME=DC
BACKUP_DC=1 #Set this to 1 to automaticly backup the users and groups.
    BACKUP_DC_TIMING="0 2 * * *" #Enter here using the CRON-format at which time a backup should be made.
    # Quick CRON tutorial:
    # Every day at 2AM: 0 2 * * *
    # Every first day of the month at 2AM: 0 2 1 * *
    BACKUP_DC_DESTINATION="$LOCATION_OF_IMPORTANT_FILES/SAMBA/Backup/"

#Note please only use Alpha-Numeric passwords. Special characters will cause problems.
ADMINPWD='P4ssw0rd' #This is the password of the Active Directory "Administrator"-account.

#Security Functions: Set to 1 to enable.
FIREWALL=1 #RECOMMENDED! Enables the built-in firewall and adds support for the selected functions.
ANTIVIRUS=1 #RECOMMENDED! Installs ClamAV antivirus to scan through your shares.
SELINUX=1 #RECOMMENDED! Enables SELINUX (Will first start permissive and collect data. The next day that data will be used to create a policy)
AUTOMATIC_SECURITY_UPDATES=1 #RECOMMENDED! Will daily check for security updates.

#Additional Modules: Set to 1 to enable.
WEBMIN=0
    WEBMIN_VERSION=1.840
DHCP_SERVER=0 #Enable this only if you know that this is needed.
    DHCP_SUBNET=192.168.192.0
    DHCP_SUBNETMASK=255.255.255.0
    DHCP_BROADCASTADDRESS=192.168.192.255
    DHCP_GATEWAY=$GATEWAY
    DHCP_DNSSERVER1=$IP_ADDRESS #By using $IP_ADDRESS the DHCP server will instruct new clients to use the DNS-server of this Domain controller.
    DHCP_DNSSERVER2=$DNSSERVER2 #By using $DNSSERVER2 the DHCP server will instruct new clients to use the second preferred DNS-server of this Domain controller. Which in most cases is the router or the DNS-server provided by the internet provider..
    DHCP_NETBIOSSERVER=$IP_ADDRESS
    DHCP_NTPSERVER1=$IP_ADDRESS
    DHCP_NTPSERVER2=0.pool.ntp.org
    DHCP_MAX_LEASE_TIME=1800
    DHCP_FIRST_IP_ADDRESS=192.168.192.10
    DHCP_LAST_IP_ADDRESS=192.168.192.200

    PXE_SERVER=0 #Requires DHCP! #Enable PXE to deliver minimal network environments such as WinPE to computers.
    PXE_TFTP_ROOT=$LOCATION_OF_IMPORTANT_FILES/Data/TFTP/Root #This location is for the WinPE .WIM-file.
    PXE_HTTP_ROOT=$LOCATION_OF_IMPORTANT_FILES/Data/Apache/Root #This location is for the Windows Installer.

SSH_SERVER=1 #Enable this to add a user and allow it to be used to mange the server remotely.
    SSH_PORT=22
    SSH_USER=Administrator #Future users have to be added to the "ssh"-group to use "ssh".
    SSH_USER_PASSWORD='P4ssw0rd'
    SSH_USER_SUDO=1 #Set to 1 to give this user permission to run administrator commands using "sudo".
    SSH_PORTKNOCKING=1 #Enable this to only provide the SSH service when a sequence of numbers is knocked.
    SSH_PORTKNOCKING_OPEN_SEQ1=7999 #Sequence number 1 for opening the openssh Portknock.
    SSH_PORTKNOCKING_OPEN_SEQ2=8181
    SSH_PORTKNOCKING_OPEN_SEQ3=1821
    SSH_PORTKNOCKING_CLOSE_SEQ1=7997 #Sequence number 1 for closing the openssh Portknock.
    SSH_PORTKNOCKING_CLOSE_SEQ2=8121
    SSH_PORTKNOCKING_CLOSE_SEQ3=5821

    SSH_FAIL2BAN=1 #Requires FIREWALL! Enable this to block an IP-address when a configurable amount of failed attempts has been reached.
    SSH_FAIL2BAN_MAXRETRY=3 #How many attempts can be made to access the server from a single IP before a ban is imposed.
    SSH_FAIL2BAN_FINDTIME=900 #The length of time between login attempts before a ban is set. For example, if Fail2Ban is set to ban an IP after three failed log-in attempts, those three attempts must occur within the set findtime limit. The findtime value should be a set number of seconds.
    SSH_FAIL2BAN_BANTIME=900 #The length of time in seconds that the IP Address will be banned for. In my example I used ‘900’ seconds which would be 15 minutes. If you want to ban an IP Address permanently then you will set the bantime to ‘-1’.

    SSH_2FA=1 #Enable this to login usign Two-Factor-Authentication using Google-Authenticator. After installation run 'google-authenticator' as the user which will be using 2FA. During prompts choose 'y'. Afterwards restart SSH.
    SSH_2FA_FORCE=0 #Enable this option to force users to use 2FA, if disabled only the users that have installed 2FA will have to use 2FA.


###########################################################
# 1.2.         System  Specific Variables                 #
###########################################################
# These different sets of variables ensure compatibility over multiple Linux-distributions.
# Please do not change these!
# If you would like to add compatibility for a different Linux-distribution (or even a different Unix-distribution)
# then copy the template and fill it in with the correct parameters of the target dsitrbution.

if [ "$OS" == "RASPBIAN" ] ; then
# For Raspbian Stretch
#Patches
REORDER_AVAHI_DNS=1 #Avahi interupts the domain name translation if the FQDN ends with .local. This fixes the problem by prioritizing the default DNS over Avahi.

# Tools
PM_UPDATE='apt update'
PM_UPGRADE='apt upgrade -y'
PM_SYSUPGRADE='apt dist-upgrade -y'
PM_INSTALL='apt install'
PM_INSTALL_ENDING_VARIABLES='-y'

# Packages:
PACKAGE_SAMBA='samba'
PACKAGE_NTP='ntp'
PACKAGE_FIREWALLD='firewalld'
PACKAGE_SELINUX='selinux-basics'
PACKAGE_SELINUX_POLICY_DEFAULT='selinux-policy-default'
PACKAGE_DHCPD='isc-dhcp-server'
PACKAGE_CLAMAV='clamav'
PACKAGE_CLAMAV_FRESHCLAM='clamav-freshclam'
PACKAGE_OPENSSHD='openssh-server'
PACKAGE_TFTPD='tftpd-hpa'
PACKAGE_APACHE='apache2'
PACKAGE_USBMOUNT='usbmount'
PACKAGE_KNOCKD='knockd'
PACKAGE_FAIL2BAN='fail2ban'
PACKAGE_LIBPAM_GOOGLE_AUTHENTICATOR='libpam-google-authenticator'

#Daemons
DAEMON_SSH='ssh'
DAEMON_FIREWALLD='firewalld'
DAEMON_TFTPD='tftpd-hpa'
DAEMON_APACHE='apache2'
DAEMON_DHCPCD='dhcpcd'
DAEMON_KNOCKD='knockd'
DAEMON_FAIL2BAN='fail2ban'
DAEMON_NTP='ntp'
DAEMON_SMBD='smbd'
DAEMON_NMBD='nmbd'
DAEMON_SAMBA_AD_DC='samba-ad-dc'
DAEMON_DHCPD='isc-dhcp-server'

# Paths to folders:
OR_PATH_FOLDER_CRON_DAILY='/etc/cron.daily'
OR_PATH_FOLDER_CRON_HOURLY='/etc/cron.hourly'
OR_PATH_FOLDER_APACHE_SITES_ENABLED='/etc/apache2/sites-enabled'
OR_PATH_FOLDER_SSH_KEYS='/etc/ssh'
OR_PATH_FOLDER_SAMBA_VAR_LIB='/var/lib/samba'
OR_PATH_FOLDER_SAMBA_SETUP='/usr/share/samba/setup'
OR_PATH_FOLDER_SAMBA_CACHE='/var/cache/samba'
OR_PATH_FOLDER_SAMBA_LOG='/var/log/samba'
OR_PATH_FOLDER_SELINUX_POLICY='/etc/selinux/avorix_rules'

# Paths to files:
OR_PATH_FILE_AUDIT_LOG='/var/log/audit/audit.log'
OR_PATH_FILE_SELINUX_CONF='/etc/selinux/conf'
OR_PATH_FILE_SELINUX_CONF_REPLACER='/etc/selinux/config.replacer'
OR_PATH_FILE_DHCPD_CONF='/etc/dhcp/dhcpd.conf'
OR_PATH_FILE_DHCPCD_CONF='/etc/dhcpcd.conf'
OR_PATH_FILE_KRB5_CONF_EXAMPLE='/var/lib/samba/private/krb5.conf'
OR_PATH_FILE_KRB5_CONF='/etc/krb5.conf'
OR_PATH_FILE_SAMBA_CONF='/etc/samba/smb.conf'
OR_PATH_FILE_NTP_CONF='/etc/ntp.conf'
OR_PATH_FILE_NTP_DRIFT='/var/lib/ntp/ntp.drift'
OR_PATH_FILE_NTP_LOG='/var/log/ntp'
OR_PATH_FILE_NTP_SOCKET='/usr/local/samba/var/lib/ntp_signd/'
OR_PATH_FILE_SSH_CONF='/etc/ssh/sshd_config'
OR_PATH_FILE_SUDO_CONF='/etc/sudoers'
OR_PATH_FILE_HOSTNAME_CONF='/etc/hostname'
OR_PATH_FILE_HOSTS_CONF='/etc/hosts'
OR_PATH_FILE_TFTPD_CONF='/etc/default/tftpd-hpa'
OR_PATH_FILE_USBMOUNT_CONF='/etc/usbmount/usbmount.conf'
OR_PATH_FILE_KNOCKD_DEFAULT='/etc/default/knockd'
OR_PATH_FILE_KNOCKD_CONF='/etc/knockd.conf'
OR_PATH_FILE_FAIL2BAN_JAIL='/etc/fail2ban/jail.local'
OR_PATH_FILE_PAMD_SSHD='/etc/pam.d/sshd'
OR_PATH_FILE_ISSUE='/etc/issue'
OR_PATH_FILE_ISSUENET='/etc/issue.net'
OR_PATH_FILE_MOTD='/etc/motd'

elif [ "$OS" == "CENTOS7" ] ; then
# Has not been finished!
# For CentOS 7
# Tools
PM_UPDATE='yum check-update' #This is actually not neccesary as most yum commands will run this automaticly.
PM_UPGRADE='yum update -y'
PM_SYSUPGRADE='yum upgrade -y' #Correct
PM_INSTALL='yum install' #Correct
PM_INSTALL_ENDING_VARIABLES='-y' #Correct

# Packages:
PACKAGE_SAMBA='samba samba-dc'
PACKAGE_NTP='ntp'
PACKAGE_FIREWALLD='firewalld'
PACKAGE_SELINUX='' #Not required, it is allready within Centos 7
PACKAGE_SELINUX_POLICY_DEFAULT=''
PACKAGE_DHCPD='dhcp'
PACKAGE_CLAMAV='epel-release && yum install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd -y'
PACKAGE_CLAMAV_FRESHCLAM=''
PACKAGE_OPENSSHD='openssh'
PACKAGE_TFTPD='tftp-server' #!Might be different from the debian variety.
PACKAGE_APACHE='httpd'
PACKAGE_USBMOUNT='' #!Not for CentOS!
PACKAGE_KNOCKD='knock' #!Requires EPEL, not verified.
PACKAGE_FAIL2BAN='fail2ban' #Requires EPEL
PACKAGE_LIBPAM_GOOGLE_AUTHENTICATOR='google-authenticator'

#Daemons
DAEMON_SSH=''
DAEMON_FIREWALLD=''
DAEMON_TFTPD=''
DAEMON_APACHE=''
DAEMON_DHCPCD=''
DAEMON_KNOCKD=''
DAEMON_FAIL2BAN=''
DAEMON_NTP=''
DAEMON_SMBD=''
DAEMON_NMBD=''
DAEMON_SAMBA_AD_DC=''
DAEMON_DHCPD=''

# Paths to folders:
PATH_FOLDER_CRON_DAILY='/etc/cron.daily'
PATH_FOLDER_CRON_HOURLY='/etc/cron.hourly'
PATH_FOLDER_APACHE_SITES_ENABLED=''
PATH_FOLDER_SSH_KEYS=''

# Paths to files:
PATH_FILE_AUDIT_LOG=''
PATH_FILE_SELINUX_CONF=''
PATH_FILE_SELINUX_CONF_REPLACER=''
PATH_FILE_DHCPD_CONF=''
PATH_FILE_DHCPCD_CONF=''
PATH_FILE_KRB5_CONF_EXAMPLE=''
PATH_FILE_KRB5_CONF=''
PATH_FILE_SAMBA_CONF=''
PATH_FILE_NTP_CONF=''
PATH_FILE_SSH_CONF=''
PATH_FILE_SUDO_CONF=''
PATH_FILE_HOSTNAME_CONF=''
PATH_FILE_HOSTS_CONF=''
PATH_FILE_TFTPD_CONF=''
PATH_FILE_USBMOUNT_CONF=''
PATH_FILE_KNOCKD_DEFAULT=''
PATH_FILE_KNOCKD_CONF=''
PATH_FILE_FAIL2BAN_JAIL=''
PATH_FILE_PAMD_SSHD=''

else
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Warning: The inputted operating system is currently     #"
    echo "#          unsupported, please check script settings!     #"
    echo "###########################################################"
    echo "# Suported operating systems:"
    echo "#          - Raspbian Stretch (RASPBIAN)"
    echo "###########################################################"
    read -r fackEnterKey
    setterm -default
    exit
fi

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
# Paths to folders:
PATH_FOLDER_CRON_DAILY="$LOCATION_OF_IMPORTANT_FILES/Configuration/Cron/Daily"
PATH_FOLDER_CRON_HOURLY="$LOCATION_OF_IMPORTANT_FILES/Configuration/Cron/Hourly"
PATH_FOLDER_APACHE_SITES_ENABLED="$LOCATION_OF_IMPORTANT_FILES/Apache/Sites-Enabled"
PATH_FOLDER_SSH_KEYS="$LOCATION_OF_IMPORTANT_FILES/Configuration/SSH/Configuration/Keys"
PATH_FOLDER_SAMBA_VAR_LIB="$LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA_VAR_LIB"
PATH_FOLDER_SAMBA_SETUP="$LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA/Setup"
PATH_FOLDER_SAMBA_CACHE="$LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA/Cache"
PATH_FOLDER_SAMBA_LOG="$LOCATION_OF_IMPORTANT_FILES/Logs/Samba"
PATH_FOLDER_SELINUX_POLICY="$LOCATION_OF_IMPORTANT_FILES/Configuration/SELinux/Policy"

# Paths to files:
PATH_FILE_AUDIT_LOG="$LOCATION_OF_IMPORTANT_FILES/Logs/AuditD/audit.log"
PATH_FILE_SELINUX_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/SELinux/conf"
PATH_FILE_SELINUX_CONF_REPLACER="$LOCATION_OF_IMPORTANT_FILES/Configuration/SELinux/conf-replacer"
PATH_FILE_DHCPD_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/DHCPD/dhcpd.conf"
PATH_FILE_DHCPCD_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/DHCPCD/dhcpcd.conf"
#PATH_FILE_KRB5_CONF_EXAMPLE="$LOCATION_OF_IMPORTANT_FILES"
PATH_FILE_KRB5_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/KRB5/krb5.conf"
PATH_FILE_SAMBA_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA/smb.conf"
PATH_FILE_NTP_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/NTP/ntp.conf"
PATH_FILE_NTP_DRIFT="$LOCATION_OF_IMPORTANT_FILES/Configuration/NTP/ntp.drift"
PATH_FILE_NTP_LOG="$LOCATION_OF_IMPORTANT_FILES/Logs/NTP/ntp.log"
PATH_FILE_NTP_SOCKET="$LOCATION_OF_IMPORTANT_FILES/Configuration/NTP/ntp_signd"
PATH_FILE_SSH_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/SSH/sshd_config"
PATH_FILE_SUDO_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/General/sudoers"
PATH_FILE_HOSTNAME_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/General/hostname"
PATH_FILE_HOSTS_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/General/hosts"
PATH_FILE_TFTPD_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/TFTPD/tftpd-hpa"
PATH_FILE_USBMOUNT_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/USBMount/usbmount.conf"
PATH_FILE_KNOCKD_DEFAULT="$LOCATION_OF_IMPORTANT_FILES/Configuration/KnockD/knockd.default.conf"
PATH_FILE_KNOCKD_CONF="$LOCATION_OF_IMPORTANT_FILES/Configuration/KnockD/knockd.conf"
PATH_FILE_FAIL2BAN_JAIL="$LOCATION_OF_IMPORTANT_FILES/Configuration/Fail2Ban/jail.local"
PATH_FILE_PAMD_SSHD="$LOCATION_OF_IMPORTANT_FILES/Configuration/PAMD/sshd"
PATH_FILE_ISSUE="$LOCATION_OF_IMPORTANT_FILES/Configuration/General/issue"
PATH_FILE_ISSUENET="$LOCATION_OF_IMPORTANT_FILES/Configuration/General/issue.net"
PATH_FILE_MOTD="$LOCATION_OF_IMPORTANT_FILES/Configuration/General/motd"

else
# Paths to folders:
PATH_FOLDER_CRON_DAILY="$OR_PATH_FOLDER_CRON_DAILY"
PATH_FOLDER_CRON_HOURLY="$OR_PATH_FOLDER_CRON_HOURLY"
PATH_FOLDER_APACHE_SITES_ENABLED="$OR_PATH_FOLDER_APACHE_SITES_ENABLED"
PATH_FOLDER_SSH_KEYS="$OR_PATH_FOLDER_SSH_KEYS"
PATH_FOLDER_SAMBA_VAR_LIB="$OR_PATH_FOLDER_SAMBA_VAR_LIB"
PATH_FOLDER_SAMBA_SETUP="$OR_PATH_FOLDER_SAMBA_SETUP"
PATH_FOLDER_SAMBA_CACHE="$OR_PATH_FOLDER_SAMBA_CACHE"
PATH_FOLDER_SAMBA_LOG="$OR_PATH_FOLDER_SAMBA_LOG"
PATH_FOLDER_SELINUX_POLICY="$OR_PATH_FOLDER_SELINUX_POLICY"

# Paths to files:
PATH_FILE_AUDIT_LOG="$OR_PATH_FILE_AUDIT_LOG"
PATH_FILE_SELINUX_CONF="$OR_PATH_FILE_SELINUX_CONF"
PATH_FILE_SELINUX_CONF_REPLACER="$OR_PATH_FILE_SELINUX_CONF_REPLACER"
PATH_FILE_DHCPD_CONF="$OR_PATH_FILE_DHCPD_CONF"
PATH_FILE_DHCPCD_CONF="$OR_PATH_FILE_DHCPCD_CONF"
#PATH_FILE_KRB5_CONF_EXAMPLE="$OR_PATH_FILE_KRB5_CONF_EXAMPLE"
PATH_FILE_KRB5_CONF="$OR_PATH_FILE_KRB5_CONF"
PATH_FILE_SAMBA_CONF="$OR_PATH_FILE_SAMBA_CONF"
PATH_FILE_NTP_CONF="$OR_PATH_FILE_NTP_CONF"
PATH_FILE_NTP_DRIFT="$OR_PATH_FILE_NTP_DRIFT"
PATH_FILE_NTP_LOG="$OR_PATH_FILE_NTP_LOG"
PATH_FILE_NTP_SOCKET="$OR_PATH_FILE_NTP_SOCKET"
PATH_FILE_SSH_CONF="$OR_PATH_FILE_SSH_CONF"
PATH_FILE_SUDO_CONF="$OR_PATH_FILE_SUDO_CONF"
PATH_FILE_HOSTNAME_CONF="$OR_PATH_FILE_HOSTNAME_CONF"
PATH_FILE_HOSTS_CONF="$OR_PATH_FILE_HOSTS_CONF"
PATH_FILE_TFTPD_CONF="$OR_PATH_FILE_TFTPD_CONF"
PATH_FILE_USBMOUNT_CONF="$OR_PATH_FILE_USBMOUNT_CONF"
PATH_FILE_KNOCKD_DEFAULT="$OR_PATH_FILE_KNOCKD_DEFAULT"
PATH_FILE_KNOCKD_CONF="$OR_PATH_FILE_KNOCKD_CONF"
PATH_FILE_FAIL2BAN_JAIL="$OR_PATH_FILE_FAIL2BAN_JAIL"
PATH_FILE_PAMD_SSHD="$OR_PATH_FILE_PAMD_SSHD"
PATH_FILE_ISSUE="$OR_PATH_FILE_ISSUE"
PATH_FILE_ISSUENET="$OR_PATH_FILE_ISSUENET"
PATH_FILE_MOTD="$OR_PATH_FILE_MOTD"
fi

###########################################################
# 1.3.               Check the configuration              #
###########################################################

if [ "$CENTRALIZED_STORAGE" -eq "0" ] ; then
LOCATION_OF_IMPORTANT_FILES=/etc/avorix
fi

# Not Needed anymore! This was written when step where being stored in seperate files. #To provide step control. Check if the AVDC_STEP variabel exists, and if delete it.
#clear_exported_avdc_step(){
#   sed -i '/AVDC_STEP/d' /etc/avorix/avdc_install_variables.sh
#}

#Create a few functions to enable the script to pause the installation and wait for the user to confirm the further going of the installation.
pause(){
    read -r fackEnterKey
}

pause_with_msg(){
    read -r -p "Press [Enter] to continue..." fackEnterKey
}

#Since the PXE-module requires the DHCP-modules, check if both the DHCP- & PXE-modules have been enabled and if not warn the user that if the user wants to use PXE they have to enable the DHCP-module.
if [ "$DHCP_SERVER" -eq "1" ] && [ "$PXE_SERVER" -eq "1" ] ; then
    PXE_SERVER=2
elif [ "$PXE_SERVER" -eq "1" ] ; then
    PXE_SERVER=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Warning: To use PXE enable the DHCP Server              #"
    echo "#          in the settings section of this script!        #"
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
fi

if [ "$SSH_FAIL2BAN" -eq "1" ] && [ "$FIREWALL" -eq "1" ] ; then
    SSH_FAIL2BAN=2
elif [ "$PXE_SERVER" -eq "1" ] ; then
    SSH_FAIL2BAN=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Warning: To use FAIL2BAN enable the FIREWALL            #"
    echo "#          in the settings section of this script!        #"
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
fi

#Check if this step has already been executed.
if [[ 130 -gt $AVDC_STEP ]] || [ -z ${AVDC_STEP+x} ] ; then

#Copy this script to a static location
#mkdir -p $LOCATION_OF_IMPORTANT_FILES/Tools/
#CURRENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
#cp "$(readlink -f $0" "$LOCATION_OF_IMPORTANT_FILES/Tools/avdc_install.sh"

#Check if the command afterwards has allready been added.
#sed -i '/avdc_install_variables.sh/d' /root/.bashrc
#Run this script, to add the permanently stored variables, whenever the root user logs in.
#echo '/etc/avorix/avdc_install_variables.sh' >> /root/.bashrc

#Check if the command afterwards has allready been added.
sed -i '/avdc_install.sh/d' /root/.bashrc
#Run the script whenever the root user logs in.
echo '/etc/avorix/avdc_install.sh' >> /root/.bashrc

AVDC_STEP=140; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=140/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 1.4.        Show a summary of the settings              #
###########################################################
if [[ $AVDC_STEP -eq 140 ]] ; then

clear
if [ "$SKIP_BEGINNING_SUMMARY" -eq "0" ] ; then
    echo "###########################################################";
    echo "#       A quick summary of the installed settings         #";
    echo "###########################################################";
    echo "# You can change these settings"
    echo "# by opening this script in a texteditor"
    echo "# and change the variables that start from line 110."
    echo ""
    echo "This script will $(if [ "$JOIN_A_DOMAIN" -eq "0" ] ; then echo "create a standalone domaincontroller!" ; fi);$(if [ "$JOIN_A_DOMAIN" -eq "1" ] ; then echo "join a domain!" ; fi)"
    echo "";
    echo "Will be installed: $(if [ "$DHCP_SERVER" -eq "1" ] ; then echo "DHCP" ; fi);$(if [ "$PXE_SERVER" -eq "2" ] ; then echo "(with PXE)" ; fi)$(if [ "$SSH_SERVER" -eq "1" ]; then echo "SSH" ; fi);$(if [ "$SSH_2FA" -eq "1" ] || [ "$SSH_PORTKNOCKING" -eq "1" ] || [ "$SSH_FAIL2BAN" -eq "2" ]; then echo " (with $(if [ "$SSH_2FA" -eq "1" ] ; then echo "2-Factor-Authentication"; fi)$(if [ "$SSH_PORTKNOCKING" -eq "1" ] ; then echo "Portknocking"; fi)$(if [ "$SSH_FAIL2BAN" -eq "2" ] ; then echo "Fail2Ban"; fi)" ; fi)"
    echo "";
    echo "Will be configured: $(if [ "$AUTOMATIC_SECURITY_UPDATES" -eq "1" ]; then echo "Automatic_Security_Updates"; else echo ""; fi) $(if [ "$FIREWALL" -eq "1" ]; then echo "Firewall"; else echo ""; fi) $(if [ "$SELINUX" -eq "1" ]; then echo "SELinux"; else echo ""; fi)"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    pause_with_msg;
    echo "";
    echo "Storage Settings:";
    echo "1. Files will be stored in: $LOCATION_OF_IMPORTANT_FILES";
#   echo "2. Files will be stored on removable USB storage: $(if [ "$PORTABLE_CONFIGURATION" -eq "1" ]; then echo "Yes"; else echo "No"; fi)";
    fi

    pause_with_msg;
    echo "";
    echo "Network settings:";
    echo "1. IP address: $IP_ADDRESS";
    echo "2. Subnetmaskbits: $SUBNETMASKBITS";
    echo "3. Gateway: $GATEWAY";
    echo "4. Preferred DNS-server: $DNSSERVER1";
    echo "5. Alternate DNS-server: $DNSSERVER2";

    pause_with_msg;
    echo "";
    echo "Domain Controller Settings:";
    echo "1. Fully Qualified Domain Name: $FQDN";
    echo "2. NetBIOS name: $NBIOS";
    echo "3. Name of the Domain Controller: $DCNAME";
    echo "4. Administrator User: Administrator (can not be changed)";
    echo "5. Administrator Password: $(if [ "$ADMINPWD" = 'P455w0RD' ]; then echo 'P455w0RD'; else echo "Hidden! "; fi)";

    pause_with_msg;
    echo "";
    echo "Time settings:";
    echo "1. Region: $REGION";
    echo "2. Timezone: $TIMEZONE";
    echo "3. NTP-Server 1: $NTPSERVER1";
    echo "4. NTP-Server 2: $NTPSERVER2";
    echo "5. NTP-Server 3: $NTPSERVER3";

    if [ "$DHCP_SERVER" -eq "1" ] ; then
    pause_with_msg;
    echo "";
    echo "DHCP Settings:";
    echo "1. Subnet: $DHCP_SUBNET";
    echo "2. Subnetmask: $DHCP_SUBNETMASK";
    echo "3. Broadcastaddress: $DHCP_BROADCASTADDRESS";
    echo "4. Gateway: $DHCP_GATEWAY";
    echo "5. Preferred DNS-Server: $DHCP_DNSSERVER1";
    echo "6. Alternate DNS-Server: $DHCP_DNSSERVER2";

    pause_with_msg;
    echo "7. NetBIOS-Server: $DHCP_NETBIOSSERVER";
    echo "8. NTP-Server 1: $DHCP_NTPSERVER1";
    echo "9. NTP-Server 2: $DHCP_NTPSERVER2";
    echo "10. Max Lease Time: $DHCP_MAX_LEASE_TIME";
    echo "11. First IP Address: $DHCP_FIRST_IP_ADDRESS";
    echo "12. Last IP Address: $DHCP_LAST_IP_ADDRESS";

    if [ "$PXE_SERVER" -eq "2" ] ; then
    pause_with_msg
    echo "";
    echo "PXE Settings:";
    echo "1. HTTP Folder: $PXE_HTTP_ROOT (This location is for the Windows Installer files)";
    echo "2. TFTP Folder: $PXE_TFTP_ROOT (This location is for the Windows PE .WIM-file.)";
    fi
    fi

    if [ "$SSH_SERVER" -eq "1" ] ; then
    pause_with_msg;
    echo "";
    echo "SSH Settings:";
    echo "SSH Port: $SSH_PORT";
    echo "SSH User: $SSH_USER";
    echo "SSH Password: $(if [ "$SSH_USER_PASSWORD" = 'P455w0RD' ]; then echo 'P455w0RD'; else echo "Hidden! "; fi)";
    echo "SSH User has Admin rights: $(if [ "$SSH_USER_SUDO" -eq "1" ]; then echo "Yes"; else echo "No"; fi)";

    if [ "$SSH_2FA" -eq "1" ] ; then
    pause_with_msg
    echo "";
    echo "Two-Factor-Authentication: $(if [ "$SSH_2FA" -eq "1" ]; then echo "Yes"; else echo "No"; fi)";
    fi

    if [ "$SSH_PORTKNOCKING" -eq "1" ] ; then
    pause_with_msg
    echo ""
    echo "Portknocking: Yes";
    echo "Portknocking Opening sequence: $SSH_PORTKNOCKING_OPEN_SEQ1, $SSH_PORTKNOCKING_OPEN_SEQ2, $SSH_PORTKNOCKING_OPEN_SEQ3";
    echo "Portknocking Closing sequence: $SSH_PORTKNOCKING_CLOSE_SEQ1, $SSH_PORTKNOCKING_CLOSE_SEQ2, $SSH_PORTKNOCKING_CLOSE_SEQ3";
    fi

    if [ "$SSH_FAIL2BAN" -eq "2" ] ; then
    pause_with_msg
    echo ""
    echo "Fail2Ban: Yes";
    echo "Fail2Ban Bantime: $SSH_FAIL2BAN_BANTIME";
    echo "Fail2Ban Time between login attempts: $SSH_FAIL2BAN_FINDTIME";
    echo "Fail2Ban Max login retries: $SSH_FAIL2BAN_MAXRETRY";
    fi
    fi
    pause_with_msg
    clear

    setterm -term linux -back black -fore green
    echo "###########################################################"
    echo "#                 Confirm these settings                  #"
    echo "###########################################################"
    echo "Are these settings correct?"
    echo ""
    echo "Note: You can bypass this in the future by setting"
    echo "'SKIP_BEGINNING_SUMMARY' to 1"
    echo ""
    pause_with_msg
    setterm -default
    clear
fi

AVDC_STEP=220; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=220/' /etc/avorix/avdc_install.sh
fi


###########################################################
#                                                         #
# 2.            The fase of compatibility                 #
#                                                         #
###########################################################

###########################################################
# 2.1.         Test the internet connection               #
###########################################################

#Should run everytime till the script has executed step
if [[ 370 -gt $AVDC_STEP ]] ; then

echo -e "GET http://google.com HTTP/1.0\n\n" | nc google.com 80 > /dev/null 2>&1

if [ $? -eq 0 ]; then
    echo "Your device is connected to the internet."
else
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Warning: This script requires an internet connection!   #"
    echo "###########################################################"
    pause
    setterm -default
    exit
fi

fi


###########################################################
# 2.2.          Update the complete system                #
###########################################################
if [[ $AVDC_STEP -eq 220 ]] ; then

$PM_UPDATE
$PM_UPGRADE
$PM_SYSUPGRADE
$PM_UPGRADE # Just to make sure that every system installs the newest packages without limitations of the OS-version.

AVDC_STEP=230; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=230/' /etc/avorix/avdc_install.sh
reboot
fi

###########################################################
# 2.3.           (Optional) Configure USBmount            #
###########################################################
if [[ $AVDC_STEP -eq 230 ]] ; then

if [ "$PORTABLE_CONFIGURATION" -eq "1" ] ; then
    "$PM_INSTALL" "$PACKAGE_USBMOUNT" "$PM_INSTALL_ENDING_VARIABLES"

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_USBMOUNT 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    USBMOUNT_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_USBMOUNT'-package is succesfully installed!"
    else
    USBMOUNT_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_USBMOUNT'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    #USBMount: Configuring.
    mv "$PATH_FILE_USBMOUNT_CONF" "$PATH_FILE_USBMOUNT_CONF.original"
    touch "$PATH_FILE_USBMOUNT_CONF"

cat <<EOT >> "$PATH_FILE_USBMOUNT_CONF"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

ENABLED=1
MOUNTPOINTS="/media/usb1 /media/usb2 /media/usb3
             /media/usb4 /media/usb5 /media/usb6 /media/usb7 /media/usb8"

FILESYSTEMS="vfat ext2 ext3 ext4 hfsplus"
MOUNTOPTIONS="sync,noexec,nodev,noatime,nodiratime"
FS_MOUNTOPTIONS=""
VERBOSE=no
EOT

    clear

    #Inform the user to insert their USB-device.
    setterm -term linux -back red -fore white
    read -r -p "Insert your removable drive and press [Enter] to continue..." fackEnterKey
    setterm -default

    #USBMount: Make sure that the removable drive is mounted else copy the files to a temporary folder.
    #It would be better if we listed the drives using mountusb.
    if [ "$PORTABLE_CONFIGURATION" -eq "1" ] ; then
    if mount | grep /media/usb1 > /dev/null || mount | grep /media/usb2 > /dev/null || mount | grep /media/usb3 > /dev/null || mount | grep /media/usb4 > /dev/null || mount | grep /media/usb5 > /dev/null || mount | grep /media/usb6 > /dev/null || mount | grep /media/usb7 > /dev/null || mount | grep /media/usb8 > /dev/null ; then
    LOCATION_OF_IMPORTANT_FILES=/media/usb1
    setterm -term linux -back green -fore white
    echo "###########################################################"
    echo "#           Your USB-device has been found!               #"
    echo "###########################################################"
    setterm -default
    else
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - Your USB-storage device could not be mounted."
    echo ""
    echo "Solution:"
    echo " - Prepare your USB-storage device:"
    echo "  - Find your USB-device by executing the command: lsblk"
    echo "  - Format your device by executing: mkfs.ext4 /dev/Your_Device"
    echo "    As an example: mkfs.ext4 /dev/sda"
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi
fi

AVDC_STEP=240; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=240/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 2.4.       Build the LOIF directory structure           #
###########################################################
if [[ $AVDC_STEP -eq 240 ]] ; then

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
#Creating folders for the $LOCATION_OF_IMPORTANT_FILES
mkdir -p "$LOCATION_OF_IMPORTANT_FILES/Configuration" "$LOCATION_OF_IMPORTANT_FILES/Logs" "$LOCATION_OF_IMPORTANT_FILES/Data" "$LOCATION_OF_IMPORTANT_FILES/Configuration/Cron" "$LOCATION_OF_IMPORTANT_FILES/Configuration/Cron/Daily" "$LOCATION_OF_IMPORTANT_FILES/Configuration/Cron/Hourly"  "$LOCATION_OF_IMPORTANT_FILES/Data/SAMBA" "$LOCATION_OF_IMPORTANT_FILES/Logs" "$LOCATION_OF_IMPORTANT_FILES/Logs/General" "$LOCATION_OF_IMPORTANT_FILES/Logs/SAMBA" "$LOCATION_OF_IMPORTANT_FILES/Logs/NTP" "$LOCATION_OF_IMPORTANT_FILES/Logs/AuditD" "$LOCATION_OF_IMPORTANT_FILES/Configuration/KRB5" "$LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA" "$LOCATION_OF_IMPORTANT_FILES/Configuration/General" "$LOCATION_OF_IMPORTANT_FILES/Configuration/NTP" "$LOCATION_OF_IMPORTANT_FILES/Data/SAMBA/Cache"  "$LOCATION_OF_IMPORTANT_FILES/Data/NTP" "$LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA_VAR_LIB" "$LOCATION_OF_IMPORTANT_FILES/Data/SAMBA/Shares/Users"

#Linking folder to folders on the USB, as we want to capture all these files!
ln -sdf "$PATH_FOLDER_SAMBA_VAR_LIB" "$OR_PATH_FOLDER_SAMBA_VAR_LIB"
ln -sdf "$PATH_FOLDER_SAMBA_SETUP" "$OR_PATH_FOLDER_SAMBA_SETUP"
ln -sdf "$PATH_FOLDER_SAMBA_CACHE" "$OR_PATH_FOLDER_SAMBA_CACHE"
ln -sdf "$PATH_FOLDER_SAMBA_LOG" "$OR_PATH_FOLDER_SAMBA_LOG"

if [ "$SELINUX" -eq "0" ]; then
    mkdir -p "$LOCATION_OF_IMPORTANT_FILES/Configuration/SELinux/Rules" "$LOCATION_OF_IMPORTANT_FILES/Configuration/SELinux/Policy"
fi

if [ "$DHCP_SERVER" -eq "1" ]; then
    mkdir -p "$LOCATION_OF_IMPORTANT_FILES/Configuration/DHCP"
    #PXE has to be 2, unlike the others.
    if [ "$PXE_SERVER" -eq "2" ]; then
    mkdir -p "$LOCATION_OF_IMPORTANT_FILES/Configuration/PXE" "$LOCATION_OF_IMPORTANT_FILES/Configuration/Apache/Sites-Enabled" "$LOCATION_OF_IMPORTANT_FILES/Data/TFTP/Root" "$LOCATION_OF_IMPORTANT_FILES/Data/Apache/Root" "$LOCATION_OF_IMPORTANT_FILES/PXE/Logs"
    fi
else

mkdir PATH_FOLDER_SELINUX_POLICY
fi

if [ "$SSH_SERVER" -eq "1" ]; then
    mkdir -p "$LOCATION_OF_IMPORTANT_FILES/Configuration/SSH/Keys"
    if [ "$SSH_PORTKNOCKING" -eq "1" ] ; then
    mkdir -p "$LOCATION_OF_IMPORTANT_FILES/Logs/KnockD/" "$LOCATION_OF_IMPORTANT_FILES/Configuration/KNOCKD/default"
    fi
    if [ "$SSH_FAIL2BAN" -eq "2" ] ; then
    mkdir -p "$LOCATION_OF_IMPORTANT_FILES/Logs/Fail2Ban/" "$LOCATION_OF_IMPORTANT_FILES/Configuration/Fail2Ban"
    fi
fi

fi

AVDC_STEP=310; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=310/' /etc/avorix/avdc_install.sh
fi

###########################################################
#                                                         #
# 3.            The fase of installation                  #
#                                                         #
###########################################################

###########################################################
# 3.1. (Optional) Install & Temporarely disable SELinux   #
###########################################################
if [[ $AVDC_STEP -eq 310 ]] ; then

#Temporary disable SELinux, will be enabled the next day with exclusions for DNS, SAMBA, DHCP and DHCP.
if [ "$SELINUX" -eq "1" ]; then
    "$PM_INSTALL" "$PACKAGE_SELINUX" "$PACKAGE_SELINUX_POLICY_DEFAULT" "$PM_INSTALL_ENDING_VARIABLES"

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_SELINUX 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    SELINUXBASICS_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_SELINUX'-package is succesfully installed!"
    else
    SELINUXBASICS_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_SELINUX'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_SELINUX_POLICY_DEFAULT 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    SELINUXPOLICYDEFAULT_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_SELINUX_POLICY_DEFAULT'-package is succesfully installed!"
    else
    SELINUXPOLICYDEFAULT_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_SELINUX_POLICY_DEFAULT'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    selinux-activate

    #If SELinux is enabled go to step 3.15.
    AVDC_STEP=315; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=315/' /etc/avorix/avdc_install.sh
    reboot
    fi

    #If SELinux is not enabled go to step 3.15.
    AVDC_STEP=315; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=315/' /etc/avorix/avdc_install.sh
fi

if [[ $AVDC_STEP -eq 315 ]] ; then

    if [ "$SELINUX" -eq "1" ]; then

    cp "$PATH_FOLDER_SELINUX_POLICY" "$PATH_FOLDER_SELINUX_POLICY.bak"
    mv "$PATH_FILE_SELINUX_CONF" "$PATH_FILE_SELINUX_CONF.original"
    touch "$PATH_FILE_SELINUX_CONF"

cat <<EOT >> "$PATH_FILE_SELINUX_CONF"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=strict

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
EOT

    fi
    AVDC_STEP=320; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=320/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 3.2.             Install the main components            #
###########################################################
if [[ $AVDC_STEP -eq 320 ]] ; then

if [ "$DHCP_SERVER" -eq "1" ]; then
   "$PM_INSTALL" "$PACKAGE_DHCPD" "$PM_INSTALL_ENDING_VARIABLES"

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_DHCPD 2>/dev/null >/dev/null)" -eq "1" ] ; then
    ISCDHCPSERVER_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_DHCPD'-package is succesfully installed!"
    else
    ISCDHCPSERVER_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_DHCPD'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi
fi

if [ "$ANTIVIRUS" -eq "1" ]; then
    "$PM_INSTALL" "$PACKAGE_CLAMAV" "$PACKAGE_CLAMAV_FRESHCLAM" "$PM_INSTALL_ENDING_VARIABLES"
    touch "$PATH_FOLDER_CRON_HOURLY/ClamAV"

#Variables are not properly being pasted.
cat <<'EOT' >> "$PATH_FOLDER_CRON_HOURLY/ClamAV"
#!/bin/bash
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

# Email subject
SUBJECT="VIRUS DETECTED ON `hostname`!!!"
# Email To ?
EMAIL="root@localhost"
# Log location
LOG=/var/log/clamav/scan.log

check_scan () {

    # Check the last set of results. If there are any "Infected" counts that aren't zero, we have a problem.
    if [ `tail -n 12 ${LOG}  | grep Infected | grep -v 0 | wc -l` != 0 ]
    then
        EMAILMESSAGE=`mktemp /tmp/virus-alert.XXXXX`
        echo "To: ${EMAIL}" >>  ${EMAILMESSAGE}
EOT

#We want it to translate these parts
cat <<EOT >> "$PATH_FOLDER_CRON_HOURLY/ClamAV"
        echo "From: antivirus@$DCNAME.$FQDN" >> \
EOT

cat <<'EOT' >> "$PATH_FOLDER_CRON_HOURLY/ClamAV"
${EMAILMESSAGE}
        echo "Subject: ${SUBJECT}" >>  ${EMAILMESSAGE}
        echo "Importance: High" >> ${EMAILMESSAGE}
        echo "X-Priority: 1" >> ${EMAILMESSAGE}
        echo "`tail -n 50 ${LOG}`" >> ${EMAILMESSAGE}
        sendmail -t < ${EMAILMESSAGE}
    fi

}

find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -mmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan

find / -not -wholename '/sys/*' -and -not -wholename '/proc/*' -cmin -61 -type f -print0 | xargs -0 -r clamscan --exclude-dir=/proc/ --exclude-dir=/sys/ --quiet --infected --log=${LOG}
check_scan
EOT

    chmod +x "$PATH_FOLDER_CRON_HOURLY/ClamAV"

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' "$PACKAGE_CLAMAV" 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    CLAMAV_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_CLAMAV'-package is succesfully installed!"
    else
    CLAMAV_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_CLAMAV'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_CLAMAV_FRESHCLAM 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    CLAMAVFRESHCLAM_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_CLAMAV_FRESHCLAM'-package is succesfully installed!"
    else
    CLAMAVFRESHCLAM_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_CLAMAV_FRESHCLAM'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi
fi

if [ "$FIREWALL" -eq "1" ]; then
    "$PM_INSTALL" "$PACKAGE_FIREWALLD" "$PM_INSTALL_ENDING_VARIABLES"

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_FIREWALLD 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    FIREWALLD_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_FIREWALLD'-package is succesfully installed!"
    else
    FIREWALLD_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_FIREWALLD'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    systemctl start $DAEMON_FIREWALLD
fi

if [ "$SSH_SERVER" -eq "1" ] ; then
    "$PM_INSTALL" "$PACKAGE_OPENSSHD" "$PM_INSTALL_ENDING_VARIABLES"

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_OPENSSHD 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    OPENSSHSERVER_INSTALLATION_STATUS=1
    eche "The '$PACKAGE_OPENSSHD'-package is succesfully installed!"
    else
    OPENSSHSERVER_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_OPENSSHD'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    if [ "$SSH_PORTKNOCKING" -eq "1" ] ; then
    "$PM_INSTALL" "$PACKAGE_KNOCKD" "$PM_INSTALL_ENDING_VARIABLES"
    fi
    if [ "$SSH_FAIL2BAN" -eq "2" ] ; then
    "$PM_INSTALL" "$PACKAGE_FAIL2BAN" "$PM_INSTALL_ENDING_VARIABLES"
    fi
    if [ "$SSH_2FA" -eq "1" ] ; then
    "$PM_INSTALL" "$PACKAGE_LIBPAM_GOOGLE_AUTHENTICATOR" "$PM_INSTALL_ENDING_VARIABLES"
    fi
fi

if [ "$PXE_SERVER" -eq "2" ]; then
    "$PM_INSTALL" "$PACKAGE_TFTPD" "$PACKAGE_APACHE" "$PM_INSTALL_ENDING_VARIABLES"

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' '$PACKAGE_TFTPD' 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    TFTPDHPA_INSTALLATION_STATUS=0
    echo "The '$PACKAGE_TFTPD'-package is succesfully installed!"
    else
    TFTPDHPA_INSTALLATION_STATUS=1
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_TFTPD'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' "$PACKAGE_APACHE" 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    TFTPDHPA_INSTALLATION_STATUS=0
    echo "The '$PACKAGE_APACHE'-package is succesfully installed!"
    else
    TFTPDHPA_INSTALLATION_STATUS=1
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_APACHE'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi
fi

"$PM_INSTALL" "$PACKAGE_SAMBA" "$PACKAGE_NTP" "$PM_INSTALL_ENDING_VARIABLES"

if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_SAMBA 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    SAMBA_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_SAMBA'-package is succesfully installed!"
else
    SAMBA_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_SAMBA'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
fi
fi

if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_NTP 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    NTP_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_NTP'-package is succesfully installed!"
else
    NTP_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_NTP'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
fi
fi

#Won't have: Convert this to support other OS.
if [ "$WEBMIN" -eq "1" ] ; then
    apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
    cd /root || exit
    wget "http://prdownloads.sourceforge.net/webadmin/webmin_$(WEBMIN_VERSION)_all.deb"
    dpkg --install "webmin_$(WEBMIN_VERSION)_all.deb"
    rm "webmin_$(WEBMIN_VERSION)_all.deb"
    wget "http://www.webmin.com/jcameron-key.asc"
    apt-key add jcameron-key.asc
    sh -c "echo 'deb http://download.webmin.com/download/repository sarge contrib' >> /etc/apt/sources.list"
fi

AVDC_STEP=330; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=330/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 3.3.                Configure the timezone              #
###########################################################
if [[ $AVDC_STEP -eq 330 ]] ; then

timedatectl set-timezone $REGION/$TIMEZONE
timedatectl

AVDC_STEP=340; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=340/' /etc/avorix/avdc_install.sh
fi

###########################################################
# 3.4.            Configure the hosts file                #
###########################################################
if [[ $AVDC_STEP -eq 340 ]] ; then

mv "$PATH_FILE_HOSTS_CONF" "$PATH_FILE_HOSTS_CONF.original"

touch "$PATH_FILE_HOSTS_CONF"

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
ln -sf "$PATH_FILE_HOSTS_CONF" "$OR_PATH_FILE_HOSTS_CONF"
fi

cat <<EOT >> "$PATH_FILE_HOSTS_CONF"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

#Localhost
127.0.0.1     localhost localhost $DCNAME.$FQDN $DCNAME
::1           localhost ip6-localhost ip6-loopback ip6-$DCNAME.$FQDN ip6-$DCNAME

#Might not be needed.
ff02::1       ip6-allnodes
ff02::2       ip6-allrouters
EOT

AVDC_STEP=350; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=350/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 3.5.                 Change the hostname                #
###########################################################
if [[ $AVDC_STEP -eq 350 ]] ; then

#Change the hostname and backup the original.
mv "$PATH_FILE_HOSTNAME_CONF" "$PATH_FILE_HOSTNAME_CONF.original"

touch "$PATH_FILE_HOSTNAME_CONF"

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
ln -sf "$PATH_FILE_HOSTNAME_CONF" "$OR_PATH_FILE_HOSTNAME_CONF"
fi

cat <<EOT >> "$PATH_FILE_HOSTNAME_CONF"
$DCNAME.$FQDN
EOT

#Make the hostname for the current session active.
hostname $DCNAME.$FQDN

AVDC_STEP=360; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=360/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 3.6.         Configure a static IP-address              #
###########################################################
if [[ $AVDC_STEP -eq 360 ]] ; then

#Change the IP-address to static.
#First create a backup.
mv "$PATH_FILE_DHCPCD_CONF" "$PATH_FILE_DHCPCD_CONF.original"
#Create an empty file.

touch "$PATH_FILE_DHCPCD_CONF"
#Link that file to the file that wil be used by DHCPCD.
if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
ln -sf "$PATH_FILE_DHCPCD_CONF" "$OR_PATH_FILE_DHCPCD_CONF"
fi

cat <<EOT >> "$PATH_FILE_DHCPCD_CONF"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION.
# Generated on $(date)
#

# See dhcpcd.conf(5) for details.

# Allow users of this group to interact with dhcpcd via the control socket.
#controlgroup wheel

# Inform the DHCP server of our hostname for DDNS.
hostname

# Use the hardware address of the interface for the Client ID.
clientid
# or
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
#duid

# Persist interface configuration when dhcpcd exits.
persistent

# Rapid commit support.
# Safe to enable by default because it requires the equivalent option set
# on the server to actually work.
option rapid_commit

# A list of options to request from the DHCP server.
option domain_name_servers, domain_name, domain_search, host_name
option classless_static_routes
# Most distributions have NTP support.
option ntp_servers
# Respect the network MTU.
# Some interface drivers reset when changing the MTU so disabled by default.
#option interface_mtu

# A ServerID is required by RFC2131.
require dhcp_server_identifier

# Generate Stable Private IPv6 Addresses instead of hardware based ones
slaac private

# A hook script is provided to lookup the hostname if not set by the DHCP
# server, but it should not be run by default.
nohook lookup-hostname

interface eth0
static ip_address=$IP_ADDRESS/$SUBNETMASKBITS
static routers=$GATEWAY
static domain_name_servers=$DNSSERVER1, $DNSSERVER2
EOT

#After this step the user could lose internet connectivity.
ifconfig eth0 $IP_ADDRESS/$SUBNETMASKBITS
systemctl stop $DAEMON_DHCPCD
sleep 5s
systemctl start $DAEMON_DHCPCD
systemctl daemon-reload

#Check if the DHCPCD configuration passes DHCPCD's test.
if [ $(systemctl is-active $DAEMON_DHCPCD) = "active" ] ; then
    DHCPCD_SERVICE_STATUS=1
    systemctl enable $DAEMON_DHCPCD
else
    DHCPCD_SERVICE_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - Your Network (DHCPCD) settings are incorrect."
    echo ""
    echo "Solution:"
    echo " - Make sure that the settings abide to:"
    echo "  - Not containing any illegal characters!"
    echo "  - Correct IP-addresses."
    echo "  - Correct Subnetmaskbits: Calculate one at: http://jodies.de/ipcalc"
    echo "  - Check: systemctl $DAEMON_DHCPCD status -l, for more details."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
fi

AVDC_STEP=370; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=370/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 3.7.          Configure the NTP-server                  #
###########################################################
if [[ $AVDC_STEP -eq 370 ]] ; then

#If function FIREWALL is enabled then allow NTP to send and recieve over the network.
if [ "$FIREWALL" -eq "1" ]; then
    firewall-cmd --permanent --zone=public --add-port=123/udp
fi

mv "$PATH_FILE_NTP_CONF" "$PATH_FILE_NTP_CONF.original"

touch "$PATH_FILE_NTP_CONF"

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
ln -sf "$PATH_FILE_NTP_CONF" "$OR_PATH_FILE_NTP_CONF"
fi

cat <<EOT >> "$PATH_FILE_NTP_CONF"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
server $NTPSERVER1     iburst prefer
server $NTPSERVER2     iburst prefer
server $NTPSERVER3     iburst prefer
EOT

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FILE_NTP_CONF"

driftfile       $PATH_FILE_NTP_DRIFT
logfile         $PATH_FILE_NTP_LOG
ntpsigndsocket  $PATH_FILE_NTP_SOCKET
EOT

else
cat <<EOT >> "$PATH_FILE_NTP_CONF"

driftfile       $PATH_FILE_NTP_DRIFT
logfile         $PATH_FILE_NTP_LOG
ntpsigndsocket  $PATH_FILE_NTP_SOCKET
EOT

fi

cat <<EOT >> "$PATH_FILE_NTP_CONF"

# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp

# No restrictions for "localhost"
restrict 127.0.0.1

# Enable the time sources to only provide time to this host
restrict $NTPSERVER1   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict $NTPSERVER2   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict $NTPSERVER3   mask 255.255.255.255    nomodify notrap nopeer noquery
EOT

systemctl stop $DAEMON_NTP
sleep 5s
systemctl start $DAEMON_NTP

#Check if the NTP configuration passes NTP's test.
if [ "$SKIP_SERVICES_CHECK" -eq "0" ] ; then
if [ "$(systemctl is-active $DAEMON_NTP)" = "active" ] ; then
    NTP_SERVICE_STATUS=1
    systemctl enable $DAEMON_NTP
else
    NTP_SERVICE_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - Your Time (NTP) settings are incorrect."
    echo ""
    echo "Solution:"
    echo " - Make sure that the settings abide to:"
    echo "  - Not containing any illegal characters!"
    echo "  - Containing a correct Timezone/Region:"
    echo "    Display all Timezones using: ls /usr/share/zoneinfo"
    echo "    Display all Regions within a timezone using:"
    echo "     ls /usr/share/zoneinfo/Your_timezone/"
    echo ""
    echo "  - Check: systemctl $DAEMON_NTP status -l, for more details."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
fi
fi

AVDC_STEP=380; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=380/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 3.8.       Configure the Domain Controller              #
###########################################################
if [[ $AVDC_STEP -eq 380 ]] ; then

if [ "$FIREWALL" -eq "1" ] ; then
    #SAMBA: DNS
    firewall-cmd --permanent --zone=public --add-port=53/tcp
    firewall-cmd --permanent --zone=public --add-port=53/udp

    #SAMBA: Kerberos
    firewall-cmd --permanent --zone=public --add-port=88/tcp
    firewall-cmd --permanent --zone=public --add-port=88/udp

    #SAMBA: End Point Mapper (DCE\RPC Locator Service)
    firewall-cmd --permanent --zone=public --add-port=135/tcp

    #SAMBA: NetBIOS Name Service
    firewall-cmd --permanent --zone=public --add-port=137/udp

    #SAMBA: NetBIOS Datagram
    firewall-cmd --permanent --zone=public --add-port=138/udp

    #SAMBA: NetBIOS Session
    firewall-cmd --permanent --zone=public --add-port=139/udp

    #SAMBA: LDAP
    firewall-cmd --permanent --zone=public --add-port=389/tcp
    firewall-cmd --permanent --zone=public --add-port=389/udp
    #firewall-cmd --permanent --zone=public --add-port=636/tcp #For TLS-encryption

    #SAMBA: SMB over TCP
    firewall-cmd --permanent --zone=public --add-port=445/tcp

    #SAMBA: Kerberos kpasswd
    firewall-cmd --permanent --zone=public --add-port=464/tcp
    firewall-cmd --permanent --zone=public --add-port=464/udp

    #SAMBA: Global Catalog
    firewall-cmd --permanent --zone=public --add-port=3268/tcp
    #firewall-cmd --permanent --zone=public --add-port=3269/tcp #For TLS-encryption

    #SAMBA: Dynamic RPC Ports
    firewall-cmd --permanent --add-port=1024-5000/tcp
    firewall-cmd --permanent --add-port=1024-5000/udp
fi

#Linking the configs to the USB and creating the DC.
mv "$PATH_FILE_SAMBA_CONF" "$PATH_FILE_SAMBA_CONF.original"

if [ "$JOIN_A_DOMAIN" -eq "1" ] ; then

    mv "$PATH_FILE_SAMBA_CONF" "$PATH_FILE_SAMBA_CONF.before_provision"

    samba-tool domain join $FQDN DC -U "$NBIOS\administrator" --dns-backend=SAMBA_INTERNAL

    cp "$PATH_FILE_KRB5_CONF_EXAMPLE" "$PATH_FILE_KRB5_CONF"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_SAMBA_CONF" "$OR_PATH_FILE_SAMBA_CONF"
    ln -sf "$PATH_FILE_KRB5_CONF" "$OR_PATH_FILE_KRB5_CONF"
    fi

cat <<EOT >> "$PATH_FILE_KRB5_CONF"

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = $FQDN

EOT

else

    mv "$PATH_FILE_SAMBA_CONF" "$PATH_FILE_SAMBA_CONF.before_provision"

    samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=$FQDN --domain=$NBIOS --host-name=$DCNAME --adminpass="$ADMINPWD" --host-ip=$IP_ADDRESS

    cp "$PATH_FILE_KRB5_CONF_EXAMPLE" "$PATH_FILE_KRB5_CONF"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_SAMBA_CONF" "$OR_PATH_FILE_SAMBA_CONF"
    ln -sf "$PATH_FILE_KRB5_CONF" "$OR_PATH_FILE_KRB5_CONF"
    fi

cat <<'EOT' >> "$PATH_FILE_SAMBA_CONF"

[users]
       path = $LOCATION_OF_IMPORTANT_FILES/SAMBA/Shares/Users

       read only = no
EOT

fi

if [ "$PXE_SERVER" -eq "2" ] ; then
cat <<EOT >> "$PATH_FILE_SAMBA_CONF"

[wininstall]
    comment = Windows Installers
EOT
fi

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FILE_SAMBA_CONF"
    path = $PATH_FOLDER_SAMBA_SETUP
EOT

else
cat <<EOT >> "$PATH_FILE_SAMBA_CONF"
    path = $PATH_FOLDER_SAMBA_SETUP
EOT

fi

cat <<EOT >> "$PATH_FILE_SAMBA_CONF"
    guest ok = yes
    writable = no
    browsable = yes
EOT

fi

#Not neccesary. All these daemons are combined in later versions in 1 specialized daemon for Samba Active Directory.
#systemctl stop $DAEMON_SMBD
#sleep 5s
#systemctl start $DAEMON_SMBD
#sleep 1s
#systemctl stop $DAEMON_NMBD
#sleep 5s
#systemctl start $DAEMON_NMBD
#sleep 1s

if [ "$REORDER_AVAHI_DNS" -eq "1" ] ; then
    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    sed -i -e 's#TFTP_DIRECTORY="/srv/tftp"#TFTP_DIRECTORY="$PXE_TFTP_ROOT"#g' "$PATH_FILE_AVAHI_CONF"
    else
    sed -i -e "s#TFTP_DIRECTORY="/srv/tftp"#TFTP_DIRECTORY="$PXE_TFTP_ROOT"#g" "$PATH_FILE_AVAHI_CONF"

fi

systemctl unmask "$DAEMON_SAMBA_AD_DC"
systemctl start "$DAEMON_SAMBA_AD_DC"

#Check if the SAMBA configuration passes SAMBA's test.
if [ "$SKIP_SERVICES_CHECK" -eq "0" ] ; then
if [ "$(systemctl is-active $DAEMON_NMBD)" = "active" ] ; then
    SAMBA_SERVICE_STATUS=1
#   systemctl enable $DAEMON_SMBD
#   systemctl enable $DAEMON_NMBD
    systemctl enable "$DAEMON_SAMBA_AD_DC"
else
    SAMBA_SERVICE_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - Your SAMBA settings are incorrect."
    echo ""
    echo "Solution:"
    echo " - Make sure that the settings abide to:"
    echo "  - Not containing any illegal characters!"
    echo "  - Containing a correct FQDN, NetBiosname and DCName."
#   echo "  - Check: systemctl $DAEMON_SMBD status -l, for more details."
#   echo "  - Check: systemctl $DAEMON_NMBD status -l, for more details."
    echo "  - Check: systemctl $DAEMON_SAMBA_AD_DC status -l, for more details."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
fi
fi
AVDC_STEP=410; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=410/' /etc/avorix/avdc_install.sh
fi


###########################################################
#                                                         #
# 4.                The fase of adaption                  #
#                                                         #
###########################################################

###########################################################
# 4.1. (Optional)          Configure SSH                  #
###########################################################
if [[ $AVDC_STEP -eq 410 ]] ; then

#SSH allows us to remotely open a terminal shell.
#Within a terminal shell we are able to completely modify the system.
#But if you are only in to modifying Active Directory just install the RSAT-tools, you won't need SSH.

if [ "$SSH_SERVER" -eq "1" ] ; then
    #If the SSH user needs SSH access, create the SSH group and the SSH user.
    if [ "$SSH_USER_SUDO" -eq "1" ] ; then
    groupadd ssh
    echo '%ssh  ALL=(ALL:ALL) ALL' >> "$PATH_FILE_SUDO_CONF"
    useradd $SSH_USER -p "$SSH_USER_PASSWORD" -d "/home/$SSH_USER" -g ssh -g sudo -m
    else
    groupadd ssh
    mkdir /home/$SSH_USER
    useradd $SSH_USER -p "$SSH_USER_PASSWORD" -d "/home/$SSH_USER" -g ssh -m
    fi

    if [ "$FIREWALL" -eq "1" ] ; then
    if [ "$SSH_PORTKNOCKING" -eq "1" ] ; then
    #cp "$PATH_FILE_KNOCKD_CONF" "$LOCATION_OF_IMPORTANT_FILES/KNOCKD/Configuration"

    mv "$PATH_FILE_KNOCKD_CONF" "$PATH_FILE_KNOCKD_CONF.original"
    mv "$PATH_FILE_KNOCKD_DEFAULT" "$PATH_FILE_KNOCKD_DEFAULT.original"

    touch "$PATH_FILE_KNOCKD_CONF"
    touch "$PATH_FILE_KNOCKD_DEFAULT"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_KNOCKD_CONF" "$OR_PATH_FILE_KNOCKD_CONF"
    ln -sf "$PATH_FILE_KNOCKD_DEFAULT" "$OR_PATH_FILE_KNOCKD_DEFAULT"
    fi

cat <<EOT >> "$PATH_FILE_KNOCKD_CONF"

# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

[options]
EOT

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FILE_KNOCKD_CONF"
    logfile = $PATH_FILE_KNOCKD_LOG
EOT

    else
cat <<EOT >> "$PATH_FILE_KNOCKD_CONF"
    logfile = $PATH_FILE_KNOCKD_LOG
EOT

    fi

cat <<EOT >> "$PATH_FILE_KNOCKD_CONF"

[openSSH]
    sequence    = $SSH_PORTKNOCKING_OPEN_SEQ1,$SSH_PORTKNOCKING_OPEN_SEQ2,$SSH_PORTKNOCKING_OPEN_SEQ3
    seq_timeout = 10
    command     = /usr/sbin/firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="%IP%" port protocol="tcp" port="$SSH_PORT" accept'
    tcpflags    = syn

[closeSSH]
    sequence    = $SSH_PORTKNOCKING_CLOSE_SEQ1,$SSH_PORTKNOCKING_CLOSE_SEQ1,$SSH_PORTKNOCKING_CLOSE_SEQ1
    seq_timeout = 10
    command     = /usr/sbin/firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="%IP%" port protocol="tcp" port="$SSH_PORT" accept'
    tcpflags    = syn
EOT

    sed -i -e 's/START_KNOCKD=0/START_KNOCKD=1/g' "$PATH_FILE_KNOCKD_CONF"

    systemctl start $DAEMON_KNOCKD
    systemctl enable $DAEMON_KNOCKD
    firewall-cmd --permanent --zone=public --add-port=$SSH_PORT/tcp
    fi

    if [ "$SSH_FAIL2BAN" -eq "2" ] ; then
    mv "$PATH_FILE_FAIL2BAN_JAIL" "$PATH_FILE_FAIL2BAN_JAIL.original"
    touch "$PATH_FILE_FAIL2BAN_JAIL"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_FAIL2BAN_JAIL" "$OR_PATH_FILE_FAIL2BAN_JAIL"
    fi

cat <<EOT >> "$PATH_FILE_FAIL2BAN_JAIL"

# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

[ssh]

enabled = true
port = $SSH_PORT
filter = sshd
EOT

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FILE_FAIL2BAN_JAIL"
logpath = $LOCATION_OF_IMPORTANT_FILES/FAIL2BAN/Logs/auth.log
EOT

    else
cat <<EOT >> "$PATH_FILE_FAIL2BAN_JAIL"
logpath = $LOCATION_OF_IMPORTANT_FILES/FAIL2BAN/Logs/auth.log
EOT

    fi
cat <<EOT >> "$PATH_FILE_FAIL2BAN_JAIL"

bantime = $SSH_FAIL2BAN_BANTIME
banaction = iptables-allports
findtime = $SSH_FAIL2BAN_FINDTIME
maxretry = $SSH_FAIL2BAN_MAXRETRY
EOT

    systemctl start $DAEMON_FAIL2BAN
    systemctl enable $DAEMON_FAIL2BAN
    fi

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    mv "$OR_PATH_FOLDER_SSH_KEYS/ssh_host_*" "$PATH_FOLDER_SSH_KEYS/"
    fi

    mv "$PATH_FILE_SSH_CONF" "$PATH_FILE_SSH_CONF.original"
    touch "$PATH_FILE_SSH_CONF"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_SSH_CONF" "$OR_PATH_FILE_SSH_CONF"
    fi

cat <<EOT >> "$PATH_FILE_SSH_CONF"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port $SSH_PORT
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
EOT

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FILE_SSH_CONF"
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_rsa_key
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_dsa_key
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_ecdsa_key
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_ed25519_key
EOT

    else
cat <<EOT >> "$PATH_FILE_SSH_CONF"
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_rsa_key
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_dsa_key
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_ecdsa_key
HostKey $PATH_FOLDER_SSH_KEYS/ssh_host_ed25519_key
EOT

    fi

cat <<EOT >> "$PATH_FILE_SSH_CONF"
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
EOT


    if [ "$SSH_2FA" -eq "1" ] ; then
    if [ "$SSH_2FA_FORCE" -eq "1" ] ; then
    sed -i '1s/^/auth   required   pam_google_authenticator.so\n/' "$PATH_FILE_PAMD_SSHD"
    else
    sed -i '1s/^/auth   required   pam_google_authenticator.so   nullok\n/' "$PATH_FILE_PAMD_SSHD"
    fi

cat <<EOT >> "$PATH_FILE_SSH_CONF"
ChallengeResponseAuthentication yes
EOT

cat <<EOT >> "/etc/avorix/avdc_generate_2fa.sh"
pause_with_msg(){
    read -r -p "Press [Enter] to continue..." fackEnterKey
}

google-authenticator -t --qr-mode=utf8
google-authenticator --emergency-codes=5 > $LOCATION_OF_IMPORTANT_FILES/Google_Authenticator_Emergency_Codes_$USER.txt
pause_with_msg
EOT

chmod +x /etc/avorix/avdc_generate_2fa.sh
sed -i '//etc/avorix/avdc_generate_2fa.sh/d' "/$SSH_USER/.bashrc"

    else
cat <<EOT >> "$PATH_FILE_SSH_CONF"
ChallengeResponseAuthentication no
EOT

    fi

cat <<EOT >> "$PATH_FILE_SSH_CONF"

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60

EOT

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FILE_SSH_CONF"
Banner $PATH_FILE_ISSUENET
EOT

    else
cat <<EOT >> "$PATH_FILE_SSH_CONF"
Banner $PATH_FILE_ISSUENET
EOT

    fi

cat <<EOT >> "$PATH_FILE_SSH_CONF"
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# Automaticly kick the user after 5 minutes of inactivity.
# ClientAliveInterval 300
# ClientAliveCountMax 0

# Only allow users that are in the SSH-group.
# AllowGroups ssh
EOT

systemctl stop $DAEMON_SSH
sleep 5s
systemctl start $DAEMON_SSH

#Check if the SSH configuration passes SSH's test.
    if [ "$SKIP_SERVICES_CHECK" -eq "0" ] ; then
    if [ "$(systemctl is-active $DAEMON_SSH)" = "active" ] ; then
    SSH_SERVICE_STATUS=1
    systemctl enable $DAEMON_SSH
    else
    SSH_SERVICE_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - Your SSH settings are incorrect."
    echo ""
    echo "Solution:"
    echo " - Make sure that the settings abide to:"
    echo "  - Not containing any illegal characters!"
    echo "  - Containing a correct portnumber."
    echo "  - Check: systemctl $DAEMON_SSH status -l, for more details."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi
fi
fi
AVDC_STEP=420; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=420/' /etc/avorix/avdc_install.sh
fi


###########################################################
# 4.2.     (Optional) Configure the DHCP server           #
###########################################################
if [[ $AVDC_STEP -eq 420 ]] ; then

#In some situations and environments you do not want to have an additional DHCP-server.
#As there can only be 1 DHCP-server in a network. Having multiple will cause network failure.
#But to make the Domain Controller reachable you will need to let the DHCP-server instruct the devices on the network
#to use the DNS, NTP and the NetBIOS server of the Domain Controller.
if [ "$DHCP_SERVER" -eq "1" ] && [ "$FIREWALL" -eq "1" ] ; then
    firewall-cmd --permanent --zone=public --add-port=67/udp
fi

if [ "$DHCP_SERVER" -eq "1" ] ; then
    mv "$PATH_FILE_DHCPD_CONF" "$PATH_FILE_DHCPD_CONF.original"
    touch "$PATH_FILE_DHCPD_CONF"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_DHCPD_CONF" "$OR_PATH_FILE_DHCPD_CONF"
    fi

cat <<EOT >> "$PATH_FILE_DHCPD_CONF"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)

EOT

    if [ "$PXE_SERVER" -eq "2" ] ; then
cat <<EOT >> "$PATH_FILE_DHCPD_CONF"
  option space ipxe;
  option ipxe-encap-opts code 175 = encapsulate ipxe;
  option ipxe.priority code 1 = signed integer 8;
  option ipxe.keep-san code 8 = unsigned integer 8;
  option ipxe.skip-san-boot code 9 = unsigned integer 8;
  option ipxe.syslogs code 85 = string;
  option ipxe.cert code 91 = string;
  option ipxe.privkey code 92 = string;
  option ipxe.crosscert code 93 = string;
  option ipxe.no-pxedhcp code 176 = unsigned integer 8;
  option ipxe.bus-id code 177 = string;
  option ipxe.bios-drive code 189 = unsigned integer 8;
  option ipxe.username code 190 = string;
  option ipxe.password code 191 = string;
  option ipxe.reverse-username code 192 = string;
  option ipxe.reverse-password code 193 = string;
  option ipxe.version code 235 = string;
  option iscsi-initiator-iqn code 203 = string;

  # Feature indicators
  option ipxe.pxeext code 16 = unsigned integer 8;
  option ipxe.iscsi code 17 = unsigned integer 8;
  option ipxe.aoe code 18 = unsigned integer 8;
  option ipxe.http code 19 = unsigned integer 8;
  option ipxe.https code 20 = unsigned integer 8;
  option ipxe.tftp code 21 = unsigned integer 8;
  option ipxe.ftp code 22 = unsigned integer 8;
  option ipxe.dns code 23 = unsigned integer 8;
  option ipxe.bzimage code 24 = unsigned integer 8;
  option ipxe.multiboot code 25 = unsigned integer 8;
  option ipxe.slam code 26 = unsigned integer 8;
  option ipxe.srp code 27 = unsigned integer 8;
  option ipxe.nbi code 32 = unsigned integer 8;
  option ipxe.pxe code 33 = unsigned integer 8;
  option ipxe.elf code 34 = unsigned integer 8;
  option ipxe.comboot code 35 = unsigned integer 8;
  option ipxe.efi code 36 = unsigned integer 8;
  option ipxe.fcoe code 37 = unsigned integer 8;
  option ipxe.vlan code 38 = unsigned integer 8;
  option ipxe.menu code 39 = unsigned integer 8;
  option ipxe.sdi code 40 = unsigned integer 8;
  option ipxe.nfs code 41 = unsigned integer 8;
  option ipxe.no-pxedhcp 1;

EOT

cat <<EOT >> "$PATH_FILE_DHCPD_CONF"
autorative;

subnet $DHCP_SUBNET netmask $DHCP_SUBNETMASK {
  max-lease-time $DHCP_MAX_LEASE_TIME; # 30 minutes
  range $DHCP_FIRST_IP_ADDRESS $DHCP_LAST_IP_ADDRESS;
  option subnet-mask $DHCP_SUBNETMASK;
  option broadcast-address $BROADCASTADDRESS;
  option time-offset 0;
  option routers $DHCP_GATEWAY;
  option domain-name "$FQDN";
  option domain-name-servers $DHCP_DNSSERVER1, $DHCP_DNSSERVER2;
  option netbios-name-servers $DHCP_NETBIOSSERVER;
  option ntp-servers $DHCP_NTPSERVER1, $DHCP_NTPSERVER2;
EOT

    #Had to split these up as Cat doesn't like some characters.
cat <<EOT >> "$PATH_FILE_DHCPD_CONF"
  next-server $IP_ADDRESS;
EOT

cat <<'EOT' >> "$PATH_FILE_DHCPD_CONF"
  option client-arch code 93 = unsigned integer 16;
  if option client-arch != 0 {
     filename "ipxe.efi";
  } else {
     filename "undionly.kpxe";
  }

  if exists user-class and option user-class = "iPXE" {
EOT

cat <<EOT >> "$PATH_FILE_DHCPD_CONF"
    filename = "http://$IP_ADDRESS/boot.ipxe";
EOT

cat <<'EOT' >> "$PATH_FILE_DHCPD_CONF"
  } else {
    filename = "undionly.kpxe";
  }
EOT

cat <<EOT >> "$PATH_FILE_DHCPD_CONF"
}
EOT

cat <<'EOT' >> "$PXE_TFTP_ROOT/boot.ipxe"
  #!ipxe

  cpuid --ext 29 && set arch amd64 || set arch x86
  kernel wimboot
  initrd ${arch}/media/Boot/BCD                     BCD
  initrd ${arch}/media/Boot/boot.sdi                boot.sdi
  initrd ${arch}/media/sources/boot.wim             boot.wim
  boot
EOT

    fi

    systemctl stop $DAEMON_DHCPD
    sleep 5s
    systemctl start $DAEMON_DHCPD

#Check if the ISC-DHCP-Server configuration passes ISC-DHCP-Server's test.
    if [ "$SKIP_SERVICES_CHECK" -eq "0" ] ; then
    if [ "$(systemctl is-active $DAEMON_DHCPD)" = "active" ] ; then
    DHCPD_SERVICE_STATUS=1
    systemctl enable $DAEMON_DHCPD
    else
    DHCPD_SERVICE_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - Your DHCP settings are incorrect."
    echo ""
    echo "Solution:"
    echo " - Make sure that the settings abide to:"
    echo "  - Not containing any illegal characters!"
    echo "  - Containing a correct FQDN, NetBiosname and DCName."
    echo "  - Check: systemctl $DAEMON_DHCPD status -l, for more details."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi
    fi
AVDC_STEP=430; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=430/' "/etc/avorix/avdc_install.sh"
fi


###########################################################
# 4.3.       (Optional) Configure the PXE-server          #
###########################################################
if [[ $AVDC_STEP -eq 430 ]] ; then

if [ "$PXE_SERVER" -eq "1" ] ; then
    if [ "$FIREWALL" -eq "1" ]; then
    firewall-cmd --permanent --zone=public --add-port=69/udp
    firewall-cmd --permanent --zone=public --add-port=80/udp
    fi

    if [ "$SKIP_INSTALLATION_CHECK" -eq "0" ] ; then
    if [ "$(dpkg-query -W -f='${Status}' $PACKAGE_TFTPD 2>/dev/null | grep -c "ok installed")" -eq 0 ] ; then
    SSH_INSTALLATION_STATUS=1
    echo "The '$PACKAGE_TFTPD'-package is succesfully installed!"
    else
    SSH_INSTALLATION_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - The '$PACKAGE_TFTPD'-package could not be installed."
    echo ""
    echo "Solution:"
    echo " - Make sure that:"
    echo "  - You have a stable internet connection!"
    echo "  - Install it manually."
    echo "  - Skip this part."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi

    curl http://boot.ipxe.org/undionly.kpxe -o "$PXE_TFTP_ROOT/undionly.kpxe"
    curl http://boot.ipxe.org/ipxe.efi -o "$PXE_TFTP_ROOT/ipxe.efi"
    mkdir /avorix_temp/dc -f
    curl http://git.ipxe.org/releases/wimboot/wimboot-latest.tar.gz /avorix-temp/dc/wimboot-latest.tar.gz
    tar xvf wimboot-latest.tar.gz -C /avorix-temp/dc/wimboot
    find /avorix-temp/dc/wimboot -name 'wimboot' -exec cp {} "$PXE_HTTP_ROOT/"  \;
    rm -Rf /avorix-temp

    touch "$PXE_TFTP_ROOT/boot.ipxe"

    systemctl start $DAEMON_TFTPD
    sleep 5s
    systemctl stop $DAEMON_TFTPD

    mv "$PATH_FILE_TFTPD_CONF" "$PATH_FILE_TFTPD_CONF.original"
    touch "$PATH_FILE_TFTPD_CONF"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$LOCATION_OF_IMPORTANT_FILES/PXE/Configuration/tftpd-hpa.conf" "$PATH_FILE_TFTPD_CONF"
    fi

# Uses # as a delimiter.
    sed -i -e 's#TFTP_DIRECTORY="/srv/tftp"#TFTP_DIRECTORY="$PXE_TFTP_ROOT"#g' "$PATH_FILE_TFTPD_CONF"
    systemctl start $DAEMON_TFTPD
    systemctl enable $DAEMON_TFTPD

    touch "$PATH_FOLDER_APACHE_SITES_ENABLED/Apache_iPXE.conf"

cat <<EOT >> "$PATH_FOLDER_APACHE_SITES_ENABLED/Apache_iPXE.conf"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION.
# Generated on $(date)

    <VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerSignature Off
    ServerTokens Prod
    FileETag None

    <Directory />
    Options None
    Order allow,deny
    Allow from all
    </Directory>

    ServerAdmin webmaster@localhost
EOT

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FOLDER_APACHE_SITES_ENABLED/Apache_iPXE.conf"
    DocumentRoot $PXE_HTTP_ROOT
EOT

    else
cat <<EOT >> "$PATH_FOLDER_APACHE_SITES_ENABLED/Apache_iPXE.conf"
    DocumentRoot $PXE_HTTP_ROOT
EOT

    fi

    cat <<EOT >> "$PATH_FOLDER_APACHE_SITES_ENABLED/Apache_iPXE.conf"
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    </VirtualHost>
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOT

    systemctl start $DAEMON_APACHE
    systemctl enable $DAEMON_APACHE
fi

AVDC_STEP=440; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=440/' "/etc/avorix/avdc_install.sh"
fi


###########################################################
# 4.4.          (Optional) Configure SELinux              #
###########################################################
if [[ $AVDC_STEP -eq 440 ]] ; then
#SELinux is a security module for the Linux kernel.
#It allows us to create security policy for each process.
#The policies include: Allowing files to be accessed, Allowing services to be run.

if [ "$SELINUX" -eq "1" ] ; then
    #Creates a script that wil check the next day which permissions NTP, SAMBA and DHCP need.
    touch "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"

cat <<EOT >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
#!/bin/bash
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

EOT

if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
grep samba "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/samba"
grep smbd "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/smbd"
grep nmbd "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/nmbd"
grep samba-ad-dc "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/samba-ad-dc"
grep ntp "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/ntp"
EOT

else
cat <<EOT >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
grep samba "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/samba"
grep smbd "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/smbd"
grep nmbd "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/nmbd"
grep samba-ad-dc "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/samba-ad-dc"
grep ntp "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/ntp"
EOT

fi

    if [ "$DHCP_SERVER" -eq "1" ] ; then
    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
grep dhcp "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/dhcp"
EOT

    else
cat <<EOT >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
grep dhcp "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/dhcp"
EOT

    fi
    if [ "$PXE_SERVER" -eq "1" ] ; then
    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
grep tftpd "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/tftpd"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/tftpd"
EOT

    else
cat <<EOT >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
grep tftpd "$PATH_FILE_AUDIT_LOG" | audit2allow -M "$PATH_FOLDER_SELINUX_POLICY/tftpd"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/tftpd"
EOT

    fi
    fi
    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/dhcp"
EOT

    else
cat <<EOT >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/dhcp"
EOT

    fi
    fi

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
cat <<'EOT' >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/samba"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/smbd"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/nmbd"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/samba-ad-dc"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/ntp"

mv -Rf "$PATH_FILE_SELINUX_CONF_REPLACER" "$PATH_FILE_SELINUX_CONF"
rm -Rf "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
EOT

    else
cat <<EOT >> "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/samba"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/smbd"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/nmbd"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/samba-ad-dc"
semodule -i "$PATH_FOLDER_SELINUX_POLICY/ntp"

mv -Rf "$PATH_FILE_SELINUX_CONF_REPLACER" "$PATH_FILE_SELINUX_CONF"
rm -Rf "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"
EOT

    fi

    chmod +x "$PATH_FOLDER_CRON_DAILY/Configure-SELinux"

    #This file will be replaced with the original /etc/selinux/config once the above script is ran.
    touch "$PATH_FILE_SELINUX_CONF_REPLACER"

cat <<EOT >> "$PATH_FILE_SELINUX_CONF_REPLACER"
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforced
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=strict

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
EOT

fi

AVDC_STEP=450; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=450/' "/etc/avorix/avdc_install.sh"
fi

###########################################################
# 4.5.  (Optional) Configure automatic security updates   #
###########################################################
if [[ $AVDC_STEP -eq 450 ]] ; then

if [ "$AUTOMATIC_SECURITY_UPDATES" -eq "1" ]; then
    #Check daily for updates and install the security updates.

if [ "$CENTRALIZED_STORAGE" -eq "1" ]; then
cat <<'EOT' >> "$PATH_FOLDER_CRON_DAILY/Install-Security-Updates"
#!/bin/bash
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

echo "**************" >> "$LOCATION_OF_IMPORTANT_FILES/Logs/General/Security-Updates.log"
date >> "$LOCATION_OF_IMPORTANT_FILES/Logs/General/Security-Updates.log"
aptitude update >> "$LOCATION_OF_IMPORTANT_FILES/Logs/General/Security-Updates.log"
aptitude safe-upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release `lsb_release -cs`-security >> "$LOCATION_OF_IMPORTANT_FILES/General/Logs/Security-Updates.log"
echo "Security updates (if any) installed"
EOT


    else
cat <<EOT >> "$PATH_FOLDER_CRON_DAILY/Install-Security-Updates"
#!/bin/bash
# Generated by the Avorix Domain Controller install script $DC_SCRIPT_VERSION
# Generated on $(date)
#

echo "**************" >> "$LOCATION_OF_IMPORTANT_FILES/Logs/General/Security-Updates.log"
date >> "$LOCATION_OF_IMPORTANT_FILES/Logs/General/Security-Updates.log"
aptitude update >> "$LOCATION_OF_IMPORTANT_FILES/Logs/General/Security-Updates.log"
aptitude safe-upgrade -o Aptitude::Delete-Unused=false --assume-yes --target-release `lsb_release -cs`-security >> "$LOCATION_OF_IMPORTANT_FILES/Logs/General/Security-Updates.log"
echo "Security updates (if any) installed"
EOT

    fi
    chmod +x "$PATH_FOLDER_CRON_DAILY/Install-Security-Updates"
fi

AVDC_STEP=460; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=460/' "/etc/avorix/avdc_install.sh"
fi

###########################################################
# 4.6.      (Optional) Test & Enable the Firewall         #
###########################################################
if [[ $AVDC_STEP -eq 460 ]] ; then

if [ "$FIREWALL" -eq "1" ]; then
    systemctl stop $DAEMON_FIREWALLD
    sleep 5s
    systemctl start $DAEMON_FIREWALLD

    if [ "$SKIP_SERVICES_CHECK" -eq "0" ] ; then
    if [ "$(systemctl is-active $DAEMON_FIREWALLD)" = "active" ] ; then
    FIREWALL_SERVICE_STATUS=1
    systemctl enable $DAEMON_FIREWALLD
    else
    FIREWALL_SERVICE_STATUS=0
    setterm -term linux -back red -fore white
    echo "###########################################################"
    echo "# Error: Installation stopped!                            #"
    echo "###########################################################"
    echo "Reason:"
    echo " - Your port settings are incorrect."
    echo ""
    echo "Solution:"
    echo " - Make sure that the port numbers abide to:"
    echo "  - Not containing any illegal characters!"
    echo "  - Containing a port number between 1 - 65535."
    echo "  - Containing a port number that is not reserved."
    echo "  - Check: systemctl $DAEMON_FIREWALLD status -l, for more details."
    echo "###########################################################"
    pause_with_msg
    setterm -default
    exit
    fi
    fi
fi

AVDC_STEP=470; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=470/' "/etc/avorix/avdc_install.sh"
fi


###########################################################
# 4.7.               Configure a the backups              #
###########################################################
if [[ $AVDC_STEP -eq 470 ]] ; then

if [ "$BACKUP_DC" -eq "1" ] ; then
#Won't fix: Needs updating for other systems.
    crontab -l | { cat; echo "$BACKUP_DC_TIMING" /usr/sbin/samba_backup /usr/local/samba $BACKUP_DC_DESTINATION; } | crontab -
fi

if [ "$BACKUP_LOIP" -eq "1" ] && [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    crontab -l | { cat; echo "$BACKUP_LOIP_TIMING tar cjf $LOCATION_OF_IMPORTANT_FILES/* $BACKUP_LOIP_DESTINATION/loip_$(date +%d%m%y).tar.bz2 --exclude $BACKUP_LOIP_DESTINATION/*"; } | crontab -
fi

AVDC_STEP=480; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=480/' "/etc/avorix/avdc_install.sh"

fi


###########################################################
# 4.8.        Configure log in/out messages and EULA      #
###########################################################
if [[ $AVDC_STEP -eq 480 ]] ; then

if [ "$BRANDING" -eq "1" ] ; then
    #Will be displayed after a SSH user had logged in.

    mv "$PATH_FILE_ISSUE" "$PATH_FILE_ISSUE.original"
    touch "$PATH_FILE_ISSUE"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_ISSUE" "$OR_PATH_FILE_ISSUE"
    fi

cat <<EOT >> "$PATH_FILE_ISSUE"
                           _      _____   _____   __   ___
       /\                 (_)    |  __ \ / ____| /_ | / _ \
      /  \__   _____  _ __ ___  _| |  | | |       | || | | |
     / /\ \ \ / / _ \| '__| \ \/ / |  | | |       | || | | |
    / ____ \ V / (_) | |  | |>  <| |__| | |____   | || |_| |
   /_/    \_\_/ \___/|_|  |_/_/\_\_____/ \_____|  |_(_)___/

    For more: Github.com/RHeijmann/Avorix-Domain-Controller


 _____________________________________________________________
|
| ####          Version: $DC_SCRIPT_VERSION
| ####      Released at: $DC_RELEASE_DATE
|_____________________________________________________________
 _____________________________________________________________
|
| ####           Domain: $FQDN
| ####      Server name: $NBIOS
|_____________________________________________________________
 _____________________________________________________________
|
|  Current date: %d , %t
|_____________________________________________________________
 _____________________________________________________________
|#############################################################
| This private computer system is only for the use
| of authorized users. If you are not authorized by its owners
| you must log out immediately.
|#############################################################
|_____________________________________________________________
EOT


    #Will be displayed after a login using the interface.
    mv "$PATH_FILE_MOTD" "$PATH_FILE_MOTD.original"
    touch "$PATH_FILE_MOTD"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_MOTD" "$OR_PATH_FILE_MOTD"
    fi

cat <<EOT >> "$PATH_FILE_MOTD"
                           _      _____   _____   __   ___
       /\                 (_)    |  __ \ / ____| /_ | / _ \
      /  \__   _____  _ __ ___  _| |  | | |       | || | | |
     / /\ \ \ / / _ \| '__| \ \/ / |  | | |       | || | | |
    / ____ \ V / (_) | |  | |>  <| |__| | |____   | || |_| |
   /_/    \_\_/ \___/|_|  |_/_/\_\_____/ \_____|  |_(_)___/

    For more: Github.com/RHeijmann/Avorix-Domain-Controller


 _____________________________________________________________
|
| ####          Version: $DC_SCRIPT_VERSION
| ####      Released at: $DC_RELEASE_DATE
|_____________________________________________________________
 _____________________________________________________________
|
| ####           Domain: $FQDN
| ####      Server name: $NBIOS
|_____________________________________________________________
 _____________________________________________________________
|
|  Current date: %d , %t
|_____________________________________________________________
 _____________________________________________________________
|#############################################################
| This private computer system is only for the use
| of authorized users. If you are not authorized by its owners
| you must log out immediately.
|#############################################################
|_____________________________________________________________
EOT

    #Will be displayed after a SSH-authenticator has entered its loginname but still has to enter its password.
    mv "$PATH_FILE_ISSUENET" "$PATH_FILE_ISSUENET.original"
    touch "$PATH_FILE_ISSUENET"

    if [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    ln -sf "$PATH_FILE_ISSUENET" "$OR_PATH_FILE_ISSUENET"
    fi

cat <<EOT >> "$PATH_FILE_ISSUENET"
                           _      _____   _____   __   ___
       /\                 (_)    |  __ \ / ____| /_ | / _ \
      /  \__   _____  _ __ ___  _| |  | | |       | || | | |
     / /\ \ \ / / _ \| '__| \ \/ / |  | | |       | || | | |
    / ____ \ V / (_) | |  | |>  <| |__| | |____   | || |_| |
   /_/    \_\_/ \___/|_|  |_/_/\_\_____/ \_____|  |_(_)___/

    For more: Github.com/RHeijmann/Avorix-Domain-Controller
 _____________________________________________________________
|                                                             |
|                           -EULA-                            |
|_____________________________________________________________|
 _____________________________________________________________
|                            -EN-                             |
|_____________________________________________________________|
|                                                             |
|                                                             |
|     This private computer system is for the use             |
|     of authorized users only. Individuals using             |
|     this computer system without authority,                 |
|     or in excess of their authority,                        |
|     are subject to having all of their activities           |
|     on this system monitored and recorded                   |
|     by system personnel.                                    |
|                                                             |
|     Authority can be obtained only with a written           |
|     authorization of the owners or administrators           |
|     of this system.                                         |
|     Owning a login name does not give authority to          |
|     use this system.                                        |
|     The use of potential exploits in order                  |
|     to gain access to this system does not provide          |
|     authorization to the use of this system.                |
|                                                             |
|     In the course of monitoring individuals                 |
|     improperly using this system, or in the                 |
|     course of system maintenance, the activities            |
|     of authorized users may also be monitored.              |
|                                                             |
|     Anyone using this system expressly consents             |
|     to such monitoring and is advised that if               |
|     such monitoring reveals possible evidence               |
|     of criminal activity, system personnel                  |
|     may provide the evidence of such                        |
|     monitoring to law enforcement officials.                |
|                                                             |
|_____________________________________________________________|


                           _      _____   _____   __   ___
       /\                 (_)    |  __ \ / ____| /_ | / _ \
      /  \__   _____  _ __ ___  _| |  | | |       | || | | |
     / /\ \ \ / / _ \| '__| \ \/ / |  | | |       | || | | |
    / ____ \ V / (_) | |  | |>  <| |__| | |____   | || |_| |
   /_/    \_\_/ \___/|_|  |_/_/\_\_____/ \_____|  |_(_)___/

    For more: Github.com/RHeijmann/Avorix-Domain-Controller
 _____________________________________________________________
|                                                             |
| ####      BEFORE YOU AUTHENTICATE READ OUR EULA!       #### |
| ###                                                     ### |
| ####         Scroll upwards to read our EULA.          #### |
|_____________________________________________________________|

EOT

fi

AVDC_STEP=510; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=510/' "/etc/avorix/avdc_install.sh"
fi


###########################################################
#                                                         #
# 5.           The fase of finishing up                   #
#                                                         #
###########################################################

###########################################################
# 5.1.          Log the current installation              #
###########################################################
if [[ $AVDC_STEP -eq 510 ]] ; then

cat <<EOT >> "$LOCATION_OF_IMPORTANT_FILES/info.avdc"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#
#!!!!!!!!!!!!!!! Do not Remove This File !!!!!!!!!!!!!!!!!#
#!!!!! By deleting this file, the developers will not !!!!#
#!!!!!!!!!!!!!! be able to provide support! !!!!!!!!!!!!!!#
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#

###########################################################
# 1.                      General                         #
###########################################################
1. Script version: $DC_SCRIPT_VERSION ($DC_RELEASE_DATE)
2. Installation date: $(date)
3. Operating System: $(cat /etc/*-release)
4. Location of the important files: $LOCATION_OF_IMPORTANT_FILES
5. Timezone and Region: $TIMEZONE / $REGION
6. Correct Network settings: $(if [ "$DHCPCD_STATUS" -eq "1" ]; then echo "Yes"; else echo "No"; fi)


###########################################################
# 2.                      Modules                         #
###########################################################
1. DHCP: $(if [ "$DHCP_SERVER" -eq "1" ]; then echo "Yes"; else echo "No"; fi)
    - With: $(if [ "$PXE_SERVER" -eq "2" ]; then echo "PXE"; fi)
2. SSH: $(if [ "$SSH_SERVER" -eq "1" ]; then echo "Yes"; else echo "No"; fi)
    - With: $(if [ "$SSH_PORTKNOCKING" -eq "1" ]; then echo "Portknocking,"; fi) $(if [ "$SSH_FAIL2BAN" -eq "2" ]; then echo "Fail2Ban,"; fi) $(if [ "$SSH_2FA" -eq "1" ]; then echo "2-Factor-Authentication"; fi)


###########################################################
# 3.                Security Functions                    #
###########################################################
1. Automatic Security Updates: $(if [ "$AUTOMATIC_SECURITY_UPDATES" -eq "1" ]; then echo "Yes"; else echo "No"; fi)
2. Firewall: $(if [ "$FIREWALL" -eq "1" ]; then echo "Yes"; else echo "No"; fi)
3. SELinux: $(if [ "$SELINUX" -eq "1" ]; then echo "Yes"; else echo "No"; fi)


###########################################################
# 4.                  Network Settings                    #
###########################################################
1. IP-Address: $IP_ADDRESS
2. Subnetmaskbits: $SUBNETMASKBITS
3. Gateway: $GATEWAY


###########################################################
# 3.                 Installed packages                   #
###########################################################

#############
### SAMBA ###
#############

Installed correctly: $(if [ "$SAMBA_STATUS" -eq "1" ]; then echo "Yes"; else echo "No"; fi)

### Installation Settings ###
1. Fully Qualified Domain Name: $FQDN
2. NetBIOS name: $NBIOS
3. Name of the Domain Controller: $DCNAME

### Packages ###

SAMBA:
    $(dpkg -p PACKAGE_SAMBA)


#############
###  NTP  ###
#############

Installed correctly: $(if [ "$NTP_STATUS" -eq "1" ]; then echo "Yes"; else echo "No"; fi)

### Installation Settings ###
1. First External NTP-Server: $NTPSERVER1
2. Second External NTP-Server: $NTPSERVER2
3. Third External NTP-Server: $NTPSERVER3

### Packages ###
NTP:
    $(dpkg -p ntp)


#########################
### Security Functions ##
#########################

$(if [ "$FIREWALL" -eq "1" ] ; then
    echo "##############"
    echo "###Firewall###"
    echo "##############"
    echo "";
    echo "Installed correctly: $(if [ "$FIREWALL_STATUS" -eq "1" ]; then echo "Yes"; else echo "No"; fi)"
    echo "";
    echo "### Packages ###"
    echo "FirewallD:"
    echo "  $(dpkg -p $PACKAGE_FIREWALLD)"
fi)

$(if [ "$SELINUX" -eq "1" ] ; then
    echo "##############"
    echo "###SELinux ###"
    echo "##############"
    echo "";
    echo "### Packages ###"
    echo "SELinux-Basics"
    echo "  $(dpkg -p $PACKAGE_SELINUX)"
    echo "";
    echo "SELinux-Policy-Default"
    echo "  $(dpkg -p $PACKAGE_SELINUX_POLICY_DEFAULT)"
fi)

#########################
######## Modules ########
#########################

$(if [ "$DHCP_SERVER" -eq "1" ] ; then
    echo "##############"
    echo "###  DHCP  ###"
    echo "##############"
    echo ""
    echo "Installed correctly: $(if [ "$DHCPD_STATUS" -eq "1" ]; then echo "Yes"; else echo "No"; fi)"
    echo ""
    echo "### Installation Settings ###"
    echo "DHCP Subnet ID: $DHCP_SUBNET"
    echo "DHCP Subnetmask: $DHCP_SUBNETMASK"
    echo "DHCP Broadcastaddress: $DHCP_BROADCASTADDRESS"
    echo "DHCP Gateway: $DHCP_GATEWAY"
    echo "DHCP First DNS-Server: $DHCP_DNSSERVER1"
    echo "DHCP Second DNS-Server: $DHCP_DNSSERVER2"
    echo "DHCP NetBIOS-Server: $DHCP_NETBIOSSERVER"
    echo "DHCP First NTP-Server: $DHCP_NTPSERVER1"
    echo "DHCP Second NTP-Server: $DHCP_NTPSERVER2"
    echo "DHCP Maximum Lease Time: $DHCP_MAX_LEASE_TIME"
    echo "DHCP First IP-adres: $DHCP_FIRST_IP_ADDRESS"
    echo "DHCP Last IP-adres: $DHCP_LAST_IP_ADDRESS"
    echo ""
    echo "### Packages ###"
    echo "ISC-DHCP-Server"
    dpkg -p $PACKAGE_DHCPD
fi)

$(if [ "$PXE_SERVER" -eq "2" ] ; then
    echo "##############"
    echo "###  PXE   ###"
    echo "##############"
    echo "";
    echo "Installed correctly: $(if [ "$PXE_STATUS" -eq "1" ]; then echo "Yes"; else echo "No"; fi)"
    echo ""
    echo "### Installation Settings ###"
    echo "HTTP Folder: $PXE_HTTP"
    echo "TFTP Folder: $PXE_TFTP"
    echo ""
    echo "### Packages ###"
    echo "TFTPd:"
    echo "  $(dpkg -p $PACKAGE_TFTPD)"
    echo ""
    echo "Apache:"
    echo "  $(dpkg -p $PACKAGE_APACHE)"
fi)

EOT

AVDC_STEP=520; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=520/' "/etc/avorix/avdc_install.sh"
fi


###########################################################
# 5.2.       Display a summary of the installatioon       #
###########################################################
if [[ $AVDC_STEP -eq 520 ]] ; then

if [ "$SKIP_END_SUMMARY" -eq "0" ] ; then
    if [ "$DHCP_SERVER" -eq "0" ] ; then
    clear
    echo "To connect a computer follow these steps:"
    echo "1. Search and open as admin 'control.exe'"
    echo "   on a Windows client PC that is on the same network."
    pause_with_msg
    echo "2. Within this control panel click on 'Network and internet'."
    pause
    echo "3. Click on 'Networkcenter'."
    pause
    echo "4. Click on the blue text next to 'Connections:'."
    pause
    echo "5. Click on in the opened popup on the 'Properties'-button."
    pause
    echo "6. Click on the text 'Internet Protocol version 4 (TCP/IPv4)'."
    pause
    echo "7. Click on the 'Properties'-button.."
    pause
    echo "8. Click on the text 'Use the following IP address:'."
    pause
    echo "9. Use the following data to fill this form:'."
    echo "  - IP address: $IP_ADDRESS"
    echo "  - Subnet mask: $SUBNETMASK"
    echo "  - Default gateway: $GATEWAY"
    pause
    echo "10. Click on the text 'Use the following DNS server addresses:'"
    pause
    echo "11. Use the following data to fill the next part of the form:"
    echo "  - Preferred DNS server: $DNSSERVER1"
    echo "  - Preferred DNS server: $DNSSERVER2"
    pause
    echo " If you followed these steps correctly you are now able to"
    echo " connect to this server and if you have entered a correct"
    echo " gateway address you are now able to reach the Internet."
    fi

    echo ""
    echo "To connect a computer follow these steps:"
    echo "1. Search and open as admin 'SystemPropertiesComputerName.exe'"
    pause_with_msg
    echo "   on a Windows client PC that is on the same network."
    pause
    echo "2. Select 'Domain'."
    pause
    echo "3. Enter '$FQDN' as your domain name."
    pause
    echo "4. Click on 'OK'."
    pause
    echo "5. Log in using these credentials:"
    echo "  - Username: $NBIOS\\Administrator"

    if [ "$ADMINPWD" = 'P455w0RD' ] ; then
    echo '  - Password: P455w0RD (Make sure to change this!).'
    else
    echo "  - Password: Your password!"
    fi

    pause_with_msg
    setterm -term linux -back black -fore green
    echo "###########################################################"
    echo " Congratulations! If you followed these steps correctly"
    echo " you now have correctly configured this domain controller! "
    echo " The next step is configuring users, computers and policies!"
    echo ""
    echo " We recommend this video tutorial: https://youtu.be/lFwek_OuYZ8"
    echo " Although the video is mainly foccused on Windows Server,"
    echo " ours does exactly the same thing."
    echo " But to manage ours follow this tutorial on the client:"
    echo " https://youtu.be/eBdEoczETDY"
    echo "###########################################################"
    pause_with_msg
    setterm -default
fi

AVDC_STEP=530; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=530/' /etc/avorix/avdc_install.sh
fi

###########################################################
# 5.3.              Generate the modulesfile              #
###########################################################
if [[ $AVDC_STEP -eq 530 ]] ; then

cat <<'EOT' >> "$LOCATION_OF_IMPORTANT_FILES/modules.avdc"
$(if [ "$SSH_SERVER" -eq "1" ]; then echo "SSH_SERVER" ; fi)
$(if [ "$SSH_PORTKNOCKING" -eq "1" ]; then echo "SSH_PORTKNOCKING" ; fi)
    - Test if there is knockd and its depends.
$(if [ "$SSH_FAIL2BAN" -eq "2" ]; then echo "SSH_FAIL2BAN" ; fi)
    - Test if there is fail2ban and its depends.
$(if [ "$DHCP_SERVER" -eq "1" ]; then echo "DHCP_SERVER" ; fi)
    - Test if there is ISC-DHCP-Server.
$(if [ "$PXE_SERVER" -eq "1" ]; then echo "PXE_SERVER" ; fi)
    - Test if there is Apache.
EOT

AVDC_STEP=540; sed -i '2s/AVDC_STEP=.*/AVDC_STEP=540/' "/etc/avorix/avdc_install.sh"
fi


###########################################################
# 5.4.             Generate the locationscript            #
###########################################################
if [[ $AVDC_STEP -eq 540 ]] ; then

# 1. Disable all services if this function is enabled.

if [ "$PORTABLE_CONFIGURATION" -eq "1" ] && [ "$CENTRALIZED_STORAGE" -eq "1" ] ; then
    systemctl disable $DAEMON_DHCPCD
    systemctl disable $DAEMON_NTP
    systemctl disable $DAEMON_SMBD
    systemctl disable $DAEMON_NMBD
    systemctl disable $DAEMON_SAMBA_AD_DC
    systemctl disable $DAEMON_KNOCKD
    systemctl disable $DAEMON_FAIL2BAN
    systemctl disable $DAEMON_SSH
    systemctl disable $DAEMON_DHCPD
    systemctl disable $DAEMON_TFTPD
    # systemctl disable $DAEMON_FIREWALLD

#Script starts here.
# 2. Check if the last LOIF still works.
cat <<'EOT' >> "/etc/avorix/avdc_locationscript.sh"
    read -r $LAST_LOIF < "/etc/avorix/avdc_loip"

    if ! [ -f $LAST_LOIF ]; then
    LOCATION_OF_IMPORTANT_FILES="$(find . -type f -iname 'info.avdc' -print -quit)"
    if [ "$LOCATION_OF_IMPORTANT_FILES" == "" ] ; then
    echo "The last device could not be found. Recreating "
    X + 1;
    Y + 2;
    sleep 60
    fi
else

LAST_LOIF=LOCATION_OF_IMPORTANT_FILES
mkdir /etc/avorix
touch /etc/avorix/loip.avdc
sed -i '1s/^/$LOCATION_OF_IMPORTANT_FILES\n/' /etc/avorix/avdc_loip
LOCATION_OF_IMPORTANT_FILES=${LOCATION_OF_IMPORTANT_FILES%"info.avdc"}; #Remove suffix

fi

#4. Test using the info.avdc-file if this is the right system.
#   - If not, display an error.

#if grep -xq "1. Script version: $DC_SCRIPT_VERSION ($DC_RELEASE_DATE)" $LOCATION_OF_IMPORTANT_FILES/info.avdc ; then
#   SSH_FAIL2BAN=2
#else
#   SSH_FAIL2BAN=0
#fi

#5. Test using the modules.avdc-file if this system has the correct dependencies (PXE, SSH...)
#   - If not, display error ask and the user to fix this by automaticly installing the dependencies for them.


if grep -xq "SSH_SERVER" $LOCATION_OF_IMPORTANT_FILES/modules.avdc ; then
    SSH_SERVER=1
else
    SSH_SERVER=0
fi

if grep -xq "SSH_PORTKNOCKING" $LOCATION_OF_IMPORTANT_FILES/modules.avdc ; then
    SSH_PORTKNOCKING=1
else
    SSH_PORTKNOCKING=0
fi

if grep -xq "SSH_FAIL2BAN" $LOCATION_OF_IMPORTANT_FILES/modules.avdc ; then
    SSH_FAIL2BAN=2
else
    SSH_FAIL2BAN=0
fi

if grep -xq "DHCP_SERVER" $LOCATION_OF_IMPORTANT_FILES/modules.avdc ; then
    DHCP_SERVER=1
else
    DHCP_SERVER=0
fi


if grep -xq "PXE_SERVER" $LOCATION_OF_IMPORTANT_FILES/modules.avdc ; then
    PXE_SERVER=1
else
    PXE_SERVER=0
fi
fi

if [ "$BRANDING" -eq "1" ] ; then
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/General/issue $PATH_FILE_ISSUE
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/General/motd $PATH_FILE_MOTD
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/General/issue.net $PATH_FILE_ISSUENET
fi


# 6. Link the files.
# - If an error occurs warn the user.
systemctl start $DAEMON_DHCPD
ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/DHCPCD/dhcpcd.conf $PATH_FILE_DHCPCD_CONF
ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/General/hosts $PATH_FILE_HOSTS_CONF
ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/General/hostname $PATH_FILE_HOSTNAME_CONF
ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/NTP/ntp.conf $PATH_FILE_NTP_CONF
ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/KRB5/krb5.conf $PATH_FILE_KRB5_CONF
ln -sdf $LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA_VAR_LIB $PATH_FOLDER_SAMBA_VAR_LIB
ln -sdf $LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA/Setup $PATH_FOLDER_SAMBA_SETUP
ln -sdf $LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA/Cache $PATH_FOLDER_SAMBA_CACHE
ln -sdf $LOCATION_OF_IMPORTANT_FILES/Logs/Samba $PATH_FOLDER_SAMBA_LOG
ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/SAMBA/smb.conf $PATH_FILE_SAMBA_CONF

systemctl start $DAEMON_NTP
systemctl start $DAEMON_SAMBA_AD_DC

if [ "$SSH_SERVER" -eq "1" ] ; then
ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/SSH/sshd_config $PATH_FILE_SSH_CONF

    if [ "$SSH_PORTKNOCKING" -eq "1" ] ; then
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/KnockD/knockd.conf $PATH_FILE_KNOCKD_CONF
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/KnockD/knockd.default.conf $PATH_FILE_KNOCKD_DEFAULT
    systemctl start $DAEMON_KNOCKD
    fi

    if [ "$SSH_FAIL2BAN" -eq "2" ] ; then
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/Fail2Ban/jail.local $PATH_FILE_FAIL2BAN_JAIL
    systemctl start $DAEMON_FAIL2BAN
    fi

    systemctl start $DAEMON_SSH
fi

if [ "$DHCP_SERVER" -eq "1" ] ; then
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/DHCPD/dhcpd.conf $PATH_FILE_DHCPD_CONF

    if [ "$PXE_SERVER" -eq "1" ] ; then
    ln -sdf $LOCATION_OF_IMPORTANT_FILES/Apache/Sites-Enabled $PATH_FOLDER_APACHE_SITES_ENABLED/Apache_iPXE.conf
    ln -sf $LOCATION_OF_IMPORTANT_FILES/Configuration/TFTPD/tftpd-hpa $PATH_FILE_TFTPD_CONF
    systemctl start $DAEMON_TFTPD
    fi
fi
EOT

chmod 744 "/etc/avorix/avdc_locationscript.sh"

touch "/lib/systemd/system/AVDC_LocationScript.service"
cat <<'EOT' >> "/lib/systemd/system/AVDC_LocationScript.service"
[Unit]
Description=Avorix DC LocationScript Service
After=multi-user.target

[Service]
Type=idle
ExecStart=/etc/avorix/avdc_locationscript.sh

[Install]
WantedBy=multi-user.target
EOT

chmod 644 "/lib/systemd/system/AVDC_LocationScript.service"
systemctl daemon-reload
systemctl enable "AVDC_LocationScript.service"

fi


clear_exported_avdc_step

#NOT Tested!
sed -i '/avdc_install.sh/d' "/root/.bashrc"
sed -i '/avdc_install_variables.sh/d' "/root/.bashrc"
reboot
fi

#NOTES:

#Useful Windows commands:
#Activate Windows using: slmgr -ipk $PRODUCT_KEY, followed by: slmgr -ato
#Join Active Directory domain: netdom.exe join %computername% /domain:%FQDN /UserD:$NBIOS\Administrator /Password:$ADMINPWD