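#!/usr/bin/env bash
# VPS provisioning menu: apt upgrade, release upgrade, base packages plus
# sysctl/rc.local/sshd changes, a dante SOCKS proxy, a weekly CN-prefix
# blackhole route, realm, an apt mirror switch, and reboot.
#
# Every option except the menu itself must run as root: the options write
# under /etc and /root, so the scattered 'sudo' calls of the original have
# been replaced by a single root check per option.
#
# Environment overrides (all optional):
#   SSH_PORT     sshd listen port written by option 3 (default 22345)
#   SSH_PUBKEY   public key appended to /root/.ssh/authorized_keys by
#                option 3.  The built-in default is the script author's
#                key: running option 3 without overriding it grants root
#                login to the holder of that key while password login is
#                switched off, so set this to your own key first.
#   DANTE_USER   SOCKS account created by option 4 (default cml)
#   DANTE_PORT   SOCKS listen port written by option 4 (default 44944)
#
# No 'set -e': a failing option must return to the menu, not kill it.
set -uo pipefail

readonly SSH_PORT="${SSH_PORT:-22345}"
readonly SSH_PUBKEY="${SSH_PUBKEY:-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDXrtRXD+lwQ65Skq/I8GHuWh2F/XjQ3ZrU0WLmF1wyxfI52N3arCur1r6VvJQbRdRrfxJpFZd4tS7byVp2X6DR+DmNhsj/DAxhGqBeAbWiPNlkeLPcLzTuwsM59yOU+mSPSJHDufH9mxIVO+W2B8soFEmnykNnVSGBMbqfHLgloqIK2UoT5EdXdKa9EAzvasqUV/n/QM+hIs3KU8ubdTFheoFN6Lu0Wtwjq0ts+9jOz7VUrFnzn1xs5uhHLgaIiGP/vrfQMwjl7PqLqT+OETef+qmk6Ug+JXaKPGDSX2r6gJmRLSDHQ1KSNT32GfyUpgiAC99yss3XEGPU1IkX/pwH}"
readonly DANTE_USER="${DANTE_USER:-cml}"
readonly DANTE_PORT="${DANTE_PORT:-44944}"
readonly BLACKHOLE_SCRIPT=/root/set_blackhole_routes.sh
# Marker line that makes the sysctl append idempotent across re-runs.
readonly SYSCTL_MARKER="# --- added by vps setup script (option 3) ---"

#######################################
# Print a warning to stderr.
# Arguments: message words
#######################################
warn() {
  printf 'warn: %s\n' "$*" >&2
}

#######################################
# Fail early when not root instead of half-applying an option.
# Returns: 0 when EUID is 0, 1 otherwise (after printing a hint)
#######################################
require_root() {
  if [[ $EUID -ne 0 ]]; then
    warn "this option must run as root (try: sudo $0)"
    return 1
  fi
}

#######################################
# Append LINE to FILE unless an identical line is already present.
# Exact, fixed-string, whole-line match — keeps the sshd_config, sysctl and
# authorized_keys edits from piling up duplicates on every run.
# Arguments: $1 - file, $2 - line
#######################################
ensure_line() {
  local file=$1 line=$2
  if [[ -f "$file" ]] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

#######################################
# Comment out every uncommented line matching an extended regex anchored at
# the start of the line (leading blanks allowed).  Lines that already start
# with '#' are left alone, so re-runs never produce '##Port 22'.
# Arguments: $1 - file, $2 - extended regex (script literal, never user input)
#######################################
comment_out() {
  local file=$1 re=$2
  sed -E -i "s|^([[:space:]]*)(${re})|\1#\2|" "$file"
}

#######################################
# True if FILE has an uncommented "KEYWORD VALUE" directive (whole word).
# Arguments: $1 - file, $2 - keyword, $3 - value
#######################################
sshd_has() {
  local file=$1 key=$2 value=$3
  [[ -f "$file" ]] \
    && grep -qE "^[[:space:]]*${key}[[:space:]]+${value}([[:space:]]|$)" -- "$file"
}

#######################################
# Download a third-party installer to a temp file and run it with bash.
# This still executes unreviewed remote code as root; downloading first at
# least fails cleanly on HTTP errors (-f) instead of piping an error page
# into bash, and leaves nothing behind on disk afterwards.
# Arguments: $1 - URL
# Returns:   the installer's exit status, 1 if the download failed
#######################################
run_remote_script() {
  local url=$1 tmp rc
  tmp=$(mktemp) || return 1
  if curl -fsSL "$url" -o "$tmp"; then
    bash "$tmp"
    rc=$?
  else
    warn "download of $url failed; nothing was executed"
    rc=1
  fi
  rm -f -- "$tmp"
  return "$rc"
}

# --- option 1: apt upgrade ---------------------------------------------
option1() {
  require_root || return 1
  # Both steps need the non-interactive frontend; the original set it on
  # 'update' only and ran 'upgrade' without privileges.
  DEBIAN_FRONTEND=noninteractive apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
  echo "This need a reboot!"
}

# --- option 2: dist release upgrade ------------------------------------
option2() {
  require_root || return 1
  do-release-upgrade -f DistUpgradeViewNonInteractive
  echo "This need a reboot!"
}

# --- option 3: ipv4first/packages/sysctl/rc.local/sshport/sshkey -------

# Prefer IPv4 over IPv6 in getaddrinfo() by uncommenting the precedence
# line Debian ships in /etc/gai.conf.  The spacing between the prefix and
# "100" differs between releases, so match any run of blanks.
setup_ipv4_first() {
  sed -E -i 's|^#(precedence[[:space:]]+::ffff:0:0/96[[:space:]]+100)|\1|' /etc/gai.conf
}

install_base_packages() {
  DEBIAN_FRONTEND=noninteractive apt-get install -y \
    python3-websockets python3-pip coreutils unzip net-tools vim \
    systemd-cron nginx certbot python3-certbot-nginx curl lrzsz
  # Newer Debian/Ubuntu pip refuses system-wide installs (PEP 668); the apt
  # package above already provides websockets, so a failure is not fatal.
  pip install --upgrade websockets \
    || warn "pip upgrade of websockets failed; apt's python3-websockets stays in use"
  # nginx is only wanted for the certbot plugin; keep it off until needed.
  systemctl disable nginx && systemctl stop nginx
}

# Append the tuning block to /etc/sysctl.conf once (guarded by the marker
# line) and load it.  Keys the original listed twice with different values
# (tcp_mtu_probing, tcp_adv_win_scale) are kept once, with the value that
# sysctl applied last; plain duplicates were dropped.
apply_sysctl() {
  if grep -qxF -- "$SYSCTL_MARKER" /etc/sysctl.conf 2>/dev/null; then
    warn "sysctl block already present in /etc/sysctl.conf, not appending again"
  else
    cat <<EOF >> /etc/sysctl.conf
$SYSCTL_MARKER
# ip_forward=1 with rp_filter=0 makes this host forward without source
# validation, and tcp_timestamps=0 disables PAWS; intended for the proxy
# role set up by this script — revisit if the box is not a forwarder.
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.arp_announce = 2
net.ipv6.conf.default.forwarding = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.ip_forward = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.conf.all.rp_filter = 0
fs.file-max = 1024000
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_keepalive_time = 10
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.conf.default.rp_filter = 0
net.core.netdev_max_backlog = 250000
net.core.somaxconn = 1024000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_notsent_lowat = 131072
net.ipv4.neigh.default.gc_stale_time = 120
net.ipv4.tcp_syn_retries = 3
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_max_tw_buckets = 8192
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_frto = 0
net.ipv4.tcp_mtu_probing = 0
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_adv_win_scale = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.core.rmem_max = 33554432
net.core.wmem_max = 33554432
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 16384 33554432
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
vm.swappiness = 10
vm.dirty_ratio = 15
vm.dirty_background_ratio = 5
vm.overcommit_memory = 1
vm.min_free_kbytes = 65536
vm.vfs_cache_pressure = 50
kernel.sched_autogroup_enabled = 0
kernel.numa_balancing = 0
EOF
  fi
  # Keys unknown to the running kernel make sysctl complain; not fatal.
  sysctl -p || warn "sysctl -p reported errors; check /etc/sysctl.conf"
}

# Install an rc.local that re-applies sysctl 30 s after boot, plus the
# systemd unit that runs it.  NOTE(review): the marker file lives in the
# shared /tmp; a pre-existing entry of that name owned by another user
# would make touch/rm fail — confirm this is acceptable.
install_rc_local() {
  cat <<'EOF' > /etc/rc.local
#!/bin/bash
rm -f /tmp/rclocal.running
touch /tmp/rclocal.running
sleep 30
sysctl -p
rm -f /tmp/rclocal.running
exit 0
EOF
  chmod +x /etc/rc.local
  cat <<'EOF' > /etc/systemd/system/rc-local.service
[Unit]
Description=Local Startup Script

[Service]
Type=simple
ExecStart=/etc/rc.local

[Install]
WantedBy=multi-user.target
EOF
  chmod 644 /etc/systemd/system/rc-local.service
  # A freshly written unit file is only visible after a reload.
  systemctl daemon-reload
  systemctl enable rc-local.service
}

# Move sshd to $SSH_PORT and switch root to key-only login, appending the
# directives after commenting out conflicting ones.  sshd uses the FIRST
# value it sees for a keyword, so a setting in a file pulled in by an
# earlier 'Include' still wins over the lines appended here.
harden_sshd() {
  local cfg=/etc/ssh/sshd_config changed=0
  if ! sshd_has "$cfg" Port "$SSH_PORT"; then
    comment_out "$cfg" 'Port[[:space:]]+[0-9]+'
    ensure_line "$cfg" "Port $SSH_PORT"
    changed=1
  fi
  if ! sshd_has "$cfg" PasswordAuthentication no; then
    comment_out "$cfg" 'PasswordAuthentication[[:space:]]+yes'
    ensure_line "$cfg" "PasswordAuthentication no"
    comment_out "$cfg" 'PubkeyAuthentication[[:space:]]+no'
    ensure_line "$cfg" "PubkeyAuthentication yes"
    comment_out "$cfg" 'PermitRootLogin[[:space:]]+yes'
    ensure_line "$cfg" "PermitRootLogin prohibit-password"
    # The key must be in place BEFORE password login goes away, or the
    # next reboot locks the operator out.
    install -d -m 700 /root/.ssh
    ensure_line /root/.ssh/authorized_keys "$SSH_PUBKEY"
    chmod 600 /root/.ssh/authorized_keys
    changed=1
  fi
  # Never leave a config sshd refuses to start with; a syntax error plus
  # disabled password login is an unrecoverable lockout after reboot.
  if command -v sshd >/dev/null; then
    sshd -t || warn "sshd -t rejected $cfg; fix it before rebooting"
  fi
  if (( changed )); then
    echo "This need a reboot after changing SSH Port!"
  fi
}

option3() {
  require_root || return 1
  setup_ipv4_first
  install_base_packages
  apply_sysctl
  install_rc_local
  harden_sshd
}

# --- option 4: danted ---------------------------------------------------
option4() {
  require_root || return 1
  local ext_if
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y dante-server
  # Use the interface that carries the IPv4 default route; the original
  # hard-coded eth0, which is wrong on ens*/enp* naming.  Falls back to eth0.
  ext_if=$(ip -4 route show default 2>/dev/null \
    | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}')
  ext_if=${ext_if:-eth0}
  # The proxy listens on every address; the 'username' socks method is the
  # only thing between the internet and the relay, so the password set
  # below for $DANTE_USER needs to be a strong one.
  cat <<EOF > /etc/danted.conf
logoutput: syslog
user.privileged: root
user.unprivileged: nobody

# The listening network interface or address.
internal: 0.0.0.0 port=$DANTE_PORT

# The proxying network interface or address.
external: $ext_if

# socks-rules determine what is proxied through the external interface.
socksmethod: username

# client-rules determine who can connect to the internal interface.
clientmethod: none

client pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
}

socks pass {
  from: 0.0.0.0/0 to: 0.0.0.0/0
}
EOF
  # Shell-less system account used only for SOCKS authentication; useradd
  # fails when it already exists, so create it once.
  if ! id -u "$DANTE_USER" >/dev/null 2>&1; then
    useradd -r -s /bin/false "$DANTE_USER"
  fi
  passwd "$DANTE_USER"
  systemctl enable --now danted
  echo "change external ifname in /etc/danted.conf if it's not $ext_if"
}

# --- option 5: CN route blackhole ----------------------------------------
# Writes a standalone POSIX sh script that downloads the CN prefix lists,
# marks new outbound TCP connections to those prefixes and routes the marks
# into a blackhole table, then schedules it weekly via cron.
option5() {
  require_root || return 1
  local job
  cat <<'EOF' > "$BLACKHOLE_SCRIPT"
#!/bin/sh
# Mark new outbound TCP connections to CN prefixes (fwmark 44) and send
# them to a blackhole routing table.  Runs weekly from cron, so every step
# has to be safe to repeat.
set -u

# Install curl/iproute2/cron for the detected distribution.
install_dependencies() {
  if [ -f /etc/os-release ]; then
    . /etc/os-release
    case "$ID" in
      ubuntu|debian)
        apt-get update
        apt-get install -y curl iproute2 cron
        ;;
      centos|rhel|fedora)
        yum install -y curl iproute cronie
        ;;
      alpine)
        apk add --no-cache curl iproute2 coreutils cronie
        ;;
      *)
        echo "Unsupported OS: $ID" >&2
        exit 1
        ;;
    esac
  else
    echo "Cannot determine OS type." >&2
    exit 1
  fi
}

# refresh_list URL TMP FINAL MINSIZE: download URL into TMP and promote it
# to FINAL only when it is larger than MINSIZE bytes.  The size check is
# the only validation of this third-party list: a truncated download or
# an error page would otherwise replace the whole rule set.  Returns 1
# when the previous copy has to be used.
refresh_list() {
  url=$1
  tmp=$2
  final=$3
  min=$4
  # -f: HTTP errors fail the download instead of saving the error body.
  if curl -fsSL --retry 3 "$url" -o "$tmp" \
      && [ "$(stat -c%s "$tmp")" -gt "$min" ]; then
    cp -f "$tmp" "$final"
    return 0
  fi
  return 1
}

# apply_marks IPTABLES FILE: add one MARK rule per prefix in FILE, skipping
# blank and '#' lines.  TODO(review): an ipset would replace thousands of
# per-prefix rules with one match, but it is an extra dependency.
apply_marks() {
  ipt=$1
  list=$2
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|\#*) ;;
      *) "$ipt" -t mangle -A OUTPUT -d "$line" -p tcp --tcp-flags SYN SYN \
           -m conntrack --ctstate NEW -j MARK --set-mark 44 ;;
    esac
  done < "$list"
}

install_dependencies

ipv4_url="https://file.bairuo.net/iplist/output/Aggregated_ChinaAllNetwork_IPv4.txt"
ipv6_url="https://file.bairuo.net/iplist/output/Aggregated_ChinaAllNetwork_IPv6.txt"
# The last accepted lists live outside /tmp so the "use the previous copy"
# fallback survives a reboot; downloads go to unpredictable temp names.
state_dir=/var/lib/set_blackhole_routes
mkdir -p "$state_dir"
ipv4_file="$state_dir/ipv4_blackhole.txt"
ipv6_file="$state_dir/ipv6_blackhole.txt"
ipv4_tmpfile=$(mktemp) || exit 1
ipv6_tmpfile=$(mktemp) || exit 1
trap 'rm -f "$ipv4_tmpfile" "$ipv6_tmpfile"' EXIT

# Drop the old marks, then (re)create the policy route for both families.
# 'ip rule add' appends a duplicate on every run, so remove earlier copies
# first; 'route replace' is idempotent by itself.  The original only set
# up the IPv4 rule/table, so its IPv6 marks never reached a blackhole.
iptables -t mangle -F OUTPUT
ip6tables -t mangle -F OUTPUT
while ip -4 rule del fwmark 44 lookup 44 2>/dev/null; do :; done
ip -4 rule add fwmark 44 lookup 44
ip -4 route replace blackhole default table 44
while ip -6 rule del fwmark 44 lookup 44 2>/dev/null; do :; done
ip -6 rule add fwmark 44 lookup 44
ip -6 route replace blackhole default table 44

# IPv4: a real list is well above 90 KiB.
refresh_list "$ipv4_url" "$ipv4_tmpfile" "$ipv4_file" 92160 \
  || echo "IPv4 地址段列表无效,使用历史版本。"
if [ -s "$ipv4_file" ]; then
  apply_marks iptables "$ipv4_file"
else
  echo "no usable IPv4 list, skipping IPv4 rules" >&2
fi

# IPv6: a real list is well above 20 KiB.
refresh_list "$ipv6_url" "$ipv6_tmpfile" "$ipv6_file" 20480 \
  || echo "IPv6 地址段列表无效,使用历史版本。"
if [ -s "$ipv6_file" ]; then
  apply_marks ip6tables "$ipv6_file"
else
  echo "no usable IPv6 list, skipping IPv6 rules" >&2
fi

echo "策略路由设置完成。"
EOF
  chmod +x "$BLACKHOLE_SCRIPT"
  # cron for the weekly refresh — use the package manager this host has
  # instead of invoking all three and ignoring the two that do not exist.
  if command -v apt-get >/dev/null; then
    apt-get install -y cron
  elif command -v yum >/dev/null; then
    yum install -y cronie
  elif command -v apk >/dev/null; then
    apk add --no-cache cronie
  fi
  job="5 3 * * 1 $BLACKHOLE_SCRIPT"
  # Only add the job once; the original appended a new line on every run.
  if ! crontab -l 2>/dev/null | grep -qxF -- "$job"; then
    (crontab -l 2>/dev/null; printf '%s\n' "$job") | crontab -
  fi
}

# --- option 6: setup realm ---------------------------------------------
option6() {
  require_root || return 1
  echo "if this cause error, manually run: bash <(curl -sSL https://raw.githubusercontent.com/yancary/realm-script/refs/heads/main/realm.sh)"
  run_remote_script "https://raw.githubusercontent.com/yancary/realm-script/refs/heads/main/realm.sh"
}

# --- option 19: change apt source --------------------------------------
option19() {
  require_root || return 1
  echo "if this make vps reboot, manually run: bash <(curl -sSL https://linuxmirrors.cn/main.sh)"
  run_remote_script "https://linuxmirrors.cn/main.sh"
}

# --- option 20: reboot -------------------------------------------------
option20() {
  require_root || return 1
  sync && reboot
}

# --- menu ---------------------------------------------------------------
show_menu() {
  cat <<'EOF'
Main Menu:
1. apt upgrade
2. dist release upgrade
3. ipv4first/packages/sysctl/rc.local/sshport/sshkey
4. install danted
5. install cn route blackhole
6. setup realm
19. change apt source
20. reboot
21. exit
EOF
}

#######################################
# Dispatch one menu entry.  A string 'case' replaces the original
# '[[ $choice -eq N ]]' chain, which raised a bash syntax error on
# non-numeric input such as "1a" instead of reporting an invalid choice.
# Arguments: $1 - raw user input
# Returns:   10 for "exit", 0 otherwise (unknown entries print a hint)
#######################################
handle_choice() {
  local choice=$1
  # Normalise "01"-style input so it still matches the case labels.
  [[ "$choice" =~ ^[0-9]+$ ]] && choice=$((10#$choice))
  case "$choice" in
    1) option1 ;;
    2) option2 ;;
    3) option3 ;;
    4) option4 ;;
    5) option5 ;;
    6) option6 ;;
    19) option19 ;;
    20) option20 ;;
    21)
      echo "Exiting..."
      return 10
      ;;
    *) echo "Invalid choice. Please enter a number between 1 and 21." ;;
  esac
  return 0
}

main() {
  local choice rc
  while true; do
    show_menu
    # On EOF the original looped forever printing "Invalid choice"; stop
    # instead (a final unterminated line is still processed).
    if ! read -r -p "Enter your choice (1-21): " choice && [[ -z "$choice" ]]; then
      break
    fi
    handle_choice "$choice"
    rc=$?
    [[ $rc -eq 10 ]] && break
  done
}

main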