#!/bin/bash
# setup_hotspot_fixed.sh
# Full hotspot setup for Parrot RPi — handles special chars in password (escapes backslashes and #),
# saves iptables persistently, and enables hostapd/dnsmasq at boot.
set -euo pipefail

# ---------------- User-configurable ----------------
AP_IF="wlan0"
WAN_IF="wlan1"
AP_ADDR="10.0.0.1/24"
SSID="HackBox"
# put your exact passphrase here (can contain $, #, %, @, spaces, etc.)
PASS='pipass123'
DHCP_RANGE="10.0.0.10,10.0.0.100,12h"
# --------------------------------------------------

echo "[+] Starting hotspot setup (fixed) ..."

# Install required packages
echo "[+] Installing packages (hostapd dnsmasq iptables-persistent) ..."
export DEBIAN_FRONTEND=noninteractive
apt update
apt install -y hostapd dnsmasq iptables-persistent || true

# Stop services while we configure
echo "[+] Stopping hostapd/dnsmasq temporarily ..."
systemctl stop hostapd 2>/dev/null || true
systemctl stop dnsmasq 2>/dev/null || true

# Backup existing configs
echo "[+] Backing up existing configs (if present) ..."
mkdir -p /root/hotspot-backups
timestamp=$(date +%s)
[ -f /etc/hostapd/hostapd.conf ] && cp /etc/hostapd/hostapd.conf /root/hotspot-backups/hostapd.conf.bak.$timestamp || true
[ -f /etc/dnsmasq.conf ] && cp /etc/dnsmasq.conf /root/hotspot-backups/dnsmasq.conf.bak.$timestamp || true
[ -f /etc/dhcpcd.conf ] && cp /etc/dhcpcd.conf /root/hotspot-backups/dhcpcd.conf.bak.$timestamp || true
[ -f /etc/iptables/rules.v4 ] && cp /etc/iptables/rules.v4 /root/hotspot-backups/rules.v4.bak.$timestamp || true

# Configure static IP for AP interface using dhcpcd (ensure dhcpcd installed)
if ! command -v dhcpcd >/dev/null 2>&1; then
  echo "[+] dhcpcd not found; installing dhcpcd5 ..."
  apt install -y dhcpcd5 || true
  systemctl enable --now dhcpcd || true
fi

echo "[+] Writing /etc/dhcpcd.conf for $AP_IF ..."
# Keep other dhcpcd settings (append block). If file already contains an interface block for AP_IF, replace it.
# Remove any old interface block for AP_IF first
sudo awk -v ifname="$AP_IF" '
  BEGIN {skip=0}
  /^interface / { if ($2==ifname) { skip=1; next } }
  /^$/ { if (skip==1) { skip=0; next } }
  { if (skip==0) print }
' /etc/dhcpcd.conf > /tmp/dhcpcd.conf.clean || cp /etc/dhcpcd.conf /tmp/dhcpcd.conf.clean
cat > /etc/dhcpcd.conf <<EOF
$(cat /tmp/dhcpcd.conf.clean)

interface $AP_IF
    static ip_address=${AP_ADDR}
    nohook wpa_supplicant
EOF
rm -f /tmp/dhcpcd.conf.clean
systemctl restart dhcpcd || true

# Configure dnsmasq (simple)
echo "[+] Writing /etc/dnsmasq.conf ..."
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig.$timestamp 2>/dev/null || true
cat > /etc/dnsmasq.conf <<EOF
interface=$AP_IF
dhcp-range=$DHCP_RANGE
domain-needed
bogus-priv
EOF

# Prepare SAFE_PASS for hostapd:
# - escape backslashes first (so a single backslash becomes two backslashes)
# - escape '#' so it won't start a comment in hostapd conf
# Other characters (%, @, $, spaces, etc.) are fine.
echo "[+] Escaping passphrase for hostapd ..."
SAFE_PASS=$(printf '%s' "$PASS" | sed -e 's/\\/\\\\/g' -e 's/#/\\#/g')

# Write hostapd config (wpa_passphrase without surrounding quotes and with escaped chars)
echo "[+] Writing /etc/hostapd/hostapd.conf ..."
mv /etc/hostapd/hostapd.conf /etc/hostapd/hostapd.conf.orig.$timestamp 2>/dev/null || true
cat > /etc/hostapd/hostapd.conf <<EOF
interface=$AP_IF
driver=nl80211
ssid=$SSID
hw_mode=g
channel=6
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=$SAFE_PASS
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF

# Ensure hostapd default points to our config
if grep -q '^DAEMON_CONF=' /etc/default/hostapd 2>/dev/null; then
  sed -i "s|^DAEMON_CONF=.*|DAEMON_CONF=\"/etc/hostapd/hostapd.conf\"|" /etc/default/hostapd
else
  echo 'DAEMON_CONF="/etc/hostapd/hostapd.conf"' >> /etc/default/hostapd
fi

# Enable IP forwarding
echo "[+] Enabling IP forwarding (sysctl) ..."
if ! grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf 2>/dev/null; then
  sed -i 's/^#*\s*net.ipv4.ip_forward=.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf || echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
fi
sysctl -w net.ipv4.ip_forward=1 >/dev/null || true

# Apply iptables rules (idempotent-ish: remove duplicates if necessary)
echo "[+] Applying iptables NAT/forward rules ..."
# remove any identical rules first (to avoid duplicates)
iptables -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE 2>/dev/null || true
if ! iptables -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE 2>/dev/null; then
  iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
fi

iptables -C FORWARD -i "$WAN_IF" -o "$AP_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
  iptables -A FORWARD -i "$WAN_IF" -o "$AP_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -C FORWARD -i "$AP_IF" -o "$WAN_IF" -j ACCEPT 2>/dev/null || \
  iptables -A FORWARD -i "$AP_IF" -o "$WAN_IF" -j ACCEPT

# Save iptables persistently
echo "[+] Saving iptables rules via netfilter-persistent (iptables-persistent)..."
netfilter-persistent save || iptables-save > /etc/iptables/rules.v4 || true

# Enable hostapd/dnsmasq
echo "[+] Enabling hostapd and dnsmasq at boot ..."
systemctl unmask hostapd 2>/dev/null || true
systemctl enable hostapd
systemctl enable dnsmasq

# Start services now
echo "[+] Starting hostapd and dnsmasq ..."
systemctl restart hostapd || systemctl start hostapd || true
systemctl restart dnsmasq || systemctl start dnsmasq || true

# Small final checks
echo
echo "=== SETUP FINISHED ==="
echo "SSID: $SSID"
echo "Password (raw): $PASS"
echo "AP IP: ${AP_ADDR%/*}  (ssh user@${AP_ADDR%/*})"
echo
echo "[*] AP interface info (iw):"
iw dev "$AP_IF" info || true
echo
echo "[*] IPTABLES NAT rules (nat POSTROUTING):"
iptables -t nat -L POSTROUTING -n -v || true
echo
echo "[*] If clients fail to connect: FORGET the HackBox network on the client and retry typing the password."
echo "[*] To watch hostapd auth logs live: sudo journalctl -u hostapd -f"
echo
echo "Backups written to /root/hotspot-backups/ (timestamp $timestamp)"