LemonSec/setup.ps1


#!/usr/bin/env pwsh
# LemonSec Setup Script
# Run this script to initialize the security stack
# Abort on the first cmdlet error. This preference governs cmdlets only; native
# commands (docker, docker-compose) do not throw, so their $LASTEXITCODE has to be
# checked explicitly wherever their failure matters.
$ErrorActionPreference = "Stop"
# Banner: rule, title, rule, then a blank line.
$bannerRule = "========================================"
foreach ($bannerLine in @($bannerRule, " LemonSec Security Stack Setup", $bannerRule)) {
    Write-Host $bannerLine -ForegroundColor Cyan
}
Write-Host ""
# Check if running as administrator (not required for Docker Desktop)
# if (-NOT ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
# Write-Warning "This script should be run as Administrator for some features."
# }
# Create necessary directories
Write-Host "[1/7] Creating directories..." -ForegroundColor Green
# Paths are relative to the current working directory: the script is expected to
# be run from the repository root.
$dirs = "traefik/logs", "secrets", "crowdsec-data", "uptime-kuma-data"
$dirs | Where-Object { -not (Test-Path $_) } | ForEach-Object {
    New-Item -ItemType Directory -Path $_ -Force | Out-Null
}
# Generate secrets
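Write-Host "[2/7] Generating secrets..." -ForegroundColor Green
# Returns $ByteCount cryptographically random bytes as a lowercase hex string
# (default 32 bytes -> 64 hex characters) from the platform CSPRNG.
# Arguments: -ByteCount  number of random bytes to draw (default 32, must be >= 1)
# Outputs:   the hex string on the pipeline
# Throws:    if $ByteCount is less than 1
function Generate-Secret {
    param([int]$ByteCount = 32)
    if ($ByteCount -lt 1) { throw "ByteCount must be at least 1" }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $bytes = New-Object byte[] $ByteCount
        $rng.GetBytes($bytes)
        return [BitConverter]::ToString($bytes).Replace("-", "").ToLower()
    } finally {
        # RandomNumberGenerator is IDisposable; release it even if GetBytes fails.
        $rng.Dispose()
    }
}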
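# Each Authelia secret is created only when absent so that re-running setup does
# not rotate secrets already in use. A zero-length file (for example left by an
# interrupted run) is treated as missing, since an empty secret is never wanted.
# -Encoding ascii pins the same encoding under Windows PowerShell and pwsh, so the
# file holds exactly the hex characters.
$secretFiles = "authelia_jwt_secret.txt", "authelia_session_secret.txt", "authelia_storage_key.txt"
foreach ($secretFile in $secretFiles) {
    $secretPath = Join-Path "secrets" $secretFile
    if ((Test-Path $secretPath) -and ((Get-Item $secretPath).Length -gt 0)) { continue }
    Generate-Secret | Set-Content -Path $secretPath -NoNewline -Encoding ascii
    Write-Host " ✓ Created $secretFile" -ForegroundColor Gray
}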
# Set permissions (Windows doesn't have the same permission model, but we can set ACLs)
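Write-Host "[3/7] Setting permissions..." -ForegroundColor Green
# Restrict the generated secret files to the invoking user. On Windows the files
# inherit the parent folder's ACL, so inheritance is removed and an explicit grant
# to the current user replaces it; on other platforms pwsh creates files with the
# process umask (commonly world-readable), so chmod 600 tightens them.
# NOTE(review): assumes the compose bind mounts read these files as this same
# user (or as root) - confirm for your host before relying on it.
$secretFiles = Get-ChildItem -Path "secrets" -File
if ($env:OS -eq "Windows_NT") {
    $currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($secret in $secretFiles) {
        # Native command: $ErrorActionPreference does not apply, so check $LASTEXITCODE.
        icacls $secret.FullName /inheritance:r /grant:r "${currentUser}:(F)" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed on $($secret.FullName) (exit code $LASTEXITCODE)" }
    }
} elseif (Get-Command chmod -ErrorAction SilentlyContinue) {
    foreach ($secret in $secretFiles) {
        chmod 600 $secret.FullName
        if ($LASTEXITCODE -ne 0) { throw "chmod failed on $($secret.FullName) (exit code $LASTEXITCODE)" }
    }
} else {
    Write-Warning "Could not restrict permissions on secrets/; tighten them manually."
}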
# Check if .env exists
Write-Host "[4/7] Checking configuration..." -ForegroundColor Green
# Stop here rather than pull images against a stack that cannot be configured.
if (-not (Test-Path ".env")) {
    $envHelp = @(
        " ⚠ .env file not found!",
        " Copy .env.example to .env and fill in your values:",
        " cp .env.example .env",
        " nano .env # or your preferred editor"
    )
    $envHelp | ForEach-Object { Write-Host $_ -ForegroundColor Yellow }
    exit 1
}
# Pull images
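Write-Host "[5/7] Pulling Docker images..." -ForegroundColor Green
# docker-compose is a native command: $ErrorActionPreference = "Stop" does not
# apply, so without this check a failed pull would let setup report success.
docker-compose pull
if ($LASTEXITCODE -ne 0) { throw "docker-compose pull failed (exit code $LASTEXITCODE)" }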
# Create external network if it doesn't exist
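Write-Host "[6/7] Setting up Docker networks..." -ForegroundColor Green
# Native docker commands do not throw under $ErrorActionPreference = "Stop"; an
# unreachable daemon would otherwise yield an empty list and a silently failed create.
$networks = docker network ls --format "{{.Name}}"
if ($LASTEXITCODE -ne 0) { throw "docker network ls failed (exit code $LASTEXITCODE); is the Docker daemon running?" }
# -notcontains treats a single-network result (a plain string) as a one-element
# list, so the check holds whether one or many networks exist.
if ($networks -notcontains "traefik-external") {
    docker network create traefik-external
    if ($LASTEXITCODE -ne 0) { throw "docker network create traefik-external failed (exit code $LASTEXITCODE)" }
}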
Write-Host "[7/7] Setup complete!" -ForegroundColor Green
Write-Host ""
# Post-setup guidance only: nothing below runs a command.
$nextSteps = @(
    " 1. Ensure .env is configured with your Cloudflare credentials",
    " 2. Update authelia/users_database.yml with your users",
    " 3. Start the stack: docker-compose up -d",
    " 4. Check logs: docker-compose logs -f traefik",
    " 5. Generate CrowdSec API key: docker-compose exec crowdsec cscli bouncers add traefik-bouncer",
    " 6. Add the key to .env and restart: docker-compose up -d"
)
$accessPoints = @(
    " - External: https://auth.lemonlink.eu (after DNS setup)",
    " - Internal: https://traefik.local.lemonlink.eu:8443 (via Tailscale)"
)
Write-Host "Next steps:" -ForegroundColor Cyan
$nextSteps | ForEach-Object { Write-Host $_ -ForegroundColor White }
Write-Host ""
Write-Host "Access points:" -ForegroundColor Cyan
$accessPoints | ForEach-Object { Write-Host $_ -ForegroundColor White }