mdm-scripts/install-linux.sh

  #!/usr/bin/env bash
  # ControlD MDM Agent — Linux Installer
  # Usage: sudo bash install-linux.sh <CONTROLD_TOKEN> <DASHBOARD_URL> <EMPLOYEE_NAME>
  set -euo pipefail

  CONTROLD_TOKEN="${1:?Usage: $0 <CONTROLD_TOKEN> <DASHBOARD_URL> <EMPLOYEE_NAME>}"
  DASHBOARD_URL="${2:?Usage: $0 <CONTROLD_TOKEN> <DASHBOARD_URL> <EMPLOYEE_NAME>}"
  EMPLOYEE_NAME="${3:?Usage: $0 <CONTROLD_TOKEN> <DASHBOARD_URL> <EMPLOYEE_NAME>}"

  CTRLD_DIR="/opt/controld"
  CTRLD_BIN="${CTRLD_DIR}/ctrld"
  CTRLD_CONFIG="${CTRLD_DIR}/ctrld.toml"
  DEVICE_ID="$(cat /proc/sys/kernel/random/uuid)"
  HOSTNAME="$(hostname)"

  echo "[*] Installing ControlD MDM agent for ${EMPLOYEE_NAME} on ${HOSTNAME}..."

  # 1. Download ctrld binary
  echo "[*] Downloading ctrld..."
  mkdir -p "${CTRLD_DIR}"
  ARCH="$(uname -m)"
  case "${ARCH}" in
      x86_64)  CTRLD_URL="https://github.com/Control-D-Inc/ctrld/releases/latest/download/ctrld-linux-amd64" ;;
      aarch64) CTRLD_URL="https://github.com/Control-D-Inc/ctrld/releases/latest/download/ctrld-linux-arm64" ;;
      armv7l)  CTRLD_URL="https://github.com/Control-D-Inc/ctrld/releases/latest/download/ctrld-linux-arm" ;;
      *)       echo "[!] Unsupported architecture: ${ARCH}"; exit 1 ;;
  esac
  curl -fsSL -o "${CTRLD_BIN}" "${CTRLD_URL}"
  chmod +x "${CTRLD_BIN}"

  # 2. Write config
  echo "[*] Writing ctrld.toml..."
  cat > "${CTRLD_CONFIG}" <<TOML
  [upstream.0]
    endpoint = "https://dns.controld.com/${CONTROLD_TOKEN}"
    type = "doh"
    timeout = 5000

  [listener.0]
    ip = "127.0.0.1"
    port = 53
  TOML

  # 3. Install systemd service
  echo "[*] Installing systemd service..."
  cat > /etc/systemd/system/controld-agent.service <<SVC
  [Unit]
  Description=ControlD MDM Agent
  After=network-online.target
  Wants=network-online.target

  [Service]
  Type=simple
  ExecStart=${CTRLD_BIN} run --config ${CTRLD_CONFIG}
  Restart=always
  RestartSec=5

  [Install]
  WantedBy=multi-user.target
  SVC

  systemctl daemon-reload
  systemctl enable --now controld-agent.service

  # 4. Set system DNS to 127.0.0.1
  echo "[*] Configuring system DNS..."
  if command -v resolvectl &>/dev/null; then
      mkdir -p /etc/systemd/resolved.conf.d
      cat > /etc/systemd/resolved.conf.d/controld.conf <<DNS
  [Resolve]
  DNS=127.0.0.1
  DNSStubListener=no
  DNS
      systemctl restart systemd-resolved
  elif command -v nmcli &>/dev/null; then
      CONN=$(nmcli -t -f NAME connection show --active | head -1)
      if [ -n "${CONN}" ]; then
          nmcli connection modify "${CONN}" ipv4.dns "127.0.0.1"
          nmcli connection modify "${CONN}" ipv4.ignore-auto-dns yes
          nmcli connection up "${CONN}" >/dev/null 2>&1
      fi
  else
      cp /etc/resolv.conf /etc/resolv.conf.bak
      echo "nameserver 127.0.0.1" > /etc/resolv.conf
  fi

  # 5. Register with MDM backend
  echo "[*] Registering device with MDM backend..."
  curl -fsSL -X POST "${DASHBOARD_URL}/api/register" \
      -H "Content-Type: application/json" \
      -d "{
          \"device_id\": \"${DEVICE_ID}\",
          \"hostname\": \"${HOSTNAME}\",
          \"employee\": \"${EMPLOYEE_NAME}\",
          \"os\": \"linux\",
          \"resolver_id\": \"${CONTROLD_TOKEN}\"
      }" || echo "[!] Warning: Could not reach MDM backend."

  # 6. Install heartbeat cron (every 5 min)
  echo "[*] Setting up heartbeat..."
  HEARTBEAT_SCRIPT="${CTRLD_DIR}/heartbeat.sh"
  cat > "${HEARTBEAT_SCRIPT}" <<BEAT
  #!/usr/bin/env bash
  IP=\$(curl -fsSL ifconfig.me 2>/dev/null || echo "unknown")
  curl -fsSL -X POST "${DASHBOARD_URL}/api/heartbeat" \
      -H "Content-Type: application/json" \
      -d "{\"device_id\": \"${DEVICE_ID}\", \"ip\": \"\${IP}\"}" >/dev/null 2>&1
  BEAT
  chmod +x "${HEARTBEAT_SCRIPT}"

  (crontab -l 2>/dev/null | grep -v "${HEARTBEAT_SCRIPT}"; echo "*/5 * * * * ${HEARTBEAT_SCRIPT}") | crontab -

  echo "[+] Installation complete!"
  echo "    Device ID: ${DEVICE_ID}"
  echo "    Config:    ${CTRLD_CONFIG}"
  echo "    DNS:       127.0.0.1 -> ControlD (DoH)"