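#!/usr/bin/env bash
#
# Baseline hardening for a Debian/Ubuntu host plus a Node.js / Codex install.
#
# What it does, in order:
#   1-2  apt update and install of the base package set below
#   3-8  drop configuration files from ../config (relative to this script)
#        into place for unattended-upgrades, fail2ban, ufw, sshd, sysctl and
#        auditd, reloading/restarting the respective service
#   9    install Node.js from the NodeSource apt repository, but only when no
#        `node` binary is already on PATH
#   10   install npm and the Codex CLI globally via npm
#
# Must be run as root (e.g. via sudo).  Optional environment overrides, all
# defaulting to the previous hard-coded values:
#   NODE_MAJOR     Node.js major version to take from NodeSource   (20)
#   NPM_VERSION    npm version for `npm install -g npm@...`         (latest)
#   CODEX_VERSION  @openai/codex version to install                 (latest)
#
# The hardening steps are best-effort: a failing step is reported as a
# warning on stderr and the script continues, so read the warnings at the
# end rather than trusting "Install abgeschlossen" alone.
set -euo pipefail

if [[ "${EUID}" -ne 0 ]]; then
  printf 'Bitte als root ausfuehren (z. B. mit sudo).\n' >&2
  exit 1
fi

export DEBIAN_FRONTEND=noninteractive

readonly APT_PACKAGES=(
  apt-transport-https
  ca-certificates
  curl
  wget
  gnupg
  lsb-release
  software-properties-common
  jq
  unzip
  git
  vim
  htop
  tmux
  ufw
  fail2ban
  unattended-upgrades
  apt-listchanges
  needrestart
  auditd
  rsyslog
  logrotate
  openssh-server
)

readonly NODE_MAJOR="${NODE_MAJOR:-20}"
readonly NPM_VERSION="${NPM_VERSION:-latest}"
readonly CODEX_NPM_PACKAGE="@openai/codex"
readonly CODEX_VERSION="${CODEX_VERSION:-latest}"
readonly NODESOURCE_KEY_URL="https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key"
readonly NODESOURCE_KEYRING="/etc/apt/keyrings/nodesource.gpg"
readonly SSHD_DROPIN="/etc/ssh/sshd_config.d/99-sicherheit.conf"

# Split declaration and command substitution so a failing cd is not masked.
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
readonly CONFIG_DIR="${SCRIPT_DIR}/../config"

#######################################
# Print a progress line to stdout.
# Arguments: $* - message
#######################################
log() {
  printf '[sicherheit-install] %s\n' "$*"
}

#######################################
# Print a warning to stderr (never swallowed by the best-effort wrapper).
# Arguments: $* - message
#######################################
warn() {
  printf '[sicherheit-install] WARNUNG: %s\n' "$*" >&2
}

#######################################
# Run a command whose failure must not abort the script, but must not be
# silent either: the command line is echoed as a warning on failure.
# Arguments: $@ - command and its arguments
# Returns:   always 0
#######################################
best_effort() {
  if ! "$@"; then
    warn "Schritt fehlgeschlagen (wird uebersprungen): $*"
  fi
}

#######################################
# Install a config file from the repo if it exists; warn when it is missing
# so a silently skipped hardening step is visible in the output.
# Arguments: $1 - source path
#            $2 - destination path (parent directories are created)
#            $3 - file mode, default 0644
#######################################
copy_cfg() {
  local src="$1"
  local dst="$2"
  local mode="${3:-0644}"
  if [[ -f "${src}" ]]; then
    install -D -m "${mode}" -- "${src}" "${dst}"
  else
    warn "Konfigurationsdatei ${src} nicht gefunden; ${dst} bleibt unveraendert"
  fi
}

log "1/10 Paketindex aktualisieren"
apt-get update -y

log "2/10 Basispakete installieren"
apt-get install -y "${APT_PACKAGES[@]}"

log "3/10 Unattended-Upgrades konfigurieren"
# Reconfigure first: the package's postinst may (re)write 20auto-upgrades, so
# copying the repo files afterwards makes sure they are what ends up on disk.
best_effort dpkg-reconfigure -f noninteractive unattended-upgrades
copy_cfg "${CONFIG_DIR}/unattended-upgrades/20auto-upgrades" "/etc/apt/apt.conf.d/20auto-upgrades"
copy_cfg "${CONFIG_DIR}/unattended-upgrades/50unattended-upgrades" "/etc/apt/apt.conf.d/50unattended-upgrades"

log "4/10 fail2ban vorkonfigurieren"
copy_cfg "${CONFIG_DIR}/fail2ban/jail.local" "/etc/fail2ban/jail.local"
best_effort systemctl enable fail2ban
best_effort systemctl restart fail2ban

log "5/10 UFW vorkonfigurieren"
copy_cfg "${CONFIG_DIR}/ufw/after.rules" "/etc/ufw/after.rules"
best_effort ufw default deny incoming
best_effort ufw default allow outgoing
best_effort ufw logging medium
# NOTE(review): `limit OpenSSH` uses the application profile, i.e. port 22
# only, and rate-limits new connections.  If the sshd drop-in installed in
# step 6 changes the port, add a rule for that port here BEFORE enabling the
# firewall, or the next SSH session will be refused.
best_effort ufw limit OpenSSH
# 80/443 are opened unconditionally; drop these two lines on hosts that do
# not serve HTTP(S).
best_effort ufw allow 80/tcp
best_effort ufw allow 443/tcp
best_effort ufw --force enable

log "6/10 SSH-Basishardening setzen"
sshd_src="${CONFIG_DIR}/ssh/sshd_config.d-sicherheit.conf"
sshd_dropin_installed=0
if [[ -f "${sshd_src}" ]]; then
  copy_cfg "${sshd_src}" "${SSHD_DROPIN}"
  sshd_dropin_installed=1
fi
# Validate the effective configuration before touching the running daemon.
# If validation fails, do NOT leave the rejected drop-in in place: an invalid
# file under sshd_config.d makes sshd fail on the next restart or reboot,
# which on a remote host is a lockout.  It is moved aside for inspection.
if sshd -t; then
  best_effort systemctl restart ssh
else
  warn "sshd -t lehnt die Konfiguration ab; sshd wird nicht neu gestartet"
  if (( sshd_dropin_installed )); then
    warn "${SSHD_DROPIN} wird nach ${SSHD_DROPIN}.rejected verschoben"
    mv -f -- "${SSHD_DROPIN}" "${SSHD_DROPIN}.rejected"
  fi
fi

log "7/10 sysctl Hardening setzen"
copy_cfg "${CONFIG_DIR}/sysctl/99-sicherheit.conf" "/etc/sysctl.d/99-sicherheit.conf"
best_effort sysctl --system

log "8/10 auditd Regeln setzen"
# Audit rules describe exactly what is being watched on the host; keep them
# readable by root (and the file's group) only rather than world-readable.
copy_cfg "${CONFIG_DIR}/auditd/hardening.rules" "/etc/audit/rules.d/hardening.rules" 0640
best_effort augenrules --load
best_effort systemctl enable auditd
# NOTE(review): some distributions refuse a manual auditd restart through
# systemctl; augenrules --load above already pushes the rules into the
# running daemon, so a warning here is not necessarily a problem.
best_effort systemctl restart auditd

log "9/10 Node.js ${NODE_MAJOR} installieren"
if ! command -v node >/dev/null 2>&1; then
  mkdir -p /etc/apt/keyrings
  # The signing key is trusted purely on the strength of the TLS connection to
  # deb.nodesource.com; compare the fingerprint against NodeSource's published
  # value out of band if that is not acceptable for this host.
  # --batch --yes lets a re-run overwrite a keyring left behind by an earlier
  # failed attempt instead of gpg stopping on "File exists".
  curl -fsSL "${NODESOURCE_KEY_URL}" | gpg --dearmor --batch --yes -o "${NODESOURCE_KEYRING}"
  # apt reads the keyring as the unprivileged _apt user.
  chmod 0644 "${NODESOURCE_KEYRING}"
  printf 'deb [signed-by=%s] https://deb.nodesource.com/node_%s.x nodistro main\n' \
    "${NODESOURCE_KEYRING}" "${NODE_MAJOR}" \
    > /etc/apt/sources.list.d/nodesource.list
  apt-get update -y
  apt-get install -y nodejs
fi

log "10/10 npm aktualisieren und Codex installieren"
# Both default to "latest", i.e. whatever the registry serves at run time.
# Set NPM_VERSION / CODEX_VERSION to pinned versions for reproducible builds.
npm install -g "npm@${NPM_VERSION}"
npm install -g "${CODEX_NPM_PACKAGE}@${CODEX_VERSION}"

best_effort systemctl enable unattended-upgrades
best_effort systemctl restart unattended-upgrades

log "Install abgeschlossen"
best_effort node --version
best_effort npm --version
best_effort fail2ban-client status
best_effort ufw status verbose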