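#!/usr/bin/env bash
# Baseline hardening and tooling bootstrap for a Debian/Ubuntu host.
#
# Steps (all idempotent enough to re-run):
#   1-2  refresh the package index and install the base package set
#   3    enable unattended security upgrades
#   4    install the repo's fail2ban jail.local (if present) and start fail2ban
#   5    UFW baseline: allow OpenSSH, 80/tcp, 443/tcp, then enable
#   6    install Node.js from the NodeSource repository (only if node is absent)
#   7    update npm and install the Codex npm package
#   8    enable unattended-upgrades and auditd
#
# Must run as root. Optional environment overrides:
#   NODE_MAJOR         Node.js major used for the NodeSource repo (default: 20)
#   CODEX_NPM_PACKAGE  npm package spec to install; may carry a version,
#                      e.g. "@openai/codex@<version>" (default: @openai/codex)
set -euo pipefail

if [[ "${EUID}" -ne 0 ]]; then
  echo "Bitte als root ausfuehren (z. B. mit sudo)."
  exit 1
fi

export DEBIAN_FRONTEND=noninteractive
# needrestart is installed in step 2; without this it may prompt for service
# restarts during the later apt runs even under DEBIAN_FRONTEND=noninteractive.
export NEEDRESTART_MODE=a

readonly APT_PACKAGES=(
  apt-transport-https
  ca-certificates
  curl
  wget
  gnupg
  lsb-release
  software-properties-common
  jq
  unzip
  git
  vim
  htop
  tmux
  ufw
  fail2ban
  unattended-upgrades
  apt-listchanges
  needrestart
  auditd
  rsyslog
  logrotate
)

NODE_MAJOR="${NODE_MAJOR:-20}"
CODEX_NPM_PACKAGE="${CODEX_NPM_PACKAGE:-@openai/codex}"
readonly NODE_MAJOR CODEX_NPM_PACKAGE

# Print a progress message to stdout.
log() {
  printf '%s\n' "[sicherheit-install] $*"
}

# Print a warning to stderr.
warn() {
  printf '%s\n' "[sicherheit-install] WARNUNG: $*" >&2
}

# Run a command whose failure is tolerated, but report it instead of hiding it.
# Arguments: the command and its arguments.
# Returns:   always 0, so it is safe under `set -e`.
best_effort() {
  "$@" || warn "Befehl fehlgeschlagen (Exit $?): $*"
}

log "1/8 Paketindex aktualisieren"
apt-get update -y

log "2/8 Basispakete installieren"
apt-get install -y "${APT_PACKAGES[@]}"

log "3/8 Automatische Sicherheitsupdates aktivieren"
best_effort dpkg-reconfigure -f noninteractive unattended-upgrades
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
AUTOU

log "4/8 fail2ban konfigurieren"
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
jail_src="${SCRIPT_DIR}/../config/fail2ban/jail.local"
if [[ -f "${jail_src}" ]]; then
  install -m 0644 -- "${jail_src}" /etc/fail2ban/jail.local
fi
best_effort systemctl enable fail2ban
best_effort systemctl restart fail2ban

log "5/8 UFW Basisregeln setzen"
# 80/tcp and 443/tcp are opened unconditionally; drop them if the host does
# not serve HTTP(S). OpenSSH is allowed first so enabling UFW cannot lock out
# the current session.
best_effort ufw allow OpenSSH
best_effort ufw allow 80/tcp
best_effort ufw allow 443/tcp
best_effort ufw --force enable

log "6/8 Node.js ${NODE_MAJOR} installieren"
if ! command -v node >/dev/null 2>&1; then
  mkdir -p /etc/apt/keyrings
  # The repository is pinned to this keyring via signed-by below. --batch --yes
  # overwrites a keyring left behind by an earlier aborted run instead of
  # prompting; pipefail makes a failed download abort the script.
  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
    | gpg --dearmor --batch --yes -o /etc/apt/keyrings/nodesource.gpg
  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" \
    > /etc/apt/sources.list.d/nodesource.list
  apt-get update -y
  apt-get install -y nodejs
fi

log "7/8 npm aktualisieren und Codex installieren"
# Both installs resolve to whatever the registry currently serves; set
# CODEX_NPM_PACKAGE to a versioned spec for reproducible installs.
npm install -g npm@latest
npm install -g "${CODEX_NPM_PACKAGE}"

log "8/8 Dienste aktivieren"
best_effort systemctl enable unattended-upgrades
best_effort systemctl restart unattended-upgrades
best_effort systemctl enable auditd
best_effort systemctl restart auditd

log "Install abgeschlossen"
best_effort node --version
best_effort npm --version
best_effort fail2ban-client status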