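#!/usr/bin/env bash
#
# Bootstrap for a fresh Debian/Ubuntu host: base packages, unattended
# security updates, fail2ban, ufw, Node.js (NodeSource repo) and the Codex
# CLI installed globally via npm. Must run as root.
#
# Optional tunables, read from the environment (defaults keep the previous
# behaviour of this script):
#   NODE_MAJOR                  Node.js major to install (default: 20)
#   NODESOURCE_KEY_FINGERPRINT  expected full fingerprint (40 hex chars, spaces
#                               allowed) of the NodeSource repo signing key.
#                               When set, the downloaded key is refused unless
#                               it matches; unset = TLS only, no pinning.
#   NPM_VERSION                 npm version/tag to upgrade to (default: latest)
#   CODEX_NPM_VERSION           @openai/codex version/tag (default: latest)
#   BOOTSTRAP_CONFIG_DIR        directory holding fail2ban/jail.local
#                               (default: /opt/bootstrap/config; falls back to
#                               ../config relative to this script)
#   SSH_PORT                    sshd port if it is not 22; it is allowed in ufw
#                               before the firewall is enabled (lockout guard)
set -euo pipefail

log()  { printf '%s\n' "$*"; }
warn() { printf 'WARNUNG: %s\n' "$*" >&2; }
die()  { printf 'FEHLER: %s\n' "$*" >&2; exit 1; }

# Run a command whose failure must not abort the bootstrap. The previous
# version silenced these steps with a blanket "|| true"; the failure is still
# tolerated here but reported, so a broken firewall/service step is visible.
best_effort() {
  if ! "$@"; then
    warn "Befehl fehlgeschlagen (wird übersprungen): $*"
  fi
}

if [[ "${EUID}" -ne 0 ]]; then
  echo "Bitte als root ausführen (z. B. mit sudo)." >&2
  exit 1
fi

export DEBIAN_FRONTEND=noninteractive

SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR

readonly -a APT_PACKAGES=(
  apt-transport-https
  ca-certificates
  curl
  wget
  gnupg
  lsb-release
  software-properties-common
  jq
  unzip
  git
  vim
  htop
  tmux
  ufw
  fail2ban
  unattended-upgrades
  apt-listchanges
  needrestart
  auditd
  rsyslog
  logrotate
)

NODE_MAJOR="${NODE_MAJOR:-20}"
NODESOURCE_KEY_URL="https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key"
NODESOURCE_KEY_FINGERPRINT="${NODESOURCE_KEY_FINGERPRINT:-}"
NPM_VERSION="${NPM_VERSION:-latest}"
CODEX_NPM_PACKAGE="@openai/codex"
CODEX_NPM_VERSION="${CODEX_NPM_VERSION:-latest}"
BOOTSTRAP_CONFIG_DIR="${BOOTSTRAP_CONFIG_DIR:-/opt/bootstrap/config}"
SSH_PORT="${SSH_PORT:-}"
readonly NODE_MAJOR NODESOURCE_KEY_URL NODESOURCE_KEY_FINGERPRINT NPM_VERSION \
  CODEX_NPM_PACKAGE CODEX_NPM_VERSION BOOTSTRAP_CONFIG_DIR SSH_PORT

# NODE_MAJOR ends up inside an apt source line and SSH_PORT inside a ufw rule;
# refuse anything that is not a plain number before it gets there.
[[ "${NODE_MAJOR}" =~ ^[0-9]+$ ]] || die "NODE_MAJOR muss eine Zahl sein: ${NODE_MAJOR}"
[[ -z "${SSH_PORT}" || "${SSH_PORT}" =~ ^[0-9]+$ ]] || die "SSH_PORT muss eine Zahl sein: ${SSH_PORT}"

log "[1/8] Paketindex aktualisieren..."
apt-get update -y

log "[2/8] Basispakete installieren..."
apt-get install -y "${APT_PACKAGES[@]}"

log "[3/8] Automatische Sicherheitsupdates aktivieren..."
best_effort dpkg-reconfigure -f noninteractive unattended-upgrades
# Quoted delimiter: the content is written literally, nothing is expanded.
cat > /etc/apt/apt.conf.d/20auto-upgrades <<'AUTOU'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
AUTOU

log "[4/8] Fail2ban konfigurieren..."
# First match wins: the fixed bootstrap location, then ../config next to
# this script (resolved via BASH_SOURCE, so it also works when sourced or
# invoked through a relative path).
jail_src=""
for candidate in \
  "${BOOTSTRAP_CONFIG_DIR}/fail2ban/jail.local" \
  "${SCRIPT_DIR}/../config/fail2ban/jail.local"; do
  if [[ -f "${candidate}" ]]; then
    jail_src="${candidate}"
    break
  fi
done
if [[ -n "${jail_src}" ]]; then
  install -m 0644 -- "${jail_src}" /etc/fail2ban/jail.local
else
  # Not fatal (as before), but say so: fail2ban then runs with the packaged
  # defaults rather than the intended site configuration.
  warn "Keine jail.local gefunden (${BOOTSTRAP_CONFIG_DIR}, ${SCRIPT_DIR}/../config); fail2ban nutzt Paket-Defaults."
fi
best_effort systemctl enable fail2ban
best_effort systemctl restart fail2ban

log "[5/8] UFW Basisregeln setzen (SSH, HTTP, HTTPS)..."
# Order matters: allow SSH first and enable last, or a remote session is cut
# off. The "OpenSSH" application profile is the one shipped by openssh-server
# (normally 22/tcp only); a non-standard sshd port must be allowed explicitly.
best_effort ufw allow OpenSSH
if [[ -n "${SSH_PORT}" && "${SSH_PORT}" != "22" ]]; then
  best_effort ufw allow "${SSH_PORT}/tcp"
fi
# 80/443 are opened to the world unconditionally; drop these two rules on
# hosts that do not serve web traffic.
best_effort ufw allow 80/tcp
best_effort ufw allow 443/tcp
best_effort ufw --force enable

log "[6/8] Node.js ${NODE_MAJOR} installieren..."
if command -v node >/dev/null 2>&1; then
  # An existing node (of any version) is left alone; the NodeSource repo is
  # only set up on a host without node. Remove node first to force NODE_MAJOR.
  log "node bereits vorhanden, NodeSource-Repo wird nicht eingerichtet."
else
  install -d -m 0755 /etc/apt/keyrings
  key_tmp="$(mktemp)"
  trap 'rm -f -- "${key_tmp}"' EXIT

  # Fetch the repo signing key into a temp file rather than straight into
  # /etc/apt/keyrings: a failed or truncated download (pipefail aborts the
  # script) must not leave a half-written keyring behind. HTTPS only, no
  # redirect to plain http.
  curl -fsSL --proto '=https' --tlsv1.2 "${NODESOURCE_KEY_URL}" \
    | gpg --dearmor > "${key_tmp}"

  # TLS only proves we talked to deb.nodesource.com; pinning the key
  # fingerprint additionally catches a swapped key on the server/CDN side.
  # Whitespace and case in the configured value are normalised before
  # comparison so a fingerprint copied from a web page matches.
  if [[ -n "${NODESOURCE_KEY_FINGERPRINT}" ]]; then
    expected="${NODESOURCE_KEY_FINGERPRINT//[[:space:]]/}"
    expected="${expected^^}"
    actual="$(gpg --batch --show-keys --with-colons "${key_tmp}" \
      | awk -F: '$1 == "fpr" { print $10; exit }')"
    if [[ "${actual}" != "${expected}" ]]; then
      die "NodeSource-Schlüssel: Fingerprint ${actual:-<leer>} != erwartet ${expected}"
    fi
  else
    warn "NODESOURCE_KEY_FINGERPRINT nicht gesetzt: Repo-Schlüssel wird nur per TLS verifiziert."
  fi

  # 0644 regardless of the caller's umask: apt reads the keyring as the
  # unprivileged _apt user, and a 0600 keyring makes "apt-get update" fail.
  install -m 0644 -- "${key_tmp}" /etc/apt/keyrings/nodesource.gpg
  printf 'deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_%s.x nodistro main\n' \
    "${NODE_MAJOR}" > /etc/apt/sources.list.d/nodesource.list
  apt-get update -y
  apt-get install -y nodejs
fi

log "[7/8] npm aktualisieren und Codex CLI installieren..."
# Both installs run package lifecycle scripts as root and, with the default
# "latest", resolve whatever is on the registry at run time. Pin NPM_VERSION
# and CODEX_NPM_VERSION to reviewed versions for reproducible, auditable
# builds. Upgrading npm globally also replaces the npm shipped by the nodejs
# .deb, so a later apt upgrade of nodejs may change it again.
npm install -g "npm@${NPM_VERSION}"
npm install -g "${CODEX_NPM_PACKAGE}@${CODEX_NPM_VERSION}"

log "[8/8] Dienste prüfen..."
best_effort systemctl enable unattended-upgrades
best_effort systemctl restart unattended-upgrades
best_effort systemctl enable auditd
# auditd may refuse a manual restart through systemctl on some distributions;
# as before this stays non-fatal (the enable above still takes effect on boot).
best_effort systemctl restart auditd

echo
best_effort node --version
best_effort npm --version
best_effort fail2ban-client status

log "Fertig. Empfohlen: SSH-Härtung und Benutzerrechte zusätzlich prüfen."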