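#!/usr/bin/env bash
#
# Post-install hardening and optional WireGuard setup for an Arch-based host
# (pacman, ufw, AppArmor, Fail2ban, sysctl, wg-quick).
#
# Usage: run from the directory that holds an optional `.env` (and, by
# default, the WireGuard config) as a user with sudo rights.
#
# Environment (from the caller or a sourced `.env`):
#   ENABLE_WIREGUARD     - y/yes (any case) installs and starts wg-quick@wg0
#   WIREGUARD_CONF_PATH  - path to the WireGuard config; defaults to ./wg0.conf
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.d/99-hardening.conf
# The wg-quick instance name below (wg0) is derived from this basename.
readonly WG_TARGET=/etc/wireguard/wg0.conf

#######################################
# Source ./.env when present. The file is executed as shell code with this
# script's privileges and its values feed the sudo'd commands below, so it
# must be a trusted, user-owned file. Best-effort: its own exit status is
# ignored, as in the original one-liner.
# Globals:   may set ENABLE_WIREGUARD, WIREGUARD_CONF_PATH
#######################################
load_env() {
  if [[ -f .env ]]; then
    # shellcheck disable=SC1091 — optional, user-provided file
    source .env || true
  fi
}

#######################################
# Upgrade the system and install the packages configured below.
#######################################
install_packages() {
  sudo pacman -Syu --noconfirm ufw apparmor fail2ban wireguard-tools
}

#######################################
# Reset ufw to deny-inbound / allow-outbound and enable it.
# NOTE(review): no inbound allow rule is added, so a host administered over
# SSH loses its session once the firewall comes up; add the required rule
# before the enable step if that applies.
#######################################
configure_firewall() {
  sudo systemctl enable --now ufw
  sudo ufw --force reset
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  # --force skips ufw's interactive "may disrupt existing ssh connections"
  # confirmation, which would otherwise stall a non-interactive run.
  sudo ufw --force enable
}

#######################################
# Enable and start the AppArmor and Fail2ban services.
#######################################
enable_services() {
  sudo systemctl enable --now apparmor
  sudo systemctl enable --now fail2ban
}

#######################################
# Write the sysctl hardening drop-in and reload all sysctl settings.
# Globals:   SYSCTL_CONF (read)
#######################################
apply_sysctl_hardening() {
  # Quoted delimiter: the keys are written literally, nothing is expanded.
  sudo tee "$SYSCTL_CONF" >/dev/null <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.randomize_va_space = 2
EOF
  sudo sysctl --system
}

#######################################
# Install the WireGuard config and start wg-quick@wg0 when requested.
# Globals:   ENABLE_WIREGUARD (read), WIREGUARD_CONF_PATH (read),
#            WG_TARGET (read)
#######################################
setup_wireguard() {
  # Resolve the default once. The original tested the defaulted form but then
  # expanded the raw variable, which is an unbound-variable error under
  # `set -u` whenever WIREGUARD_CONF_PATH is unset and ./wg0.conf exists.
  local wg_conf=${WIREGUARD_CONF_PATH:-./wg0.conf}

  if [[ "${ENABLE_WIREGUARD:-no}" =~ ^[Yy][Ee]?[Ss]?$ ]] && [[ -f "$wg_conf" ]]; then
    printf '%s\n' "Setting up WireGuard..."
    # The config carries the private key: installed root-owned, mode 0600,
    # with -D creating /etc/wireguard if needed. The source copy keeps its
    # existing mode; remove or restrict it afterwards if it sits in a shared
    # directory.
    sudo install -Dm600 -- "$wg_conf" "$WG_TARGET"
    sudo systemctl enable --now wg-quick@wg0.service
  else
    printf '%s\n' "WireGuard skipped (no config or disabled)."
  fi
}

#######################################
# Run every step in the original order.
#######################################
main() {
  printf '%s\n' "=== Post-install hardening and VPN setup ==="
  load_env
  install_packages
  configure_firewall
  enable_services
  apply_sysctl_hardening
  setup_wireguard
  printf '%s\n' "✅ Post-install setup complete."
}

main "$@"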