#!/usr/bin/env bash

# ──────────────────────────────────────────────────────────────────────────────
#  Secure-SSH Hardened Setup (OpenSSH ≥9.x)
#  ----------------------------------------
#  ✦ Minimal Defaults + Explizite Härtung
#  ✦ Unterstützt:
#    - Benutzer/Gruppen-Whitelisting
#    - Auto-Logoff (Idle-Timeouts)
#    - Brute-Force-Rate-Limiting
#    - Kein Forwarding (Agent/TCP/X11)
#  ✦ Dynamisches PAM-Handling
# ──────────────────────────────────────────────────────────────────────────────

printf "\033c"   # Clear terminal

# ─── Konfigurationsvariablen ─────────────────────────────────────────────────
SSH_CONFIG_DIR="/etc/ssh/sshd_config.d"
SSH_MAIN_CONFIG="/etc/ssh/sshd_config"
SSH_CONFIG_FILE="$SSH_CONFIG_DIR/secure.conf"
ED25519_KEY="/etc/ssh/ssh_host_ed25519_key"

# ─── ANSI Colors ─────────────────────────────────────────────────────────────
RED='\033[1;31m'; GREEN='\033[1;32m'; YELLOW='\033[1;33m'; BLUE='\033[1;34m'; WHITE='\033[1;37m'; RESET='\033[0m'
log()   { echo -e "${GREEN}[+] $1${RESET}"; }
warn()  { echo -e "${YELLOW}[!] $1${RESET}"; }
error() { echo -e "${RED}[✗] $1${RESET}"; }

# ─── Service Manager Detection ──────────────────────────────────────────────
detect_service_manager() {
  if command -v systemctl &>/dev/null; then echo "systemd"; return; fi
  command -v rc-service &>/dev/null && echo "openrc" || echo "sysvinit"
}

# ─── SSH Service Handling ──────────────────────────────────────────────────
restart_ssh_service() {
  local service=$1
  case $(detect_service_manager) in
    systemd)  sudo systemctl restart "$service" ;;
    openrc)   sudo rc-service "$service" restart ;;
    sysvinit) sudo "/etc/init.d/$service" restart 2>/dev/null ;;
    *)        sudo killall -HUP sshd 2>/dev/null ;;
  esac || { error "Failed to restart SSH"; return 1; }
}

# ─── Paketinstallation ──────────────────────────────────────────────────────
install_package() {
  local pkg=$1
  warn "Installing $pkg..."
  if command -v apt &>/dev/null; then
    sudo apt update -qq && sudo apt install -y "$pkg" -qq
  elif command -v dnf &>/dev/null; then
    sudo dnf install -y "$pkg" &>/dev/null
  elif command -v apk &>/dev/null; then
    sudo apk add "$pkg" &>/dev/null
  else
    error "Package manager not found. Install $pkg manually."
    return 1
  fi || { error "Installation failed"; return 1; }
  log "$pkg installed."
}

# ─── Hauptsetup ────────────────────────────────────────────────────────────
log "Starting Secure-SSH Setup..."

# ─── Voraussetzungen prüfen ────────────────────────────────────────────────
command -v sudo &>/dev/null || install_package sudo
command -v sshd &>/dev/null || install_package openssh-server
[ -d "$SSH_CONFIG_DIR" ] || { sudo mkdir -p "$SSH_CONFIG_DIR"; log "Created $SSH_CONFIG_DIR"; }

# ─── Host Key (Ed25519) ────────────────────────────────────────────────────
[ -f "$ED25519_KEY" ] || {
  warn "Generating Ed25519 host key..."
  sudo ssh-keygen -t ed25519 -f "$ED25519_KEY" -N "" -q && sudo chmod 600 "$ED25519_KEY"
  log "Host key generated."
}

# ─── Benutzer/Gruppen-Abfrage ──────────────────────────────────────────────
read -rp $'\e[1;34mAllowed SSH users (space-separated): \e[0m' SSH_USERS
read -rp $'\e[1;34mAllowed SSH group (leave empty if unused): \e[0m' SSH_GROUP

# ─── Konfigurationsdatei erstellen ─────────────────────────────────────────
warn "Generating hardened SSH config..."
sudo tee "$SSH_CONFIG_FILE" >/dev/null <<EOF
# ───────────────────────────────────────────────────────────────────────────
#  Hardened SSH Config (generated $(date +%Y-%m-%d))
#  OpenSSH ≥9.x | Auto-Logoff | Rate-Limiting | No Forwarding
# ───────────────────────────────────────────────────────────────────────────

# ─── Core Security ──────────────────────────────────────────────────────────
PermitRootLogin no
PermitEmptyPasswords no
HostKey $ED25519_KEY

# ─── Access Control ───────────────────────────────────────────────────────
AllowUsers ${SSH_USERS}
${SSH_GROUP:+AllowGroups $SSH_GROUP}  # Nur gesetzt, wenn Gruppe existiert
DenyUsers root admin administrator

# ─── Authentication ───────────────────────────────────────────────────────
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no

# ─── Session Hardening ────────────────────────────────────────────────────
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30s
MaxAuthTries 3
MaxSessions 5
MaxStartups 10:30:60

# ─── Network Restrictions ──────────────────────────────────────────────────
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
GatewayPorts no
PermitTunnel no

# ─── Logging & Auditing ───────────────────────────────────────────────────
LogLevel VERBOSE
PrintLastLog yes
SyslogFacility AUTH
EOF

# ─── PAM Handling (dynamisch) ──────────────────────────────────────────────
if [ -d /etc/pam.d ] && find / -name 'libpam.so*' -quit 2>/dev/null; then
  echo -e "UsePAM yes\nPrintMotd no" | sudo tee -a "$SSH_CONFIG_FILE" >/dev/null
  log "PAM support enabled."
fi

# ─── Konfiguration testen & neu starten ────────────────────────────────────
sudo sshd -t || { error "Invalid SSH config. Fix errors before restarting."; exit 1; }
restart_ssh_service $(basename "$(command -v sshd)") || exit 1

log "Hardened SSH setup complete!"
echo -e "\n${WHITE}→ Allowed users: ${SSH_USERS}${RESET}"
[ -n "$SSH_GROUP" ] && echo -e "${WHITE}→ Allowed group: ${SSH_GROUP}${RESET}"
echo -e "${WHITE}→ Active settings:${RESET}"
sudo sshd -T | grep -Ei "allowusers|allowgroups|permitroot|maxauthtries|clientalive"