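#!/usr/bin/env bash
#
# Baseline host hardening for a Debian/Ubuntu-style system (uses apt, ufw,
# fail2ban, unattended-upgrades):
#   - default-deny inbound firewall with SSH (and optionally HTTP/HTTPS) open
#   - fail2ban enabled and started
#   - unattended-upgrades enabled and started
# Must be run as root. Prompts interactively for the ports to open.
set -euo pipefail

if [[ "$(id -u)" -ne 0 ]]; then
  # Diagnostics go to stderr so they are not lost when stdout is redirected.
  echo "Jalankan sebagai root." >&2
  exit 1
fi

read -rp "Port SSH yang ingin dibuka [22]: " SSH_PORT
read -rp "Buka port HTTP 80? [Y/n]: " OPEN_HTTP
read -rp "Buka port HTTPS 443? [Y/n]: " OPEN_HTTPS
SSH_PORT="${SSH_PORT:-22}"
OPEN_HTTP="${OPEN_HTTP:-Y}"
OPEN_HTTPS="${OPEN_HTTPS:-Y}"

# Validate the SSH port before touching the firewall. The value is operator
# input that ends up in a firewall rule; a typo here would either abort the
# script half-way (after the default policies were already changed) or open
# the wrong port. Limit to 1-5 digits so the arithmetic below cannot overflow,
# and force base 10 so a leading zero is not parsed as octal.
if ! [[ "$SSH_PORT" =~ ^[0-9]{1,5}$ ]] ||
  ((10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535)); then
  echo "Port SSH tidak valid (harus angka 1-65535): $SSH_PORT" >&2
  exit 1
fi
SSH_PORT=$((10#$SSH_PORT))

# NOTE(review): nothing here verifies that sshd actually listens on SSH_PORT.
# If the two differ, `ufw --force enable` below cuts off new SSH sessions.
# Confirm the port against the sshd configuration before running remotely.

# apt-get rather than apt: apt's command-line interface is not guaranteed
# stable for use in scripts.
apt-get update
apt-get -y install ufw fail2ban unattended-upgrades

# Default-deny inbound, then open only what was asked for.
ufw default deny incoming
ufw default allow outgoing
ufw allow "$SSH_PORT/tcp"
# Only an exact single "Y" or "y" opens the port; any other answer leaves it
# closed.
if [[ "$OPEN_HTTP" =~ ^[Yy]$ ]]; then
  ufw allow 80/tcp
fi
if [[ "$OPEN_HTTPS" =~ ^[Yy]$ ]]; then
  ufw allow 443/tcp
fi
# --force skips ufw's confirmation prompt about disrupting existing SSH
# connections.
ufw --force enable

# Re-run the package's configuration without prompting.
# NOTE(review): with the noninteractive frontend this applies whatever answer
# debconf already holds; confirm automatic updates really end up enabled
# (e.g. inspect /etc/apt/apt.conf.d/20auto-upgrades).
dpkg-reconfigure -f noninteractive unattended-upgrades

# NOTE(review): fail2ban is started with its packaged configuration. The stock
# sshd jail is defined for the standard "ssh" port; when SSH_PORT is not 22,
# set the jail's port in a jail.local override so bans cover the real port.
systemctl enable --now fail2ban
systemctl enable --now unattended-upgrades
echo "Security basic aktif. Cek: ufw status verbose && fail2ban-client status"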
