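#!/usr/bin/env bash
set -euo pipefail

#######################################
# Step-by-step SSH hardening (Debian/Ubuntu style host):
#   1. create a sudo-capable user (default "deploy") and install the given public key,
#   2. move sshd to the chosen port, disable password login and root password login,
#   3. open the new port in ufw when present, validate the config and reload sshd.
#
# Must run as root. Make sure the public key is valid before running this: a wrong
# key combined with "PasswordAuthentication no" locks you out of the server.
# The edited sshd_config is validated with `sshd -t` and its *effective* values are
# checked with `sshd -T` before the daemon is reloaded; on any mismatch the backup
# is restored so the on-disk config is never left unusable for the next reboot.
# User-facing messages are in Indonesian, matching the original script.
#######################################

readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Portable POSIX username (also keeps the value safe to embed in paths).
# Arguments: $1 - candidate username
valid_username() { [[ "$1" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; }

# TCP port in 1..65535; the value is interpolated into sshd_config and ufw rules.
# Arguments: $1 - candidate port
valid_port() { [[ "$1" =~ ^[0-9]{1,5}$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 )); }

#######################################
# Check that the supplied public key looks usable: same prefix check as before,
# then let ssh-keygen actually parse it when the tool is available (a key that
# only *starts* with ssh-ed25519 but is truncated would otherwise lock us out).
# Arguments: $1 - public key line (authorized_keys format)
# Returns:   0 if the key is acceptable, non-zero otherwise
#######################################
valid_pubkey() {
  local key=$1 tmp rc=0
  [[ "$key" =~ ^ssh-(rsa|ed25519) ]] || return 1
  # Without ssh-keygen we can only rely on the prefix check above.
  command -v ssh-keygen >/dev/null 2>&1 || return 0
  tmp=$(mktemp) || return 1
  printf '%s\n' "$key" > "$tmp"
  ssh-keygen -l -f "$tmp" >/dev/null 2>&1 || rc=$?
  rm -f -- "$tmp"
  return "$rc"
}

#######################################
# Set "Key Value" in sshd_config. Replaces an existing (possibly commented-out)
# line; if the directive is absent it is inserted at the top of the file instead
# of being silently skipped — sshd uses the first value it reads, so a line at
# the top also wins over anything pulled in by a later Include.
# Values must not contain sed-special characters (/ & \); all callers pass
# digits or fixed keywords.
# Arguments: $1 - directive name, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq -- "^#?${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i -E "s/^#?${key}[[:space:]].*/${key} ${value}/" "$SSHD_CONFIG"
  else
    sed -i "1i ${key} ${value}" "$SSHD_CONFIG"
  fi
}

#######################################
# Restore the sshd_config backup and abort.
# Arguments: $1 - backup path, $2 - reason shown to the operator
#######################################
rollback() {
  local backup=$1 reason=$2
  cp -- "$backup" "$SSHD_CONFIG"
  die "$reason Backup dipulihkan dari $backup."
}

main() {
  [[ "$(id -u)" -eq 0 ]] || die "Jalankan sebagai root."

  local user_name ssh_port public_key confirm
  read -rp "Username sudo baru [deploy]: " user_name
  read -rp "Port SSH baru [22]: " ssh_port
  read -rp "Public key SSH, mulai dari ssh-rsa/ssh-ed25519: " PUBLIC_KEY
  public_key=$PUBLIC_KEY
  user_name=${user_name:-deploy}
  ssh_port=${ssh_port:-22}

  # Validate every input before anything is modified.
  valid_username "$user_name" || die "Username tidak valid: $user_name"
  valid_port "$ssh_port" || die "Port tidak valid: $ssh_port"
  valid_pubkey "$public_key" || die "Public key tidak valid. Script dihentikan agar server tidak terkunci."

  echo "Script akan membuat user $user_name, memasang public key, dan mematikan password login SSH."
  read -rp "Lanjut? [y/N]: " confirm
  if [[ ! "$confirm" =~ ^[Yy]$ ]]; then
    echo "Dibatalkan."
    exit 0
  fi

  # --- user and authorized_keys -------------------------------------------
  if ! id "$user_name" >/dev/null 2>&1; then
    adduser --disabled-password --gecos "" "$user_name"
  fi
  usermod -aG sudo "$user_name"

  # Resolve the real home directory and primary group instead of assuming
  # /home/<user> and a same-named group.
  local home group
  home=$(getent passwd "$user_name" | cut -d: -f6)
  group=$(id -gn "$user_name")
  [[ -n "$home" && -d "$home" ]] || die "Home directory untuk $user_name tidak ditemukan."

  local ssh_dir="$home/.ssh" auth_keys="$home/.ssh/authorized_keys"
  install -d -m 700 -o "$user_name" -g "$group" "$ssh_dir"
  # Append rather than overwrite so an existing user keeps keys already installed;
  # skip the append when this exact line is already present.
  touch -- "$auth_keys"
  grep -qxF -- "$public_key" "$auth_keys" || printf '%s\n' "$public_key" >> "$auth_keys"
  chown "$user_name:$group" "$auth_keys"
  chmod 600 "$auth_keys"

  # --- sshd_config ----------------------------------------------------------
  local backup
  backup="$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
  cp -- "$SSHD_CONFIG" "$backup"
  set_sshd_option Port "$ssh_port"
  set_sshd_option PermitRootLogin prohibit-password
  set_sshd_option PasswordAuthentication no
  set_sshd_option PubkeyAuthentication yes

  # Syntax check first; sshd -t prints the offending line to stderr.
  sshd -t || rollback "$backup" "sshd_config tidak valid."

  # Then confirm the values sshd will actually use. Debian/Ubuntu include
  # /etc/ssh/sshd_config.d/*.conf, and a drop-in there (e.g. from cloud-init)
  # can override the directives edited above; `sshd -T` resolves all of that.
  local effective expected
  effective=$(sshd -T) || rollback "$backup" "sshd -T gagal."
  for expected in \
      "port $ssh_port" \
      "permitrootlogin prohibit-password" \
      "passwordauthentication no" \
      "pubkeyauthentication yes"; do
    grep -qxF -- "$expected" <<<"$effective" \
      || rollback "$backup" "Konfigurasi efektif sshd bukan \"$expected\" (kemungkinan ditimpa oleh file di /etc/ssh/sshd_config.d)."
  done

  # --- firewall and reload --------------------------------------------------
  # Open the new port *before* reloading sshd. Best-effort: ufw may be absent or
  # inactive, but on an active firewall this rule is what prevents a lockout, so
  # a failure is reported instead of being swallowed silently.
  if command -v ufw >/dev/null 2>&1; then
    ufw allow "$ssh_port/tcp" \
      || printf 'Peringatan: ufw allow %s/tcp gagal; pastikan port terbuka sebelum menutup sesi ini.\n' "$ssh_port" >&2
  fi
  systemctl reload ssh || systemctl reload sshd || die "Gagal reload sshd."

  echo "Selesai. Buka terminal baru dan test login sebelum menutup sesi lama."
}

main "$@"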
