#!/usr/bin/env bash
#
# install mcp
#
#

set -o errexit
set -o pipefail
set -o nounset

# installing dependencies
apt update && apt upgrade -y && apt autoremove -y

apt remove ubuntu-advantage-tools -y
apt install -y ca-certificates curl gnupg

mkdir -p /etc/apt/keyrings
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_18.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list

apt update && apt install -y nodejs git unzip curl ca-certificates gnupg ufw fail2ban cockpit software-properties-common

systemctl start cockpit

#
# configure ufw and start ufw
#
#

ufw allow ssh
ufw allow 9090/tcp

service ufw start
echo "y" | ufw enable

#
# configure fail2ban for seacure ssh and start fail2ban
#
#

cat > /etc/fail2ban/jail.local << EOF
[default]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime = 3600

banaction = ufw

# The length of time between login attempts before a ban is set.
# For example, if Fail2ban is set to ban an IP after five (3) failed log-in attempts,
# those 3 attempts must occur within the set 10-minute findtime limit.
# The findtime value should be a set number of seconds.
findtime = 600

maxretry = 5

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth-fail2ban.log
EOF

cp resources/fail2ban/filter.d/* /etc/fail2ban/filter.d
touch /var/log/fail2ban.log
service fail2ban start

echo -e "mcp installed"