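#!/bin/bash
# ============================================================
# Bookworm Portable - firewall hardening (P1-2)
#
# Binds Gitea to 127.0.0.1 (Nginx handles external traffic), installs
# a fail2ban jail for Gitea login failures, then prints the Alibaba
# Cloud security-group rules that must be applied by hand.
# NOTE: despite the original "UFW + fail2ban" title, this script writes
# no UFW rules; host-level port filtering is delegated to the cloud
# security group described in step 3.
# ============================================================
# Usage: ssh root@8.138.11.105 'bash -s' < secure-firewall.sh
# ============================================================
set -euo pipefail

readonly GITEA_INI="/var/lib/gitea/custom/conf/app.ini"
readonly GITEA_LOG="/var/lib/gitea/log/gitea.log"
readonly F2B_FILTER="/etc/fail2ban/filter.d/gitea.conf"
readonly F2B_JAIL="/etc/fail2ban/jail.d/gitea.conf"

# Print a message to stderr and abort with status 1.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Step 1: make Gitea listen on 127.0.0.1 only.
# Globals:   GITEA_INI (read; file edited in place)
# Outputs:   progress messages on stdout
# Returns:   0 when done or when the config file is absent (step skipped);
#            aborts via die/set -e if the edit or restart fails
#######################################
configure_gitea_listen() {
  if [[ ! -f "$GITEA_INI" ]]; then
    echo "[1/3] [!] Gitea 配置不存在,跳过"
    return 0
  fi
  if grep -q "^HTTP_ADDR.*=.*127.0.0.1" "$GITEA_INI"; then
    echo "[1/3] Gitea 已绑定 127.0.0.1"
    return 0
  fi
  echo "[1/3] 配置 Gitea 仅本地监听..."
  # The original chained two seds with `||`. sed exits 0 even when its
  # pattern matches nothing, so the "append after [server]" fallback never
  # ran and an app.ini without an HTTP_ADDR line stayed world-bound.
  # Decide explicitly which edit applies.
  if grep -q '^HTTP_ADDR\s*=' "$GITEA_INI"; then
    sed -i 's/^HTTP_ADDR\s*=.*/HTTP_ADDR = 127.0.0.1/' "$GITEA_INI"
  elif grep -q '^\[server\]' "$GITEA_INI"; then
    sed -i '/^\[server\]/a HTTP_ADDR = 127.0.0.1' "$GITEA_INI"
  else
    printf '\n[server]\nHTTP_ADDR = 127.0.0.1\n' >> "$GITEA_INI"
  fi
  # Verify the edit before restarting, so a successful restart cannot mask
  # a failed config change.
  grep -q '^HTTP_ADDR\s*=\s*127\.0\.0\.1' "$GITEA_INI" \
    || die "[1/3] [!] 无法写入 HTTP_ADDR,请检查 $GITEA_INI"
  systemctl restart gitea
  echo " [OK] Gitea 已限制为本地监听"
}

#######################################
# Step 2: install fail2ban and add a jail for Gitea login failures.
# Globals:   GITEA_LOG, F2B_FILTER, F2B_JAIL (read); writes the two
#            fail2ban config files and restarts the service
# Outputs:   progress messages on stdout, warnings on stderr
# Returns:   0 when the jail is loaded; aborts otherwise
#######################################
configure_fail2ban() {
  echo "[2/3] 配置 fail2ban..."
  if ! command -v fail2ban-client >/dev/null 2>&1; then
    DEBIAN_FRONTEND=noninteractive apt-get update -qq
    DEBIAN_FRONTEND=noninteractive apt-get install -y -qq fail2ban
  fi

  # fail2ban requires the <HOST> capture in failregex to learn which
  # address to ban; without it the jail fails to load and nothing is ever
  # banned. The pattern below is the one from the Gitea fail2ban docs.
  cat > "$F2B_FILTER" <<'EOF'
[Definition]
failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
ignoreregex =
EOF

  # ignoreip keeps loopback out of the ban table. Behind Nginx, Gitea only
  # logs the real client address when it is configured to trust the proxy
  # (REVERSE_PROXY_TRUSTED_PROXIES in app.ini) — TODO confirm that is set,
  # otherwise every failure is logged "from 127.0.0.1" and no useful ban
  # is produced. Ports stay http,https because that is how clients reach
  # Gitea through the proxy.
  cat > "$F2B_JAIL" <<EOF
[gitea]
enabled = true
port = http,https
filter = gitea
logpath = ${GITEA_LOG}
maxretry = 5
findtime = 3600
bantime = 86400
ignoreip = 127.0.0.1/8 ::1
action = iptables-multiport[name=gitea, port="http,https"]
EOF

  # fail2ban will not start a jail whose logpath does not exist.
  if [[ ! -f "$GITEA_LOG" ]]; then
    printf '[2/3] [!] 日志文件不存在: %s (jail 可能无法启动,请确认 Gitea 日志路径)\n' \
      "$GITEA_LOG" >&2
  fi
  systemctl restart fail2ban

  # Confirm the jail actually loaded instead of trusting the restart.
  # The server socket may take a moment to come up, hence the short retry.
  local attempt
  for ((attempt = 0; attempt < 10; attempt++)); do
    fail2ban-client status gitea >/dev/null 2>&1 && break
    sleep 1
  done
  fail2ban-client status gitea >/dev/null 2>&1 \
    || die "[2/3] [!] fail2ban gitea jail 未加载,请查看 /var/log/fail2ban.log"
  echo " [OK] fail2ban 已配置 (5次失败/小时 → 封禁24小时)"
}

#######################################
# Step 3: print the Alibaba Cloud security-group rules to apply manually.
# Outputs:   the guidance table on stdout
#######################################
print_security_group_guide() {
  echo "[3/3] 安全组配置指引..."
  cat <<'EOF'

=========================================
 阿里云安全组配置 (手动操作)
=========================================

 1. 登录阿里云控制台 → ECS → 安全组
 2. 找到实例 8.138.11.105 所在安全组
 3. 添加入方向规则:

 ┌────────────┬──────────┬───────────────────────────┐
 │ 端口 │ 协议 │ 授权对象 │
 ├────────────┼──────────┼───────────────────────────┤
 │ 443/443 │ TCP │ 0.0.0.0/0 (HTTPS 公开) │
 │ 80/80 │ TCP │ 0.0.0.0/0 (重定向用) │
 │ 22/22 │ TCP │ 你的 IP/32 │
 ├────────────┼──────────┼───────────────────────────┤
 │ 3300/3300 │ TCP │ 拒绝 0.0.0.0/0 │
 │ │ │ (Gitea 仅本地,不需公开) │
 └────────────┴──────────┴───────────────────────────┘

 4. 删除任何允许 3300 端口公开访问的规则

 查看你当前的公网 IP:
 curl -s ifconfig.me

=========================================
EOF
}

#######################################
# Entry point: run the three hardening steps in order.
# Arguments: none (positional arguments are ignored)
#######################################
main() {
  # Every step edits /etc or restarts services; fail early if not root.
  (( EUID == 0 )) || die "请以 root 运行: ssh root@<host> 'bash -s' < secure-firewall.sh"
  echo "========================================="
  echo " Bookworm 防火墙加固 v1.0"
  echo "========================================="
  configure_gitea_listen
  configure_fail2ban
  print_security_group_guide
}

main "$@"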