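#!/bin/sh
# 00-base.sh — install variant extra packages, baseline sysctl + ufw.
# Runs in-target (already inside installed system's chroot, /proc /sys /dev
# bind-mounted by d-i, /etc/resolv.conf working, apt sources configured).
#
# Inputs:  /root/s8n-postinstall/extra.list (optional) — whitespace-separated
#          Debian package names; '#' starts a comment to end of line.
# Writes:  /etc/sysctl.d/90-s8n.conf; the ufw rule set (first run only);
#          enablement of the unattended-upgrades unit.
# Exit:    non-zero on any failed step (set -e); the caller treats that as fatal.
set -eu

LIST=/root/s8n-postinstall/extra.list

# ---- extra packages ---------------------------------------------------------
if [ -s "$LIST" ]; then
  echo "[00] installing extra packages from $LIST"

  # Normalise the list to one bare token per line: drop '#...' comments,
  # split on any whitespace (the unquoted $PKGS below word-splits anyway, so
  # several names on one line are accepted), drop empty lines.
  # [[:space:]] rather than the GNU-only '\s' keeps this valid under plain sh.
  PKGS=$(sed 's/#.*//' -- "$LIST" | tr -s '[:space:]' '[\n*]' | sed '/^$/d')

  # Every token must be a plain Debian package name: lowercase alnum, '.',
  # '+', '-', at least two characters, first alnum, last alnum or '+'.
  # apt-get install reinterprets anything else: 'name-' means REMOVE,
  # 'name=ver' / 'name/suite' pin, and a token containing regex
  # metacharacters ('.*', '?', '[') is matched as a pattern against the whole
  # archive.  The list is repo-controlled, but a one-character typo must not
  # become a removal or a mass install, so refuse the run instead of passing
  # the tokens through.  `--` after the apt options only stops option
  # parsing; it does nothing about these package-argument forms.
  BAD=$(printf '%s\n' "$PKGS" | grep -vxE '[a-z0-9][a-z0-9.+-]*[a-z0-9+]' || true)
  if [ -n "$BAD" ]; then
    printf '[00] refusing to install, invalid package token(s) in %s:\n%s\n' \
      "$LIST" "$BAD" >&2
    exit 1
  fi

  if [ -n "$PKGS" ]; then
    # Only hit the mirrors once we know there is something to install
    # (a list holding only comments previously still ran 'apt-get update').
    apt-get update
    # Failure here is a hard fail per `set -e` — DKMS / wifi depending on
    # these packages is critical for laptop variants.  $PKGS is unquoted on
    # purpose: word-splitting on newlines turns the validated tokens into
    # separate arguments, and `--` guarantees none of them is parsed as a flag.
    # shellcheck disable=SC2086
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends -- $PKGS
  fi
fi

# ---- sysctl baseline --------------------------------------------------------
echo "[00] applying sysctl hardening"
cat > /etc/sysctl.d/90-s8n.conf <<'SYSCTL'
# Personal sysctl baseline.
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
SYSCTL

# ---- firewall ---------------------------------------------------------------
echo "[00] enabling ufw (if installed)"
if command -v ufw >/dev/null; then
  # Idempotent: don't reset if already active (preserves user rules on rerun).
  # stderr is dropped because only the 'Status: active' line matters here; the
  # inactive / not-yet-configured case falls through to the else branch.
  if ufw status 2>/dev/null | grep -q '^Status: active'; then
    echo "[00] ufw already active, skipping reset"
  else
    ufw --force reset
    ufw default deny incoming
    ufw default allow outgoing
    # SSH is the only inbound service opened by the baseline.
    ufw allow 22/tcp
    ufw --force enable
  fi
fi

# ---- unattended upgrades ----------------------------------------------------
echo "[00] enabling unattended-upgrades"
if [ -f /etc/apt/apt.conf.d/50unattended-upgrades ]; then
  # Best-effort: a missing unit must not fail the whole post-install.
  systemctl enable unattended-upgrades || true
fi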