#!/bin/bash
# ════════════════════════════════════════════════════════════════
# 🛡️ TRIPZ FORTRESS v9.0 - PRODUCTION-SAFE EDITION
# ════════════════════════════════════════════════════════════════
# الإصدار: 9.0 (Advanced Hardening)
# التاريخ: 2025-02-05
# التحديثات: Safety Net, Sandboxing, Key Management
# ════════════════════════════════════════════════════════════════

set -euo pipefail  # Exit on error, undefined vars, pipe failures
IFS=$'\n\t'        # Safe word splitting

# ════════════════════════════════════════════════════════════════
# ⚙️ CONFIGURATION SECTION - يتم ملؤها ديناميكياً
# ════════════════════════════════════════════════════════════════

# معلومات السيرفر (REQUIRED)
SERVER_IP="${SERVER_IP:-}"
ADMIN_USER="${ADMIN_USER:-tripzadmin}"
SSH_PORT="${SSH_PORT:-2200}"
SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-}"

# Port Knocking Sequence (3 منافذ عشوائية)
KNOCK_PORT_1="${KNOCK_PORT_1:-$(shuf -i 7000-9000 -n 1)}"
KNOCK_PORT_2="${KNOCK_PORT_2:-$(shuf -i 7000-9000 -n 1)}"
KNOCK_PORT_3="${KNOCK_PORT_3:-$(shuf -i 7000-9000 -n 1)}"

# Telegram Integration (OPTIONAL)
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"

# Security Features (TOGGLES)
ENABLE_HONEYPOT="${ENABLE_HONEYPOT:-true}"
ENABLE_FAKE_SERVICES="${ENABLE_FAKE_SERVICES:-true}"
ENABLE_PORT_KNOCKING="${ENABLE_PORT_KNOCKING:-true}"
ENABLE_WIREGUARD="${ENABLE_WIREGUARD:-false}"
ENABLE_FAIL2BAN="${ENABLE_FAIL2BAN:-true}"
ENABLE_AUTO_BACKUP="${ENABLE_AUTO_BACKUP:-true}"

# WireGuard Configuration (if enabled)
VPN_NETWORK="${VPN_NETWORK:-10.8.0.0/24}"
VPN_SERVER_IP="${VPN_SERVER_IP:-10.8.0.1}"

# ════════════════════════════════════════════════════════════════
# 🎨 COLORS & STYLING
# ════════════════════════════════════════════════════════════════

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color

# ════════════════════════════════════════════════════════════════
# 📝 LOGGING FUNCTIONS
# ════════════════════════════════════════════════════════════════

LOG_DIR="/var/log/fortress"
LOG_FILE="${LOG_DIR}/install_$(date +%Y%m%d_%H%M%S).log"

log() { echo -e "${BLUE}[$(date '+%Y-%m-%d %H:%M:%S')]${NC} $*" | tee -a "$LOG_FILE"; }
info() { echo -e "${CYAN}ℹ️  $*${NC}" | tee -a "$LOG_FILE"; }
success() { echo -e "${GREEN}✅ $*${NC}" | tee -a "$LOG_FILE"; }
warning() { echo -e "${YELLOW}⚠️  $*${NC}" | tee -a "$LOG_FILE"; }
error() { echo -e "${RED}❌ ERROR: $*${NC}" | tee -a "$LOG_FILE"; return 1; }

# ════════════════════════════════════════════════════════════════
# 🔍 PRE-FLIGHT CHECKS
# ════════════════════════════════════════════════════════════════

preflight_checks() {
    log "\n🔍 تشغيل الفحوصات الأولية..."
    if [ "$EUID" -ne 0 ]; then error "يجب تشغيل هذا السكريبت كـ root"; exit 1; fi
    if ! ping -c 2 8.8.8.8 &>/dev/null; then error "لا يوجد اتصال بالإنترنت"; exit 1; fi
    
    local required_vars=("SERVER_IP" "SSH_PUBLIC_KEY")
    for var in "${required_vars[@]}"; do
        if [ -z "${!var}" ]; then error "المتغير $var مطلوب ولكنه فارغ!"; exit 1; fi
    done
    
    mkdir -p "$LOG_DIR"
    mkdir -p /root/backup_before_fortress_$(date +%Y%m%d)
    cp -r /etc/ssh /root/backup_before_fortress_$(date +%Y%m%d)/ 2>/dev/null || true
    
    success "✓ الفحوصات الأولية مكتملة"
}

# ════════════════════════════════════════════════════════════════
# 📦 SYSTEM PREPARATION
# ════════════════════════════════════════════════════════════════

system_preparation() {
    log "\n📦 تحضير النظام..."
    export DEBIAN_FRONTEND=noninteractive
    apt-get update -qq
    apt-get install -y -qq curl wget git ufw fail2ban openssh-server sudo htop net-tools knockd openssl cron bc jq netcat-openbsd at
    success "✓ تحضير النظام مكتمل"
}

# ════════════════════════════════════════════════════════════════
# 🛟 SAFETY NET (NEW in v9.0)
# ════════════════════════════════════════════════════════════════

setup_safety_net() {
    log "\n🛟 إعداد شبكة الأمان (Safety Net)..."
    
    # سكريبت استعادة الطوارئ
    cat > /usr/local/bin/fortress_emergency_reset.sh <<EOF
#!/bin/bash
# 🆘 EMERGENCY RESET triggered by Safety Net
ufw disable
iptables -F
systemctl stop knockd
# إعادة SSH للوضع الافتراضي مؤقتاً
if [ -d "/root/backup_before_fortress_$(date +%Y%m%d)" ]; then
    cp /root/backup_before_fortress_$(date +%Y%m%d)/ssh/sshd_config /etc/ssh/sshd_config 2>/dev/null
    systemctl restart sshd
fi
echo "⚠️ تم تفعيل استعادة الطوارئ بسبب فقدان الاتصال!" >> /var/log/fortress/emergency.log
EOF
    chmod +x /usr/local/bin/fortress_emergency_reset.sh

    # جدولة المهمة بعد 15 دقيقة
    if command -v at &>/dev/null; then
        echo "/usr/local/bin/fortress_emergency_reset.sh" | at now + 15 minutes
        info "تم ضبط مؤقت طوارئ (15 دقيقة). سيتم إلغاؤه عند نجاح التثبيت."
    else
        (crontab -l 2>/dev/null; echo "*/15 * * * * /usr/local/bin/fortress_emergency_reset.sh # SAFETY_NET") | crontab -
        warning "تم استخدام Cron للطوارئ. سيتم إلغاؤه عند النجاح."
    fi
}

remove_safety_net() {
    log "\n✅ إلغاء شبكة الأمان (نجح التثبيت)..."
    if command -v atq &>/dev/null; then
        for job in $(atq | awk '{print $1}'); do atrm $job; done
    fi
    crontab -l 2>/dev/null | grep -v "SAFETY_NET" | crontab -
    success "✓ تم تعطيل مؤقت الطوارئ."
}

# ════════════════════════════════════════════════════════════════
# 👤 USER MANAGEMENT
# ════════════════════════════════════════════════════════════════

create_admin_user() {
    log "\n👤 إنشاء المستخدم الإداري..."
    if ! id "$ADMIN_USER" &>/dev/null; then
        useradd -m -s /bin/bash -G sudo "$ADMIN_USER"
    fi
    passwd -l "$ADMIN_USER"
    
    mkdir -p "/home/$ADMIN_USER/.ssh"
    echo "$SSH_PUBLIC_KEY" > "/home/$ADMIN_USER/.ssh/authorized_keys"
    chmod 700 "/home/$ADMIN_USER/.ssh"
    chmod 600 "/home/$ADMIN_USER/.ssh/authorized_keys"
    chown -R "$ADMIN_USER:$ADMIN_USER" "/home/$ADMIN_USER/.ssh"
    
    echo "$ADMIN_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/"$ADMIN_USER"
    chmod 440 /etc/sudoers.d/"$ADMIN_USER"
    success "✓ المستخدم $ADMIN_USER جاهز"
}

# ════════════════════════════════════════════════════════════════
# 🔐 SSH HARDENING
# ════════════════════════════════════════════════════════════════

harden_ssh() {
    log "\n🔐 تأمين SSH..."
    cat > /etc/ssh/sshd_config <<SSHEOF
Port $SSH_PORT
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
AllowUsers $ADMIN_USER
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
SyslogFacility AUTH
LogLevel VERBOSE
Banner /etc/ssh/banner.txt
SSHEOF

    echo "⚠️ AUTHORIZED ACCESS ONLY - TRIPZ FORTRESS v9.0 PROTECTED" > /etc/ssh/banner.txt
    
    if ! sshd -t; then
        error "تكوين SSH غير صالح!"
        cp /root/backup_before_fortress_$(date +%Y%m%d)/ssh/sshd_config /etc/ssh/sshd_config
        exit 1
    fi
    systemctl reload sshd
    success "✓ SSH محمي (Port: $SSH_PORT)"
}

# ════════════════════════════════════════════════════════════════
# 🔥 FIREWALL & FAIL2BAN
# ════════════════════════════════════════════════════════════════

configure_firewall() {
    log "\n🔥 تكوين جدار الحماية..."
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 80/tcp
    ufw allow 443/tcp
    
    if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then
        ufw allow "$SSH_PORT/tcp"
    fi
    
    if [ "$ENABLE_HONEYPOT" == "true" ]; then ufw allow 22/tcp; fi
    if [ "$ENABLE_FAKE_SERVICES" == "true" ]; then ufw allow 3306/tcp; fi
    
    echo "y" | ufw enable
    success "✓ جدار الحماية نشط"
}

setup_fail2ban() {
    if [ "$ENABLE_FAIL2BAN" != "true" ]; then return 0; fi
    log "\n🚫 تكوين Fail2Ban..."
    
    cat > /etc/fail2ban/jail.local <<F2BEOF
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = $SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200

[sshd-aggressive]
enabled = true
port = $SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400
findtime = 300
F2BEOF

    systemctl enable fail2ban
    systemctl restart fail2ban
    success "✓ Fail2Ban نشط"
}

# ════════════════════════════════════════════════════════════════
# 🚪 PORT KNOCKING (HARDENED v9.0)
# ════════════════════════════════════════════════════════════════

setup_port_knocking() {
    if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then return 0; fi
    log "\n🚪 إعداد Port Knocking (Hardened)..."
    
    # تحديد واجهة الشبكة تلقائياً
    NET_INTERFACE=$(ip route | grep default | awk '{print $5}' | head -1)
    
    cat > /etc/knockd.conf <<KNOCKEOF
[options]
    UseSyslog
    LogFile = /var/log/knockd.log
    Interface = $NET_INTERFACE

[openSSH]
    sequence    = $KNOCK_PORT_1,$KNOCK_PORT_2,$KNOCK_PORT_3
    seq_timeout = 5
    command     = /usr/sbin/ufw allow from %IP% to any port $SSH_PORT proto tcp
    tcpflags    = syn

[closeSSH]
    sequence    = $KNOCK_PORT_3,$KNOCK_PORT_2,$KNOCK_PORT_1
    seq_timeout = 5
    command     = /usr/sbin/ufw delete allow from %IP% to any port $SSH_PORT proto tcp
    tcpflags    = syn
KNOCKEOF

    sed -i 's/START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
    systemctl enable knockd
    systemctl restart knockd
    success "✓ Port Knocking نشط (Timeout: 5s)"
}

# ════════════════════════════════════════════════════════════════
# 🎣 HONEYPOT (SANDBOXED v9.0)
# ════════════════════════════════════════════════════════════════

setup_honeypot() {
    if [ "$ENABLE_HONEYPOT" != "true" ]; then return 0; fi
    log "\n🎣 إعداد Honeypot (Sandboxed)..."
    
    cd /opt
    if [ ! -d "endlessh" ]; then git clone --depth=1 https://github.com/skeeto/endlessh; fi
    cd endlessh
    make
    cp endlessh /usr/local/bin/
    
    mkdir -p /etc/endlessh
    echo -e "Port 22\nDelay 10000\nMaxLineLength 32\nMaxClients 4096\nLogLevel 1" > /etc/endlessh/config

    # Systemd Hardened Service
    cat > /etc/systemd/system/endlessh.service <<'SERVICEEOF'
[Unit]
Description=Endlessh SSH Tarpit
After=network.target

[Service]
Type=simple
User=nobody
Group=nogroup
ExecStart=/usr/local/bin/endlessh -c /etc/endlessh/config
Restart=always

# 🛡️ Security Sandboxing
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
NoNewPrivileges=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
SERVICEEOF

    systemctl daemon-reload
    systemctl enable endlessh
    systemctl start endlessh
    success "✓ Endlessh Honeypot معزول (Sandboxed)"
}

setup_fake_services() {
    if [ "$ENABLE_FAKE_SERVICES" != "true" ]; then return 0; fi
    log "\n🎭 إعداد Fake MySQL..."
    
    cat > /usr/local/bin/fake-mysql.sh <<'FAKEMYSQLEOF'
#!/bin/bash
LOG_FILE="/var/log/fortress/fake-mysql.log"
mkdir -p /var/log/fortress
while true; do
    nc -l -p 3306 -k 2>&1 | while read line; do
        echo "$(date '+%Y-%m-%d %H:%M:%S') - Probe: ${line:0:50}" >> "$LOG_FILE"
        echo -e "\x4a\x00\x00\x00\x0a\x35\x2e\x37\x2e\x33\x33"
        sleep 2
    done
done
FAKEMYSQLEOF
    chmod +x /usr/local/bin/fake-mysql.sh
    
    cat > /etc/systemd/system/fake-mysql.service <<'EOF'
[Unit]
Description=Fake MySQL Honeypot
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/fake-mysql.sh
Restart=always
User=nobody
[Install]
WantedBy=multi-user.target
EOF
    systemctl daemon-reload
    systemctl enable fake-mysql
    systemctl start fake-mysql
    success "✓ Fake MySQL نشط"
}

# ════════════════════════════════════════════════════════════════
# ⚡ KERNEL HARDENING (ADVANCED v9.0)
# ════════════════════════════════════════════════════════════════

optimize_system() {
    log "\n⚡ تحسين وتصليب النواة (Kernel Hardening)..."
    
    cat >> /etc/sysctl.conf <<'SYSCTLEOF'
# Network Security
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirects (MITM Protection)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Log Martian Packets
net.ipv4.conf.all.log_martians = 1

# Ignore ICMP Broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Memory & Process Security
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.sysrq = 0
kernel.yama.ptrace_scope = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# TCP/IP Stack Tuning
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
SYSCTLEOF

    sysctl -p
    success "✓ Kernel Hardening: Advanced Profile Applied"
}

# ════════════════════════════════════════════════════════════════
# 💾 AUTO BACKUP (KEY MANAGEMENT v9.0)
# ════════════════════════════════════════════════════════════════

setup_auto_backup() {
    if [ "$ENABLE_AUTO_BACKUP" != "true" ]; then return 0; fi
    log "\n💾 إعداد النسخ الاحتياطي التلقائي..."
    
    mkdir -p /usr/local/bin/fortress
    mkdir -p /backup/fortress
    
    # توليد كلمة مرور وحفظها
    BACKUP_KEY="TRIPZ_$(openssl rand -hex 12)"
    echo "$BACKUP_KEY" > /root/BACKUP_DECRYPTION_KEY.txt
    chmod 600 /root/BACKUP_DECRYPTION_KEY.txt
    
    cat > /usr/local/bin/fortress/backup.sh <<BACKUPEOF
#!/bin/bash
BACKUP_DIR="/backup/fortress"
TIMESTAMP=\$(date +%Y%m%d_%H%M%S)
BACKUP_FILE="\${BACKUP_DIR}/fortress_\${TIMESTAMP}.tar.gz"
ENCRYPTED_FILE="\${BACKUP_FILE}.enc"
BACKUP_PASSWORD=\$(cat /root/BACKUP_DECRYPTION_KEY.txt)

tar -czf "\$BACKUP_FILE" -C /etc ssh fail2ban ufw knockd.conf 2>/dev/null
openssl enc -aes-256-cbc -salt -pbkdf2 -in "\$BACKUP_FILE" -out "\$ENCRYPTED_FILE" -k "\$BACKUP_PASSWORD"
rm -f "\$BACKUP_FILE"
find "\$BACKUP_DIR" -name "*.enc" -mtime +30 -delete
echo "✅ Backup: \$ENCRYPTED_FILE"
BACKUPEOF

    chmod +x /usr/local/bin/fortress/backup.sh
    (crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/fortress/backup.sh >> ${LOG_DIR}/backup.log 2>&1") | crontab -
    
    success "✓ النسخ الاحتياطي مجدول"
    warning "🔑 مفتاح التشفير محفوظ في: /root/BACKUP_DECRYPTION_KEY.txt (قم بتنزيله واحذفه!)"
}

setup_telegram_alerts() {
    if [ -z "$TELEGRAM_BOT_TOKEN" ]; then return 0; fi
    log "\n📱 إعداد تنبيهات Telegram..."
    
    cat > /usr/local/bin/fortress/telegram_notify.sh <<TELEGRAMEOF
#!/bin/bash
TELEGRAM_BOT_TOKEN="$TELEGRAM_BOT_TOKEN"
TELEGRAM_CHAT_ID="$TELEGRAM_CHAT_ID"
MESSAGE=\$1
curl -s -X POST "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/sendMessage" \
    -d chat_id="\${TELEGRAM_CHAT_ID}" \
    -d text="🛡️ ALERT: \$MESSAGE" > /dev/null
TELEGRAMEOF
    chmod +x /usr/local/bin/fortress/telegram_notify.sh
    /usr/local/bin/fortress/telegram_notify.sh "TRIPZ FORTRESS v9.0 Installed Successfully"
    success "✓ تنبيهات Telegram جاهزة"
}

# ════════════════════════════════════════════════════════════════
# 🎯 MAIN EXECUTION
# ════════════════════════════════════════════════════════════════

generate_info_file() {
    log "\n📝 إنشاء ملف المعلومات..."
    cat > /root/FORTRESS_INFO.txt <<INFOEOF
════════════════════════════════════════════════════════
🛡️ TRIPZ FORTRESS v9.0 - Server Information
════════════════════════════════════════════════════════
تاريخ التثبيت: $(date '+%Y-%m-%d %H:%M:%S')
السيرفر: $(hostname)
المستخدم الإداري: $ADMIN_USER
منفذ SSH: $SSH_PORT

🔐 الوصول (Port Knocking):
1. knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3
2. ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP

🔑 النسخ الاحتياطي:
مفتاح فك التشفير: /root/BACKUP_DECRYPTION_KEY.txt

⚠️ هام: تم تفعيل Safety Net. تأكد من الاتصال بنجاح!
════════════════════════════════════════════════════════
INFOEOF
    chmod 600 /root/FORTRESS_INFO.txt
}

main() {
    clear
    log "🚀 TRIPZ FORTRESS v9.0 - Starting Installation..."
    
    preflight_checks
    system_preparation
    create_admin_user
    setup_safety_net   # ✅ تفعيل شبكة الأمان
    harden_ssh
    configure_firewall
    setup_fail2ban
    setup_port_knocking
    setup_honeypot
    setup_fake_services
    optimize_system
    setup_auto_backup
    setup_telegram_alerts
    generate_info_file
    
    log "\n🧪 التحقق النهائي..."
    if systemctl is-active --quiet sshd; then
        remove_safety_net  # ✅ تعطيل شبكة الأمان عند النجاح
        success "🎉 اكتمل التثبيت بنجاح!"
    else
        error "فشل في خدمة SSH - تم الإبقاء على Safety Net لاستعادة الوصول بعد 15 دقيقة."
    fi
    
    echo ""
    warning "⚠️ لا تغلق هذه الجلسة! افتح نافذة جديدة واختبر الاتصال:"
    if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
        echo "knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
    fi
    echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
}

main "$@"