#!/bin/bash
# ════════════════════════════════════════════════════════════════
# 🛡️ TRIPZ FORTRESS v8.2 - PRODUCTION-SAFE DYNAMIC GENERATOR
# ════════════════════════════════════════════════════════════════
# الإصدار: 8.2
# التاريخ: 2025-02-05
# المطوّر: TRIPZ TEAM
# الترخيص: Proprietary
# ════════════════════════════════════════════════════════════════

set -euo pipefail  # Exit on error, undefined vars, pipe failures
IFS=$'\n\t'        # Safe word splitting

# ════════════════════════════════════════════════════════════════
# ⚙️ CONFIGURATION SECTION - يتم ملؤها ديناميكياً
# ════════════════════════════════════════════════════════════════

# معلومات السيرفر (REQUIRED)
SERVER_IP="${SERVER_IP:-}"
ADMIN_USER="${ADMIN_USER:-tripzadmin}"
SSH_PORT="${SSH_PORT:-2200}"
SSH_PUBLIC_KEY="${SSH_PUBLIC_KEY:-}"

# Port Knocking Sequence (3 منافذ عشوائية)
KNOCK_PORT_1="${KNOCK_PORT_1:-$(shuf -i 7000-9000 -n 1)}"
KNOCK_PORT_2="${KNOCK_PORT_2:-$(shuf -i 7000-9000 -n 1)}"
KNOCK_PORT_3="${KNOCK_PORT_3:-$(shuf -i 7000-9000 -n 1)}"

# Telegram Integration (OPTIONAL)
TELEGRAM_BOT_TOKEN="${TELEGRAM_BOT_TOKEN:-}"
TELEGRAM_CHAT_ID="${TELEGRAM_CHAT_ID:-}"

# Security Features (TOGGLES)
ENABLE_HONEYPOT="${ENABLE_HONEYPOT:-true}"
ENABLE_FAKE_SERVICES="${ENABLE_FAKE_SERVICES:-true}"
ENABLE_PORT_KNOCKING="${ENABLE_PORT_KNOCKING:-true}"
ENABLE_WIREGUARD="${ENABLE_WIREGUARD:-false}"
ENABLE_FAIL2BAN="${ENABLE_FAIL2BAN:-true}"
ENABLE_AUTO_BACKUP="${ENABLE_AUTO_BACKUP:-true}"

# WireGuard Configuration (if enabled)
VPN_NETWORK="${VPN_NETWORK:-10.8.0.0/24}"
VPN_SERVER_IP="${VPN_SERVER_IP:-10.8.0.1}"

# ════════════════════════════════════════════════════════════════
# 🎨 COLORS & STYLING
# ════════════════════════════════════════════════════════════════

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
PURPLE='\033[0;35m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
BOLD='\033[1m'

# ════════════════════════════════════════════════════════════════
# 📝 LOGGING FUNCTIONS
# ════════════════════════════════════════════════════════════════

LOG_DIR="/var/log/fortress"
LOG_FILE="${LOG_DIR}/install_$(date +%Y%m%d_%H%M%S).log"

log() {
    echo -e "${BLUE}[$(date '+%Y-%m-%d %H:%M:%S')]${NC} $*" | tee -a "$LOG_FILE"
}

info() {
    echo -e "${CYAN}ℹ️  $*${NC}" | tee -a "$LOG_FILE"
}

success() {
    echo -e "${GREEN}✅ $*${NC}" | tee -a "$LOG_FILE"
}

warning() {
    echo -e "${YELLOW}⚠️  $*${NC}" | tee -a "$LOG_FILE"
}

error() {
    echo -e "${RED}❌ ERROR: $*${NC}" | tee -a "$LOG_FILE"
    return 1
}

# ════════════════════════════════════════════════════════════════
# 🔍 PRE-FLIGHT CHECKS
# ════════════════════════════════════════════════════════════════

preflight_checks() {
    log "\n🔍 تشغيل الفحوصات الأولية..."
    
    # 1. التحقق من root
    if [ "$EUID" -ne 0 ]; then
        error "يجب تشغيل هذا السكريبت كـ root أو باستخدام sudo"
        exit 1
    fi
    
    # 2. التحقق من النظام
    if ! [ -f /etc/debian_version ] && ! [ -f /etc/redhat-release ]; then
        warning "نظام غير مدعوم رسمياً - قد تحدث مشاكل"
    fi
    
    # 3. التحقق من الاتصال
    if ! ping -c 2 8.8.8.8 &>/dev/null; then
        error "لا يوجد اتصال بالإنترنت"
        exit 1
    fi
    
    # 4. التحقق من المتطلبات الأساسية
    local required_vars=("SERVER_IP" "SSH_PUBLIC_KEY")
    for var in "${required_vars[@]}"; do
        if [ -z "${!var}" ]; then
            error "المتغير $var مطلوب ولكنه فارغ!"
            exit 1
        fi
    done
    
    # 5. التحقق من صلاحية IP
    if ! [[ $SERVER_IP =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
        error "عنوان IP غير صالح: $SERVER_IP"
        exit 1
    fi
    
    # 6. التحقق من SSH Key format
    if ! echo "$SSH_PUBLIC_KEY" | grep -qE '^(ssh-rsa|ssh-ed25519|ecdsa-sha2)'; then
        error "تنسيق SSH Key غير صالح"
        exit 1
    fi
    
    # 7. إنشاء مجلد السجلات
    mkdir -p "$LOG_DIR"
    
    # 8. نسخة احتياطية سريعة
    log "إنشاء نسخة احتياطية للملفات الحساسة..."
    mkdir -p /root/backup_before_fortress_$(date +%Y%m%d)
    cp -r /etc/ssh /root/backup_before_fortress_$(date +%Y%m%d)/ 2>/dev/null || true
    
    success "✓ الفحوصات الأولية مكتملة"
}

# ════════════════════════════════════════════════════════════════
# 📦 SYSTEM PREPARATION
# ════════════════════════════════════════════════════════════════

system_preparation() {
    log "\n📦 تحضير النظام..."
    
    # تحديث النظام
    info "تحديث قوائم الحزم..."
    export DEBIAN_FRONTEND=noninteractive
    apt-get update -qq
    
    # تثبيت الأدوات الأساسية
    info "تثبيت الأدوات الأساسية..."
    apt-get install -y -qq \
        curl \
        wget \
        git \
        ufw \
        fail2ban \
        openssh-server \
        sudo \
        htop \
        net-tools \
        knockd \
        openssl \
        cron \
        bc \
        jq \
        netcat-openbsd
    
    success "✓ تحضير النظام مكتمل"
}

# ════════════════════════════════════════════════════════════════
# 👤 USER MANAGEMENT
# ════════════════════════════════════════════════════════════════

create_admin_user() {
    log "\n👤 إنشاء المستخدم الإداري..."
    
    # التحقق من وجود المستخدم
    if id "$ADMIN_USER" &>/dev/null; then
        warning "المستخدم $ADMIN_USER موجود بالفعل - سيتم تحديثه"
    else
        info "إنشاء المستخدم $ADMIN_USER..."
        useradd -m -s /bin/bash -G sudo "$ADMIN_USER"
    fi
    
    # تعطيل كلمة المرور (سنستخدم المفاتيح فقط)
    passwd -l "$ADMIN_USER"
    
    # إعداد SSH
    mkdir -p "/home/$ADMIN_USER/.ssh"
    echo "$SSH_PUBLIC_KEY" > "/home/$ADMIN_USER/.ssh/authorized_keys"
    chmod 700 "/home/$ADMIN_USER/.ssh"
    chmod 600 "/home/$ADMIN_USER/.ssh/authorized_keys"
    chown -R "$ADMIN_USER:$ADMIN_USER" "/home/$ADMIN_USER/.ssh"
    
    # صلاحيات sudo بدون كلمة مرور
    cat > /etc/sudoers.d/"$ADMIN_USER" <<EOF
# TRIPZ FORTRESS - Admin User
$ADMIN_USER ALL=(ALL) NOPASSWD:ALL
EOF
    chmod 440 /etc/sudoers.d/"$ADMIN_USER"
    
    # التحقق من صحة sudoers
    visudo -c || error "خطأ في ملف sudoers!"
    
    success "✓ المستخدم $ADMIN_USER جاهز"
}

# ════════════════════════════════════════════════════════════════
# 🔐 SSH HARDENING
# ════════════════════════════════════════════════════════════════

harden_ssh() {
    log "\n🔐 تأمين SSH..."
    
    # نسخة احتياطية
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d)
    
    # التكوين الآمن
    cat > /etc/ssh/sshd_config <<SSHEOF
# ════════════════════════════════════════
# TRIPZ FORTRESS v8.2 - SSH Configuration
# ════════════════════════════════════════

# الأساسيات
Port $SSH_PORT
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0

# المصادقة
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes

# تعطيل root login
PermitRootLogin no

# المستخدمون المسموح لهم
AllowUsers $ADMIN_USER

# الأمان
X11Forwarding no
PermitUserEnvironment no
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
GatewayPorts no

# الجلسات
MaxAuthTries 3
MaxSessions 2
ClientAliveInterval 300
ClientAliveCountMax 2
LoginGraceTime 30

# التشفير القوي (Modern Algorithms)
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256

# السجلات
SyslogFacility AUTH
LogLevel VERBOSE

# Banner
Banner /etc/ssh/banner.txt
SSHEOF

    # إنشاء Banner
    cat > /etc/ssh/banner.txt <<'BANNEREOF'
════════════════════════════════════════════════════════
⚠️  AUTHORIZED ACCESS ONLY  ⚠️

This system is protected by TRIPZ FORTRESS v8.2
All connections are monitored and logged.
Unauthorized access attempts will be prosecuted.

🛡️ Protected by 9-Layer Security System
════════════════════════════════════════════════════════
BANNEREOF

    # اختبار التكوين
    info "اختبار تكوين SSH..."
    if ! sshd -t; then
        error "تكوين SSH غير صالح!"
        cp /etc/ssh/sshd_config.backup.$(date +%Y%m%d) /etc/ssh/sshd_config
        exit 1
    fi
    
    # إعادة تحميل SSH (بدون قطع الاتصال!)
    systemctl reload sshd
    
    success "✓ SSH محمي (Port: $SSH_PORT)"
}

# ════════════════════════════════════════════════════════════════
# 🔥 FIREWALL CONFIGURATION
# ════════════════════════════════════════════════════════════════

configure_firewall() {
    log "\n🔥 تكوين جدار الحماية..."
    
    # السياسة الافتراضية
    ufw default deny incoming
    ufw default allow outgoing
    
    # السماح بالمنافذ الأساسية
    info "السماح بـ HTTP/HTTPS..."
    ufw allow 80/tcp comment 'HTTP'
    ufw allow 443/tcp comment 'HTTPS'
    
    # SSH: سيتم إدارته بواسطة Port Knocking
    if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
        info "Port Knocking مفعّل - SSH سيُفتح عبر الطرق فقط"
    else
        ufw allow "$SSH_PORT/tcp" comment 'SSH Direct Access'
    fi
    
    # WireGuard VPN
    if [ "$ENABLE_WIREGUARD" == "true" ]; then
        ufw allow 51820/udp comment 'WireGuard VPN'
    fi
    
    # Honeypot (Port 22 للخداع)
    if [ "$ENABLE_HONEYPOT" == "true" ]; then
        ufw allow 22/tcp comment 'Endlessh Honeypot'
    fi
    
    # Fake Services
    if [ "$ENABLE_FAKE_SERVICES" == "true" ]; then
        ufw allow 3306/tcp comment 'Fake MySQL Trap'
    fi
    
    # تفعيل UFW
    info "تفعيل جدار الحماية..."
    echo "y" | ufw enable
    
    # عرض الحالة
    ufw status verbose | head -20
    
    success "✓ جدار الحماية نشط"
}

# ════════════════════════════════════════════════════════════════
# 🚫 FAIL2BAN SETUP
# ════════════════════════════════════════════════════════════════

setup_fail2ban() {
    if [ "$ENABLE_FAIL2BAN" != "true" ]; then
        warning "Fail2Ban معطّل - تخطي..."
        return 0
    fi
    
    log "\n🚫 تكوين Fail2Ban..."
    
    # التكوين الرئيسي
    cat > /etc/fail2ban/jail.local <<F2BEOF
[DEFAULT]
# الإعدادات العامة
bantime = 3600
findtime = 600
maxretry = 3
destemail = root@localhost
sendername = TRIPZ-FORTRESS
action = %(action_mwl)s

# Whitelist
ignoreip = 127.0.0.1/8 ::1

# ══════════════════════════════════════
# SSH Protection (Progressive)
# ══════════════════════════════════════
[sshd]
enabled = true
port = $SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
findtime = 600

[sshd-aggressive]
enabled = true
port = $SSH_PORT
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
bantime = 86400
findtime = 300

# ══════════════════════════════════════
# Nginx Protection
# ══════════════════════════════════════
[nginx-http-auth]
enabled = true
port = 80,443
logpath = /var/log/nginx/error.log

[nginx-noscript]
enabled = true
port = 80,443
logpath = /var/log/nginx/access.log

[nginx-badbots]
enabled = true
port = 80,443
logpath = /var/log/nginx/access.log
F2BEOF

    # تفعيل وبدء
    systemctl enable fail2ban
    systemctl restart fail2ban
    
    # التحقق
    sleep 2
    if systemctl is-active --quiet fail2ban; then
        success "✓ Fail2Ban نشط"
    else
        warning "Fail2Ban لم يبدأ - راجع السجلات"
    fi
}

# ════════════════════════════════════════════════════════════════
# 🚪 PORT KNOCKING
# ════════════════════════════════════════════════════════════════

setup_port_knocking() {
    if [ "$ENABLE_PORT_KNOCKING" != "true" ]; then
        warning "Port Knocking معطّل - تخطي..."
        return 0
    fi
    
    log "\n🚪 إعداد Port Knocking..."
    
    info "تسلسل الطرق: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3"
    
    # تكوين knockd
    cat > /etc/knockd.conf <<KNOCKEOF
[options]
    UseSyslog
    LogFile = /var/log/knockd.log

[openSSH]
    sequence    = $KNOCK_PORT_1,$KNOCK_PORT_2,$KNOCK_PORT_3
    seq_timeout = 15
    command     = /usr/sbin/ufw allow from %IP% to any port $SSH_PORT proto tcp
    tcpflags    = syn

[closeSSH]
    sequence    = $KNOCK_PORT_3,$KNOCK_PORT_2,$KNOCK_PORT_1
    seq_timeout = 15
    command     = /usr/sbin/ufw delete allow from %IP% to any port $SSH_PORT proto tcp
    tcpflags    = syn
KNOCKEOF

    # تفعيل knockd
    sed -i 's/START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
    
    systemctl enable knockd
    systemctl restart knockd
    
    # التحقق
    if systemctl is-active --quiet knockd; then
        success "✓ Port Knocking نشط"
    else
        error "فشل بدء knockd!"
    fi
}

# ════════════════════════════════════════════════════════════════
# 🎣 HONEYPOT (Endlessh)
# ════════════════════════════════════════════════════════════════

setup_honeypot() {
    if [ "$ENABLE_HONEYPOT" != "true" ]; then
        warning "Honeypot معطّل - تخطي..."
        return 0
    fi
    
    log "\n🎣 إعداد Honeypot (Endlessh)..."
    
    # التثبيت من المصدر
    cd /opt
    if [ ! -d "endlessh" ]; then
        git clone --depth=1 https://github.com/skeeto/endlessh
    fi
    cd endlessh
    make
    cp endlessh /usr/local/bin/
    
    # التكوين
    mkdir -p /etc/endlessh
    cat > /etc/endlessh/config <<'ENDLESSHEOF'
Port 22
Delay 10000
MaxLineLength 32
MaxClients 4096
LogLevel 1
ENDLESSHEOF

    # Systemd service
    cat > /etc/systemd/system/endlessh.service <<'SERVICEEOF'
[Unit]
Description=Endlessh SSH Tarpit
After=network.target

[Service]
Type=simple
User=nobody
ExecStart=/usr/local/bin/endlessh -c /etc/endlessh/config
Restart=always
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
SERVICEEOF

    systemctl daemon-reload
    systemctl enable endlessh
    systemctl start endlessh
    
    success "✓ Endlessh Honeypot نشط (Port 22)"
}

# ════════════════════════════════════════════════════════════════
# 🎭 FAKE SERVICES
# ════════════════════════════════════════════════════════════════

setup_fake_services() {
    if [ "$ENABLE_FAKE_SERVICES" != "true" ]; then
        warning "Fake Services معطّل - تخطي..."
        return 0
    fi
    
    log "\n🎭 إعداد Fake MySQL..."
    
    # سكريبت Fake MySQL
    cat > /usr/local/bin/fake-mysql.sh <<'FAKEMYSQLEOF'
#!/bin/bash
LOG_FILE="/var/log/fortress/fake-mysql.log"
PORT=3306

mkdir -p /var/log/fortress

while true; do
    nc -l -p $PORT -k 2>&1 | while read line; do
        echo "$(date '+%Y-%m-%d %H:%M:%S') - MySQL probe: ${line:0:100}" >> "$LOG_FILE"
        echo -e "\x4a\x00\x00\x00\x0a\x35\x2e\x37\x2e\x33\x33"
        sleep 2
    done
done
FAKEMYSQLEOF

    chmod +x /usr/local/bin/fake-mysql.sh
    
    # Systemd service
    cat > /etc/systemd/system/fake-mysql.service <<'EOF'
[Unit]
Description=Fake MySQL Honeypot
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/bin/fake-mysql.sh
Restart=always
User=nobody

[Install]
WantedBy=multi-user.target
EOF

    systemctl daemon-reload
    systemctl enable fake-mysql
    systemctl start fake-mysql
    
    success "✓ Fake MySQL نشط (Port 3306)"
}

# ════════════════════════════════════════════════════════════════
# ⚡ SYSTEM OPTIMIZATION
# ════════════════════════════════════════════════════════════════

optimize_system() {
    log "\n⚡ تحسينات النظام..."
    
    # Kernel hardening
    cat >> /etc/sysctl.conf <<'SYSCTLEOF'

# ════════════════════════════════════════
# TRIPZ FORTRESS v8.2 - Kernel Hardening
# ════════════════════════════════════════

# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

# TCP hardening
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# IP spoofing protection
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# ICMP protection
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Performance
net.core.netdev_max_backlog = 2048
net.core.somaxconn = 1024

# TCP BBR
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr

# Security
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
SYSCTLEOF

    # تطبيق التعديلات
    sysctl -p || warning "بعض إعدادات sysctl غير مدعومة"
    
    success "✓ تحسينات النظام مطبّقة"
}

# ════════════════════════════════════════════════════════════════
# 💾 AUTO BACKUP SYSTEM
# ════════════════════════════════════════════════════════════════

setup_auto_backup() {
    if [ "$ENABLE_AUTO_BACKUP" != "true" ]; then
        warning "Auto Backup معطّل - تخطي..."
        return 0
    fi
    
    log "\n💾 إعداد النسخ الاحتياطي التلقائي..."
    
    mkdir -p /usr/local/bin/fortress
    mkdir -p /backup/fortress
    
    # سكريبت النسخ الاحتياطي
    cat > /usr/local/bin/fortress/backup.sh <<'BACKUPEOF'
#!/bin/bash
BACKUP_DIR="/backup/fortress"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
TEMP_DIR="/tmp/fortress_backup_$TIMESTAMP"
BACKUP_FILE="${BACKUP_DIR}/fortress_${TIMESTAMP}.tar.gz"
ENCRYPTED_FILE="${BACKUP_FILE}.enc"
RETENTION_DAYS=30

mkdir -p "$TEMP_DIR"

# نسخ الملفات المهمة
cp -r /etc/ssh "$TEMP_DIR/" 2>/dev/null
cp -r /etc/fail2ban "$TEMP_DIR/" 2>/dev/null
cp -r /etc/ufw "$TEMP_DIR/" 2>/dev/null
cp /etc/knockd.conf "$TEMP_DIR/" 2>/dev/null

# ضغط
tar -czf "$BACKUP_FILE" -C /tmp "$(basename $TEMP_DIR)"

# تشفير AES-256
BACKUP_PASSWORD="TRIPZ_$(hostname)_$(date +%Y)"
openssl enc -aes-256-cbc -salt -pbkdf2 -in "$BACKUP_FILE" -out "$ENCRYPTED_FILE" -k "$BACKUP_PASSWORD"

# حذف غير المشفر
rm -f "$BACKUP_FILE"
rm -rf "$TEMP_DIR"

# تطبيق سياسة الاحتفاظ
find "$BACKUP_DIR" -name "fortress_*.tar.gz.enc" -mtime +$RETENTION_DAYS -delete

echo "✅ نسخة احتياطية: $ENCRYPTED_FILE"
echo "🔑 كلمة فك التشفير: $BACKUP_PASSWORD"
BACKUPEOF

    chmod +x /usr/local/bin/fortress/backup.sh
    
    # جدولة cron (يومياً 2 صباحاً)
    (crontab -l 2>/dev/null; echo "0 2 * * * /usr/local/bin/fortress/backup.sh >> ${LOG_DIR}/backup.log 2>&1") | crontab -
    
    success "✓ النسخ الاحتياطي التلقائي مجدول"
}

# ════════════════════════════════════════════════════════════════
# 📱 TELEGRAM NOTIFICATIONS
# ════════════════════════════════════════════════════════════════

setup_telegram_alerts() {
    if [ -z "$TELEGRAM_BOT_TOKEN" ] || [ -z "$TELEGRAM_CHAT_ID" ]; then
        warning "Telegram غير مكوّن - تخطي التنبيهات..."
        return 0
    fi
    
    log "\n📱 إعداد تنبيهات Telegram..."
    
    # سكريبت الإرسال
    cat > /usr/local/bin/fortress/telegram_notify.sh <<TELEGRAMEOF
#!/bin/bash
TELEGRAM_BOT_TOKEN="$TELEGRAM_BOT_TOKEN"
TELEGRAM_CHAT_ID="$TELEGRAM_CHAT_ID"

MESSAGE=\$1

if [ -z "\$MESSAGE" ]; then
    echo "Usage: \$0 'message'"
    exit 1
fi

curl -s -X POST "https://api.telegram.org/bot\${TELEGRAM_BOT_TOKEN}/sendMessage" \\
    -d chat_id="\${TELEGRAM_CHAT_ID}" \\
    -d text="🛡️ FORTRESS ALERT

🖥️ Server: \$(hostname)
📍 IP: \$(curl -s ifconfig.me)
🕐 Time: \$(date '+%Y-%m-%d %H:%M:%S')

📨 \$MESSAGE" \\
    -d parse_mode="HTML" > /dev/null

echo "✅ تم إرسال التنبيه"
TELEGRAMEOF

    chmod +x /usr/local/bin/fortress/telegram_notify.sh
    
    # اختبار
    /usr/local/bin/fortress/telegram_notify.sh "✅ تم تثبيت TRIPZ FORTRESS v8.2 بنجاح!"
    
    success "✓ تنبيهات Telegram جاهزة"
}

# ════════════════════════════════════════════════════════════════
# ✅ FINAL VERIFICATION
# ════════════════════════════════════════════════════════════════

final_verification() {
    log "\n✅ التحقق النهائي..."
    
    SERVICES_OK=0
    SERVICES_FAILED=0
    
    check_service() {
        if systemctl is-active --quiet "$1"; then
            success "$1 ✓"
            ((SERVICES_OK++))
        else
            warning "$1 ✗"
            ((SERVICES_FAILED++))
        fi
    }
    
    info "فحص الخدمات..."
    check_service "sshd"
    check_service "ufw"
    
    [ "$ENABLE_FAIL2BAN" == "true" ] && check_service "fail2ban"
    [ "$ENABLE_PORT_KNOCKING" == "true" ] && check_service "knockd"
    [ "$ENABLE_HONEYPOT" == "true" ] && check_service "endlessh"
    [ "$ENABLE_FAKE_SERVICES" == "true" ] && check_service "fake-mysql"
    
    log "\nالخدمات النشطة: $SERVICES_OK"
    log "الخدمات الفاشلة: $SERVICES_FAILED"
}

# ════════════════════════════════════════════════════════════════
# 📝 GENERATE INFO FILE
# ════════════════════════════════════════════════════════════════

generate_info_file() {
    log "\n📝 إنشاء ملف المعلومات..."
    
    cat > /root/FORTRESS_INFO.txt <<INFOEOF
════════════════════════════════════════════════════════
🛡️ TRIPZ FORTRESS v8.2 - معلومات السيرفر
════════════════════════════════════════════════════════
تاريخ التثبيت: $(date '+%Y-%m-%d %H:%M:%S')
السيرفر: $(hostname)
IP: $(curl -s ifconfig.me 2>/dev/null || echo "غير متاح")

🔐 معلومات الأمان:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
المستخدم الإداري: $ADMIN_USER
منفذ SSH: $SSH_PORT
Port Knocking: $KNOCK_PORT_1, $KNOCK_PORT_2, $KNOCK_PORT_3

🛡️ الطبقات الأمنية النشطة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ SSH Key-Only Authentication
✅ UFW Firewall
$([ "$ENABLE_FAIL2BAN" == "true" ] && echo "✅ Fail2Ban Progressive Blocking" || echo "⊘ Fail2Ban (معطّل)")
$([ "$ENABLE_PORT_KNOCKING" == "true" ] && echo "✅ Port Knocking" || echo "⊘ Port Knocking (معطّل)")
$([ "$ENABLE_HONEYPOT" == "true" ] && echo "✅ Endlessh Honeypot (Port 22)" || echo "⊘ Honeypot (معطّل)")
$([ "$ENABLE_FAKE_SERVICES" == "true" ] && echo "✅ Fake MySQL (Port 3306)" || echo "⊘ Fake Services (معطّل)")
✅ Kernel Hardening
$([ "$ENABLE_AUTO_BACKUP" == "true" ] && echo "✅ Encrypted Auto Backups" || echo "⊘ Auto Backup (معطّل)")
$([ -n "$TELEGRAM_BOT_TOKEN" ] && echo "✅ Telegram Alerts" || echo "⊘ Telegram (غير مكوّن)")

🔧 أوامر مفيدة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• فحص UFW: sudo ufw status verbose
• فحص Fail2Ban: sudo fail2ban-client status
• سجل Knockd: sudo tail -f /var/log/knockd.log
• نسخة احتياطية يدوية: sudo /usr/local/bin/fortress/backup.sh

📁 الملفات المهمة:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
• السجلات: $LOG_DIR/
• النسخ الاحتياطية: /backup/fortress/
• التكوينات: /etc/ssh/, /etc/fail2ban/

⚠️ للاتصال بالسيرفر:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
    echo "1. knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
    echo "2. ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
else
    echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
fi)

📞 الدعم:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
https://tripz-egypt.com
[email protected]

════════════════════════════════════════════════════════
✅ السيرفر محمي بالكامل!
════════════════════════════════════════════════════════
INFOEOF

    chmod 600 /root/FORTRESS_INFO.txt
    
    success "✓ ملف المعلومات: /root/FORTRESS_INFO.txt"
}

# ════════════════════════════════════════════════════════════════
# 🎯 MAIN INSTALLATION FLOW
# ════════════════════════════════════════════════════════════════

main() {
    clear
    
    cat <<'BANNER'
════════════════════════════════════════════════════════════════
  ████████╗██████╗ ██╗██████╗ ███████╗                        
  ╚══██╔══╝██╔══██╗██║██╔══██╗╚══███╔╝                        
     ██║   ██████╔╝██║██████╔╝  ███╔╝                         
     ██║   ██╔══██╗██║██╔═══╝  ███╔╝                          
     ██║   ██║  ██║██║██║     ███████╗                        
     ╚═╝   ╚═╝  ╚═╝╚═╝╚═╝     ╚══════╝                        
                                                               
  ███████╗ ██████╗ ██████╗ ████████╗██████╗ ███████╗███████╗ 
  ██╔════╝██╔═══██╗██╔══██╗╚══██╔══╝██╔══██╗██╔════╝██╔════╝ 
  █████╗  ██║   ██║██████╔╝   ██║   ██████╔╝█████╗  ███████╗ 
  ██╔══╝  ██║   ██║██╔══██╗   ██║   ██╔══██╗██╔══╝  ╚════██║ 
  ██║     ╚██████╔╝██║  ██║   ██║   ██║  ██║███████╗███████║ 
  ╚═╝      ╚═════╝ ╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═╝╚══════╝╚══════╝ 
                                                               
              🛡️ v8.2 - PRODUCTION-SAFE EDITION
         9-Layer Security System | Enterprise Ready
════════════════════════════════════════════════════════════════
BANNER

    log "\n🚀 بدء التثبيت..."
    log "الإصدار: 8.2"
    log "التاريخ: $(date '+%Y-%m-%d %H:%M:%S')"
    log "════════════════════════════════════════════════════════════════\n"
    
    # تنفيذ المراحل
    preflight_checks
    system_preparation
    create_admin_user
    harden_ssh
    configure_firewall
    setup_fail2ban
    setup_port_knocking
    setup_honeypot
    setup_fake_services
    optimize_system
    setup_auto_backup
    setup_telegram_alerts
    final_verification
    generate_info_file
    
    # النتيجة النهائية
    log "\n════════════════════════════════════════════════════════════════"
    success "🎉 اكتمل تثبيت TRIPZ FORTRESS v8.2!"
    log "════════════════════════════════════════════════════════════════\n"
    
    cat <<FINALEOF

╔══════════════════════════════════════════════════════════════════╗
║                   🔐 TRIPZ FORTRESS v8.2 🔐                      ║
║                  PRODUCTION-SAFE EDITION                         ║
╠══════════════════════════════════════════════════════════════════╣
║                                                                  ║
║  ✅ التثبيت مكتمل بنجاح!                                        ║
║                                                                  ║
║  📊 معلومات الاتصال:                                            ║
║  • السيرفر: $SERVER_IP                                           ║
║  • المستخدم: $ADMIN_USER                                         ║
║  • منفذ SSH: $SSH_PORT                                           ║
║                                                                  ║
$(if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
    cat <<KNOCKEOF
║  🚪 Port Knocking مفعّل:                                         ║
║  • knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3   ║
KNOCKEOF
fi)
║                                                                  ║
║  ⚠️ التحذيرات المهمة:                                           ║
║  1. اختبر الاتصال قبل قطع الجلسة الحالية!                      ║
║  2. احفظ معلومات Port Knocking في مكان آمن                     ║
║  3. راجع: /root/FORTRESS_INFO.txt                               ║
║  4. السجلات: $LOG_FILE                                          ║
║                                                                  ║
╚══════════════════════════════════════════════════════════════════╝

FINALEOF

    warning "\n⚠️ لاختبار الاتصال، افتح terminal جديد وجرّب:"
    if [ "$ENABLE_PORT_KNOCKING" == "true" ]; then
        echo "knock $SERVER_IP $KNOCK_PORT_1 $KNOCK_PORT_2 $KNOCK_PORT_3"
    fi
    echo "ssh -p $SSH_PORT $ADMIN_USER@$SERVER_IP"
    
    log "\n✅ التثبيت مكتمل - السيرفر الآن محمي!"
}

# ════════════════════════════════════════════════════════════════
# 🚀 RUN
# ════════════════════════════════════════════════════════════════

main "$@"