#!/usr/bin/env bash
set -euo pipefail

if [[ "${EUID}" -ne 0 ]]; then
  echo "Run as root (sudo)." >&2
  exit 1
fi

SSH_USER="${1:-devops}"
SSH_PORT="${2:-42315}"
SSH_PUBKEY="${3:-}"

if [[ -z "${SSH_PUBKEY}" ]]; then
  echo "Usage: $0 <ssh_user> <ssh_port> <ssh_public_key>" >&2
  exit 1
fi

if ! id -u "${SSH_USER}" >/dev/null 2>&1; then
  useradd -m -s /bin/bash "${SSH_USER}"
fi

usermod -aG sudo "${SSH_USER}"

install -d -m 700 -o "${SSH_USER}" -g "${SSH_USER}" "/home/${SSH_USER}/.ssh"
touch "/home/${SSH_USER}/.ssh/authorized_keys"
chown "${SSH_USER}:${SSH_USER}" "/home/${SSH_USER}/.ssh/authorized_keys"
chmod 600 "/home/${SSH_USER}/.ssh/authorized_keys"

if ! grep -Fqx "${SSH_PUBKEY}" "/home/${SSH_USER}/.ssh/authorized_keys"; then
  echo "${SSH_PUBKEY}" >>"/home/${SSH_USER}/.ssh/authorized_keys"
fi

cat >/etc/ssh/sshd_config.d/99-company.conf <<EOF
Port ${SSH_PORT}
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

sshd -t
systemctl restart ssh || systemctl restart sshd

echo "Company baseline applied:"
echo "- user: ${SSH_USER}"
echo "- ssh port: ${SSH_PORT}"
echo "- root login: disabled"
echo "- password auth: disabled"