#!/bin/bash
# Install source scripts and configure system
set -euo pipefail

echo "Installing source scripts..."

# Install firewall-setup script (embedded - /workspace not available in installed system)
cat >/usr/local/bin/firewall-setup.sh <<'FIREWALL_SCRIPT'
#!/bin/bash
set -euo pipefail

parse_wg_endpoint() {
  local wg_config="${1:-/etc/wireguard/wg0.conf}"
  if [[ ! -f $wg_config ]]; then
    echo "Error: WireGuard config not found at $wg_config"
    return 1
  fi
  grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
    echo "Error: Could not parse endpoint from WireGuard config"
    return 1
  }
}

generate_nftables_rules() {
  local endpoint="$1"
  local ip="${endpoint%:*}"
  local port="${endpoint#*:}"
  cat <<NFTCONF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop
        iif lo accept comment "Accept loopback"
        icmp type echo-request accept comment "Accept ping"
    }
    chain forward {
        type filter hook forward priority 0; policy drop
    }
    chain output {
        type filter hook output priority 0; policy drop
        oif lo accept comment "Accept loopback"
        udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
        icmp type echo-request accept comment "Allow ping"
    }
}
NFTCONF
}

apply_firewall() {
  local wg_config="${1:-/etc/wireguard/wg0.conf}"
  if [[ -f $wg_config ]]; then
    endpoint=$(parse_wg_endpoint "$wg_config")
    if [[ -n $endpoint ]]; then
      generate_nftables_rules "$endpoint" >/etc/nftables.conf
      systemctl enable nftables
      systemctl restart nftables
      echo "Firewall configured for endpoint: $endpoint"
    else
      echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
    fi
  else
    echo "Warning: WireGuard config not found, using default deny policy"
  fi
}

main() {
  echo "Setting up dynamic firewall..."
  apply_firewall "$@"
  echo "Firewall setup completed."
}

if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
  main "$@"
fi
FIREWALL_SCRIPT
chmod +x /usr/local/bin/firewall-setup.sh

# Install security-hardening script (embedded)
cat >/usr/local/bin/security-hardening.sh <<'HARDENING_SCRIPT'
#!/bin/bash
set -euo pipefail

check_encryption_status() {
  echo "Checking encryption status..."
  if command -v cryptsetup >/dev/null 2>&1; then
    for dev in /dev/mapper/*; do
      if [ -e "$dev" ]; then
        echo "Encrypted device: $dev"
      fi
    done
  fi
}

main() {
  echo "KNEL-Football Security Hardening Utility"
  check_encryption_status
}

if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
  main "$@"
fi
HARDENING_SCRIPT
chmod +x /usr/local/bin/security-hardening.sh

# Create VPN configuration apply script
cat >/usr/local/bin/apply-vpn-config.sh <<'EOF'
#!/bin/bash
# Apply VPN configuration and update firewall
set -euo pipefail

# Apply firewall configuration
/usr/local/bin/firewall-setup.sh

# Start WireGuard if configuration exists
if [[ -f "/etc/wireguard/wg0.conf" ]]; then
    systemctl enable wg-quick@wg0
    systemctl start wg-quick@wg0
    echo "WireGuard started successfully."
else
    echo "Warning: WireGuard configuration not found."
fi

echo "VPN configuration applied successfully."
EOF

chmod +x /usr/local/bin/apply-vpn-config.sh

# Create desktop shortcuts
mkdir -p /usr/share/applications

# WireGuard Configuration Editor shortcut
cat >/usr/share/applications/wg-config.desktop <<EOF
[Desktop Entry]
Name=WireGuard Configuration
Comment=Edit WireGuard configuration
Exec=pkexec mousepad /etc/wireguard/wg0.conf
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF

# VPN Configuration Apply shortcut
cat >/usr/share/applications/apply-vpn.desktop <<EOF
[Desktop Entry]
Name=Apply VPN Configuration
Comment=Apply WireGuard configuration and start VPN
Exec=pkexec /usr/local/bin/apply-vpn-config.sh
Icon=network-vpn
Terminal=true
Type=Application
Categories=Network;System;
EOF

# WireGuard QR Code Import shortcut
cat >/usr/share/applications/scan-wireguard-qr.desktop <<EOF
[Desktop Entry]
Name=Import WireGuard QR Code
Comment=Scan QR code to import WireGuard configuration
Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
Icon=camera-web
Terminal=true
Type=Application
Categories=Network;System;
EOF

# Create WireGuard configuration directory
mkdir -p /etc/wireguard

# Add football to appropriate groups
usermod -a -G sudo,audio,video,plugdev,input,cdrom,floppy football 2>/dev/null || true

echo "Source scripts installed successfully."