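#!/usr/bin/env bash
#
# SSH hardening plan (dry run).
#
# Prints the sshd_config that would result from rendering
# $TEMPLATE_DIR/sshd_config.tpl with the requested port. Nothing under
# /etc/ssh is read or written here; the only filesystem change is creating
# $OUTPUT_DIR if it is missing. The "apply" step mentioned in the safety
# notes is not implemented in this file.
#
# Environment:
#   SSH_PORT      Port substituted for {{SSH_PORT}} (default: 22). Must be an
#                 integer in 1..65535.
#   OUTPUT_DIR    Output directory (default: <skill root>/outputs).
#   TEMPLATE_DIR  Directory holding sshd_config.tpl
#                 (default: <skill root>/templates).
set -euo pipefail

# shellcheck disable=SC2034  # not used below; kept for anything sourcing this file
SCRIPT_NAME="$(basename "$0")"
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${TEMPLATE_DIR:=$SKILL_ROOT/templates}"

# Timestamped loggers. Info goes to stdout; warnings and errors go to stderr
# so they never mix into the rendered config when stdout is captured.
log_info() { echo "[INFO] $(date -Iseconds) $*"; }
log_warn() { echo "[WARN] $(date -Iseconds) $*" >&2; }
log_error() { echo "[ERROR] $(date -Iseconds) $*" >&2; }

#######################################
# Check that a value is a usable TCP port number.
# Arguments: $1 - candidate value
# Returns:   0 if $1 is 1-5 decimal digits in the range 1..65535, else 1
#######################################
is_valid_port() {
  local candidate="${1-}"
  # Digits only, bounded length: keeps the arithmetic below from overflowing
  # and guarantees the value carries no sed metacharacters.
  [[ "$candidate" =~ ^[0-9]{1,5}$ ]] || return 1
  # 10# forces base 10 so a leading zero is not parsed as octal.
  ((10#$candidate >= 1 && 10#$candidate <= 65535))
}

#######################################
# Render a template by replacing every {{SSH_PORT}} with the given port.
# Arguments: $1 - path to the template file
#            $2 - port number (validated with is_valid_port)
# Outputs:   rendered template on stdout; errors on stderr
# Returns:   0 on success, 1 if the template is not a readable file,
#            2 if the port is invalid, otherwise sed's exit status
#######################################
render_template() {
  local tpl="$1"
  local port="$2"

  # The port is spliced into the sed program text, so it has to be validated
  # first: an arbitrary string here would be interpreted as sed syntax rather
  # than as data.
  if ! is_valid_port "$port"; then
    log_error "SSH_PORT must be an integer between 1 and 65535"
    return 2
  fi

  if [[ ! -f "$tpl" || ! -r "$tpl" ]]; then
    log_error "Template not found or not readable: $tpl"
    return 1
  fi

  sed "s/{{SSH_PORT}}/$port/g" -- "$tpl"
}

#######################################
# Print the hardening plan: target port, whether the default sshd_config
# exists, the rendered config, and the safety notes.
# Globals:   OUTPUT_DIR, TEMPLATE_DIR, SSH_PORT (read)
# Outputs:   plan on stdout, warnings and errors on stderr
# Returns:   0 on success, non-zero if the port or the template is unusable
#######################################
main() {
  local ssh_port="${SSH_PORT:-22}"

  # Reject a bad port before any side effect and before echoing it to the log.
  if ! is_valid_port "$ssh_port"; then
    log_error "SSH_PORT must be an integer between 1 and 65535"
    return 2
  fi

  mkdir -p -- "$OUTPUT_DIR"

  log_info "SSH Hardening Plan (no changes applied)"
  log_info "Target SSH_PORT=$ssh_port"

  if [[ -f /etc/ssh/sshd_config ]]; then
    log_info "Current /etc/ssh/sshd_config exists"
  else
    log_warn "No /etc/ssh/sshd_config found; this host may use a different path"
  fi

  echo
  echo "--- Proposed sshd_config (rendered from template) ---"
  render_template "$TEMPLATE_DIR/sshd_config.tpl" "$ssh_port" || return

  echo
  echo "--- Safety notes ---"
  echo "- Apply will backup /etc/ssh/sshd_config before writing"
  echo "- Apply will run 'sshd -t' (syntax check) before reloading"
  echo "- Apply will refuse unless DRY_RUN=0"
}

# Run only when executed directly. An explicit `if` (rather than `&&`) keeps
# the exit status at 0 when the file is sourced for its functions.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main "$@"
fi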