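#!/bin/bash
#===============================================================================
# STEP 8: FAIL2BAN SETUP
#===============================================================================
# Usage: sudo bash 01-k-server-initial-setup.08.sh
#
# Installs fail2ban when it is missing, writes /etc/fail2ban/jail.local with an
# sshd jail, validates the configuration and (re)starts the service.
# The helpers used below (init_log, check_root, print_*, is_installed,
# service_running) are expected to come from 01-k-server-initial-setup.00.sh.
#===============================================================================

SCRIPT_DIR=$(cd "$(dirname -- "$0")" && pwd) || exit 1

# Stop right away if the shared helpers cannot be loaded: every later step
# depends on them, including the root check.
# shellcheck source=/dev/null
source "$SCRIPT_DIR/01-k-server-initial-setup.00.sh" || {
  printf 'Не удалось загрузить %s\n' \
    "$SCRIPT_DIR/01-k-server-initial-setup.00.sh" >&2
  exit 1
}

init_log
check_root

print_header "ШАГ 8: НАСТРОЙКА FAIL2BAN"

#-------------------------------------------------------------------------------
# 8.1 Installation check
#-------------------------------------------------------------------------------
print_subheader "Проверка fail2ban"

if ! is_installed fail2ban; then
  print_info "Установка fail2ban..."
  # Do not report success when the package manager failed.
  if ! apt-get install -y fail2ban; then
    print_error "Не удалось установить fail2ban"
    exit 1
  fi
fi
print_success "fail2ban установлен"

#-------------------------------------------------------------------------------
# 8.2 Configuration
#-------------------------------------------------------------------------------
print_subheader "Создание конфигурации"

jail_local=/etc/fail2ban/jail.local
jail_backup=""

# Keep a timestamped copy of an existing jail.local so that local jails or
# whitelists are not lost when the file is overwritten below.
if [[ -f "$jail_local" ]]; then
  jail_backup="$jail_local.bak.$(date +%Y%m%d%H%M%S)"
  if ! cp -p -- "$jail_local" "$jail_backup"; then
    print_error "Не удалось создать резервную копию $jail_local"
    exit 1
  fi
  print_info "Резервная копия: $jail_backup"
fi

# The heredoc delimiter is quoted so the config text is written literally.
# No logpath is set for [sshd]: with backend = systemd the jail reads the
# journal and fail2ban documents logpath as not valid for that backend.
# NOTE(review): no ignoreip is set here, so fail2ban's own defaults apply.
# With maxretry = 3, consider listing trusted admin addresses to avoid
# locking yourself out.
cat > "$jail_local" << 'EOF' || { print_error "Не удалось записать $jail_local"; exit 1; }
# Fail2ban configuration for Git Server

[DEFAULT]
# Время бана
bantime = 1h

# Время наблюдения
findtime = 10m

# Количество попыток
maxretry = 3

# Backend
backend = systemd

# Email для уведомлений (опционально)
# destemail = admin@example.com
# sendername = Fail2Ban

[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 3
bantime = 1h
findtime = 10m
EOF

# Validate before restarting: a broken jail.local would otherwise leave the
# service down and SSH without brute-force protection.
if ! fail2ban-client -t; then
  print_error "Конфигурация fail2ban не прошла проверку"
  if [[ -n "$jail_backup" ]]; then
    cp -p -- "$jail_backup" "$jail_local" \
      && print_info "Восстановлена прежняя конфигурация из $jail_backup"
  fi
  exit 1
fi

print_success "Конфигурация создана"

#-------------------------------------------------------------------------------
# 8.3 Service start
#-------------------------------------------------------------------------------
print_subheader "Запуск fail2ban"

systemctl enable fail2ban
systemctl restart fail2ban

if service_running fail2ban; then
  print_success "fail2ban запущен"
else
  print_error "fail2ban не запустился"
  systemctl status fail2ban --no-pager
  exit 1
fi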
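#-------------------------------------------------------------------------------
# 8.4 Status check
#-------------------------------------------------------------------------------
print_subheader "Статус fail2ban"

# Wait (bounded) until the sshd jail answers. The server socket and the jails
# may not be ready the instant the restart returns, so a single probe could
# fail spuriously.
sshd_jail_active=0
attempt=0
while [[ "$attempt" -lt 10 ]]; do
  if fail2ban-client status sshd > /dev/null 2>&1; then
    sshd_jail_active=1
    break
  fi
  attempt=$((attempt + 1))
  sleep 1
done

echo ""
fail2ban-client status
echo ""

# The sshd jail is the whole point of this step. Do not hide its absence
# behind "|| true" and then report success: fail loudly instead.
if [[ "$sshd_jail_active" -ne 1 ]]; then
  print_error "Jail sshd не активен: SSH не защищён fail2ban"
  exit 1
fi
fail2ban-client status sshd

print_success "Шаг 8 завершён: Fail2ban настроен"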