#!/usr/bin/env bash
# Host security snapshot: prints listening sockets, firewall state, fail2ban
# state and running containers, then the expected exposure baseline so the
# reader can compare the two by eye. Output goes to stdout; nothing is changed.
set -euo pipefail

# Print one "== Title ==" section header.
heading() {
  printf '%s\n' "== $1 =="
}

# Run "$@" if its first word is an installed command. A tool that exits
# non-zero does not abort the report (its own stderr still shows why); a tool
# that is absent is reported by name instead.
# NOTE(review): ss and docker may show less (e.g. no process column) when the
# check is not run with sufficient privilege — confirm which account runs it.
run_tool() {
  local tool=$1
  if command -v "$tool" >/dev/null 2>&1; then
    "$@" || true
  else
    printf '%s\n' "$tool command not found"
  fi
}

# Emit the report, one section per line group, separated by blank lines.
main() {
  heading "Host Security Check"
  printf '%s\n' "Timestamp (UTC): $(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf '\n'

  heading "Listening TCP/UDP Ports"
  run_tool ss -tulpn
  printf '\n'

  heading "UFW Status"
  run_tool ufw status verbose
  printf '\n'

  heading "Fail2ban Status"
  run_tool fail2ban-client status
  printf '\n'

  heading "Docker Containers"
  run_tool docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}'
  printf '\n'

  # Baseline to compare the sections above against; anything beyond this
  # list is worth a second look.
  heading "Quick Expected Surface"
  printf '%s\n' \
    "- Public inbound expected: 80/tcp, 443/tcp only" \
    "- SSH expected: restricted source allowlist or VPN-only" \
    "- Postgres expected: private-only, not internet-exposed"
}

main "$@"