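#!/usr/bin/env bash
#
# Apply a minimal UFW baseline: deny inbound by default, allow outbound,
# allow SSH only from one source network, and allow HTTP/HTTPS from anywhere.
#
# Environment:
#   SSH_ALLOW_CIDR  (required) source address or CIDR allowed to reach the
#                   SSH port, e.g. 203.0.113.10/32
#   SSH_PORT        (optional) TCP port SSH listens on; defaults to 22
#   DRY_RUN         (optional) "1" (default) prints the ufw commands instead
#                   of running them; any other value applies them
#
# Exit status: 0 on success, 1 on a failed precondition or a failed ufw call.
#
# -E makes the ERR trap below fire inside functions (run_cmd) as well.
set -Eeuo pipefail

SSH_ALLOW_CIDR="${SSH_ALLOW_CIDR:-}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-1}"

# Becomes 1 once `ufw --force reset` has really run (not in dry-run), so the
# ERR trap can warn that the host may have been left with ufw disabled.
firewall_reset=0

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message text
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run a command, or only print it when DRY_RUN is "1".
# Globals:   DRY_RUN (read)
# Arguments: $@ - command and its arguments
# Outputs:   in dry-run mode, "+ <command>" on stdout
# Returns:   0 in dry-run mode; otherwise the command's exit status
#######################################
run_cmd() {
  if [[ "$DRY_RUN" == "1" ]]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

#######################################
# Fail fast on anything the ufw invocations would reject, so that no error
# can occur after the firewall has been reset but before it is re-enabled.
# Globals:   SSH_ALLOW_CIDR, SSH_PORT, DRY_RUN (read)
# Returns:   0 when all checks pass; exits 1 via die otherwise
#######################################
check_preconditions() {
  if ! command -v ufw >/dev/null 2>&1; then
    die "ufw is not installed on this host."
  fi
  if [[ -z "$SSH_ALLOW_CIDR" ]]; then
    die "SSH_ALLOW_CIDR is required (example: SSH_ALLOW_CIDR=203.0.113.10/32)."
  fi
  # Deliberately loose: accept IPv4 or IPv6 with an optional /prefix and
  # reject only characters that can never appear in an address (this also
  # rejects keywords such as "any", which would open SSH to everyone).
  # Full address parsing is left to ufw.
  if [[ ! "$SSH_ALLOW_CIDR" =~ ^[0-9A-Fa-f.:]+(/[0-9]+)?$ ]]; then
    die "SSH_ALLOW_CIDR does not look like an IP address or CIDR: $SSH_ALLOW_CIDR"
  fi
  # 10# forces decimal so a leading zero is not read as octal.
  if [[ ! "$SSH_PORT" =~ ^[0-9]+$ ]] \
    || (( 10#$SSH_PORT < 1 || 10#$SSH_PORT > 65535 )); then
    die "SSH_PORT must be a TCP port number between 1 and 65535: $SSH_PORT"
  fi
  # ufw needs root to change rules; a dry run only prints commands.
  if [[ "$DRY_RUN" != "1" && "$EUID" -ne 0 ]]; then
    die "Applying the policy requires root (re-run with sudo, or set DRY_RUN=1)."
  fi
}

#######################################
# ERR trap: warn when a command failed after the firewall was reset, because
# ufw stays disabled until `ufw --force enable` has run.
# Globals:   firewall_reset (read)
#######################################
on_error() {
  if (( firewall_reset == 1 )); then
    printf 'WARNING: a command failed after "ufw --force reset"; the firewall may be disabled. Check "ufw status".\n' >&2
  fi
}

main() {
  check_preconditions
  trap on_error ERR

  printf 'Applying UFW baseline policy (DRY_RUN=%s)...\n' "$DRY_RUN"

  # Reset first so the baseline never stacks on leftover rules. From here
  # until `enable`, a real run has no firewall, which is why every input was
  # validated before this point.
  run_cmd ufw --force reset
  [[ "$DRY_RUN" == "1" ]] || firewall_reset=1

  run_cmd ufw default deny incoming
  run_cmd ufw default allow outgoing

  # The SSH rule is added before enable so the management path is never cut.
  run_cmd ufw allow from "$SSH_ALLOW_CIDR" to any port "$SSH_PORT" proto tcp
  run_cmd ufw allow 80/tcp
  run_cmd ufw allow 443/tcp

  run_cmd ufw --force enable
  run_cmd ufw status verbose
  printf 'Done.\n'
}

main "$@"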