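#!/bin/bash
#
# Apply a baseline set of host-hardening settings on an Arch-based system:
# kernel/sysctl restrictions, a default-deny ufw firewall, a restrictive
# default umask and disabled core dumps.
#
# Usage: run as root (writes under /etc, installs a package, enables ufw).
#
# Defects fixed relative to the original script:
#   - the sysctl file was written but never loaded, so nothing took effect
#     until the next reboot; `sysctl --system` now applies it immediately.
#   - `ufw enable` prompts for confirmation on a TTY; `--force` makes the
#     script non-interactive like the rest of it (pacman --noconfirm).
#   - the umask and limits.conf lines were appended unconditionally, so every
#     rerun duplicated them; appends are now idempotent.
#   - no root check: failures surfaced as opaque "Permission denied" errors.
set -euo pipefail

readonly SYSCTL_FILE=/etc/sysctl.d/99-hardening.conf
readonly PROFILE_FILE=/etc/profile
readonly LIMITS_FILE=/etc/security/limits.conf

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Append a line to a file only if that exact line is not already present.
# Keeps reruns of this script from stacking duplicate entries.
# Arguments: $1 - line to add; $2 - target file (created if missing)
#######################################
append_once() {
  local line=$1
  local file=$2
  # -x: whole-line match, -F: literal (the line may contain '*'), -- : the
  # line could begin with '-'. A missing file makes grep fail → append.
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

#######################################
# Write the hardening sysctl drop-in and load it into the running kernel.
# Globals: SYSCTL_FILE (written)
#######################################
configure_kernel_parameters() {
  echo "Configuring kernel parameters..."
  # Quoted heredoc delimiter: contents are written literally, no expansion.
  # Caveats worth knowing before deploying:
  #   kernel.yama.ptrace_scope = 2  -> only CAP_SYS_PTRACE may attach; user
  #                                    debuggers/strace stop working.
  #   net.ipv4.icmp_echo_ignore_all -> the host no longer answers ping, which
  #                                    can confuse monitoring.
  cat > "$SYSCTL_FILE" << 'EOF'
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
EOF
  # Without this the file only takes effect after a reboot.
  sysctl --system || die "failed to apply sysctl settings from $SYSCTL_FILE"
}

#######################################
# Install ufw, enable it at boot and apply a default-deny inbound policy.
#######################################
configure_firewall() {
  echo "Configuring firewall..."
  pacman -S --noconfirm --needed ufw
  systemctl enable ufw
  ufw default deny incoming
  ufw default allow outgoing
  # --force skips the interactive "may disrupt existing ssh connections"
  # prompt; with default-deny inbound, allow ssh first if this host is
  # administered remotely.
  ufw --force enable
}

#######################################
# Set a restrictive default umask for login shells.
# Globals: PROFILE_FILE (appended)
# NOTE(review): /etc/profile is read by login shells only; non-login
# interactive shells and systemd services are not affected — confirm this
# matches the intended coverage.
#######################################
set_secure_umask() {
  echo "Setting secure umask..."
  append_once "umask 077" "$PROFILE_FILE"
}

#######################################
# Disable core dumps for all users via a hard RLIMIT_CORE of 0.
# Globals: LIMITS_FILE (appended)
# NOTE(review): limits.conf applies to PAM sessions; limits for systemd
# services come from the unit / system.conf defaults — confirm those too if
# service core dumps must also be suppressed.
#######################################
disable_core_dumps() {
  echo "Disabling core dumps..."
  append_once "* hard core 0" "$LIMITS_FILE"
}

#######################################
# Entry point: run every hardening step in order.
#######################################
main() {
  (( EUID == 0 )) || die "this script must be run as root"
  echo "Applying system hardening..."
  configure_kernel_parameters
  configure_firewall
  set_secure_umask
  disable_core_dumps
  echo "System hardening complete!"
}

main "$@"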