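#!/bin/bash
#
# Miasma OS system hardening.
#
# Writes a sysctl policy file and a modprobe blacklist, installs and enables
# nftables, sets a restrictive default umask for login shells and disables
# core dumps via pam_limits. Must run as root: every step writes under /etc
# or calls pacman/systemctl. Re-running is safe — policy files are rewritten
# in full and the profile/limits lines are only appended when missing.
#
# Usage: hardening.sh   (no arguments)
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.d/99-miasma-hardening.conf
readonly MODPROBE_CONF=/etc/modprobe.d/blacklist-miasma.conf
readonly PROFILE=/etc/profile
readonly LIMITS_CONF=/etc/security/limits.conf

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append a line to a file unless an identical line is already present, so
# repeated runs do not accumulate duplicate entries.
# Arguments: $1 - exact line to add
#            $2 - target file (created if absent)
#######################################
append_once() {
  local line=$1
  local file=$2
  # grep's stderr is silenced on purpose: a missing file simply means
  # "nothing present yet, append". -x/-F match the whole line literally.
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

#######################################
# Write the kernel/network sysctl policy. The file is written, not applied:
# the values take effect at next boot when systemd-sysctl reads /etc/sysctl.d
# (procfs may not be writable in an image-build chroot, so no `sysctl --system`
# here — TODO confirm this script never runs on a live system expecting
# immediate effect).
# Note: net.ipv4.icmp_echo_ignore_all = 1 makes the host ignore ping.
#######################################
configure_sysctl() {
  cat > "$SYSCTL_CONF" <<'EOF'
# Miasma OS Security Hardening
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
EOF
}

#######################################
# Install and enable nftables (replacing ufw). No ruleset is written here;
# basic nftables rules are configured on first boot, so until then the
# service starts with whatever /etc/nftables.conf the package ships —
# TODO confirm the first-boot step exists and runs before network-up.
#######################################
configure_nftables() {
  pacman -S --noconfirm --needed nftables
  systemctl enable nftables
}

#######################################
# Set a restrictive default umask for login shells. Only shells that source
# /etc/profile are affected; services and non-login shells are not.
#######################################
set_default_umask() {
  append_once "umask 077" "$PROFILE"
}

#######################################
# Disable core dumps for PAM sessions via pam_limits.
# NOTE(review): systemd services do not read limits.conf (they use LimitCORE
# in unit/system.conf), so this covers interactive sessions only — confirm
# whether service coverage is also intended.
#######################################
disable_core_dumps() {
  append_once "* hard core 0" "$LIMITS_CONF"
}

#######################################
# Blacklist rarely-needed or historically vulnerable modules (based on
# Secureblue). `blacklist` only stops automatic loading by alias; an explicit
# modprobe by root can still load them — an `install <mod> /bin/false` line
# per module would also block that, if desired.
#######################################
blacklist_modules() {
  cat > "$MODPROBE_CONF" <<'EOF'
# Miasma OS module blacklisting
blacklist dccp
blacklist sctp
blacklist rds
blacklist tipc
blacklist n_hdlc
blacklist bluetooth
blacklist net-pf-31
blacklist uvcvideo
EOF
}

#######################################
# Entry point: run every hardening step in order.
#######################################
main() {
  (( EUID == 0 )) || die "this script must run as root"
  echo "Applying Miasma OS system hardening..."
  configure_sysctl
  configure_nftables
  set_default_umask
  disable_core_dumps
  blacklist_modules
  echo "System hardening complete!"
}

main "$@"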