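#!/bin/bash
# Security hardening for the live image.
#
# Runs as root during image build. File edits below are idempotent (a line is
# appended only if it is not already present), so re-running the script does
# not accumulate duplicate entries in limits.conf or the sysctl drop-in.
set -euo pipefail

readonly SYSCTL_CONF=/etc/sysctl.d/99-fieldwitness.conf
readonly LIMITS_CONF=/etc/security/limits.conf
readonly AUTOLOGIN_CONF=/etc/lightdm/lightdm.conf.d/50-autologin.conf

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - target file, $2 - line to append
# Returns:   non-zero if the file cannot be written
#######################################
append_once() {
  local file=$1
  local line=$2
  if [[ -f "$file" ]] && grep -qxF -- "$line" "$file"; then
    return 0
  fi
  printf '%s\n' "$line" >> "$file"
}

#######################################
# Run a command whose failure is tolerated but must not be silent, so a
# hardening step that did not apply is visible in the build log.
# Arguments: $@ - command and its arguments
# Returns:   always 0
#######################################
try() {
  if ! "$@"; then
    printf 'warning: "%s" failed, continuing\n' "$*" >&2
  fi
}

main() {
  echo "=== Applying security hardening ==="

  # Disable core dumps (Python doesn't zero memory — core dumps leak keys)
  # NOTE(review): limits.conf is applied by pam_limits to login sessions only;
  # a systemd unit (fieldwitness.service) normally needs LimitCORE=0 in the
  # unit itself — confirm the unit file sets it.
  append_once "$LIMITS_CONF" "* hard core 0"
  append_once "$SYSCTL_CONF" "fs.suid_dumpable = 0"
  append_once "$SYSCTL_CONF" "kernel.core_pattern=|/bin/false"

  # Disable swap (keys persist in swap pages)
  try systemctl mask swap.target
  append_once "$SYSCTL_CONF" "vm.swappiness = 0"
  # The sysctl drop-in is not loaded here; it takes effect when the image
  # boots (or after `sysctl --system`).

  # Enable UFW with deny-all + allow web UI
  ufw default deny incoming
  ufw default allow outgoing
  ufw allow 5000/tcp comment "FieldWitness Web UI"
  # SSH is left reachable from any source address. If remote shell access is
  # not needed on deployed units, drop this rule or restrict it to a
  # management subnet (`ufw allow from <subnet> to any port 22 proto tcp`).
  ufw allow 22/tcp comment "SSH"
  # Failure here means the firewall is NOT active; the warning is the only
  # signal, so watch for it in the build log.
  try ufw --force enable

  # Disable unnecessary services (units may not exist in every image flavour,
  # so a missing unit is not an error)
  local svc
  for svc in bluetooth avahi-daemon cups; do
    systemctl disable "${svc}.service" 2>/dev/null || true
  done

  # Enable FieldWitness service
  systemctl enable fieldwitness.service

  # Auto-login to openbox (so the browser opens without login prompt)
  mkdir -p "${AUTOLOGIN_CONF%/*}"
  printf '%s\n' \
    "[Seat:*]" \
    "autologin-user=fieldwitness" \
    "autologin-user-timeout=0" \
    > "$AUTOLOGIN_CONF"

  echo "=== Hardening complete ==="
}

main "$@"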