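# Post-install provisioning for a Debian/Ubuntu-style host.
#
# Every recipe writes under /etc and calls apt-get / systemctl / sysctl with no
# sudo, so the targets have to be run as root.
#
# Targets:
#   postinstall  run utils, hardening and sys-tune
#   utils        install the base tool set (including fail2ban)
#   hardening    unattended security upgrades, sysctl drop-in, Docker daemon
#                logging limits, fail2ban sshd jail
#   sys-tune     enable fail2ban at boot and restart it

.PHONY: postinstall utils hardening sys-tune

postinstall: utils hardening sys-tune
	@echo "[INFO] Post-installazione completata."

utils:
	@echo "[INFO] Installo utilità post-installazione..."
	@apt-get update
	@DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
		vim tmux net-tools wget jq tree fail2ban software-properties-common \
		htop lsof

# fail2ban is installed by `utils`, and both targets call apt-get, so `utils`
# is a real prerequisite: it keeps the order correct under `make -j` and when
# `make hardening` is invoked on its own.
hardening: utils
	@echo "[INFO] Configuro auto-aggiornamenti di sicurezza, sysctl e Docker..."
	@DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends unattended-upgrades
	@printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' | tee /etc/apt/apt.conf.d/20auto-upgrades >/dev/null
	@mkdir -p /etc/sysctl.d
# Config files are written with printf instead of a shell here-document: make
# runs each recipe line in its own shell, so the lines after `<<'EOF'` would be
# executed as commands rather than written to the file.
	@printf '%s\n' \
		'net.ipv4.conf.all.rp_filter=1' \
		'net.ipv4.tcp_syncookies=1' \
		'net.ipv4.icmp_echo_ignore_broadcasts=1' \
		'kernel.kptr_restrict=2' \
		'kernel.randomize_va_space=2' \
		| tee /etc/sysctl.d/99-hardening.conf >/dev/null
# Best-effort apply (it can fail where sysctl is read-only), but report it:
# a silent failure would leave the host running without these settings.
	@sysctl --system || echo "[WARN] sysctl --system non riuscito: i parametri di hardening potrebbero non essere attivi." >&2
	@mkdir -p /etc/docker
# NOTE(review): this replaces any existing /etc/docker/daemon.json wholesale;
# settings already present there (including security-relevant ones) are lost.
# Confirm the host has no prior daemon configuration before running.
	@printf '%s\n' \
		'{' \
		'  "log-driver": "json-file",' \
		'  "log-opts": { "max-size": "10m", "max-file": "3" },' \
		'  "live-restore": true' \
		'}' \
		| tee /etc/docker/daemon.json >/dev/null
# Docker is not installed by this Makefile, so a failure here stays non-fatal.
	@systemctl reload docker || systemctl restart docker || echo "[WARN] Docker non ricaricato/riavviato: la nuova configurazione non è attiva." >&2
	@mkdir -p /etc/fail2ban/jail.d
	@printf '%s\n' \
		'[sshd]' \
		'enabled = true' \
		'bantime = 1h' \
		'findtime = 10m' \
		'maxretry = 5' \
		| tee /etc/fail2ban/jail.d/sshd-local.conf >/dev/null
	@systemctl restart fail2ban || echo "[WARN] Riavvio di fail2ban non riuscito: la jail sshd potrebbe non essere attiva." >&2

# Needs the fail2ban package from `utils`.
sys-tune: utils
	@echo "[INFO] Configuro Fail2ban..."
	@systemctl enable fail2ban || echo "[WARN] Impossibile abilitare fail2ban all'avvio." >&2
	@systemctl restart fail2ban || echo "[WARN] Riavvio di fail2ban non riuscito: la jail sshd potrebbe non essere attiva." >&2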