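#!/usr/bin/env bash
# Debian 12 system configuration script
# Basic system configuration and optimisation: timezone/NTP, locale,
# resource limits + sysctl, sshd, ufw and logrotate.
#
# Usage:   see show_help (run with -h)
# Env:     SSH_PERMIT_ROOT_LOGIN        value for sshd PermitRootLogin (default: yes)
#          SSH_PASSWORD_AUTHENTICATION  value for sshd PasswordAuthentication (default: yes)
# Requires root for every configure_* action (help/usage works unprivileged).
set -euo pipefail

# Colour definitions. The escapes are literal backslash sequences and are
# interpreted by printf '%b' in the log_* helpers.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

#######################################
# Logging helpers.
# Arguments: message text (joined with spaces)
# Outputs:   info/success to stdout, warning/error to stderr
#######################################
log_info()    { printf '%b[INFO]%b %s\n' "$BLUE" "$NC" "$*"; }
log_success() { printf '%b[SUCCESS]%b %s\n' "$GREEN" "$NC" "$*"; }
log_warning() { printf '%b[WARNING]%b %s\n' "$YELLOW" "$NC" "$*" >&2; }
log_error()   { printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$*" >&2; }

#######################################
# Abort the current action unless running as root; every configure_* function
# writes under /etc and drives systemctl, which silently fail or half-apply
# without privileges.
# Returns:   0 as root, 1 otherwise (set -e turns this into a script exit)
#######################################
require_root() {
  if (( EUID != 0 )); then
    log_error "此操作需要 root 权限，请使用 sudo 运行"
    return 1
  fi
}

#######################################
# Keep a copy of a config file before overwriting it.
# The first backup is kept as <file>.backup (the pristine original); later
# runs add a timestamped copy instead of clobbering it, so the original is
# never replaced by this script's own output.
# Arguments: $1 - path of the file to back up (missing file is a no-op)
#######################################
backup_file() {
  local file=$1
  [[ -f "$file" ]] || return 0
  if [[ -e "${file}.backup" ]]; then
    cp -a -- "$file" "${file}.backup.$(date +%Y%m%d%H%M%S)"
  else
    cp -a -- "$file" "${file}.backup"
  fi
}

#######################################
# Refresh the package index and install the given packages non-interactively.
# Arguments: package names
#######################################
apt_install() {
  DEBIAN_FRONTEND=noninteractive apt-get update -q
  DEBIAN_FRONTEND=noninteractive apt-get install -y -q "$@"
}

#######################################
# Configure timezone and chrony with domestic NTP sources.
# Globals:   none
# Outputs:   rewrites /etc/chrony/chrony.conf (original backed up)
#######################################
configure_timezone() {
  log_info "配置时区为 Asia/Shanghai..."
  require_root

  # Set timezone
  timedatectl set-timezone Asia/Shanghai

  # Install and configure chrony
  apt_install chrony

  # Configure chrony to use domestic NTP servers
  backup_file /etc/chrony/chrony.conf
  cat > /etc/chrony/chrony.conf << 'EOF'
# NTP servers from Alibaba Cloud
server ntp.aliyun.com iburst
server ntp1.aliyun.com iburst
server ntp2.aliyun.com iburst
server ntp3.aliyun.com iburst

# NTP servers from Tencent Cloud
server time1.cloud.tencent.com iburst
server time2.cloud.tencent.com iburst

# NTP servers from Baidu
server ntp1.baidu.com iburst
server ntp2.baidu.com iburst

# Record the rate at which the system clock gains/loses time
driftfile /var/lib/chrony/chrony.drift

# Step the clock if the offset is larger than 1 second, but only during the
# first 3 updates (initial sync after boot)
makestep 1 3

# Keep the hardware clock (RTC) in sync with the system clock
rtcsync

# Allow NTP client access from local network
# (this host acts as an NTP server for RFC1918 ranges)
allow 192.168.0.0/16
allow 10.0.0.0/8
allow 172.16.0.0/12

# Serve time even if not synchronized to a time source
local stratum 10

# Specify directory for log files
logdir /var/log/chrony

# Select which information is logged
log measurements statistics tracking
EOF

  systemctl restart chrony
  systemctl enable chrony

  log_success "时区配置完成"
}

#######################################
# Generate zh_CN / en_US UTF-8 locales and set the system default.
# Outputs:   rewrites /etc/default/locale (original backed up)
#######################################
configure_locale() {
  log_info "配置语言环境..."
  require_root

  # /etc/locale.gen only exists once the locales package is installed
  [[ -f /etc/locale.gen ]] || apt_install locales

  # Generate Chinese and English locales
  sed -i 's/# zh_CN.UTF-8 UTF-8/zh_CN.UTF-8 UTF-8/' /etc/locale.gen
  sed -i 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
  locale-gen

  # Set the default locale
  backup_file /etc/default/locale
  cat > /etc/default/locale << 'EOF'
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC=zh_CN.UTF-8
LC_TIME=zh_CN.UTF-8
LC_COLLATE="en_US.UTF-8"
LC_MONETARY=zh_CN.UTF-8
LC_MESSAGES="en_US.UTF-8"
LC_PAPER=zh_CN.UTF-8
LC_NAME=zh_CN.UTF-8
LC_ADDRESS=zh_CN.UTF-8
LC_TELEPHONE=zh_CN.UTF-8
LC_MEASUREMENT=zh_CN.UTF-8
LC_IDENTIFICATION=zh_CN.UTF-8
EOF

  # Reload locale settings
  update-locale LANG=en_US.UTF-8

  log_success "语言环境配置完成"
}

#######################################
# Configure PAM resource limits and kernel sysctl parameters.
# Outputs:   appends to /etc/security/limits.conf (once; a marker comment
#            makes reruns idempotent), rewrites /etc/sysctl.d/99-custom.conf
#######################################
configure_limits() {
  local marker='# EM Script Library - System Limits Configuration'
  log_info "配置系统限制..."
  require_root

  # Append only once: limits.conf is additive, and a second run would
  # otherwise duplicate every line.
  if grep -qF -- "$marker" /etc/security/limits.conf 2>/dev/null; then
    log_warning "/etc/security/limits.conf 已包含自定义配置，跳过追加"
  else
    cat >> /etc/security/limits.conf << 'EOF'
# EM Script Library - System Limits Configuration
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536
root soft nofile 65536
root hard nofile 65536
root soft nproc 65536
root hard nproc 65536

# Increase core file size
* soft core unlimited
* hard core unlimited
root soft core unlimited
root hard core unlimited
EOF
  fi

  # Configure sysctl parameters
  cat > /etc/sysctl.d/99-custom.conf << 'EOF'
# EM Script Library - System Control Configuration

# Increase system file descriptor limits
fs.file-max = 655360

# Network optimizations
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 250000
net.ipv4.tcp_max_syn_backlog = 250000
net.ipv4.ip_local_port_range = 1024 65535

# TCP optimizations
# net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and does not exist on the
# Debian 12 kernel; listing it makes 'sysctl -p' return an error, which aborts
# this script under set -e.
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_syncookies = 1

# Memory optimizations
vm.swappiness = 10
vm.dirty_ratio = 20
vm.dirty_background_ratio = 10
vm.vfs_cache_pressure = 50

# Security enhancements
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF

  # Apply sysctl configuration
  sysctl -p /etc/sysctl.d/99-custom.conf

  log_success "系统限制配置完成"
}

#######################################
# Write a complete sshd_config and restart the service.
# The generated file is validated with 'sshd -t' before it is installed so a
# bad config can never leave sshd unable to start after the next restart.
# Globals:   SSH_PERMIT_ROOT_LOGIN (read, default yes)
#            SSH_PASSWORD_AUTHENTICATION (read, default yes)
#            Defaults reproduce the previous behaviour; for an internet-facing
#            host set them to prohibit-password / no once keys are deployed.
# Outputs:   rewrites /etc/ssh/sshd_config (original backed up)
# Returns:   1 if the generated config fails validation (original untouched)
#######################################
configure_ssh() {
  local permit_root="${SSH_PERMIT_ROOT_LOGIN:-yes}"
  local password_auth="${SSH_PASSWORD_AUTHENTICATION:-yes}"
  local tmp
  log_info "配置 SSH 服务..."
  require_root

  # Back up the original configuration
  backup_file /etc/ssh/sshd_config

  # Render the new configuration to a temp file first
  tmp=$(mktemp) || return 1
  cat > "$tmp" << EOF
# EM Script Library - SSH Configuration

# Basic configuration
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Host keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
LogLevel INFO
SyslogFacility AUTH

# Authentication
PermitRootLogin ${permit_root}
StrictModes yes
MaxAuthTries 6
MaxSessions 10

# Password authentication
PasswordAuthentication ${password_auth}

# Public key authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no

# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no

# Security options
UsePAM yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PermitTTY yes
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 60
ClientAliveCountMax 3
UseDNS no
PidFile /var/run/sshd.pid
MaxStartups 10:30:100
PermitTunnel no
ChrootDirectory none
VersionAddendum none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# Override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

  # Validate before installing; a syntax error here would otherwise only
  # surface as a failed restart with the old config already overwritten.
  if ! sshd -t -f "$tmp"; then
    log_error "生成的 sshd_config 未通过 sshd -t 校验，保留原配置"
    rm -f -- "$tmp"
    return 1
  fi
  install -m 0644 -o root -g root -- "$tmp" /etc/ssh/sshd_config
  rm -f -- "$tmp"

  # Restart the SSH service
  systemctl restart ssh
  systemctl enable ssh

  log_success "SSH 配置完成"
}

#######################################
# Install ufw and apply a default-deny inbound policy with SSH/HTTP/HTTPS open.
# Note: 'ufw --force reset' discards any rules already present on the host.
#######################################
configure_firewall() {
  log_info "配置防火墙..."
  require_root

  # Install and enable UFW
  apt_install ufw

  # Configure UFW
  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing

  # Allow SSH — must be added before 'ufw enable' or the current session
  # (and every future one) is cut off.
  ufw allow 22/tcp

  # Allow HTTP/HTTPS
  ufw allow 80/tcp
  ufw allow 443/tcp

  # Enable the firewall non-interactively
  ufw --force enable

  log_success "防火墙配置完成"
}

#######################################
# Install a logrotate policy for /var/log/*.log and apt logs.
# NOTE(review): /var/log/*.log may overlap entries shipped by other packages'
# logrotate snippets; logrotate reports duplicates and skips them — confirm on
# the target host.
#######################################
configure_logrotate() {
  log_info "配置日志轮转..."
  require_root

  cat > /etc/logrotate.d/custom << 'EOF'
/var/log/*.log {
    daily
    missingok
    rotate 52
    compress
    delaycompress
    notifempty
    create 644 root root
    postrotate
        systemctl reload rsyslog.service || true
    endscript
}

/var/log/apt/*.log {
    daily
    missingok
    rotate 12
    compress
    delaycompress
    notifempty
    create 644 root root
}
EOF

  log_success "日志轮转配置完成"
}

#######################################
# Print usage to stdout.
#######################################
show_help() {
  cat << EOF
Debian 12 系统配置工具

用法: $0 [选项] [操作]

操作:
  timezone    配置时区和 NTP
  locale      配置语言环境
  limits      配置系统限制
  ssh         配置 SSH 服务
  firewall    配置防火墙
  logrotate   配置日志轮转
  all         执行所有配置

选项:
  -h, --help  显示此帮助信息

环境变量:
  SSH_PERMIT_ROOT_LOGIN         sshd PermitRootLogin 的值 (默认: yes)
  SSH_PASSWORD_AUTHENTICATION   sshd PasswordAuthentication 的值 (默认: yes)

示例:
  $0 timezone    # 配置时区
  $0 all         # 执行所有配置
EOF
}

#######################################
# Entry point: dispatch on the requested action.
# Arguments: $1 - action name (empty / -h / --help prints usage)
# Returns:   0 on success; exits 1 on an unknown action
#######################################
main() {
  local action="${1:-}"

  case "$action" in
    timezone)
      configure_timezone
      ;;
    locale)
      configure_locale
      ;;
    limits)
      configure_limits
      ;;
    ssh)
      configure_ssh
      ;;
    firewall)
      configure_firewall
      ;;
    logrotate)
      configure_logrotate
      ;;
    all)
      configure_timezone
      configure_locale
      configure_limits
      configure_ssh
      configure_firewall
      configure_logrotate
      ;;
    ""|-h|--help)
      # Usage only: nothing was configured, so do not report success below
      show_help
      return 0
      ;;
    *)
      log_error "未知操作: $action"
      show_help
      exit 1
      ;;
  esac

  log_success "系统配置完成!"
}

# Run the entry point
main "$@"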