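#!/bin/bash
# ufw-homelab.sh
# Applies the full homelab firewall baseline from the security guide.
# Idempotent — safe to run multiple times: the ruleset is reset and rebuilt
# from scratch on every run, so the result does not depend on prior state.
#
# Usage: sudo bash ufw-homelab.sh
# Env:   LAN_SUBNET - trusted LAN CIDR (default 192.168.1.0/24)
#        SSH_PORT   - TCP port sshd listens on (default 22)
# Docs: /guides/linux-security-hardening
#
# Note: `ufw --force reset` disables the firewall until `ufw --force enable`
# runs at the end, so the host is unfiltered for the few seconds in between.
# Run it from the console or over a VPN/SSH session you can afford to lose.

set -euo pipefail

readonly LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
readonly TAILSCALE_SUBNET="100.64.0.0/10"   # Tailscale's CGNAT address range
readonly SSH_PORT="${SSH_PORT:-22}"
readonly WIREGUARD_PORT="51820"             # public UDP listener, see allow_wireguard

# Homelab web UIs and exporters, reachable from LAN_SUBNET only (TCP).
# Everything here is exposed to every host on the LAN; move a service out of
# this table if it should be reachable only through the reverse proxy/VPN.
declare -rA SERVICES=(
  ["Proxmox Web UI"]="8006"
  ["Portainer"]="9443"
  ["Grafana"]="3001"
  ["Prometheus"]="9090"
  ["n8n"]="5678"
  ["Open WebUI"]="3000"
  ["Uptime Kuma"]="3002"
  ["Nextcloud"]="8081"
  ["Jellyfin"]="8096"
  ["NPM Admin"]="81"
  ["Filebrowser"]="8082"
  ["Homepage"]="3003"
  ["Dozzle"]="8083"
  ["Vaultwarden"]="8080"
  ["Alertmanager"]="9093"
  ["Node Exporter"]="9100"
)

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'ufw-homelab: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort before touching the firewall if preconditions are not met:
# root privileges, ufw on PATH, and a sane SSH_PORT (ufw would reject a
# bad value anyway, but only after `ufw --force reset` has already run).
# Globals: SSH_PORT (read)
#######################################
preflight() {
  if (( EUID != 0 )); then
    die "must run as root (sudo bash ufw-homelab.sh)"
  fi
  if ! command -v ufw >/dev/null 2>&1; then
    die "ufw not found in PATH"
  fi
  if ! [[ "$SSH_PORT" =~ ^[0-9]+$ ]] || (( SSH_PORT < 1 || SSH_PORT > 65535 )); then
    die "SSH_PORT must be a port number in 1-65535, got '${SSH_PORT}'"
  fi
}

#######################################
# Wipe the existing ruleset and set default policies:
# deny inbound, allow outbound, deny forwarded (this host is not a router
# between the LAN and the VPN peers).
#######################################
apply_defaults() {
  ufw --force reset
  ufw default deny incoming
  ufw default allow outgoing
  ufw default deny routed
}

#######################################
# SSH is reachable only from the LAN and from the Tailscale range.
# Globals: LAN_SUBNET, TAILSCALE_SUBNET, SSH_PORT (read)
#######################################
allow_ssh() {
  ufw allow from "$LAN_SUBNET" to any port "$SSH_PORT" proto tcp comment "SSH from LAN"
  ufw allow from "$TAILSCALE_SUBNET" to any port "$SSH_PORT" proto tcp comment "SSH from Tailscale"
}

#######################################
# One LAN-only TCP allow rule per entry in SERVICES.
# Names are sorted so the rule order (and `ufw status` output) is the same
# on every run; bash does not guarantee iteration order for assoc arrays.
# Globals: SERVICES, LAN_SUBNET (read)
#######################################
allow_lan_services() {
  local -a names=()
  local name port
  mapfile -t names < <(printf '%s\n' "${!SERVICES[@]}" | LC_ALL=C sort)
  for name in "${names[@]}"; do
    port="${SERVICES[$name]}"
    ufw allow from "$LAN_SUBNET" to any port "$port" proto tcp comment "$name"
  done
}

#######################################
# WireGuard must be reachable from the internet for roaming clients; it is
# the only public listener in this baseline.
# Globals: WIREGUARD_PORT (read)
#######################################
allow_wireguard() {
  ufw allow "${WIREGUARD_PORT}/udp" comment "WireGuard VPN"
}

#######################################
# Trust all inbound traffic arriving on the tailscale0 interface.
# The rule is only added when the interface exists; if Tailscale is not up
# yet this is reported on stderr instead of being skipped silently, because
# the resulting ruleset would otherwise differ from a later run.
#######################################
allow_tailscale_iface() {
  if ip link show tailscale0 >/dev/null 2>&1; then
    ufw allow in on tailscale0 comment "Tailscale interface"
  else
    printf 'ufw-homelab: warning: tailscale0 not present, skipping interface rule (re-run after Tailscale is up)\n' >&2
  fi
}

#######################################
# Entry point: validate, print the effective parameters, rebuild the
# ruleset, enable ufw and show the result.
#######################################
main() {
  preflight

  printf 'Applying homelab UFW baseline...\n'
  printf ' LAN subnet: %s\n' "$LAN_SUBNET"
  printf ' Tailscale subnet: %s\n' "$TAILSCALE_SUBNET"
  printf ' SSH port: %s\n' "$SSH_PORT"
  printf '\n'

  apply_defaults
  allow_ssh
  allow_lan_services
  allow_wireguard
  allow_tailscale_iface

  ufw --force enable

  printf '\n'
  printf '✓ UFW enabled. Current rules:\n'
  ufw status verbose
}

main "$@"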