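#!/usr/bin/env bash
# One-time VPS prep for a Coolify-managed box (Ubuntu 24.04).
# Coolify installs Docker + its reverse proxy itself, so we keep this minimal:
# system update, firewall, base tools. Idempotent. Run as root.
#
# Usage:   sudo bash <this-script>
# Outputs: progress banners on stdout, then the literal marker BOOTSTRAP_DONE.
# Exit:    non-zero on the first failing step (set -e) or when not run as root.
#
# NOTE(review): ufw only filters traffic that reaches the host's INPUT chain.
# Docker publishes container ports through its own iptables rules, so ports
# that Coolify-managed containers publish later can be reachable even without
# a matching "ufw allow". Verify the real exposure from outside the box, or
# also enforce the policy in the provider's network firewall.
set -euo pipefail

# Every step below edits system config, installs packages, or changes firewall
# state. Fail early with a clear message instead of a permission error mid-run.
if [ "$(id -u)" -ne 0 ]; then
  echo "ERROR: this script must be run as root" >&2
  exit 1
fi

export DEBIAN_FRONTEND=noninteractive

echo "### [1/4] needrestart -> automatic (no interactive prompts)"
if [ -f /etc/needrestart/needrestart.conf ]; then
  # Uncomment the restart setting and set it to 'a' (automatic). The pattern
  # only matches the commented-out line, so a second run is a no-op.
  # Best effort on purpose: a failed edit must not abort the bootstrap.
  sed -i "s/#\$nrconf{restart} = .*/\$nrconf{restart} = 'a';/" \
    /etc/needrestart/needrestart.conf || true
fi

echo "### [2/4] apt update + upgrade"
apt-get update -y
apt-get upgrade -y

echo "### [3/4] base packages"
apt-get install -y curl ca-certificates gnupg lsb-release ufw jq

echo "### [4/4] firewall (ufw)"
# SSH is allowed before "ufw --force enable" so the current session and
# key-based login are not cut off when the firewall comes up.
ufw allow OpenSSH  # 22 - keep our key login alive
ufw allow 80/tcp   # http  (Coolify proxy / ACME)
ufw allow 443/tcp  # https (Coolify proxy)
# NOTE(review): this opens the dashboard to every source address, presumably
# over plain HTTP until a domain/TLS is configured in Coolify - confirm.
# Consider restricting it to an admin address, e.g.
#   ufw allow from <ADMIN_IP> to any port 8000 proto tcp
# or removing the rule once the dashboard is served through 443.
ufw allow 8000/tcp # Coolify dashboard
# --force skips the confirmation prompt so the script stays non-interactive.
ufw --force enable
ufw status verbose

echo "BOOTSTRAP_DONE"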