#!/usr/bin/env bash
set -euo pipefail

SSHD_CONFIG="/etc/ssh/sshd_config"

if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root."
  exit 1
fi

echo "Updating SSH configuration..."

# Backup once
if [[ ! -f "${SSHD_CONFIG}.bak" ]]; then
  cp "$SSHD_CONFIG" "${SSHD_CONFIG}.bak"
fi

# Ensure PermitRootLogin yes
if grep -qE '^\s*PermitRootLogin' "$SSHD_CONFIG"; then
  sed -i 's/^\s*PermitRootLogin.*/PermitRootLogin yes/' "$SSHD_CONFIG"
else
  echo "PermitRootLogin yes" >> "$SSHD_CONFIG"
fi

# Ensure PasswordAuthentication no
if grep -qE '^\s*PasswordAuthentication' "$SSHD_CONFIG"; then
  sed -i 's/^\s*PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONFIG"
else
  echo "PasswordAuthentication no" >> "$SSHD_CONFIG"
fi

echo "Restarting SSH service..."
if systemctl is-active --quiet sshd; then
  systemctl restart sshd
elif systemctl is-active --quiet ssh; then
  systemctl restart ssh
else
  echo "SSH service not found via systemd"
fi

echo "Rebooting system now..."
reboot