#!/bin/bash
set -euo pipefail
source "$(dirname "${BASH_SOURCE[0]}")/../../lib/logging.sh"

log "Installing OpenSSH server..."
sudo pacman -S --noconfirm --needed openssh

log "Hardening SSH config (disable root login, enforce key auth)..."
SSHD_CONF=/etc/ssh/sshd_config
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/'        "$SSHD_CONF"
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONF"
sudo sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/'    "$SSHD_CONF"

log "Enabling sshd service..."
sudo systemctl enable sshd.service
log "SSH server installed and enabled (key auth only, root login disabled)."
warn "Add your public key to ~/.ssh/authorized_keys before first use."