#!/bin/bash
set -euo pipefail

sudo pacman -S --noconfirm --needed openssh

# Harden defaults: disable root login, enforce key auth only
SSHD_CONF=/etc/ssh/sshd_config
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/'        "$SSHD_CONF"
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' "$SSHD_CONF"
sudo sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/'    "$SSHD_CONF"

sudo systemctl enable sshd.service
echo "SSH server installed and enabled (key auth only, root login disabled)."
echo "Add your public key to ~/.ssh/authorized_keys before first use."