#!/bin/bash
set -e

# === CONFIG ===
GEN_HOSTNAME="genesis-vps-$RANDOM"
TG_API_URL="https://api.telegram.org/bot<OPTIONAL-BOT>/sendMessage"
TG_CHAT_ID="<OPTIONAL-ID>"

# === STEP 1: Obfuscate Traceroute (ICMP & UDP/TCP Ports) ===
echo "[*] Obfuscating traceroute and TTL paths..."
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j DROP
iptables -A INPUT -p udp --dport 33434:33534 -j DROP
iptables -A INPUT -p tcp --dport 33434:33534 -j DROP
echo "[+] Firewall rules added."

# === STEP 2: Set a Neutral Hostname ===
echo "[*] Setting hostname to $GEN_HOSTNAME"
hostnamectl set-hostname "$GEN_HOSTNAME"
sed -i "s/^127.0.1.1.*/127.0.1.1   $GEN_HOSTNAME/" /etc/hosts
echo "[+] Hostname set."

# === STEP 3: Remove Linode Metadata Access ===
echo "[*] Disabling Linode metadata agent (if present)..."
systemctl stop linode-cloudinit 2>/dev/null || true
systemctl disable linode-cloudinit 2>/dev/null || true
touch /etc/cloud/cloud-init.disabled
rm -rf /etc/cloud /var/lib/cloud /var/log/cloud-init.log
echo "[+] Cloud-init neutered."

# === STEP 4: Scrub Linode Stuff ===
echo "[*] Scrubbing Linode fingerprints..."
rm -f /etc/motd /etc/update-motd.d/linode
rm -rf /usr/share/linode*
rm -f /etc/apt/sources.list.d/linode.list
apt remove --purge -y linode-cli linode-config 2>/dev/null || true
yum remove -y linode-cli linode-config 2>/dev/null || true
echo "[+] Linode packages and branding removed."

# === STEP 5: Optional Telegram Notice ===
# Uncomment if you want to alert yourself when a VPS is hardened
# curl -s -X POST "$TG_API_URL" -d chat_id="$TG_CHAT_ID" -d text="Genesis VPS hardened: $GEN_HOSTNAME is stealth-ready." > /dev/null

# === STEP 6: Final Touch ===
echo "[✅] Genesis VPS hardened. You are now off-the-grid and good to go."