#!/bin/bash
###############################################################################
# Sentinel Firewall — Interhost mirror installer
# Source: https://csf.interhost.co.il/
# Fork:   https://github.com/devpets/sentinelfirewall
###############################################################################
set -e

MIRROR="https://csf.interhost.co.il"
TARBALL="${MIRROR}/csf.tgz"
SHA_URL="${MIRROR}/SHA256SUMS"
GPG_URL="${MIRROR}/SHA256SUMS.asc"
PUBKEY_URL="${MIRROR}/release-pubkey.asc"
WORKDIR="/usr/src"

if [ "$EUID" -ne 0 ]; then
  echo "Must be run as root" >&2
  exit 1
fi

echo
echo "=========================================================="
echo " Sentinel Firewall installer (Interhost mirror)"
echo " Mirror : ${MIRROR}"
echo "=========================================================="
echo

cd "${WORKDIR}"
[ -d csf ] && rm -rf csf
[ -f csf.tgz ] && rm -f csf.tgz

echo "--> Downloading public key..."
curl -fsSL "${PUBKEY_URL}" -o /tmp/sentinel-pubkey.asc
gpg --quiet --batch --import /tmp/sentinel-pubkey.asc 2>/dev/null || {
  apt-get install -y gnupg2 >/dev/null 2>&1 || yum install -y gnupg2 >/dev/null 2>&1 || true
  gpg --quiet --batch --import /tmp/sentinel-pubkey.asc
}

echo "--> Downloading release..."
curl -fsSL "${TARBALL}"  -o csf.tgz
curl -fsSL "${SHA_URL}"  -o SHA256SUMS
curl -fsSL "${GPG_URL}"  -o SHA256SUMS.asc

echo "--> Verifying GPG signature..."
gpg --quiet --batch --verify SHA256SUMS.asc SHA256SUMS

echo "--> Verifying SHA256..."
EXPECTED=$(awk '/csf.tgz$/{print $1}' SHA256SUMS)
ACTUAL=$(sha256sum csf.tgz | awk '{print $1}')
if [ "$EXPECTED" != "$ACTUAL" ]; then
  echo "SHA256 mismatch: expected $EXPECTED, got $ACTUAL" >&2
  exit 1
fi
echo "    OK: $ACTUAL"

echo "--> Extracting..."
tar -xzf csf.tgz
cd csf

echo "--> Running installer..."
sh install.sh