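#!/usr/bin/env bash
# check-hardened.sh - Scan all known Genesis VPSes for hardening status
#
# For every <label>.log file in LOG_BASE, the last IPv4 address that appears
# in parentheses is taken as the VPS address, and the host is queried over SSH
# for the presence of MARKER_FILE.
#
# Requirements: key-based ssh access as root to all VPSes by label or IP.
#
# Environment:
#   SSH_HOSTKEY_POLICY  value passed to StrictHostKeyChecking
#                       (default: accept-new, needs OpenSSH 7.6 or later).

set -u

LOG_BASE="/home/doc/vpslogs"
MARKER_FILE="/var/log/genesis-hardened.ok"

# The answer to "is this box hardened?" is only as trustworthy as the identity
# of the host that gives it. With StrictHostKeyChecking=no a changed host key is
# accepted silently, so whoever answers on that IP can report "hardened".
# accept-new still enrolls hosts seen for the first time but refuses a host
# whose key differs from the one recorded in known_hosts.
SSH_HOSTKEY_POLICY="${SSH_HOSTKEY_POLICY:-accept-new}"

if [ ! -d "$LOG_BASE" ]; then
  echo "❌ Log directory $LOG_BASE does not exist. Are you running this on Krang?" >&2
  exit 1
fi

cd "$LOG_BASE" || exit 1

echo "🔍 Scanning for hardened Genesis VPSes..."
echo

for LOG in *.log; do
  # Without nullglob an unmatched pattern stays literal ("*.log"); skip it.
  [ -f "$LOG" ] || continue

  VPS_LABEL="${LOG%.log}"

  # Last "(a.b.c.d)" occurrence in the log; "--" keeps a file name that starts
  # with "-" from being parsed as a grep option.
  LAST_KNOWN_IP=$(grep -Eo -- '\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)' "$LOG" | tail -1 | tr -d '()')

  if [ -z "$LAST_KNOWN_IP" ]; then
    echo "⚠️ $VPS_LABEL: No IP found in log. Skipping."
    continue
  fi

  printf '%s' "🔧 $VPS_LABEL ($LAST_KNOWN_IP): "

  # BatchMode=yes makes ssh fail instead of waiting on a password or
  # passphrase prompt, so one host without key access cannot stall the scan.
  ssh -o BatchMode=yes \
      -o ConnectTimeout=5 \
      -o StrictHostKeyChecking="$SSH_HOSTKEY_POLICY" \
      root@"$LAST_KNOWN_IP" "test -f '$MARKER_FILE'" >/dev/null 2>&1
  rc=$?

  # ssh exits with the remote command's status, or 255 when ssh itself failed
  # (timeout, authentication, host key mismatch). Only 0 and 1 say anything
  # about the marker file; everything else means the status is unknown.
  case "$rc" in
    0) echo "✅ Hardened" ;;
    1) echo "❌ Not marked as hardened" ;;
    *) echo "⚠️ SSH check failed (exit $rc); hardening status unknown" ;;
  esac
done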