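#!/usr/bin/env bash
# Audit LXCs on a Proxmox node via pct exec (run ON the PVE host as root).
#
# For every container reported by `pct list`, a banner with vmid/name/status is
# printed; running containers then get the embedded AUDIT script executed inside
# the guest and its output appended under the banner. Everything a guest prints
# is guest-controlled data, so it is passed through scrub() before it reaches the
# operator's terminal or a log file. Stopped containers are listed and skipped.
#
# Requires on the host: pct (Proxmox VE), awk, tr. Requires bash in each guest.
set -u

# Script run inside each guest via `bash -c`. Single-quoted on purpose: every
# $-expansion below happens in the guest, not on the host. Do not put an
# apostrophe anywhere inside it. Each section prints something even when the
# inspected tool is absent, so the report stays readable column-for-column.
AUDIT='#!/bin/bash
echo "=== identity ==="
hostname -f 2>/dev/null || hostname
# source os-release in a subshell so its variables do not leak into this script
[ -r /etc/os-release ] && ( . /etc/os-release && echo "os=${PRETTY_NAME:-unknown}" )
echo "ip=$(hostname -I 2>/dev/null | awk "{print \$1}")"
echo "=== sshd (effective) ==="
if command -v sshd >/dev/null 2>&1; then
  # sshd -T prints the merged, effective configuration (lower-case keywords),
  # which is what actually applies, including Match blocks and Include files.
  sshd -T 2>/dev/null | grep -E "^(permitrootlogin|passwordauthentication|pubkeyauthentication|permitemptypasswords|port) " || true
elif [ -r /etc/ssh/sshd_config ]; then
  # no sshd binary but a config exists: show explicit directives only
  grep -E "^(PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|PermitEmptyPasswords|Port) " /etc/ssh/sshd_config 2>/dev/null || true
else
  echo "sshd not installed"
fi
echo "=== firewall ==="
# only ufw is inspected; raw nftables/iptables rulesets are not
if command -v ufw >/dev/null 2>&1; then
  ufw status 2>/dev/null | head -3
else
  echo "no ufw"
fi
echo "=== fail2ban ==="
if systemctl is-active --quiet fail2ban 2>/dev/null; then
  echo "active"
else
  echo "inactive/missing"
fi
echo "=== pending upgrades ==="
if command -v apt-get >/dev/null 2>&1; then
  # grep -c always prints a count (0 on no match), so no fallback echo is needed
  apt-get -s upgrade 2>/dev/null | grep -c "^Inst" || true
else
  echo "n/a (not apt-based)"
fi
echo "=== public listeners ==="
if command -v ss >/dev/null 2>&1; then
  # TCP listeners not bound to loopback; header line kept, output capped
  ss -tlnp 2>/dev/null | grep -F -v -e "127.0.0.1:" -e "[::1]:" | head -12
else
  echo "ss not available"
fi
'
readonly AUDIT

#######################################
# Remove control characters from guest output.
# Guest output is untrusted: a compromised container could emit terminal
# escape sequences. Newline and tab are kept; NUL, ESC, other C0 controls
# and DEL are dropped.
# Arguments: none (filters stdin to stdout)
#######################################
scrub() {
  LC_ALL=C tr -d '\000-\010\013-\037\177'
}

#######################################
# List containers as "vmid status name", one per line.
# `pct list` prints "VMID Status Lock Name" in whitespace-separated columns; the
# Lock column is normally blank, so a fixed column index for the name is wrong
# for unlocked containers. The name is taken as the last field instead.
# Outputs: "<vmid> <status> <name>" lines; nothing if pct is missing or fails
#######################################
list_containers() {
  pct list 2>/dev/null | awk 'NR > 1 && NF >= 3 { print $1, $2, $NF }'
}

#######################################
# Run AUDIT inside one container and print its scrubbed output.
# Globals:   AUDIT (read)
# Arguments: $1 - container vmid
# Outputs:   guest report (stdout+stderr merged), then an ERROR line on failure
#######################################
audit_container() {
  local id=$1
  local rc
  # The guest shell exits with the status of the last audit command, so a
  # non-zero rc here normally means pct exec itself failed (e.g. no bash in the
  # guest or the container is unreachable).
  pct exec "$id" -- bash -c "$AUDIT" 2>&1 | scrub
  rc=${PIPESTATUS[0]}
  if [ "$rc" -ne 0 ]; then
    printf 'ERROR: pct exec failed (rc=%s)\n' "$rc"
  fi
}

#######################################
# Print node identity, then audit every running container.
#######################################
main() {
  local id status name
  printf 'PVE_NODE=%s\n' "$(hostname -f 2>/dev/null || hostname)"
  printf 'PVE_IP=%s\n' "$(hostname -I 2>/dev/null | awk '{print $1}')"
  # process substitution keeps the loop in the current shell; pct list is
  # called once rather than three times per container
  while read -r id status name; do
    printf '\n######## LXC vmid=%s name=%s status=%s ########\n' "$id" "$name" "$status"
    if [ "$status" != "running" ]; then
      echo "SKIP: not running"
      continue
    fi
    audit_container "$id"
  done < <(list_containers)
}

main "$@"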