#!/bin/bash
# Køres som root inde i LXC'en. Idempotent.
set -euo pipefail

if [[ "$EUID" -ne 0 ]]; then
    echo "must be run as root" >&2
    exit 1
fi

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"

# 1. APT deps
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y --no-install-recommends \
    wireguard-tools \
    iproute2 \
    iptables \
    ca-certificates \
    git \
    build-essential \
    procps

# 2. Build + install microsocks (lille, ingen runtime deps)
if ! command -v microsocks >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    git clone --depth=1 https://github.com/rofl0r/microsocks.git "$tmp"
    make -C "$tmp"
    install -Dm755 "$tmp/microsocks" /usr/local/bin/microsocks
    rm -rf "$tmp"
fi

# 3. Install fetch-service binary.
#    Forventes pushet/lagt på plads af brugeren før dette script køres
#    (enten via `pct push` fra Proxmox-hosten, eller lokalt med `cp`).
BIN=/usr/local/bin/weircon-random-proxy
if [[ ! -f "$BIN" ]]; then
    cat >&2 <<EOF
ERR: $BIN mangler.

Læg binæren på plads med én af:
  - fra Proxmox-host:  pct push <ctid> ./weircon-random-proxy $BIN --perms 0755
  - fra inde i LXC:    cp /path/to/weircon-random-proxy $BIN
                       chmod +x $BIN
  - download release:  curl -fLo $BIN https://<gitea>/<owner>/weircon-random-proxy/releases/download/<tag>/weircon-random-proxy
                       chmod +x $BIN

Kør derefter setup-container.sh igen.
EOF
    exit 1
fi
chmod +x "$BIN"

# 4. Helper-scripts
install -Dm755 "$SCRIPT_DIR/netns-up.sh"   /usr/local/sbin/weircon-netns-up
install -Dm755 "$SCRIPT_DIR/netns-down.sh" /usr/local/sbin/weircon-netns-down

# 5. systemd units
install -Dm644 "$SCRIPT_DIR/weircon-proxies.target"   /etc/systemd/system/weircon-proxies.target
install -Dm644 "$SCRIPT_DIR/weircon-proxy@.service"   /etc/systemd/system/weircon-proxy@.service
install -Dm644 "$SCRIPT_DIR/weircon-fetch.service"    /etc/systemd/system/weircon-fetch.service

# 6. Config-dir + default env
mkdir -p /etc/weircon-random-proxy/wg
chmod 700 /etc/weircon-random-proxy/wg
if [[ ! -f /etc/weircon-random-proxy/fetch.env ]]; then
    install -m640 "$SCRIPT_DIR/fetch.env.example" /etc/weircon-random-proxy/fetch.env
fi

systemctl daemon-reload

# 7. Tjek at WG-configs er på plads
missing=0
for i in 0 1 2 3 4 5 6 7 8 9; do
    if [[ ! -f /etc/weircon-random-proxy/wg/proxy${i}.conf ]]; then
        echo "WARN: /etc/weircon-random-proxy/wg/proxy${i}.conf mangler"
        missing=1
    fi
done

cat <<EOF

Setup done.

Configs til stede: $([[ $missing -eq 0 ]] && echo "alle 10 OK" || echo "MANGLER — push dem ind før du starter")

Start stakken:
  systemctl enable --now weircon-proxies.target
  systemctl enable --now weircon-proxy@{0..9}.service
  systemctl enable --now weircon-fetch.service

Verificér:
  systemctl status 'weircon-proxy@*'
  curl http://127.0.0.1:8080/health
  curl -H 'X-Weircon-Random-Ip-Redirect: https://api.ipify.org' http://127.0.0.1:8080/

Egress-IP tjek (skal vise N distinkte upstream-IPs):
  for i in 0 1 2 3 4 5 6 7 8 9; do
    curl -sS -H "X-Weircon-Proxy-Id: \$i" -H "X-Weircon-Random-Ip-Redirect: https://api.ipify.org" http://127.0.0.1:8080/
    echo "  ← proxy\$i"
  done
EOF