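#!/usr/bin/env bash
# Startup hook - runs after the container starts.
#
# Detects the Windows VM's IPv4 address (VM_NET_IP, else the dnsmasq lease
# file), waits for its SSH port, then exposes the VM through a socat relay
# on :2222 and a set of iptables DNAT rules on the container's 172.31.0.x
# address. Everything after the tool/key setup runs in a background subshell
# so the hook itself returns quickly.
#
# The file ends with `return`, so the hook runner is presumably sourcing it;
# direct execution is tolerated too (see the last line). If sourced, the
# `set` options below also apply to the calling shell.
set -Eeuo pipefail

# All progress messages go to stdout with the same prefix as before.
log() { printf '[rego-tunnel] %s\n' "$*"; }

# Install required packages (the container filesystem is not persistent
# across restarts, so this runs every time). Best-effort: a failure is logged
# rather than fatal, and the tools are re-checked below before they are used.
log "Installing required packages..."
if ! apt-get update -qq >/dev/null 2>&1 \
   || ! apt-get install -y -qq socat openssh-client netcat-openbsd >/dev/null 2>&1; then
  log "WARNING: package installation failed; continuing with already-installed tools"
fi

# Setup SSH key for accessing the Windows VM (used by the operator, not by
# this script). The key must be 0600 and ~/.ssh 0700 or ssh will refuse it.
log "Setting up SSH key..."
mkdir -p /root/.ssh
chmod 700 /root/.ssh
if cp /vpn_scripts/id_ed25519-lenovo /root/.ssh/ 2>/dev/null; then
  chmod 600 /root/.ssh/id_ed25519-lenovo
else
  log "WARNING: could not install /vpn_scripts/id_ed25519-lenovo (missing or unreadable)"
fi

#######################################
# Print the Windows VM's IPv4 address, or nothing if it is not known yet.
# Globals: VM_NET_IP (read) - explicit override, takes precedence.
# Outputs: dotted-quad on stdout, or nothing.
# Returns: always 0, so the caller's retry loop keeps polling under set -e
#          (the lease file may not exist yet when the hook starts).
# Only dotted-quad values are accepted: the hostname column in the lease
# file is client-supplied, so any DHCP client calling itself "...Windows..."
# matches the pattern; validating the shape keeps stray text out of the
# iptables/socat arguments built from it. The rest of the script is IPv4
# only (ip -4, iptables), so IPv6 is deliberately rejected here as well.
#######################################
get_windows_ip() {
  local ip=""
  if [[ -n "${VM_NET_IP:-}" ]]; then
    ip=$VM_NET_IP
  else
    ip=$(awk '/Windows/ {print $3; exit}' /var/lib/misc/dnsmasq.leases 2>/dev/null) || true
  fi
  if [[ "$ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    printf '%s\n' "$ip"
  fi
  return 0
}

#######################################
# Print the container's own address on 172.31.0.0/24 (expected .10),
# skipping the .1 docker bridge gateway. Empty output if none is found.
# Matching on "inet <addr>" avoids picking up the "brd 172.31.0.255" field.
# Returns: always 0; the caller checks for empty output.
#######################################
get_container_ip() {
  ip -4 -o addr 2>/dev/null \
    | grep -oE 'inet 172\.31\.0\.[0-9]+' \
    | awk '{print $2}' \
    | grep -v '\.1$' \
    | head -1 || true
}

(
  # With -e this background job would otherwise die silently; -E lets the
  # trap fire inside functions too.
  trap 'log "ERROR: command failed at line $LINENO: $BASH_COMMAND"' ERR

  # Wait (up to ~4 minutes) for the Windows VM to boot and obtain an IP.
  log "Waiting for Windows VM..."
  WINDOWS_IP=""
  for _ in {1..120}; do
    WINDOWS_IP=$(get_windows_ip)
    if [[ -n "$WINDOWS_IP" ]]; then
      break
    fi
    sleep 2
  done
  if [[ -z "$WINDOWS_IP" ]]; then
    log "ERROR: Could not detect Windows VM IP"
    exit 1
  fi
  log "Windows VM IP: $WINDOWS_IP"

  # Wait for SSH to be available on Windows.
  # NOTE(review): this probes port 22, while the socat relay below describes
  # 2222 as "VM's SSH" and the DNAT comment calls 22 a portproxy - confirm
  # which port the VM's sshd actually listens on.
  log "Waiting for SSH on Windows..."
  ssh_up=0
  if command -v nc >/dev/null 2>&1; then
    for _ in {1..60}; do
      if nc -z -w 3 "$WINDOWS_IP" 22 2>/dev/null; then
        ssh_up=1
        break
      fi
      sleep 2
    done
  else
    log "WARNING: nc not installed; skipping SSH readiness check"
  fi
  if (( ssh_up )); then
    log "SSH is available"
  else
    log "WARNING: SSH on ${WINDOWS_IP}:22 not reachable within the wait window; continuing anyway"
  fi

  CONTAINER_IP=$(get_container_ip)
  if [[ -z "$CONTAINER_IP" ]]; then
    log "ERROR: Could not determine container IP on 172.31.0.0/24"
    exit 1
  fi
  log "Container IP: $CONTAINER_IP"

  #######################################
  # Append an iptables rule unless an identical one already exists, so a
  # re-run of this hook does not stack duplicates.
  # Arguments: $1 - table (nat/filter), $2 - chain, rest - rule spec
  #######################################
  ensure_rule() {
    local table=$1 chain=$2
    shift 2
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
      || iptables -t "$table" -A "$chain" "$@"
  }

  # Masquerade traffic leaving via the docker bridge interface.
  # NOTE(review): the interface is named "docker" here rather than the usual
  # "docker0" - confirm against `ip link` in this container.
  ensure_rule nat POSTROUTING -o docker -j MASQUERADE

  # Accept forwarded traffic to the VM from any source. Narrow this with
  # -s/-i if the container is reachable from networks that should not be
  # able to reach the VM's forwarded ports.
  ensure_rule filter FORWARD -d "$WINDOWS_IP" -j ACCEPT

  # Relay :2222 -> VM:2222 for VM access. socat binds all interfaces, so the
  # relay is reachable from anywhere that can reach the container; add
  # bind=<addr> to TCP-LISTEN to restrict it. The pkill pattern is broad
  # (any socat whose arguments contain ":2222"); it clears a relay left over
  # from a previous run of this hook.
  pkill -f "socat.*:2222" 2>/dev/null || true
  if command -v socat >/dev/null 2>&1; then
    socat TCP-LISTEN:2222,fork,reuseaddr "TCP:${WINDOWS_IP}:2222" &
    log "SSH to VM available on port 2222"
  else
    log "WARNING: socat not installed; port 2222 relay not started"
  fi

  #######################################
  # DNAT a TCP port on the container's address to the same port on the VM.
  # Arguments: $1 - TCP port number
  #######################################
  add_dnat() {
    local port=$1
    ensure_rule nat PREROUTING -d "$CONTAINER_IP" -p tcp --dport "$port" \
      -j DNAT --to-destination "${WINDOWS_IP}:${port}"
  }

  # IBM i standard ports (via VM portproxy), IBM i data ports (8470-8476),
  # then the additional ranges. Order matches the original rule order.
  for port in 22 23 446 448 449 \
              {8470..8476} \
              {2000..2020} {3000..3020} {10000..10020} {36000..36010}; do
    add_dnat "$port"
  done
  log "iptables DNAT rules configured"
  log "Port forwarding ready via $CONTAINER_IP"
) &

# `return` works when sourced by the hook runner; when executed directly it
# is an error (and would leave a non-zero exit status), so fall back to exit.
return 0 2>/dev/null || exit 0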