#!/bin/bash
# ── F2B Control Center — container entrypoint ────────────────────────────────
# Handles first-run initialisation, then hands off to supervisord.
# ─────────────────────────────────────────────────────────────────────────────
set -e

echo "[f2b-cc] Starting F2B Control Center..."

# ── Kernel module: xt_string (required for X-Forwarded-For matching) ──────────
if modprobe xt_string 2>/dev/null; then
    echo "[f2b-cc] xt_string kernel module loaded OK"
else
    echo "[f2b-cc] WARNING: xt_string module unavailable — X-Forwarded-For iptables rules will NOT work"
    echo "[f2b-cc] Run 'modprobe xt_string' on the Docker host to fix this."
fi

# ── DOCKER-USER chain (must exist for the ban action to insert rules) ─────────
if iptables -L DOCKER-USER -n > /dev/null 2>&1; then
    echo "[f2b-cc] DOCKER-USER iptables chain found OK"
else
    echo "[f2b-cc] DOCKER-USER chain missing — creating it"
    iptables -N DOCKER-USER 2>/dev/null || true
fi

# ── First-run: install default fail2ban config if none exists ─────────────────
if [ ! -f /etc/fail2ban/jail.local ]; then
    echo "[f2b-cc] First run — installing default fail2ban configuration..."
    cp -r /etc/f2b-defaults/. /etc/fail2ban/

    # Cloudflare credentials present → use the CF-enabled jail config
    if [ -n "${CF_EMAIL}" ] && [ -n "${CF_APIKEY}" ]; then
        echo "[f2b-cc] CF_EMAIL + CF_APIKEY detected — enabling Cloudflare jail config"
        cp /etc/f2b-defaults/jail.cloudflare.local /etc/fail2ban/jail.local
    fi

    # Apply SUBNETS_TO_IGNORE from environment into jail.local's ignoreip line
    if [ -n "${SUBNETS_TO_IGNORE}" ]; then
        IGNORE_LINE="ignoreip = 127.0.0.1/8 ::1 ${SUBNETS_TO_IGNORE}"
        sed -i "s|^ignoreip = .*|${IGNORE_LINE}|" /etc/fail2ban/jail.local
        echo "[f2b-cc] ignoreip set to: 127.0.0.1/8 ::1 ${SUBNETS_TO_IGNORE}"
    fi

    echo "[f2b-cc] Default configuration installed at /etc/fail2ban/"
    echo "[f2b-cc] Edit /etc/fail2ban/jail.local to customise jails."
else
    echo "[f2b-cc] Using existing fail2ban configuration."
fi

# ── Ensure required directories and files exist ───────────────────────────────
mkdir -p /data /var/log /var/run/fail2ban

# Create fail2ban log file if it doesn't exist (prevents startup errors)
touch /var/log/fail2ban.log

# Ensure nginx-logs directory exists and has at least one file matching the glob.
# fail2ban requires a matching file to exist at startup — create a placeholder
# if NPM hasn't generated any proxy host logs yet.
mkdir -p /nginx-logs
if ! ls /nginx-logs/proxy-host-*_access.log > /dev/null 2>&1; then
    echo "[f2b-cc] No NPM logs found — creating placeholder so fail2ban can start."
    touch /nginx-logs/proxy-host-placeholder_access.log
fi

# ── Start supervisord (manages fail2ban + dashboard) ─────────────────────────
echo "[f2b-cc] Starting supervisord (fail2ban + dashboard)..."
exec /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf