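#!/bin/bash
# ── F2B Control Center — container entrypoint ────────────────────────────────
# Handles first-run initialisation, then hands off to supervisord.
#
# Environment:
#   SUBNETS_TO_IGNORE  optional; space/comma separated addresses, CIDR ranges
#                      or host names appended to fail2ban's ignoreip on the
#                      first run only. Every entry is exempt from banning, so
#                      keep the list as narrow as the deployment allows.
# ─────────────────────────────────────────────────────────────────────────────
set -e

echo "[f2b-cc] Starting F2B Control Center..."

# ── First-run: install default fail2ban config if none exists ─────────────────
if [ ! -f /etc/fail2ban/jail.local ]; then
    # Validate before anything is copied: once jail.local exists, later starts
    # skip this branch, so a failure after the copy would leave the default
    # ignoreip in place with no second attempt.
    # The value is spliced into a sed replacement that uses '|' as delimiter;
    # characters such as '|', '&', '\' or a newline would corrupt the
    # expression or the resulting line, so only address-like characters pass.
    allowed_re='^[A-Za-z0-9.:/_ ,-]+$'
    if [ -n "${SUBNETS_TO_IGNORE:-}" ] && ! [[ "${SUBNETS_TO_IGNORE}" =~ ${allowed_re} ]]; then
        echo "[f2b-cc] ERROR: SUBNETS_TO_IGNORE contains unsupported characters." >&2
        echo "[f2b-cc]        Allowed: letters, digits and . : / _ - , space" >&2
        exit 1
    fi

    echo "[f2b-cc] First run — installing default fail2ban configuration..."
    # Note: cp overwrites any same-named files already present in
    # /etc/fail2ban/ (e.g. a mounted directory that lacks only jail.local).
    cp -r /etc/f2b-defaults/. /etc/fail2ban/

    # Apply SUBNETS_TO_IGNORE from environment into jail.local's ignoreip line
    if [ -n "${SUBNETS_TO_IGNORE:-}" ]; then
        IGNORE_LINE="ignoreip = 127.0.0.1/8 ::1 ${SUBNETS_TO_IGNORE}"
        sed -i "s|^ignoreip = .*|${IGNORE_LINE}|" /etc/fail2ban/jail.local

        # sed exits 0 even when no line matched; confirm the allowlist really
        # landed in the file before reporting it as applied.
        if grep -qxF -- "${IGNORE_LINE}" /etc/fail2ban/jail.local; then
            echo "[f2b-cc] ignoreip set to: 127.0.0.1/8 ::1 ${SUBNETS_TO_IGNORE}"
        else
            echo "[f2b-cc] WARNING: no 'ignoreip = ' line found in jail.local;" >&2
            echo "[f2b-cc]          SUBNETS_TO_IGNORE was NOT applied." >&2
        fi
    fi

    echo "[f2b-cc] Default configuration installed at /etc/fail2ban/"
    echo "[f2b-cc] Edit /etc/fail2ban/jail.local to customise jails."
else
    echo "[f2b-cc] Using existing fail2ban configuration."
fi

# ── Ensure required directories and files exist ───────────────────────────────
mkdir -p /data /var/log /var/run/fail2ban

# Create fail2ban log file if it doesn't exist (prevents startup errors)
touch /var/log/fail2ban.log

# Ensure nginx-logs directory exists (warn if empty/unmounted)
if [ ! -d /nginx-logs ] || [ -z "$(ls -A /nginx-logs 2>/dev/null)" ]; then
    echo "[f2b-cc] WARNING: /nginx-logs appears empty or unmounted."
    echo "[f2b-cc]   Set NPM_LOG_DIR in .env and mount your NPM log directory."
    echo "[f2b-cc]   Log scanning will not return results until logs are available."
    mkdir -p /nginx-logs
fi

# ── Start supervisord (manages fail2ban + dashboard) ─────────────────────────
echo "[f2b-cc] Starting supervisord (fail2ban + dashboard)..."
# exec replaces this shell so supervisord receives the container's signals
# directly; -n keeps it in the foreground.
exec /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf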