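#!/bin/bash
# Deploy the cgit container behind a dedicated public IP.
#
# Steps: create the podman network if missing, recreate the container,
# rebuild /git/.ssh/authorized_keys from the *.pub files in that directory,
# then install nftables DNAT/SNAT rules mapping PUBLIC_IP <-> PRIVATE_IP.
#
# Configuration is read from config.env next to this script; it must define
# NETWORK, PRIVATE_SUBNET, PRIVATE_IP, PUBLIC_IP, CONTAINER_NAME and DOMAIN.
# Needs root (podman network, ip route, nft).
set -euo pipefail

readonly SCRIPT_DIR="$(dirname "$0")"
readonly CONFIG_FILE="${SCRIPT_DIR}/config.env"
readonly SSH_DIR=/git/.ssh
readonly AUTH_KEYS="${SSH_DIR}/authorized_keys"

# Load config
# shellcheck source=/dev/null
source "${CONFIG_FILE}"

# Fail early with a clear message if config.env is incomplete. Every one of
# these becomes a podman/ip/nft argument; an empty value would either error
# out much later or produce a wrong rule.
: "${NETWORK:?NETWORK must be set in ${CONFIG_FILE}}"
: "${PRIVATE_SUBNET:?PRIVATE_SUBNET must be set in ${CONFIG_FILE}}"
: "${PRIVATE_IP:?PRIVATE_IP must be set in ${CONFIG_FILE}}"
: "${PUBLIC_IP:?PUBLIC_IP must be set in ${CONFIG_FILE}}"
: "${CONTAINER_NAME:?CONTAINER_NAME must be set in ${CONFIG_FILE}}"
: "${DOMAIN:?DOMAIN must be set in ${CONFIG_FILE}}"

#######################################
# Delete every rule in an nft chain whose listing line matches a pattern.
# Arguments: $1 - family (ip/inet), $2 - table, $3 - chain,
#            $4 - grep pattern selecting the rules to remove
# Returns:   0; a chain that does not exist or has no match is not an error
#######################################
delete_matching_rules() {
  local family=$1 table=$2 chain=$3 pattern=$4
  local handle
  # `grep` exits 1 when nothing matches; that is the normal "no stale rules"
  # case, so it must not trip set -e / pipefail.
  while IFS= read -r handle; do
    nft delete rule "${family}" "${table}" "${chain}" handle "${handle}"
  done < <(nft -a list chain "${family}" "${table}" "${chain}" 2>/dev/null \
             | { grep -- "${pattern}" || true; } \
             | { grep -oP 'handle \K\d+' || true; })
}

# Create network if not exists
if ! podman network exists "${NETWORK}"; then
  printf 'Creating network: %s (subnet: %s)\n' "${NETWORK}" "${PRIVATE_SUBNET}"
  podman network create --subnet="${PRIVATE_SUBNET}" "${NETWORK}"
else
  printf 'Network exists: %s\n' "${NETWORK}"
fi

# Stop existing container if running (errors are expected on first run)
podman stop "${CONTAINER_NAME}" 2>/dev/null || true
podman rm "${CONTAINER_NAME}" 2>/dev/null || true
ip route del "${PUBLIC_IP}/32" 2>/dev/null || true

# Rebuild authorized_keys from .pub files. The subshell sets umask 077 so the
# file is never created with group/world permissions, not even briefly before
# the chmod below; nullglob makes "no .pub files" an explicit, warned-about
# case instead of a silently failing literal glob.
mkdir -p "${SSH_DIR}"
rm -f -- "${AUTH_KEYS}"
(
  umask 077
  shopt -s nullglob
  pubs=("${SSH_DIR}"/*.pub)
  if (( ${#pubs[@]} == 0 )); then
    printf 'warning: no %s/*.pub files found; authorized_keys will be empty\n' "${SSH_DIR}" >&2
    : > "${AUTH_KEYS}"
  else
    cat -- "${pubs[@]}" > "${AUTH_KEYS}"
  fi
)
chmod 600 "${AUTH_KEYS}"

# Build image
printf 'Building image...\n'
podman build -t cgit "${SCRIPT_DIR}"

# Run container
# NET_ADMIN: reason not visible here (presumably the container manages its
# own network config) — TODO confirm it is still required.
podman run -d \
  --init \
  --name "${CONTAINER_NAME}" \
  --network "${NETWORK}" \
  --ip "${PRIVATE_IP}" \
  --cap-add=NET_ADMIN \
  --pids-limit=100 \
  --env-file "${CONFIG_FILE}" \
  -v "${CONTAINER_NAME}_data:/data" \
  -v /git:/git \
  localhost/cgit

# Setup public IP via DNAT/SNAT
# The pause gives the network backend time to finish wiring the container
# before the bridge name is read (empirical; no readiness signal is used).
sleep 2
OIFACE=$(ip route show default | awk '{print $5; exit}')
BRIDGE=$(podman network inspect "${NETWORK}" 2>/dev/null \
  | python3 -c "import json,sys; print(json.load(sys.stdin)[0]['network_interface'])")
# An empty interface name would yield malformed or over-broad nft rules.
[[ -n "${OIFACE}" ]] || { printf 'error: no default route interface found\n' >&2; exit 1; }
[[ -n "${BRIDGE}" ]] || { printf 'error: no bridge interface for network %s\n' "${NETWORK}" >&2; exit 1; }

# Clean up any stale rules for this IP (patterns match the `nft -a list`
# output format; the trailing space after the address avoids prefix matches
# such as 10.0.0.1 vs 10.0.0.10)
delete_matching_rules ip nat PREROUTING "daddr ${PUBLIC_IP} "
delete_matching_rules ip nat POSTROUTING "snat to ${PUBLIC_IP}"
delete_matching_rules inet netavark FORWARD "daddr ${PRIVATE_IP} "
delete_matching_rules ip nat POSTROUTING "daddr ${PRIVATE_IP}.*masquerade"
ip route del "${PUBLIC_IP}" 2>/dev/null || true

# Assumes the `ip nat` table with PREROUTING/POSTROUTING chains and the
# `inet netavark` FORWARD chain already exist (created outside this script).
# The DNAT rule forwards every protocol and port arriving at PUBLIC_IP to the
# container; narrow it with a `tcp dport { ... }` match if only specific
# services should be reachable.
nft add rule ip nat PREROUTING ip daddr "${PUBLIC_IP}" dnat to "${PRIVATE_IP}"
nft add rule ip nat POSTROUTING ip saddr "${PRIVATE_IP}" oifname "${OIFACE}" snat to "${PUBLIC_IP}"
nft insert rule inet netavark FORWARD ip daddr "${PRIVATE_IP}" oifname "${BRIDGE}" accept
# Hairpin: traffic from the private subnet to the container's own address
# is masqueraded so replies come back through the bridge.
nft add rule ip nat POSTROUTING ip saddr "${PRIVATE_SUBNET}" ip daddr "${PRIVATE_IP}" oifname "${BRIDGE}" masquerade

printf 'Running at https://%s/\n' "${DOMAIN}"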