#!/bin/sh
# proxy-vm/docker-entrypoint.sh
# Generates nginx config fragments from environment variables at container start.
set -e

CONF_DIR="/etc/nginx/conf.d"
mkdir -p "${CONF_DIR}"

# --- 1. Generate IP allowlist (geo block) ---
ALLOWLIST_FILE="${CONF_DIR}/allowlist.conf"

if [ -z "${ALLOWED_CIDR}" ]; then
    # Dev mode: allow all IPs
    cat > "${ALLOWLIST_FILE}" <<'GEO'
geo $allowed_ip {
    default 1;
}
GEO
    echo "[entrypoint] ALLOWED_CIDR is empty — allowing all IPs (dev mode)"
else
    # Build geo block from comma-separated CIDRs
    {
        echo 'geo $allowed_ip {'
        echo '    default 0;'
        echo "${ALLOWED_CIDR}" | tr ',' '\n' | while read -r cidr; do
            cidr=$(echo "${cidr}" | xargs)  # trim whitespace
            [ -n "${cidr}" ] && echo "    ${cidr} 1;"
        done
        echo '}'
    } > "${ALLOWLIST_FILE}"
    echo "[entrypoint] IP allowlist configured: ${ALLOWED_CIDR}"
fi

# --- 2. Generate token auth (map block) ---
AUTH_FILE="${CONF_DIR}/auth.conf"

if [ -z "${PROXY_SECRET}" ]; then
    echo "[entrypoint] WARNING: PROXY_SECRET is not set — all requests will be rejected!"
    cat > "${AUTH_FILE}" <<'MAP'
map $http_x_proxy_token $auth_ok {
    default 0;
}
MAP
else
    cat > "${AUTH_FILE}" <<MAP
map \$http_x_proxy_token \$auth_ok {
    default          0;
    "${PROXY_SECRET}" 1;
}
MAP
    echo "[entrypoint] Token auth configured"
fi

# --- 3. Start nginx ---
echo "[entrypoint] Starting nginx..."
exec nginx -g 'daemon off;'