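#!/usr/bin/env bash
#
# Generate a fresh blocklist API token and install it on this host.
#
# Usage: $0 [CENTRAL_CONF_PATH]
#
#   CENTRAL_CONF_PATH  optional; a writable file containing a
#                      "const API_TOKEN = '...';" declaration whose value is
#                      replaced with the new token.
#
# Effects:
#   - rewrites (or creates) /etc/blocklist-sync.conf, after taking a
#     timestamped ".bak.<epoch>" copy of any existing file;
#   - optionally rewrites API_TOKEN in CENTRAL_CONF_PATH (also backed up);
#   - reloads systemd and (re)starts the blocklist-sync timer and service.
#
# The token is a secret: it is printed once for the operator, stored in the
# config file, and embedded in the request URLs below.
set -euo pipefail

DOMAIN="firewall.mycupcake.ba"
CENTRAL_CONF_PATH="${1:-}"

# Draw six decimal digits from the kernel CSPRNG.
# With pipefail, tr is normally killed by SIGPIPE once head has its six bytes;
# that status (141) would abort the script under `set -e`, so it is absorbed
# here and the result is validated explicitly instead.
TOKEN=$(LC_ALL=C tr -dc '0-9' </dev/urandom | head -c6 || true)
if [[ ! "$TOKEN" =~ ^[0-9]{6}$ ]]; then
  # Best-effort fallback kept from the original script. $RANDOM is not a
  # cryptographic source, so make the downgrade visible to the operator.
  # Two draws are combined because a single $RANDOM only spans 0..32767.
  printf 'warning: /dev/urandom unavailable; token generated from $RANDOM is predictable\n' >&2
  TOKEN=$(printf '%06d' "$(( (RANDOM * 32768 + RANDOM) % 1000000 ))")
fi
# NOTE(review): a six-digit numeric token has only 10^6 possible values. Keep
# the format in sync with whatever the server accepts, and rely on server-side
# rate limiting; lengthening it must be done on both ends together.
# NOTE(review): the token travels in the URL query string, so it will appear
# in web-server and proxy access logs.

API_URL="https://${DOMAIN}/blocklist/api.php?token=${TOKEN}"
CONF="/etc/blocklist-sync.conf"

if [[ -f "$CONF" ]]; then
  # Backups keep the previous token and the previous file mode (cp -a).
  cp -a -- "$CONF" "${CONF}.bak.$(date +%s)"
  # TOKEN is validated as digits and DOMAIN is a constant, so API_URL cannot
  # contain the sed delimiter '|' or the replacement metacharacter '&'.
  if grep -qE '^\s*API_URL=' "$CONF"; then
    sed -ri "s|^\s*API_URL=.*|API_URL='${API_URL}'|" "$CONF"
  else
    echo "API_URL='${API_URL}'" >> "$CONF"
  fi
  # NOTE(review): only API_URL is rewritten here; any RDNS_PATTERNS_URL /
  # RDNS_REPORT_URL lines already in the file keep their old token - confirm
  # whether that is intended.
else
  # The file embeds the API token, so create it owner-only from the start
  # rather than world-readable.
  # NOTE(review): if blocklist-sync runs as a non-root user, grant access via
  # a dedicated group (0640) instead of reverting to 0644.
  old_umask=$(umask)
  umask 077
  cat > "$CONF" <<EOF
API_URL='${API_URL}'
STATE_DIR='/var/lib/blocklist-sync'
NFT_TABLE='inet blocklist'
NFT_SET_V4='blocked_ipv4'
NFT_SET_V6='blocked_ipv6'
LOG_TAG='blocklist-sync'
RDNS_ENABLE=true
RDNS_PATTERNS_URL='https://${DOMAIN}/blocklist/api.php?token=${TOKEN}&fmt=patterns'
RDNS_SCAN_SOCKETS=true
RDNS_SCAN_LOGS=true
LOG_PATHS='/var/log/nginx/access.log /var/log/apache2/access.log'
LOG_TAIL_LINES=200
RDNS_MAX_LOOKUPS=200
RDNS_DNS_CMD='dig -x %IP% +short'
RDNS_TIMEOUT=1
RDNS_AUTO_REPORT=true
RDNS_REPORT_URL='https://${DOMAIN}/blocklist/report.php?token=${TOKEN}'
EOF
  umask "$old_umask"
  chmod 600 "$CONF"
fi

# Shown once so the operator can configure the server side; avoid capturing
# this output in shared logs.
echo "Generated token: ${TOKEN}"
echo "Updated API_URL in $CONF"

if [[ -n "$CENTRAL_CONF_PATH" ]]; then
  if [[ -f "$CENTRAL_CONF_PATH" && -w "$CENTRAL_CONF_PATH" ]]; then
    # '--' keeps a caller-supplied path that begins with '-' from being
    # parsed as an option.
    cp -a -- "$CENTRAL_CONF_PATH" "${CENTRAL_CONF_PATH}.bak.$(date +%s)"
    # Slurp the whole file (-0777) so the declaration may span lines; only the
    # first match is replaced. TOKEN is digits-only, so interpolating it into
    # the Perl expression is safe.
    perl -0777 -i -pe "s/const\s+API_TOKEN\s*=\s*'[^']*'\s*;/const API_TOKEN = '${TOKEN}';/s" -- "$CENTRAL_CONF_PATH"
    # NOTE(review): this message is printed even if no API_TOKEN declaration
    # matched; verify the file after the first run.
    echo "API_TOKEN updated in $CENTRAL_CONF_PATH"
  else
    echo "Cannot write central config at $CENTRAL_CONF_PATH (skipping)" >&2
  fi
fi

# Service management is best-effort: a host without the units installed yet
# should still end up with a valid config file.
systemctl daemon-reload || true
systemctl restart blocklist-sync.timer || true
systemctl start blocklist-sync.service || true
journalctl -u blocklist-sync.service -n 20 --no-pager || true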
