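#!/bin/sh
# Installs Docker (if missing) and (re)launches the netip.core and
# netip.network containers from ccr.cloudnetip.com, confining them with an
# AppArmor profile when the host supports it. Must run as root on the host.
#
# Security notes for whoever deploys this:
#   * netip.core is started with --pid host, --uts host, every writable block
#     device of the host, CAP_SYS_RAWIO and (when an NVMe device exists)
#     CAP_SYS_ADMIN. The AppArmor profile below grants `file,`, `capability,`
#     and `network,` without restriction, so it limits who may ptrace/signal
#     the container, not what the container may touch on the host. Treat the
#     images as trusted host-level code.
#   * Images are pulled by tag, not by digest, and outside Arch Docker is
#     installed from a script fetched over HTTPS with no signature check.
#     Pin digests and vet the installer before using this on a host you care
#     about.
set -eu

readonly SEPARATOR="--------------------------------------------------"
readonly CORE_IMAGE="ccr.cloudnetip.com/netip/component-core:1.9.2"
readonly NETWORK_IMAGE="ccr.cloudnetip.com/netip/component-network:1.12.0"

# --- Docker -----------------------------------------------------------------
if ! command -v docker >/dev/null 2>&1; then
  if [ -f /etc/arch-release ]; then
    echo "* Docker not found. Installing via pacman..."
    # NOTE: -Sy refreshes the package database without -u, i.e. a partial
    # upgrade, which Arch does not support. Left as-is because -Syu would
    # upgrade the whole host, which the user did not ask for.
    pacman -Sy --noconfirm docker
    systemctl enable --now docker
  else
    echo "* Docker not found. Installing via get.docker.com..."
    # Download to a private temp file instead of piping curl straight into sh:
    # a truncated transfer can no longer execute half a script, and the file
    # can be inspected or checksummed before it runs. There is still no
    # signature to verify, so this trusts the TLS endpoint.
    installer=$(mktemp) || exit 1
    trap 'rm -f -- "$installer"' EXIT
    curl -fsSL https://get.docker.com -o "$installer"
    sh "$installer"
    rm -f -- "$installer"
    trap - EXIT
  fi
  echo "* Docker installed successfully"
  echo "$SEPARATOR"
fi

# --- util-linux (findmnt, lsblk) --------------------------------------------
if ! command -v findmnt >/dev/null 2>&1 || ! command -v lsblk >/dev/null 2>&1; then
  echo "* Util-linux not found. Installing..."
  if [ -f /etc/arch-release ]; then
    pacman -Sy --noconfirm util-linux
  else
    # apt-get is the stable CLI for scripts (`apt` warns about that). The
    # non-Arch branch assumes a Debian-derived host, as the original did.
    apt-get install -y util-linux
  fi
  echo "$SEPARATOR"
fi

# --- AppArmor ---------------------------------------------------------------
APPARMOR_OPT=""

# Installs and loads the "cloudnetip-components" AppArmor profile and sets
# APPARMOR_OPT to the matching `docker run` flags. Every failure path
# (AppArmor off, parser missing, not root, profile refused or not listed)
# leaves APPARMOR_OPT empty and returns 0, so the containers are still
# launched -- unconfined. Callers that require confinement must check
# APPARMOR_OPT themselves.
setup_apparmor() {
  PROFILE_NAME="cloudnetip-components"
  PROFILE_FILE="/etc/apparmor.d/${PROFILE_NAME}"
  APPARMOR_OPT=""

  if [ ! -r /sys/module/apparmor/parameters/enabled ] \
     || ! grep -qi '^Y' /sys/module/apparmor/parameters/enabled 2>/dev/null; then
    echo "* AppArmor is not active, skipping AppArmor profile"
    return 0
  fi
  if ! command -v apparmor_parser >/dev/null 2>&1; then
    echo "* AppArmor is active, but apparmor_parser not found, skipping AppArmor profile"
    return 0
  fi
  if [ "$(id -u)" != "0" ]; then
    echo "! AppArmor profile requires root, skipping AppArmor profile"
    return 0
  fi

  echo "* Installing AppArmor profile: ${PROFILE_NAME}"
  mkdir -p /etc/apparmor.d
  cat > "${PROFILE_FILE}" <<'EOF'
# NOTE(review): the #include targets were not legible in the reviewed copy of
# this script (the original had one include before the profile and two inside
# it). <tunables/global> and <abstractions/base> are what Docker's own default
# profile uses; confirm against the upstream script before relying on this.
#include <tunables/global>

profile cloudnetip-components flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Unrestricted network, capabilities and file access. This profile does not
  # constrain what the container can reach on the host; it only mediates
  # ptrace and signal delivery. Docker's docker-default profile additionally
  # carries deny rules for /proc and /sys writes -- this one does not.
  network,
  capability,
  file,
  ptrace (read, readby),
  signal (receive) peer=unconfined,
  signal (receive) peer=runc,
  signal (receive) peer=crun,
  signal (send,receive) peer=cloudnetip-components,
}
EOF

  # Load (or replace) the profile and write the cache. A refused profile is
  # reported and skipped rather than aborting the whole install under set -e,
  # matching how the other failure paths in this function behave.
  if ! apparmor_parser -r -W "${PROFILE_FILE}"; then
    echo "! AppArmor profile failed to load, skipping profile for docker run"
    return 0
  fi
  if [ -r /sys/kernel/security/apparmor/profiles ] \
     && grep -q "^${PROFILE_NAME} " /sys/kernel/security/apparmor/profiles; then
    echo "* AppArmor profile loaded: ${PROFILE_NAME}"
    APPARMOR_OPT="--security-opt apparmor=${PROFILE_NAME}"
  else
    echo "! AppArmor profile was parsed, but not found in loaded profiles, skipping profile for docker run"
  fi
}
setup_apparmor
echo "$SEPARATOR"

# Removes a container by exact name, printing "-" when it does not exist.
# `docker ps -f name=X` is a regex/substring match, so the previous
# `name=netip.core` filter would also have removed e.g. "netip.core-old";
# inspect-by-name is exact.
remove_container() {
  printf "* Killing the %s container: " "$1"
  if docker container inspect "$1" >/dev/null 2>&1; then
    docker rm -f "$1"
  else
    echo "-"
  fi
}

# --- netip.core -------------------------------------------------------------
echo "* Pull ${CORE_IMAGE}"
docker pull "${CORE_IMAGE}"
remove_container netip.core

printf "* Preparing the environment for the netip.core container: "

# Host files exposed read-only; the dpkg/apt pair is only mounted when both
# files exist. Note that `:ro` on the D-Bus socket only makes the mount
# read-only -- the socket itself is still connectable from the container,
# subject to the host's D-Bus policy.
EXTRA_VOL=""
if [ -f /etc/os-release ]; then
  EXTRA_VOL="${EXTRA_VOL} -v /etc/os-release:/etc/host-os-release:ro"
fi
if [ -f /etc/os-release ] && [ -f /var/lib/dpkg/status ] && [ -f /var/lib/apt/extended_states ]; then
  EXTRA_VOL="${EXTRA_VOL} -v /var/lib/dpkg/status:/dpkg-status:ro"
  EXTRA_VOL="${EXTRA_VOL} -v /var/lib/apt/extended_states:/apt-states:ro"
fi
if [ -S /run/dbus/system_bus_socket ]; then
  EXTRA_VOL="${EXTRA_VOL} -v /run/dbus/system_bus_socket:/run/dbus/system_bus_socket:ro"
fi

# `--gpus all` only works when the NVIDIA runtime is registered with dockerd.
if docker info 2>/dev/null | grep -q 'Runtimes.*nvidia'; then
  GPUS="--gpus all"
else
  GPUS=""
fi

# Every writable whole-disk device (lsblk RO column == 0) and every md array
# is passed through with cgroup permission "r" only, but CAP_SYS_RAWIO still
# lets the container issue raw ioctls against them. /dev/zfs keeps Docker's
# default rwm permission.
DEVICES="--cap-add SYS_RAWIO"
for dev in $(lsblk -d -n -o NAME,RO | awk '$2 == 0 { print $1 }'); do
  DEVICES="${DEVICES} --device /dev/${dev}:/dev/${dev}:r"
done
for dev in $(awk '/^md/ { print $1 }' /proc/mdstat 2>/dev/null); do
  DEVICES="${DEVICES} --device /dev/${dev}:/dev/${dev}:r"
done
if [ -e /dev/zfs ]; then
  DEVICES="${DEVICES} --device /dev/zfs:/dev/zfs"
fi
# CAP_SYS_ADMIN is added whenever an NVMe device is passed through --
# presumably for NVMe admin ioctls, which the kernel gates on that capability.
# Combined with --pid host and the permissive profile above this is close to
# host root; accept it knowingly or drop NVMe devices from the list.
case "$DEVICES" in
  */dev/nvme*) DEVICES="${DEVICES} --cap-add SYS_ADMIN" ;;
esac

# Exposes <mountpoint>/.netip-device of every real filesystem, read-only,
# under /_external/<mountpoint>. Pseudo and virtual filesystems, snap mounts
# and the root filesystem are skipped. Docker's -v creates a missing host-side
# source directory, so this leaves an empty .netip-device directory on each
# mount point it touches. findmnt -r escapes whitespace in paths as \xNN,
# which keeps the word-split loop intact but yields a literal escaped path.
MNT=$(findmnt -rDUunvo source,target \
        -t novfat,nosquashfs,notmpfs,nodevtmpfs,nofuse.lxcfs,nobpf,nofuse,noportal)
VOLUMES=""
for target in $(printf '%s\n' "$MNT" | grep '^/' | grep -v /var/snap \
                  | sort -u -k1,1 | sort -k2,2 | awk '{ print $2 }' | sed -e '/^\/$/d'); do
  VOLUMES="${VOLUMES} -v ${target}/.netip-device:/_external${target}/.netip-device:ro"
done
echo "Ok"

printf "* Launching the netip.core container: "
# Word splitting of APPARMOR_OPT/EXTRA_VOL/DEVICES/VOLUMES/GPUS is intentional:
# each holds several flags. None of their content is user-supplied.
# CONNECT_KEY=no-set-key looks like a placeholder; whatever real value is put
# here is readable via `docker inspect` and by anything sharing --pid host.
# shellcheck disable=SC2086
docker run -d --name netip.core \
  --restart always --log-driver json-file --log-opt max-size=100k $APPARMOR_OPT \
  -e CONNECT_KEY=no-set-key \
  --uts host --pid host \
  $EXTRA_VOL \
  $DEVICES $VOLUMES $GPUS \
  "${CORE_IMAGE}"
echo "$SEPARATOR"

# --- netip.network ----------------------------------------------------------
echo "* Pull ${NETWORK_IMAGE}"
docker pull "${NETWORK_IMAGE}"
remove_container netip.network

printf "* Launching the netip.network container: "
# Host networking plus CAP_NET_ADMIN: the container can reconfigure host
# interfaces, routes and firewall rules directly.
# shellcheck disable=SC2086
docker run -d --name netip.network \
  --restart always --log-driver json-file --log-opt max-size=100k $APPARMOR_OPT \
  -e CONNECT_KEY=no-set-key \
  -e FIREWALL_GROUPS='' --cap-add NET_ADMIN --network host \
  "${NETWORK_IMAGE}"
echo "$SEPARATOR"
echo "Done"
exit 0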