FROM debian:bookworm-slim

LABEL description="dante SOCKS5 + purevpn-cli exit node"

# ── System dependencies ───────────────────────────────────────────────────────
RUN apt-get update && apt-get install -y --no-install-recommends \
        dante-server \
        sudo \
        curl wget ca-certificates \
        iproute2 iptables iputils-ping \
        netcat-openbsd procps dnsutils \
        expect \
        openvpn wireguard wireguard-tools \
        net-tools openresolv \
    && rm -rf /var/lib/apt/lists/*

# ── Non-root vpnuser ─────────────────────────────────────────────────────────
# purevpn-cli is designed to run as non-root; it calls sudo internally for
# privileged VPN setup. Home is /root so login tokens written by root are shared.
RUN useradd -M -d /root -s /bin/bash vpnuser

# ── Sudoers: passwordless + correct PATH for vpnuser ─────────────────────────
RUN echo "vpnuser ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers \
    && echo 'Defaults:vpnuser secure_path="/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' >> /etc/sudoers

# ── Stub openvpn-systemd-resolved ────────────────────────────────────────────
RUN mkdir -p /usr/lib/openvpn \
    && printf '#!/bin/sh\nexit 0\n' \
        | tee /usr/local/bin/openvpn-systemd-resolved \
              /usr/lib/openvpn/openvpn-systemd-resolved > /dev/null \
    && chmod +x /usr/local/bin/openvpn-systemd-resolved \
                /usr/lib/openvpn/openvpn-systemd-resolved

# ── Install purevpn-cli ───────────────────────────────────────────────────────
RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/production/cli-install.sh \
        -o /tmp/cli-install.sh \
    && bash /tmp/cli-install.sh \
    && rm -f /tmp/cli-install.sh

# ── Pre-download pured daemon + patch wrong URL in purevpn-cli binary ────────
# The binary hardcodes /cross-platform/linux-cli/production/pured-linux-x64.gz
# which returns HTTP 403. The correct URL (from the installer script) is under
# /cross-platform/linux-daemon/1.4.1/. Same-length replacement (54 bytes each).
RUN curl -fsSL "https://apps.purevpn-tools.com/cross-platform/linux-daemon/1.4.1/pured-linux-x64.gz" \
        -o /opt/purevpn-cli/pured-linux-x64.gz \
    && gzip -d /opt/purevpn-cli/pured-linux-x64.gz \
    && chmod +x /opt/purevpn-cli/pured-linux-x64
RUN python3 -c "data=open('/opt/purevpn-cli/bin/purevpn-cli','rb').read();old=b'cross-platform/linux-cli/production/pured-linux-x64.gz';new=b'cross-platform/linux-daemon/1.4.1/pured-linux-x64.gz?x';assert len(old)==len(new),f'{len(old)} vs {len(new)}';n=data.count(old);assert n>0,'pattern not found';open('/opt/purevpn-cli/bin/purevpn-cli','wb').write(data.replace(old,new));print(f'Patched {n} occurrence(s)')"

# ── Fake systemctl (pured.service) ───────────────────────────────────────────
# purevpn-cli checks `systemctl is-active pured.service` to detect missing
# components. Without systemd, this always returns inactive → endless sudo loop.
# Fake systemctl returns "active" when the daemon is reachable on :9485.
COPY systemctl.sh /usr/local/bin/systemctl
RUN chmod +x /usr/local/bin/systemctl \
    && mkdir -p /etc/systemd/system \
    && cp /opt/purevpn-cli/pured.service /etc/systemd/system/pured.service

# ── PATH ──────────────────────────────────────────────────────────────────────
ENV PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# ── Location list ─────────────────────────────────────────────────────────────
COPY servers.txt /etc/vpndock/servers.txt

# ── Entrypoint ────────────────────────────────────────────────────────────────
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

EXPOSE 1080

ENTRYPOINT ["/entrypoint.sh"]