FROM debian:bookworm-slim

LABEL description="dante SOCKS5 + purevpn-cli exit node"

# ── System dependencies (all in one layer so apt cache is fresh for installer) ─
RUN apt-get update && apt-get install -y --no-install-recommends \
        dante-server \
        curl wget ca-certificates \
        iproute2 iptables iputils-ping \
        netcat-openbsd procps dnsutils \
        expect \
        openvpn wireguard wireguard-tools \
        net-tools openresolv \
    && rm -rf /var/lib/apt/lists/*

# ── Stub openvpn-systemd-resolved ────────────────────────────────────────────
# This package is not in Debian repos. Its absence is what triggers purevpn-cli
# to call `sudo --install-missing-components`. A no-op stub satisfies the check.
RUN mkdir -p /usr/lib/openvpn \
    && printf '#!/bin/sh\nexit 0\n' \
        | tee /usr/local/bin/openvpn-systemd-resolved \
              /usr/lib/openvpn/openvpn-systemd-resolved > /dev/null \
    && chmod +x /usr/local/bin/openvpn-systemd-resolved \
                /usr/lib/openvpn/openvpn-systemd-resolved

# ── Install purevpn-cli ───────────────────────────────────────────────────────
RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/production/cli-install.sh \
        -o /tmp/cli-install.sh \
    && bash /tmp/cli-install.sh \
    && rm -f /tmp/cli-install.sh

# ── Inspect binary (visible in build log, remove once confirmed working) ──────
RUN echo "=== binary type ===" \
    && file /opt/purevpn-cli/bin/purevpn-cli /opt/purevpn-cli/purevpn-cli 2>/dev/null || true \
    && echo "=== bin/purevpn-cli header ===" \
    && head -3 /opt/purevpn-cli/bin/purevpn-cli 2>/dev/null || true

# ── Fake sudo wrapper ────────────────────────────────────────────────────────
# Strips --install-missing-components (crashes pkg bootstrap when combined with
# --connect) then re-runs the binary with a CLEAN environment (env -i) so that
# any env vars set by the parent purevpn-cli don't corrupt the child's pkg
# bootstrap. Prints env key names and exec'd command for diagnosis.
RUN printf '#!/bin/bash\necho "[sudo] env: $(env | cut -d= -f1 | tr "\\n" " ")"\nnew=()\nfor a in "$@"; do\n  [[ "$a" == "--install-missing-components" ]] && { echo "[sudo] stripped --install-missing-components"; continue; }\n  new+=("$a")\ndone\necho "[sudo] exec (clean env): ${new[*]}"\nexec env -i PATH="$PATH" HOME=/root USER=root "${new[@]}"\n' \
    > /usr/local/bin/sudo && chmod +x /usr/local/bin/sudo

# ── PATH ──────────────────────────────────────────────────────────────────────
ENV PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# ── Location list ─────────────────────────────────────────────────────────────
COPY servers.txt /etc/vpndock/servers.txt

# ── Entrypoint ────────────────────────────────────────────────────────────────
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

EXPOSE 1080

ENTRYPOINT ["/entrypoint.sh"]