FROM debian:bookworm-slim

LABEL description="dante SOCKS5 + purevpn-cli exit node"

# ── System dependencies (all in one layer so apt cache is fresh for installer) ─
RUN apt-get update && apt-get install -y --no-install-recommends \
        dante-server \
        curl wget ca-certificates \
        iproute2 iptables iputils-ping \
        netcat-openbsd procps dnsutils \
        expect \
        openvpn wireguard wireguard-tools \
        net-tools openresolv \
    && rm -rf /var/lib/apt/lists/*

# ── Stub openvpn-systemd-resolved ────────────────────────────────────────────
# This package is not in Debian repos. Its absence is what triggers purevpn-cli
# to call `sudo --install-missing-components`. A no-op stub satisfies the check.
RUN mkdir -p /usr/lib/openvpn \
    && printf '#!/bin/sh\nexit 0\n' \
        | tee /usr/local/bin/openvpn-systemd-resolved \
              /usr/lib/openvpn/openvpn-systemd-resolved > /dev/null \
    && chmod +x /usr/local/bin/openvpn-systemd-resolved \
                /usr/lib/openvpn/openvpn-systemd-resolved

# ── Install purevpn-cli ───────────────────────────────────────────────────────
RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/production/cli-install.sh \
        -o /tmp/cli-install.sh \
    && bash /tmp/cli-install.sh \
    && rm -f /tmp/cli-install.sh

# ── Fake sudo wrapper ────────────────────────────────────────────────────────
# Unsets PKG_EXECPATH so the child's pkg bootstrap starts fresh instead of
# treating argv[1] as a Node.js module path. Depth guard stops recursion.
COPY sudo-wrapper.sh /usr/local/bin/sudo
RUN chmod +x /usr/local/bin/sudo

# ── PATH ──────────────────────────────────────────────────────────────────────
ENV PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# ── Pre-install VPN components so runtime never needs sudo ───────────────────
# Runs the binary as root during build; it calls our sudo wrapper (depth 1),
# which correctly invokes the child. Connection attempt will fail (no auth),
# but component files get written to stable paths and persist in the image.
RUN purevpn-cli --connect US --install-missing-components 2>&1 || true

# ── Location list ─────────────────────────────────────────────────────────────
COPY servers.txt /etc/vpndock/servers.txt

# ── Entrypoint ────────────────────────────────────────────────────────────────
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

EXPOSE 1080

ENTRYPOINT ["/entrypoint.sh"]