#!/usr/bin/env bash
#
# sync_local_hosts.sh - Sync local madagascar DNS records to jumper and as01.
#

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
CONFIG_FILE="$PROJECT_DIR/config/local-hosts.tsv"
JUMPER_HOST="jumper.madagascar.xdev.ro"
AS01="admin@192.168.2.2"
APPLY=false
VERIFY=false
TARGET="all"
NEGATIVE_NAME="nohost.madagascar.xdev.ro"

usage() {
    cat << EOF
Usage: $0 [--apply] [--verify] [--target all|jumper|as01] [-c file]

Default mode is dry-run. Use --apply to change remote resolvers.

Examples:
  $0
  $0 --apply --verify
  $0 --target as01 --apply
EOF
}

log() {
    printf '[INFO] %s\n' "$*"
}

die() {
    printf '[ERROR] %s\n' "$*" >&2
    exit 1
}

while [[ $# -gt 0 ]]; do
    case "$1" in
        --apply) APPLY=true; shift ;;
        --verify) VERIFY=true; shift ;;
        --target) TARGET="${2:-}"; shift 2 ;;
        -c|--config) CONFIG_FILE="${2:-}"; shift 2 ;;
        -h|--help) usage; exit 0 ;;
        *) die "Unknown option: $1" ;;
    esac
done

case "$TARGET" in
    all|jumper|is-vpn-gw|as01) ;;
    *) die "Invalid target: $TARGET" ;;
esac

if [[ "$TARGET" == "is-vpn-gw" ]]; then
    log "Target is-vpn-gw is deprecated; use jumper"
    TARGET="jumper"
fi

[[ -f "$CONFIG_FILE" ]] || die "Missing config file: $CONFIG_FILE"

WORK_DIR="$(mktemp -d)"
trap 'rm -rf "$WORK_DIR"' EXIT

HOSTS_ROWS="$WORK_DIR/hosts.rows"
CLOAK_ROWS="$WORK_DIR/cloak.rows"
NAMES_FILE="$WORK_DIR/names.txt"
MIKROTIK_RSC="$WORK_DIR/as01.rsc"
VERIFY_ROWS="$WORK_DIR/verify.rows"

touch "$HOSTS_ROWS" "$CLOAK_ROWS" "$NAMES_FILE" "$MIKROTIK_RSC" "$VERIFY_ROWS"

quote_ros() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

is_local_jumper() {
    local host_name
    host_name="$(hostname -f 2>/dev/null || hostname 2>/dev/null || true)"
    [[ "$host_name" == "jumper.madagascar.xdev.ro" ]] && return 0
    ip addr show 2>/dev/null | grep -q '192\.168\.2\.100' && return 0
    return 1
}

run_jumper_payload() {
    local remote_dir="$1"
    if is_local_jumper; then
        REMOTE_DIR="$remote_dir" bash -s
    else
        ssh "$JUMPER_HOST" "REMOTE_DIR='$remote_dir' bash -s"
    fi
}

while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -z "${line//[[:space:]]/}" ]] && continue
    [[ "$line" =~ ^[[:space:]]*# ]] && continue

    read -r hosts_ip dns_ip names <<< "$line"
    [[ -n "${hosts_ip:-}" && -n "${dns_ip:-}" && -n "${names:-}" ]] || die "Invalid row: $line"

    printf '%s   %s\n' "$hosts_ip" "$names" >> "$HOSTS_ROWS"

    for name in $names; do
        printf '%s\n' "$name" >> "$NAMES_FILE"
        printf '%-40s %s\n' "$name" "$dns_ip" >> "$CLOAK_ROWS"
        if [[ "$name" == *.xdev.ro ]]; then
            printf '%s %s\n' "$name" "$dns_ip" >> "$VERIFY_ROWS"
        fi

        ros_name="$(quote_ros "$name")"
        ros_ip="$(quote_ros "$dns_ip")"
        {
            printf '/ip dns static remove [find name="%s"]\n' "$ros_name"
            printf '/ip dns static add name="%s" type=A address=%s comment="xdev-local managed"\n' "$ros_name" "$ros_ip"
        } >> "$MIKROTIK_RSC"
    done
done < "$CONFIG_FILE"

sort -u "$NAMES_FILE" -o "$NAMES_FILE"
printf '/ip dns cache flush\n' >> "$MIKROTIK_RSC"
printf ':put "xdev local dns sync complete"\n' >> "$MIKROTIK_RSC"

sync_jumper() {
    if ! $APPLY; then
        log "Dry-run for $JUMPER_HOST: generated /etc/hosts block"
        sed -n '1,80p' "$HOSTS_ROWS"
        log "Dry-run for $JUMPER_HOST: generated cloaking-rules block"
        sed -n '1,120p' "$CLOAK_ROWS"
        return
    fi

    log "Syncing $JUMPER_HOST"
    remote_dir="/tmp/xdev-local-dns.$$"
    if is_local_jumper; then
        mkdir -p "$remote_dir"
        cp "$HOSTS_ROWS" "$CLOAK_ROWS" "$NAMES_FILE" "$remote_dir/"
    else
        ssh "$JUMPER_HOST" "mkdir -p '$remote_dir'"
        scp "$HOSTS_ROWS" "$CLOAK_ROWS" "$NAMES_FILE" "$JUMPER_HOST:$remote_dir/" >/dev/null
    fi
    run_jumper_payload "$remote_dir" <<'REMOTE'
set -euo pipefail
stamp="$(date +%Y%m%d_%H%M%S)"
cp /etc/hosts "/etc/hosts.bak.$stamp"
cp /etc/dnscrypt-proxy/cloaking-rules.txt "/etc/dnscrypt-proxy/cloaking-rules.txt.bak.$stamp"

awk '
    NR == FNR { names[$1] = 1; next }
    /^# BEGIN XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 1; next }
    /^# END XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 0; next }
    in_managed { next }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
    {
        keep = 1
        for (i = 2; i <= NF; i++) {
            if ($i in names) keep = 0
        }
        if (keep) print
    }
' "$REMOTE_DIR/names.txt" /etc/hosts > "$REMOTE_DIR/hosts.new"
{
    cat "$REMOTE_DIR/hosts.new"
    printf "\n# BEGIN XDEV LOCAL DNS MANAGED BLOCK\n"
    cat "$REMOTE_DIR/hosts.rows"
    printf "# END XDEV LOCAL DNS MANAGED BLOCK\n"
} > /etc/hosts

awk '
    NR == FNR { names[$1] = 1; next }
    /^# BEGIN XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 1; next }
    /^# END XDEV LOCAL DNS MANAGED BLOCK/ { in_managed = 0; next }
    in_managed { next }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
    {
        if (!($1 in names)) print
    }
' "$REMOTE_DIR/names.txt" /etc/dnscrypt-proxy/cloaking-rules.txt > "$REMOTE_DIR/cloak.new"
{
    cat "$REMOTE_DIR/cloak.new"
    printf "\n# BEGIN XDEV LOCAL DNS MANAGED BLOCK\n"
    cat "$REMOTE_DIR/cloak.rows"
    printf "# END XDEV LOCAL DNS MANAGED BLOCK\n"
} > /etc/dnscrypt-proxy/cloaking-rules.txt

resolved_backup=""
if ! grep -Eq '^ReadEtcHosts=no$' /etc/systemd/resolved.conf; then
    cp /etc/systemd/resolved.conf "/etc/systemd/resolved.conf.bak.$stamp"
    resolved_backup=" /etc/systemd/resolved.conf.bak.$stamp"
    if grep -Eq '^ReadEtcHosts=' /etc/systemd/resolved.conf; then
        sed -i 's/^ReadEtcHosts=.*/ReadEtcHosts=no/' /etc/systemd/resolved.conf
    else
        printf "\nReadEtcHosts=no\n" >> /etc/systemd/resolved.conf
    fi
fi

if grep -Eq '^DNSStubListenerExtra=' /etc/systemd/resolved.conf; then
    if [[ -z "$resolved_backup" ]]; then
        cp /etc/systemd/resolved.conf "/etc/systemd/resolved.conf.bak.$stamp"
        resolved_backup=" /etc/systemd/resolved.conf.bak.$stamp"
    fi
    sed -i 's/^DNSStubListenerExtra=/#DNSStubListenerExtra=/' /etc/systemd/resolved.conf
fi

dnscrypt_resolved_conf="/etc/systemd/resolved.conf.d/20-dnscrypt.conf"
mkdir -p /etc/systemd/resolved.conf.d
if [[ ! -f "$dnscrypt_resolved_conf" ]] || ! grep -Eq '^DNS=127\.0\.0\.1:5300$' "$dnscrypt_resolved_conf"; then
    if [[ -f "$dnscrypt_resolved_conf" ]]; then
        cp "$dnscrypt_resolved_conf" "$dnscrypt_resolved_conf.bak.$stamp"
        resolved_backup="$resolved_backup $dnscrypt_resolved_conf.bak.$stamp"
    fi
    cat > "$dnscrypt_resolved_conf" <<'EOF'
[Resolve]
# Send LAN DNS traffic through dnscrypt-proxy so cloaking-rules are authoritative locally.
DNS=127.0.0.1:5300
FallbackDNS=
EOF
fi

dnscrypt_conf="/etc/dnscrypt-proxy/dnscrypt-proxy.toml"
expected_listen="listen_addresses = ['127.0.0.1:5300', '192.168.2.100:53']"
dnscrypt_backup=""
if ! grep -Fqx "$expected_listen" "$dnscrypt_conf"; then
    cp "$dnscrypt_conf" "$dnscrypt_conf.bak.$stamp"
    dnscrypt_backup=" $dnscrypt_conf.bak.$stamp"
    sed -i "s|^listen_addresses = .*|$expected_listen|" "$dnscrypt_conf"
fi

allowed_names_file="/etc/dnscrypt-proxy/allowed-names.txt"
if ! grep -Eq "^allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'$" "$dnscrypt_conf"; then
    if [[ -z "$dnscrypt_backup" ]]; then
        cp "$dnscrypt_conf" "$dnscrypt_conf.bak.$stamp"
        dnscrypt_backup=" $dnscrypt_conf.bak.$stamp"
    fi
    if grep -Eq '^[#[:space:]]*allowed_names_file =' "$dnscrypt_conf"; then
        sed -i "s|^[#[:space:]]*allowed_names_file = .*|allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'|" "$dnscrypt_conf"
    else
        sed -i "/^\\[allowed_names\\]/a allowed_names_file = '/etc/dnscrypt-proxy/allowed-names.txt'" "$dnscrypt_conf"
    fi
fi

for allowed_name in google.com www.google.com; do
    grep -Fxq "$allowed_name" "$allowed_names_file" || printf "%s\n" "$allowed_name" >> "$allowed_names_file"
done

resolvectl flush-caches || true
systemctl restart systemd-resolved

systemctl restart dnscrypt-proxy
rm -rf "$REMOTE_DIR"
printf "backups: /etc/hosts.bak.%s /etc/dnscrypt-proxy/cloaking-rules.txt.bak.%s%s%s\n" "$stamp" "$stamp" "$resolved_backup" "$dnscrypt_backup"
REMOTE
}

sync_as01() {
    if ! $APPLY; then
        log "Dry-run for as01: generated RouterOS commands"
        sed -n '1,160p' "$MIKROTIK_RSC"
        return
    fi

    log "Syncing as01"
    ssh "$AS01" "/ip dns static remove [find comment=\"xdev-local managed\"]"$'\n'"$(cat "$MIKROTIK_RSC")"
}

verify_resolver() {
    local resolver="$1"
    local failures=0

    log "Verifying resolver $resolver"
    while read -r name expected_ip; do
        answers="$(dig @"$resolver" "$name" +short || true)"
        if ! grep -Fxq "$expected_ip" <<< "$answers"; then
            compact_answers="$(paste -s -d ',' - <<< "$answers")"
            printf '[FAIL] %s %s expected %s got %s\n' "$resolver" "$name" "$expected_ip" "${compact_answers:-<empty>}" >&2
            failures=$((failures + 1))
        fi
    done < "$VERIFY_ROWS"

    dns_status="$(dig @"$resolver" "$NEGATIVE_NAME" +noall +comments | awk '/status:/ {print $6}' | tr -d ',' || true)"
    if [[ "$dns_status" != "NXDOMAIN" ]]; then
        printf '[FAIL] %s %s expected NXDOMAIN got %s\n' "$resolver" "$NEGATIVE_NAME" "${dns_status:-<empty>}" >&2
        failures=$((failures + 1))
    fi

    [[ "$failures" -eq 0 ]]
}

if $APPLY || ! $VERIFY; then
    case "$TARGET" in
        all)
            sync_jumper
            sync_as01
            ;;
        jumper) sync_jumper ;;
        as01) sync_as01 ;;
    esac
fi

if $VERIFY; then
    case "$TARGET" in
        all)
            verify_resolver 192.168.2.100
            verify_resolver 192.168.2.2
            ;;
        jumper) verify_resolver 192.168.2.100 ;;
        as01) verify_resolver 192.168.2.2 ;;
    esac
fi