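#!/usr/bin/env bash
# Deploys sing-box proxy server on VPS.
#
# Config generated by https://github.com/yonggekkk/sing-box-yg — run that
# script once interactively to create /etc/s-box/sb.json, certs, and keys.
# Then commit the generated files into infra for future re-deployment.
#
# private.key is secret key material and sb.json may hold credentials, so the
# repository they are committed to has to be access-controlled (or the files
# stored encrypted); anyone who can read them can impersonate this server.
#
# Usage: INFRA_DIR=/path/to/infra/services/sing-box/server ./deploy.sh
#
# Environment (read from $INFRA_DIR/.env):
#   SING_BOX_VERSION  required; release version to download (no leading "v")
#   SING_BOX_SHA256   optional; expected SHA-256 of the release tarball. When
#                     set, the download is rejected on mismatch.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../../../bin/lib/common.sh"

# Resolve the default once: the copy loop below reads INFRA_DIR directly and
# would abort under `set -u` if only ENV_FILE applied the fallback.
INFRA_DIR="${INFRA_DIR:-.}"

ENV_FILE="${INFRA_DIR}/.env"
[ -f "$ENV_FILE" ] || { log_error "No .env found at $ENV_FILE"; exit 1; }
set -a; source "$ENV_FILE"; set +a

require_env SING_BOX_VERSION

INSTALL_DIR="/etc/s-box"
BIN="$INSTALL_DIR/sing-box"

# An existing binary is kept as-is, whatever version it is.
if [[ -x "$BIN" ]]; then
  log_info "sing-box already at $BIN, skipping download"
else
  log_info "Downloading sing-box ${SING_BOX_VERSION}..."

  # The version is interpolated into a URL and a filesystem path; refuse
  # anything that could smuggle in path separators or whitespace.
  version_re='^[0-9A-Za-z.+-]+$'
  if [[ ! "$SING_BOX_VERSION" =~ $version_re ]]; then
    log_error "Invalid SING_BOX_VERSION: $SING_BOX_VERSION"
    exit 1
  fi

  # Run the download in a subshell so its EXIT trap removes the temp dir on
  # every exit path without replacing any trap the parent shell may hold.
  (
    ARCH="$(uname -m)"
    case "$ARCH" in
      x86_64) ARCH="amd64" ;;
      aarch64) ARCH="arm64" ;;
      *) log_error "Unsupported arch: $ARCH"; exit 1 ;;
    esac

    URL="https://github.com/SagerNet/sing-box/releases/download/v${SING_BOX_VERSION}/sing-box-${SING_BOX_VERSION}-linux-${ARCH}.tar.gz"

    TMP="$(mktemp -d)"
    trap 'rm -rf -- "$TMP"' EXIT

    wget -qO "$TMP/sing-box.tar.gz" "$URL"

    # The binary is installed root-owned and run by a root service, so pin
    # the tarball to a known digest when one is configured.
    if [[ -n "${SING_BOX_SHA256:-}" ]]; then
      actual="$(sha256sum "$TMP/sing-box.tar.gz" | awk '{print $1}')"
      if [[ "$actual" != "${SING_BOX_SHA256,,}" ]]; then
        log_error "SHA-256 mismatch for $URL (got $actual)"
        exit 1
      fi
    else
      log_info "SING_BOX_SHA256 not set; tarball integrity not verified"
    fi

    tar -xf "$TMP/sing-box.tar.gz" -C "$TMP"
    mkdir -p "$INSTALL_DIR"
    install -m 755 "$TMP/sing-box-${SING_BOX_VERSION}-linux-${ARCH}/sing-box" "$BIN"
  )
fi

log_info "Deploying config from INFRA_DIR..."
for f in sb.json cert.pem private.key public.key; do
  src="${INFRA_DIR}/$f"
  [[ -f "$src" ]] || continue

  # Set modes explicitly instead of inheriting them from the checkout: the
  # private key and the config are readable by root only (the service runs
  # as root), while the certificate and public key stay world-readable.
  case "$f" in
    cert.pem | public.key) mode=644 ;;
    *) mode=600 ;;
  esac
  install -m "$mode" -- "$src" "$INSTALL_DIR/$f"
  log_info "  copied $f"
done

# ExecStart below points at this file; stop here rather than enabling a unit
# that would fail and restart every 10 seconds.
if [[ ! -f "$INSTALL_DIR/sb.json" ]]; then
  log_error "No sb.json in $INFRA_DIR or $INSTALL_DIR"
  exit 1
fi

log_info "Installing systemd service..."
# Quoted delimiter: $MAINPID must reach systemd unexpanded.
cat > /etc/systemd/system/sing-box.service <<'EOF'
[Unit]
After=network.target nss-lookup.target

[Service]
User=root
WorkingDirectory=/root
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW
ExecStart=/etc/s-box/sing-box run -c /etc/s-box/sb.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=10
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now sing-box

log_info "sing-box server deployed"
echo ""
# The command printed below fetches a script from the tip of a third-party
# branch and executes it directly; read the script (or pin a reviewed commit)
# before running it on the VPS.
echo "Note: initial config must be generated via sing-box-yg:"
echo "  bash <(curl -Ls https://raw.githubusercontent.com/yonggekkk/sing-box-yg/main/sb.sh)"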