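#!/bin/bash
#
# Container entrypoint for an SFTP server whose upload directory lives on a
# LUKS2-encrypted loop image.  On start it creates the image if it does not
# exist, opens the LUKS volume, creates/mounts an ext4 filesystem on it, exposes
# it at the SFTP user's upload directory and configures the user's credentials;
# it then runs the container command (the SSH daemon, presumably) and tears the
# volume down again when the service stops or the container is signalled.
#
# Environment:
#   ENCRYPTION_PASSWORD  (required) LUKS passphrase for the volume
#   SFTP_USER            SFTP account name (default: syncuser)
#   VOLUME_SIZE_GB       size of the image created on first start (default: 5)
#   SSH_PUBLIC_KEY       if set, written as the user's authorized_keys
#   SFTP_PASSWORD        if set (and not the built-in default), the user's
#                        password is updated via chpasswd
#
# Must run as root with the privileges needed for device-mapper and mount.
set -euo pipefail

echo "=== 启动LUKS加密SFTP服务器 ==="

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail early on a missing passphrase: the original would otherwise have handed
# cryptsetup an empty key file on the very first start.
: "${ENCRYPTION_PASSWORD:?错误: 必须设置 ENCRYPTION_PASSWORD}"

# Resolve the SFTP user once so every path and chown below agrees (the original
# defaulted it only inside SFTP_HOME; chown/chpasswd/.ssh used it unset).
SFTP_USER="${SFTP_USER:-syncuser}"
readonly SFTP_USER
readonly ENCRYPTED_IMG="/encrypted-storage/data.img"
readonly ENCRYPTED_DEVICE="encrypted-volume"
readonly MAPPED_DEVICE="/dev/mapper/${ENCRYPTED_DEVICE}"
readonly MOUNT_POINT="/mnt/encrypted-volume"
readonly SFTP_HOME="/home/${SFTP_USER}/upload"
readonly VOLUME_SIZE_GB="${VOLUME_SIZE_GB:-5}"

# PID of the service started at the end of the script; empty until then.
service_pid=""

# Feed the passphrase to cryptsetup over stdin (--key-file=-) instead of a
# predictable file under /tmp that stayed behind whenever cryptsetup failed
# under set -e.  printf '%s' writes no trailing newline, so the key bytes are
# identical at luksFormat and open time.
luks_key() { printf '%s' "$ENCRYPTION_PASSWORD"; }

#######################################
# Stop the service (if running), unmount and close the encrypted volume.
# Registered on EXIT so it also runs when set -e aborts an early step;
# every teardown step is best effort because that stage may never have
# been reached.
# Globals:  service_pid, SFTP_HOME, MOUNT_POINT, ENCRYPTED_DEVICE
# Returns:  exits with the status the script was exiting with
#######################################
cleanup() {
    local status=$?
    trap - EXIT TERM INT
    echo "正在关闭加密卷..."
    if [[ -n "$service_pid" ]] && kill -0 "$service_pid" 2>/dev/null; then
        kill -TERM "$service_pid" 2>/dev/null || true
        wait "$service_pid" 2>/dev/null || true
    fi
    umount "$SFTP_HOME" 2>/dev/null || true
    umount "$MOUNT_POINT" 2>/dev/null || true
    cryptsetup close "$ENCRYPTED_DEVICE" 2>/dev/null || true
    echo "SFTP服务器已停止"
    exit "$status"
}
trap cleanup EXIT
# SIGKILL cannot be trapped (the original listed it).  A TERM/INT stop is
# reported as a clean exit, as before; the EXIT trap does the actual teardown.
trap 'exit 0' TERM INT

# Everything below assumes these tools exist; in particular a missing blkid
# must not be mistaken for "no filesystem" (see step 3).
for tool in cryptsetup blkid mkfs.ext4 mount dd; do
    command -v "$tool" >/dev/null 2>&1 || die "错误: 缺少命令 $tool"
done

# Step 1: create the encrypted image on first start.
if [[ ! -f "$ENCRYPTED_IMG" ]]; then
    [[ "$VOLUME_SIZE_GB" =~ ^[1-9][0-9]*$ ]] \
        || die "错误: VOLUME_SIZE_GB 必须是正整数: $VOLUME_SIZE_GB"
    echo "创建 ${VOLUME_SIZE_GB}GB 加密卷文件..."
    # Build the image under a temporary name and rename it only after
    # luksFormat succeeded: an interrupted first start otherwise leaves a
    # half-made file that every later start rejects as "not a LUKS volume".
    tmp_img="${ENCRYPTED_IMG}.tmp"
    mkdir -p "${ENCRYPTED_IMG%/*}"
    rm -f -- "$tmp_img"
    # umask 077: the image is created readable by root only.  1M blocks give the
    # same size as the original bs=1G without a 1 GiB buffer.
    ( umask 077 && dd if=/dev/zero of="$tmp_img" bs=1M \
        count=$((VOLUME_SIZE_GB * 1024)) status=progress )

    echo "格式化LUKS加密卷..."
    luks_key | cryptsetup luksFormat --type luks2 --batch-mode --key-file=- "$tmp_img"
    mv -- "$tmp_img" "$ENCRYPTED_IMG"
fi

# Step 2: open the LUKS volume.
echo "打开LUKS加密卷..."
cryptsetup isLuks "$ENCRYPTED_IMG" 2>/dev/null \
    || die "错误: $ENCRYPTED_IMG 不是有效的LUKS卷"
luks_key | cryptsetup open --type luks --key-file=- "$ENCRYPTED_IMG" "$ENCRYPTED_DEVICE"

# Step 3: create the filesystem only when the device carries no signature.
# -p probes the superblock directly (no blkid cache).  The original's
# `blkid | grep -q ext4` would have re-formatted -- and wiped -- a volume holding
# any other filesystem, and any volume at all if blkid were not installed.
fstype="$(blkid -p -o value -s TYPE "$MAPPED_DEVICE" 2>/dev/null || true)"
if [[ -z "$fstype" ]]; then
    echo "创建ext4文件系统..."
    mkfs.ext4 -F "$MAPPED_DEVICE"
elif [[ "$fstype" != "ext4" ]]; then
    die "错误: $MAPPED_DEVICE 已包含 $fstype 文件系统，拒绝格式化"
fi

# Step 4: mount the volume.  nosuid/nodev: it holds user uploads, so setuid
# binaries and device nodes written to it must never be honoured.
mkdir -p "$MOUNT_POINT"
mount -o nosuid,nodev "$MAPPED_DEVICE" "$MOUNT_POINT"

# Step 5: expose the volume at the SFTP user's upload path with a bind mount.
# The original did `mkdir -p "$SFTP_HOME"; ln -sf "$MOUNT_POINT" "$SFTP_HOME"`,
# which -- because upload/ already existed as a directory -- created the link
# *inside* it (upload/encrypted-volume -> /mnt/encrypted-volume) instead of
# making upload/ itself the volume.  A symlink to /mnt would also be
# unresolvable from inside an sshd ChrootDirectory, if one is configured.
mkdir -p "$SFTP_HOME"
mount --bind "$MOUNT_POINT" "$SFTP_HOME"

# Step 6: ownership.  Note chown -R walks the whole volume on every start.
chown -R "${SFTP_USER}:${SFTP_USER}" "$MOUNT_POINT"
chmod 755 "$MOUNT_POINT"

echo "加密卷已挂载到: $MOUNT_POINT"
echo "SFTP用户目录: $SFTP_HOME"
echo "卷大小: $(df -h "$MOUNT_POINT" | tail -1 | awk '{print $2}')"
echo "可用空间: $(df -h "$MOUNT_POINT" | tail -1 | awk '{print $4}')"

# Step 7: install the SSH public key, replacing authorized_keys as before.
if [[ -n "${SSH_PUBLIC_KEY:-}" ]]; then
    echo "设置SSH公钥认证..."
    ssh_dir="/home/${SFTP_USER}/.ssh"
    mkdir -p "$ssh_dir"
    # printf rather than echo: the key is opaque data, not echo options.
    printf '%s\n' "$SSH_PUBLIC_KEY" > "$ssh_dir/authorized_keys"
    chown -R "${SFTP_USER}:${SFTP_USER}" "$ssh_dir"
    chmod 700 "$ssh_dir"
    chmod 600 "$ssh_dir/authorized_keys"
fi

# Step 8: update the password unless it is the literal the original also
# skipped -- presumably the default baked into the image.  NOTE(review): when
# neither a key nor a different password is supplied, the account keeps that
# well-known default; this is only warned about here, not rejected.
if [[ -n "${SFTP_PASSWORD:-}" && "$SFTP_PASSWORD" != "SyncPass123!" ]]; then
    echo "更新用户密码..."
    printf '%s:%s\n' "$SFTP_USER" "$SFTP_PASSWORD" | chpasswd
elif [[ -z "${SSH_PUBLIC_KEY:-}" ]]; then
    printf '警告: 未提供 SSH_PUBLIC_KEY 或非默认的 SFTP_PASSWORD，用户 %s 保留默认凭据\n' \
        "$SFTP_USER" >&2
fi

# Step 9: host keys.  Unless /etc/ssh is persisted, a fresh container gets new
# keys here and clients will see a host-key change.
if [[ ! -f /etc/ssh/ssh_host_rsa_key ]]; then
    echo "生成SSH主机密钥..."
    ssh-keygen -A
fi

# Step 10: run the service as a child and wait for it.  The original
# `exec "$@"` replaced this shell, so its traps could never fire and the volume
# stayed open after the service stopped.  Exit status follows the service;
# a trapped TERM/INT exits 0 (see the trap above).
(( $# > 0 )) || die "错误: 未指定要执行的命令"
echo "启动服务..."
"$@" &
service_pid=$!
rc=0
wait "$service_pid" || rc=$?
exit "$rc"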
