#!/bin/bash
set -euo pipefail

apt update

apt install -y openssh-server vim ca-certificates curl gnupg iputils-ping

# Configure system-wide proxy for this container.
PROXY_URL="http://10.8.0.1:7890"
cat >/etc/apt/apt.conf.d/99proxy <<EOF
Acquire::http::Proxy "${PROXY_URL}";
Acquire::https::Proxy "${PROXY_URL}";
EOF

cat >/etc/profile.d/proxy.sh <<EOF
export http_proxy="${PROXY_URL}"
export https_proxy="${PROXY_URL}"
export no_proxy="localhost,127.0.0.1"
EOF

# Configure git proxy if git is available.
if command -v git >/dev/null 2>&1; then
  git config --system http.proxy "${PROXY_URL}"
  git config --system https.proxy "${PROXY_URL}"
fi

# Install Docker CLI only (docker-ce-cli) from official Docker repo.
install -m 0755 -d /etc/apt/keyrings
export DOWNLOAD_URL="https://mirrors.tuna.tsinghua.edu.cn/docker-ce"
curl -fsSL https://raw.githubusercontent.com/docker/docker-install/master/install.sh | sh

mkdir -p /run/sshd

# Configure sshd: allow root login, disable password auth.
mkdir -p /etc/ssh/sshd_config.d
cat >/etc/ssh/sshd_config.d/99-codex.conf <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF

# Copy authorized_keys for root from init directory if present.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
if [[ -f "${SCRIPT_DIR}/authorized_keys" ]]; then
  mkdir -p /root/.ssh
  install -m 600 "${SCRIPT_DIR}/authorized_keys" /root/.ssh/authorized_keys
fi

# Copy init.sh to /init
cp /init.d/init.sh /init