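#!/usr/bin/env bash
#
# Launch the bridge entrypoint inside an nsjail sandbox.
#
# Environment:
#   BRIDGE_HOME  (required) host directory bind-mounted read-write as the
#                jailed user's home directory.
#   BIN          (optional) command to run inside the jail. Defaults to
#                entrypoint.sh, which is bind-mounted into the jail's
#                working directory.
#   BRIDGE_USER, BRIDGE_PASS
#                forwarded into the jail by name (see --env below).
# Arguments:
#   $1           (optional) single argument forwarded to BIN; an empty
#                string is passed when it is omitted. Further arguments
#                are ignored.
set -euo pipefail

HERE="$(dirname "$(readlink -f "${BASH_SOURCE[0]}")")"
JAIL_HOME=/home/proton
BIN="${BIN:-entrypoint.sh}"

if [[ -z "${BRIDGE_HOME:-}" ]]; then
  # Diagnostics belong on stderr so they are not mistaken for output.
  echo "Please set the BRIDGE_HOME envvar!" >&2
  exit 1
fi
BRIDGE_HOME="$(realpath "${BRIDGE_HOME}")"
if [[ ! -d "${BRIDGE_HOME}" ]]; then
  # Fail early with a clear message instead of an nsjail mount error.
  echo "BRIDGE_HOME is not a directory: ${BRIDGE_HOME}" >&2
  exit 1
fi

# Split BIN on whitespace without glob expansion, so a value such as
# "bash -x" still yields two words but a stray '*' cannot expand against
# the host's current directory. Only the first line of BIN is used.
jail_cmd=()
read -r -a jail_cmd <<<"${BIN}"
if (( ${#jail_cmd[@]} == 0 )); then
  echo "BIN must name a command to run inside the jail" >&2
  exit 1
fi

# NOTE(review): the mount options below use "src:dst" syntax, so a ':' in
# BRIDGE_HOME or in this script's directory is ambiguous - confirm how
# nsjail parses it before relying on such paths.
nsjail_args=(
  # Standalone mode: run one process and exit with it.
  -Mo

  # Isolation that is deliberately switched off - keep in mind when
  # threat-modelling this jail:
  #   - no new network namespace: the jailed process shares the host's
  #     network stack, including loopback-only services;
  #   - no nsjail rlimits: limits are inherited from the caller.
  # No seccomp policy is configured here either.
  --disable_clone_newnet
  --disable_rlimits

  --cwd "${JAIL_HOME}"

  # Writable locations: throwaway tmpfs mounts plus the bridge home.
  --tmpfsmount /tmp
  --tmpfsmount /run
  --bindmount "${BRIDGE_HOME}:${JAIL_HOME}"
  --symlink /proc/self/fd:/dev/fd

  # Everything else is read-only. The entrypoint and key parameters are
  # mounted read-only on top of the writable home, so the jailed process
  # cannot rewrite them through these mounts.
  --bindmount_ro "${HERE}/entrypoint.sh:${JAIL_HOME}/entrypoint.sh"
  --bindmount_ro "${HERE}/gpg-keygen-params.txt:${JAIL_HOME}/gpg-keygen-params.txt"
  --bindmount_ro /bin
  --bindmount_ro /sbin
  --bindmount_ro /usr
  --bindmount_ro /lib
  --bindmount_ro /lib64
  --bindmount_ro /dev/null
  --bindmount_ro /dev/urandom
  --bindmount_ro /dev/random
  --bindmount_ro /etc/resolv.conf

  --env "HOME=${JAIL_HOME}"
  --env PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
  # Passed by name only: nsjail copies the values from this process's
  # environment, so the credentials never appear on a command line.
  --env BRIDGE_USER
  --env BRIDGE_PASS
)

exec nsjail "${nsjail_args[@]}" -- "${jail_cmd[@]}" "${1:-}"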