#!/usr/bin/env python3
import os
import socket
import subprocess
import uuid

from flask import Flask, request, render_template_string, flash

app = Flask(__name__)
app.secret_key = "change-me-in-production"

# --- Config -----------------------------------------------------------------

DOCKER_IMAGE = "micro-debian-dev:latest"   # built from the Dockerfile above
DATA_ROOT = "/srv/microcontainers"         # where per-tenant dirs live
HOSTNAME = "arthur.lan"                    # or "mentalnet.xyz" if you prefer
PORT_RANGE_START = 20000
PORT_RANGE_END = 21000

os.makedirs(DATA_ROOT, exist_ok=True)

# --- Helpers ----------------------------------------------------------------


def find_free_port(start=PORT_RANGE_START, end=PORT_RANGE_END):
    """Find a free TCP port on the host in the given range."""
    for port in range(start, end):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(0.2)
            try:
                s.bind(("", port))
                return port
            except OSError:
                continue
    raise RuntimeError("No free ports available in range")


def validate_ssh_key(key: str) -> bool:
    """Very basic SSH public key validation."""
    key = key.strip()
    if not key:
        return False
    allowed_prefixes = (
        "ssh-ed25519",
        "ssh-rsa",
        "ecdsa-sha2-",
        "sk-ssh-",
    )
    return any(key.startswith(p) for p in allowed_prefixes)


def run_docker_container(container_name: str, ssh_dir: str, host_port: int):
    """
    Start the tenant container:
      - Binds host_port -> container:22
      - Mounts authorized_keys -> /home/micro/.ssh/authorized_keys (read-only)
    """
    auth_keys_path = os.path.join(ssh_dir, "authorized_keys")
    cmd = [
        "docker", "run", "-d",
        "--name", container_name,
        "--memory=512m",
        "--memory-swap=512m",
        "-p", f"{host_port}:22",
        "-v", f"{auth_keys_path}:/home/micro/.ssh/authorized_keys:ro",
        DOCKER_IMAGE,
    ]
    subprocess.run(cmd, check=True)


# --- Template ---------------------------------------------------------------

INDEX_TEMPLATE = """
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
    <title>MicroContainer Provisioning</title>
    <style>
        body {
            background: #111;
            color: #eee;
            font-family: system-ui, -apple-system, BlinkMacSystemFont, sans-serif;
            max-width: 720px;
            margin: 40px auto;
            padding: 0 20px;
        }
        h1 { color: #66e0ff; }
        .box {
            background: #1a1a1a;
            border-radius: 8px;
            padding: 20px;
            margin-bottom: 20px;
            border: 1px solid #333;
        }
        label { display: block; margin-bottom: 8px; font-weight: 600; }
        textarea, input[type=text] {
            width: 100%;
            box-sizing: border-box;
            background: #101010;
            border: 1px solid #444;
            border-radius: 4px;
            color: #eee;
            padding: 8px;
            font-family: monospace;
            font-size: 0.9rem;
        }
        button {
            background: #66e0ff;
            color: #000;
            padding: 8px 16px;
            border-radius: 4px;
            border: none;
            font-weight: 600;
            cursor: pointer;
            margin-top: 10px;
        }
        button:hover { background: #4bc1dd; }
        .message { color: #ff8080; margin-bottom: 10px; }
        .success { color: #9bff9b; }
        code { background: #000; padding: 2px 4px; border-radius: 3px; }
    </style>
</head>
<body>
    <h1>MicroContainer Provisioning (Prototype)</h1>

    <div class="box">
        <p>This prototype spins up a small Docker-based "micro VM" and wires in your SSH public key.</p>
        <ul>
            <li>Base image: <code>{{ docker_image }}</code></li>
            <li>User: <code>micro</code></li>
            <li>SSH inside container: <code>port 22</code></li>
            <li>Host port: auto-assigned from <code>{{ port_start }}-{{ port_end }}</code></li>
        </ul>
    </div>

    {% with messages = get_flashed_messages() %}
      {% if messages %}
        <div class="message">
          {% for msg in messages %}
            {{ msg }}<br>
          {% endfor %}
        </div>
      {% endif %}
    {% endwith %}

    {% if result %}
    <div class="box">
        <h2 class="success">Container created!</h2>
        <p><strong>Container name:</strong> <code>{{ result.name }}</code></p>
        <p><strong>Host port:</strong> <code>{{ result.port }}</code></p>
        <p><strong>SSH command:</strong></p>
        <pre><code>ssh micro@{{ hostname }} -p {{ result.port }}</code></pre>
        <p>You can change the password for <code>micro</code> after logging in with:</p>
        <pre><code>passwd</code></pre>
    </div>
    {% endif %}

    <div class="box">
        <form method="post">
            <label for="ssh_key">SSH public key</label>
            <textarea id="ssh_key" name="ssh_key" rows="6" placeholder="ssh-ed25519 AAAAC3Nz... user@host" required>{{ ssh_key or "" }}</textarea>

            <label for="note">Optional note / label (will be part of container name)</label>
            <input type="text" id="note" name="note" placeholder="e.g. debian-dev-01">

            <button type="submit">Provision MicroContainer</button>
        </form>
    </div>
</body>
</html>
"""


# --- Routes -----------------------------------------------------------------


@app.route("/", methods=["GET", "POST"])
def index():
    if request.method == "GET":
        return render_template_string(
            INDEX_TEMPLATE,
            docker_image=DOCKER_IMAGE,
            port_start=PORT_RANGE_START,
            port_end=PORT_RANGE_END,
            result=None,
            ssh_key="",
            hostname=HOSTNAME,
        )

    # POST: handle provisioning
    ssh_key = (request.form.get("ssh_key") or "").strip()
    note = (request.form.get("note") or "").strip()

    if not validate_ssh_key(ssh_key):
        flash("Invalid SSH public key format. Please paste a standard OpenSSH public key line.")
        return render_template_string(
            INDEX_TEMPLATE,
            docker_image=DOCKER_IMAGE,
            port_start=PORT_RANGE_START,
            port_end=PORT_RANGE_END,
            result=None,
            ssh_key=ssh_key,
            hostname=HOSTNAME,
        )

    # Generate a container name
    suffix = uuid.uuid4().hex[:6]
    base_name = "mc"
    if note:
        safe_note = "".join(c for c in note.lower().replace(" ", "-") if c.isalnum() or c in "-_")
        base_name = f"mc-{safe_note}"
    container_name = f"{base_name}-{suffix}"

    # Tenant SSH dir on host
    tenant_root = os.path.join(DATA_ROOT, container_name)
    tenant_ssh_dir = os.path.join(tenant_root, "ssh")
    os.makedirs(tenant_ssh_dir, exist_ok=True)

    # Write authorized_keys
    auth_keys_path = os.path.join(tenant_ssh_dir, "authorized_keys")
    with open(auth_keys_path, "w") as f:
        f.write(ssh_key.strip() + "\n")

    # Make it look like micro:micro (uid/gid 1000) to sshd in the container
    os.chmod(auth_keys_path, 0o600)
    try:
        os.chown(auth_keys_path, 1000, 1000)  # micro:micro inside container
    except PermissionError:
        # If Flask isn't running as root, this will fail; on your VM it should succeed.
        pass

    # Choose a free port and start container
    host_port = find_free_port()
    try:
        run_docker_container(container_name, tenant_ssh_dir, host_port)
    except subprocess.CalledProcessError as e:
        flash(f"Error starting container: {e}")
        return render_template_string(
            INDEX_TEMPLATE,
            docker_image=DOCKER_IMAGE,
            port_start=PORT_RANGE_START,
            port_end=PORT_RANGE_END,
            result=None,
            ssh_key=ssh_key,
            hostname=HOSTNAME,
        )

    class Result:
        def __init__(self, name, port):
            self.name = name
            self.port = port

    result = Result(container_name, host_port)

    return render_template_string(
        INDEX_TEMPLATE,
        docker_image=DOCKER_IMAGE,
        port_start=PORT_RANGE_START,
        port_end=PORT_RANGE_END,
        result=result,
        ssh_key="",
        hostname=HOSTNAME,
    )


if __name__ == "__main__":
    # For dev/testing only
    app.run(host="0.0.0.0", port=5000, debug=True)