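# Dockerfile for CSF (ConfigServer Security & Firewall)
#
# Runtime requirement that a Dockerfile cannot enforce: csf/lfd drive
# iptables and ipset, so the container must be started with at least
# --cap-add=NET_ADMIN (and --network=host if it is meant to filter the
# host's traffic rather than only its own network namespace).
FROM ubuntu:22.04

# Suppress interactive prompts during package installation.
# ARG instead of ENV so the setting is build-time only and does not leak
# into the runtime environment of the final image.
ARG DEBIAN_FRONTEND=noninteractive

# System dependencies.
# NOTE(review): fail2ban overlaps with lfd's own login-failure handling and
# nano is a convenience editor; both enlarge the image and attack surface.
# Upstream CSF also relies on several Perl modules (LWP, IO::Socket::SSL,
# ...) that are not installed here — confirm the bundled scripts do not
# need them.
RUN apt-get update && apt-get install -y \
    perl \
    wget \
    curl \
    unzip \
    iptables \
    ipset \
    fail2ban \
    logrotate \
    rsyslog \
    cron \
    nano \
    net-tools \
    procps \
    iproute2 \
    dnsutils \
    && rm -rf /var/lib/apt/lists/*

# Directory layout: program files, configuration, state and lfd logs.
RUN mkdir -p /usr/local/csf \
    && mkdir -p /etc/csf \
    && mkdir -p /var/lib/csf \
    && mkdir -p /var/log/lfd

# Stage the bundled CSF tree from the build context.
COPY scripts/csf/ /tmp/csf/

# Install CSF and remove the staging copy so it does not remain in the
# layer (the original left /tmp/csf behind, doubling the footprint).
RUN cd /tmp/csf && \
    cp -r * /usr/local/csf/ && \
    rm -rf /tmp/csf && \
    chmod +x /usr/local/csf/bin/csf && \
    chmod +x /usr/local/csf/bin/lfd && \
    ln -sf /usr/local/csf/bin/csf /usr/local/bin/csf && \
    ln -sf /usr/local/csf/bin/lfd /usr/local/bin/lfd

# Seed /etc/csf with the shipped configuration files.
# NOTE: /etc/csf is declared as a VOLUME below; a bind mount or named volume
# attached at run time will shadow everything written here.
RUN for f in csf.conf csf.allow csf.deny csf.ignore csf.pignore csf.fignore \
             csf.blocklists csf.logfiles; do \
        cp "/usr/local/csf/$f" /etc/csf/; \
    done

# Production settings for a container:
#   TESTING=0         enable the firewall for real (no auto-flush cron job).
#   RESTRICT_SYSLOG=3 restrict access to the local syslog socket by group.
#   AUTO_UPDATES=0    no in-container self-update (immutable image).
#   LF_DAEMON=0       lfd is disabled; only static csf rules are applied,
#                     so no log-driven blocking happens unless this is
#                     overridden at run time.
RUN sed -i 's/TESTING = "1"/TESTING = "0"/' /etc/csf/csf.conf && \
    sed -i 's/RESTRICT_SYSLOG = "0"/RESTRICT_SYSLOG = "3"/' /etc/csf/csf.conf && \
    sed -i 's/AUTO_UPDATES = "1"/AUTO_UPDATES = "0"/' /etc/csf/csf.conf && \
    sed -i 's/LF_DAEMON = "1"/LF_DAEMON = "0"/' /etc/csf/csf.conf

# Basic port policy. Replace the existing key in csf.conf instead of
# appending a second definition (the original appended, leaving duplicate
# TCP_IN/TCP_OUT/UDP_IN/UDP_OUT lines whose precedence depends on the
# parser); fall back to appending only when the key is absent.
# Values contain no '|' or '&', so they are safe as a sed replacement.
RUN set -e; \
    for kv in 'TCP_IN = "22,80,443,3000"' \
              'TCP_OUT = "22,25,53,80,113,443,587,993,995"' \
              'UDP_IN = "53"' \
              'UDP_OUT = "53,113,123"'; do \
        key=${kv%% =*}; \
        if grep -q "^$key = " /etc/csf/csf.conf; then \
            sed -i "s|^$key = .*|$kv|" /etc/csf/csf.conf; \
        else \
            echo "$kv" >> /etc/csf/csf.conf; \
        fi; \
    done

# Allow access from the Docker network.
# NOTE(review): entries in csf.allow bypass both the port policy and any
# lfd blocks. Whitelisting all three RFC 1918 ranges means every host on
# any private network reaches every port unfiltered; narrow these to the
# actual Docker bridge subnet (see `docker network inspect`) before
# deploying outside a lab.
RUN echo '172.16.0.0/12 # Docker network' >> /etc/csf/csf.allow && \
    echo '192.168.0.0/16 # Private network' >> /etc/csf/csf.allow && \
    echo '10.0.0.0/8 # Private network' >> /etc/csf/csf.allow

# Configure rsyslog to receive remote logs over UDP/514.
# NOTE(review): this is an unauthenticated network listener. The
# RESTRICT_SYSLOG = "3" setting above appears to cover only the local
# socket, so forged syslog lines sent to this port would still reach
# whatever consumes these logs. 514/udp is not in UDP_IN, so csf blocks it
# from outside once TESTING is off, but the csf.allow ranges above exempt
# the whole private address space — verify only trusted sources can reach
# it.
RUN sed -i 's/#module(load="imudp")/module(load="imudp")/' /etc/rsyslog.conf && \
    sed -i 's/#input(type="imudp" port="514")/input(type="imudp" port="514")/' /etc/rsyslog.conf

# Startup helper script.
COPY docker/csf-start.sh /usr/local/bin/csf-start.sh
RUN chmod +x /usr/local/bin/csf-start.sh

# Entrypoint script.
COPY docker/entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Exposed ports. 22 is published only if an SSH daemon is actually run by
# the entrypoint; otherwise drop it to avoid advertising a service that
# does not exist.
EXPOSE 22 80 443 3000

# Paths consumed by the entrypoint/start scripts.
ENV CSF_CONFIG_PATH=/etc/csf
ENV CSF_LOG_PATH=/var/log/lfd

# Persistent state across container restarts.
VOLUME ["/etc/csf", "/var/log/lfd", "/var/lib/csf"]

# Healthcheck.
# NOTE(review): `--status` is whatever the bundled bin/csf implements;
# upstream csf reports rule state with `csf -l`. Confirm the flag exists,
# otherwise the check fails on every interval and the container is marked
# unhealthy even when the firewall is up.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD /usr/local/csf/bin/csf --status > /dev/null 2>&1 || exit 1

# Entry point.
ENTRYPOINT ["/entrypoint.sh"]
CMD ["csf"]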