#!/usr/bin/perl -T

# Note: In theory, all this can be done by 'pveproxy' daemon. But some 
# API call still have blocking code, so we use a separate daemon to avoid 
# that the console gets blocked.

$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';

delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};  

use strict;
use warnings;

use PVE::SafeSyslog;
use PVE::Daemon;
use PVE::API2Tools;
use PVE::API2;
use PVE::HTTPServer;

use base qw(PVE::Daemon);

$SIG{'__WARN__'} = sub {
    my $err = $@;
    my $t = $_[0];
    chomp $t;
    print STDERR "$t\n";
    syslog('warning', "%s", $t);
    $@ = $err;
};

my $cmdline = [$0, @ARGV];

my %daemon_options = (
    max_workers => 1, # todo: do we need more?
    restart_on_error => 5, 
    stop_wait_time => 15,
    leave_children_open_on_reload => 1,
    setuid => 'www-data',
    setgid => 'www-data',
    pidfile => '/var/run/pveproxy/spiceproxy.pid',
    );

my $rundir="/var/run/pveproxy";
if (mkdir($rundir, 0700)) { # only works at first start if we are root)
    my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
    my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
    chown($uid, $gid, $rundir);
}

my $daemon = __PACKAGE__->new('spiceproxy', $cmdline, %daemon_options); 

sub init {
    my ($self) = @_;

    # we use same ALLOW/DENY/POLICY as pveproxy
    my $proxyconf = PVE::API2Tools::read_proxy_config();

    my $accept_lock_fn = "/var/lock/spiceproxy.lck";

    my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
	die "unable to open lock file '${accept_lock_fn}' - $!\n";

    my $socket = $self->create_reusable_socket(3128);

    $self->{server_config} = {
	base_handler_class => 'PVE::API2',
	keep_alive => 0,
	max_conn => 500,
	lockfile => $accept_lock_fn,
	socket => $socket,
	lockfh => $lockfh,
	debug => $self->{debug},
	spiceproxy => 1,
	trusted_env => 0,
	logfile => '/var/log/pveproxy/access.log',
	allow_from => $proxyconf->{ALLOW_FROM},
	deny_from => $proxyconf->{DENY_FROM},
	policy => $proxyconf->{POLICY},
    };
}

sub run {
    my ($self) = @_;

    my $server = PVE::HTTPServer->new(%{$self->{server_config}});
    $server->run();
}

$daemon->register_start_command();
$daemon->register_restart_command(1);
$daemon->register_stop_command();
$daemon->register_status_command();

my $cmddef = {
    start => [ __PACKAGE__, 'start', []],
    restart => [ __PACKAGE__, 'restart', []],
    stop => [ __PACKAGE__, 'stop', []],
    status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ],
};

my $cmd = shift;

PVE::CLIHandler::handle_cmd($cmddef, $0, $cmd, \@ARGV, undef, $0);

exit (0);

__END__

=head1 NAME
                                          
spiceproxy - SPICE proxy server for Proxmox VE

=head1 SYNOPSIS

=include synopsis

=head1 DESCRIPTION

SPICE proxy server for Proxmox VE. Listens on port 3128.

=head1 Host based access control

It is possible to configure apache2 like access control lists. Values are read 
from file /etc/default/pveproxy (see 'pveproxy' for details).

=head1 FILES

 /etc/default/pveproxy

=include pve_copyright