#!/bin/bash
# LibrePortal DNS helper — the only root-privileged edit of /etc/resolv.conf the
# manager may trigger. Installed root:root 0755 to /usr/local/sbin by init.sh.
# Self-contained (sources no manager code). Operates ONLY on /etc/resolv.conf and
# only with strictly-validated IP arguments, so the scoped sudoers can allow it
# wholesale instead of a blanket `sudo sed`/`sudo tee` (which would amount to
# unrestricted root).

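set -u
# This script is the sudo target, so do not inherit the caller's PATH: the
# tools it runs (sed) must resolve from the system directories only.
export PATH=/usr/sbin:/usr/bin:/sbin:/bin

[[ $EUID -eq 0 ]] || { echo "libreportal-dns: must run as root" >&2; exit 1; }

# The only file this helper ever touches; nothing below reassigns it.
readonly RESOLV="/etc/resolv.conf"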

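_is_ip() {
    # Accept only a literal IPv4 or IPv6 address. Anything else (hostnames,
    # whitespace, shell metacharacters, extra resolv.conf directives) is
    # rejected so the value can be appended to /etc/resolv.conf verbatim.
    # Arguments: $1 - candidate address
    # Returns:   0 if the address is acceptable, 1 otherwise
    local ip="$1"
    # IPv4: four decimal octets, each 0-255, with no leading zeros. Leading
    # zeros are rejected explicitly instead of being left to bash arithmetic,
    # which reads "010" as octal 8 (accepted) and "08" as an error (rejected
    # with noise on stderr); the resolver does not accept such octets anyway.
    if [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
        local -a octets
        IFS=. read -r -a octets <<< "$ip"
        local o
        for o in "${octets[@]}"; do
            [[ "$o" == 0 || "$o" != 0* ]] || return 1
            # 10# forces decimal regardless of the digits' shape
            (( 10#$o <= 255 )) || return 1
        done
        return 0
    fi
    # IPv6 (loose but safe): hex digits and colons only, at least one colon so
    # a bare hex word is not taken for an address, and no longer than a fully
    # expanded address (8 groups of 4 hex digits plus 7 colons). Zone-scoped
    # forms such as fe80::1%eth0 are not accepted.
    [[ "$ip" =~ ^[0-9A-Fa-f:]+$ && "$ip" == *:* && ${#ip} -le 39 ]] && return 0
    return 1
}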

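clear_ns() {
    # Remove every "nameserver" line from $RESOLV, leaving other directives
    # (search, options, comments) untouched. A missing file is not an error.
    # Globals:   RESOLV (read)
    # Returns:   0 when there is nothing to do, otherwise sed's exit status
    [[ -f "$RESOLV" ]] || return 0
    # -f is also true for a symlink to a regular file (a resolv.conf managed
    # by a resolver daemon is commonly one). Plain `sed -i` would replace the
    # link itself with a regular file, while add_ns appends *through* the link
    # with >>; --follow-symlinks (GNU sed, the same dependency as suffix-less
    # -i) keeps both functions editing the same target.
    sed -i --follow-symlinks '/^nameserver/d' "$RESOLV"
}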

add_ns() {
    # Append a "nameserver <ip>" line to $RESOLV. The address is the only
    # caller-supplied value written to the file, so it must pass _is_ip first.
    # Globals:   RESOLV (written)
    # Arguments: $1 - address to add
    # Returns:   1 on an invalid address, otherwise printf's exit status
    local addr="$1"
    if ! _is_ip "$addr"; then
        echo "libreportal-dns: invalid IP '$addr'" >&2
        return 1
    fi
    printf 'nameserver %s\n' "$addr" >> "$RESOLV"
}

# Dispatch on the first argument; the remaining ones go to the handler.
# The script's exit status is that of the handler it ran.
action="${1:-}"
(( $# > 0 )) && shift
case "$action" in
    clear)
        clear_ns
        ;;
    add)
        add_ns "${1:-}"
        ;;
    *)
        echo "usage: libreportal-dns {clear|add <ip>}" >&2
        exit 2
        ;;
esac
