#!/bin/sh
set -e

# Fix data directory permissions when running as root.
# Docker named volumes / host bind-mounts may be owned by root,
# preventing the non-root sub2api user from writing files.
if [ "$(id -u)" = "0" ]; then
    mkdir -p /app/data
    # Use || true to avoid failure on read-only mounted files (e.g. config.yaml:ro)
    chown -R sub2api:sub2api /app/data 2>/dev/null || true
    if [ -S /var/run/docker.sock ]; then
        DOCKER_GID="$(stat -c '%g' /var/run/docker.sock 2>/dev/null || true)"
        if [ -n "${DOCKER_GID}" ]; then
            DOCKER_GROUP="$(getent group "${DOCKER_GID}" | cut -d: -f1 || true)"
            if [ -z "${DOCKER_GROUP}" ]; then
                DOCKER_GROUP="dockersock"
                groupadd -for -g "${DOCKER_GID}" "${DOCKER_GROUP}" 2>/dev/null || true
            fi
            usermod -aG "${DOCKER_GROUP}" sub2api 2>/dev/null || true
        fi
    fi
    # Re-invoke this script as sub2api so the flag-detection below
    # also runs under the correct user.
    # Use gosu if available (Debian), fall back to su-exec (Alpine)
    if command -v gosu >/dev/null 2>&1; then
        exec gosu sub2api "$0" "$@"
    elif command -v su-exec >/dev/null 2>&1; then
        exec su-exec sub2api "$0" "$@"
    else
        exec su -s /bin/sh sub2api -c "exec $0 $*"
    fi
fi

# Compatibility: if the first arg looks like a flag (e.g. --help),
# prepend the default binary so it behaves the same as the old
# ENTRYPOINT ["/app/sub2api"] style.
if [ "${1#-}" != "$1" ]; then
    set -- /app/sub2api "$@"
fi

exec "$@"