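#!/bin/bash
# =====================================================================
# Fix: Docker in unprivileged LXC containers
# =====================================================================
# Both NPM (CT 122) and Guacamole (CT 121) fail with:
#   "open sysctl net.ipv4.ip_unprivileged_port_start: permission denied"
#
# Fix: Set AppArmor profile to unconfined.
# Run on Proxmox host (10.0.0.240) as root.
# Run THIS script first, then fix-guac-npm.sh second.
#
# Security note: "lxc.apparmor.profile: unconfined" removes AppArmor
# confinement from every process in the container, not only Docker.
# The containers stay unprivileged, but one mandatory-access-control
# layer between the exposed services and the host is gone. Treat this
# as a workaround: keep the config backups this script prints, and
# restore the default profile once Docker starts without it.
# =====================================================================

set -euo pipefail

readonly PROFILE_LINE='lxc.apparmor.profile: unconfined'
readonly CT_IDS=(121 122)

# Print a message to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Set the AppArmor profile to unconfined in the live section of a
# Proxmox container config.
#
# Proxmox guest configs keep snapshot (and pending) state in "[name]"
# sections after the live settings. Appending to the end of the file
# would put the key in the last such section, where it does not affect
# the running container, so the line is written before the first
# section header instead. An existing profile line in the live section
# is replaced whether it uses ':' or '=' as the separator; snapshot
# sections are left untouched.
#
# Arguments: $1 - path to the container config
# Returns:   0 on success, non-zero if the file could not be rewritten
#######################################
set_apparmor_unconfined() {
  local conf=$1
  local tmp

  tmp=$(mktemp) || return 1

  if ! awk -v line="${PROFILE_LINE}" '
    # The first section header ends the live settings.
    /^\[/ && !in_section {
      if (!done) { print line; done = 1 }
      in_section = 1
    }
    # Replace the first live profile line, drop any duplicates.
    !in_section && /^lxc\.apparmor\.profile[ \t]*[:=]/ {
      if (!done) { print line; done = 1 }
      next
    }
    { print }
    END { if (!done) print line }
  ' "${conf}" > "${tmp}"; then
    rm -f -- "${tmp}"
    return 1
  fi

  # Overwrite in place (the original script also wrote via redirection).
  if ! cat -- "${tmp}" > "${conf}"; then
    rm -f -- "${tmp}"
    return 1
  fi
  rm -f -- "${tmp}"
}

main() {
  local ct_id ct_conf ct_name backup_dir

  [[ ${EUID} -eq 0 ]] || die "must be run as root on the Proxmox host"
  command -v pct > /dev/null || die "pct not found; run this on the Proxmox host"

  # Keep the pre-change configs so the profile change can be rolled back.
  backup_dir=$(mktemp -d "${TMPDIR:-/tmp}/lxc-conf-backup.XXXXXX") \
    || die "could not create backup directory"

  for ct_id in "${CT_IDS[@]}"; do
    ct_conf="/etc/pve/lxc/${ct_id}.conf"

    # Without this check a missing file would be created containing only
    # the profile line, i.e. a bogus container config.
    [[ -f "${ct_conf}" ]] || die "config not found: ${ct_conf}"

    # Match the hostname key exactly; an empty result is not an error.
    ct_name=$(pct config "${ct_id}" \
      | awk '$1 == "hostname:" && !seen { print $2; seen = 1 }') \
      || die "cannot read config of CT ${ct_id}"

    echo "=== Fixing CT ${ct_id} (${ct_name}) ==="

    cp -- "${ct_conf}" "${backup_dir}/${ct_id}.conf" \
      || die "cannot back up ${ct_conf}"

    # Best effort: the container may already be stopped.
    pct stop "${ct_id}" 2> /dev/null \
      || printf 'warn: pct stop %s failed (already stopped?)\n' "${ct_id}" >&2
    sleep 3

    set_apparmor_unconfined "${ct_conf}" \
      || die "cannot update ${ct_conf} (backup: ${backup_dir}/${ct_id}.conf)"

    pct start "${ct_id}"
    sleep 5
    pct exec "${ct_id}" -- systemctl restart docker
    sleep 3

    # Confirm the workaround actually brought Docker up.
    if ! pct exec "${ct_id}" -- systemctl is-active --quiet docker; then
      printf 'warn: docker is not active in CT %s after restart\n' "${ct_id}" >&2
    fi

    echo "  Done"
  done

  echo ""
  echo "AppArmor fix applied to CT 121 and 122."
  echo "Original configs saved in: ${backup_dir}"
  echo "Now run: ./fix-guac-npm.sh"
}

main "$@"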