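#!/usr/bin/env bash
#
# onx-fail2ban-jail-delete — Delete a jail config file and reload fail2ban.
#
# Input: {"jail_name": "sshd-custom"}
# Output: {"ok":true,"jail":"...","file_removed":"...","reloaded":true}
#
# Exit status: 0 on success (also when the file was already absent, in which
# case the output carries "already_absent":true); 1 when the request is
# rejected (missing/invalid jail_name, protected jail). Rejections are
# reported as a JSON object on stderr so that stdout only ever carries the
# result object.

set -euo pipefail

# Jails that must never be removed through this tool (the host's own SSH
# protection). Extend the array to protect further jails.
readonly -a PROTECTED_JAILS=(sshd)
readonly JAIL_DIR="/etc/fail2ban/jail.d"

# Is fail2ban-client available on this host?
have_client() {
    command -v fail2ban-client >/dev/null 2>&1
}

input="$(cat)"
# Fail closed: malformed JSON makes jq fail, which under set -e would abort
# with jq's bare parse error; instead leave the name empty so the validation
# below rejects it with the usual JSON error object.
jail="$(jq -r '.jail_name // empty' <<<"$input" 2>/dev/null || true)"

# The character class also rules out path separators and "..", so the name
# can be interpolated into JAIL_FILE below without escaping the jail.d dir.
if [[ -z "$jail" ]] || ! [[ "$jail" =~ ^[a-zA-Z0-9_-]{1,40}$ ]]; then
    jq -nc '{ok:false,error:"jail_name required and must match [a-zA-Z0-9_-]+"}' >&2
    exit 1
fi

# Refuse to delete protected system jails.
for protected in "${PROTECTED_JAILS[@]}"; do
    if [[ "$jail" == "$protected" ]]; then
        jq -nc --arg j "$jail" '{ok:false,error:"protected system jail cannot be deleted",jail:$j}' >&2
        exit 1
    fi
done

readonly JAIL_FILE="${JAIL_DIR}/${jail}.local"

# Nothing to do: report success without touching the daemon.
if [[ ! -f "$JAIL_FILE" ]]; then
    jq -nc --arg j "$jail" --arg f "$JAIL_FILE" \
        '{ok:true,jail:$j,file_removed:$f,already_absent:true,reloaded:false}'
    exit 0
fi

# Order matters: unban this jail's addresses first (a jail that disappears
# from the config on reload would otherwise leave its bans dangling), then
# remove the file, then reload. Only THIS jail is unbanned — a global
# `fail2ban-client unban --all` would also drop every active ban in every
# other jail, which deleting one jail does not justify. The client's stdout
# (it prints the number of unbanned addresses) is discarded so that stdout
# carries only the final JSON object. Failure here is best-effort: the jail
# may not be running, in which case there is nothing to unban.
if have_client; then
    fail2ban-client set "$jail" unban --all >/dev/null 2>&1 || true
fi

rm -f -- "$JAIL_FILE"

# Report reloaded:true only when a reload actually succeeded; without a
# client on the host no reload happened, and the caller must not be told
# otherwise (the on-disk config and the running daemon are then out of sync).
reloaded=false
if have_client && fail2ban-client reload >/dev/null 2>&1; then
    reloaded=true
fi

# Audit trail; a missing/failing logger must not turn a completed deletion
# into a non-zero exit with no result object.
logger -t "onox-fail2ban" "Deleted jail: $jail" || true

jq -nc --arg jail "$jail" --arg file "$JAIL_FILE" --argjson reloaded "$reloaded" \
    '{ok:true,jail:$jail,file_removed:$file,reloaded:$reloaded}'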