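#!/usr/bin/env bash
#
# onx-firewall-trusted-remove — Remove an IP/CIDR from the allowlist set.
# Input:  {"ip": "..."}   (JSON object on stdin)
# Output: {"ok":true,"ip":"...","removed":true|false}
#
# Exit status: 0 ok; 1 missing or malformed "ip"; 4 nft delete failed
# (a jq parse error on malformed input JSON propagates jq's own status).
#
# The "ip" value comes from the caller and is spliced into an nft script
# line, so it is validated against a strict IP/CIDR character set before
# it is used anywhere (nft command, logger, output JSON).

set -euo pipefail

# Set names inside table "inet onox"; IPv4 and IPv6 elements live in
# separate sets.
readonly SET_V4="onox-trusted"
readonly SET_V6="onox-trusted-v6"

# Temp file that captures nft's stderr; created with mktemp in main and
# removed by the EXIT trap (a global so the trap can still see it).
errfile=""

#######################################
# Emit a JSON error object on stderr and exit.
# Arguments: $1 - exit status; remaining args are passed to `jq -nc`
#            (optional --arg pairs followed by the filter)
# Outputs:   one JSON line on stderr
#######################################
die_json() {
    local status=$1
    shift
    jq -nc "$@" >&2
    exit "$status"
}

#######################################
# Remove the nft stderr capture file, if one was created.
# Globals:   errfile (read)
#######################################
cleanup() {
    if [[ -n "${errfile:-}" ]]; then
        rm -f -- "$errfile"
    fi
}

#######################################
# Check that $1 looks like an IPv4/IPv6 address or CIDR and contains only
# the characters such a value may contain. This is an allowlist filter,
# not a full parser: its job is to keep ';', '}', whitespace, newlines and
# similar out of the nft command string; nft still validates the syntax.
# Arguments: $1 - candidate address
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_ip() {
    local ip=$1
    local re6='^[0-9A-Fa-f:.]+(/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))?$'
    local re4='^([0-9]{1,3}\.){3}[0-9]{1,3}(/(3[0-2]|[12]?[0-9]))?$'
    local addr octet
    local -a octets=()

    if [[ "$ip" == *:* ]]; then
        # IPv6: hex groups and ':' ('.' allowed for the IPv4-mapped form),
        # optional prefix 0-128. 49 = longest mapped form (45) + "/128".
        (( ${#ip} <= 49 )) || return 1
        [[ "$ip" =~ $re6 ]]
        return
    fi

    # IPv4: exactly four decimal octets, optional prefix 0-32; the regex
    # bounds digit count, the loop bounds the value (0-255).
    [[ "$ip" =~ $re4 ]] || return 1
    addr=${ip%%/*}
    IFS=. read -r -a octets <<<"$addr"
    for octet in "${octets[@]}"; do
        # 10# forces decimal so "08"/"09" are not read as (invalid) octal.
        (( 10#$octet <= 255 )) || return 1
    done
    return 0
}

#######################################
# Read the request, delete the element from the matching set, report.
# Globals:   SET_V4, SET_V6 (read); errfile (written)
# Outputs:   result JSON on stdout; error JSON on stderr
# Returns:   see exit status table in the file header
#######################################
main() {
    local input ip target_set err removed

    input="$(cat)"
    ip="$(jq -r '.ip // empty' <<<"$input")"

    [[ -n "$ip" ]] || die_json 1 '{ok:false,error:"ip required"}'
    valid_ip "$ip" || die_json 1 --arg ip "$ip" '{ok:false,error:"invalid ip",ip:$ip}'

    # Anything with a colon is routed to the IPv6 set (same rule as valid_ip).
    if [[ "$ip" == *:* ]]; then
        target_set="$SET_V6"
    else
        target_set="$SET_V4"
    fi

    # Unpredictable temp path instead of /tmp/<name>-$$ (nft runs as root,
    # so a guessable name in /tmp is a symlink-clobber risk).
    errfile="$(mktemp)" || die_json 4 '{ok:false,error:"mktemp failed"}'
    trap cleanup EXIT

    removed=true
    if ! nft "delete element inet onox $target_set { $ip }" 2>"$errfile"; then
        err="$(cat -- "$errfile" 2>/dev/null || echo unknown)"
        err=${err:-unknown}
        # "No such file or directory" / "not found" — element already
        # absent; treat as a successful no-op so the call is idempotent.
        if [[ "$err" == *"No such"* || "$err" == *"not found"* || "$err" == *"Element not"* ]]; then
            removed=false
        else
            die_json 4 --arg ip "$ip" --arg err "$err" \
                '{ok:false,error:"nft delete element failed",ip:$ip,nft_err:$err}'
        fi
    fi

    # Audit line reflects what actually happened (no "Removed" on a no-op).
    if [[ "$removed" == true ]]; then
        logger -t "onox-trusted" "Removed $ip from $target_set"
    else
        logger -t "onox-trusted" "$ip not present in $target_set (no-op)"
    fi

    jq -nc --arg ip "$ip" --argjson removed "$removed" '{ok:true,ip:$ip,removed:$removed}'
}

main "$@"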
