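#!/bin/sh
# Container entrypoint. Runs as root to stage the host-mounted SSH key and add
# a host route, then drops to appuser and starts the Node service.
#
# Environment:
#   SERVICE_NAME - directory under dist/services/ whose src/main is started.

# SERVICE_NAME is interpolated into the path handed to node, so refuse to
# start with it unset or empty instead of exec'ing "dist/services//src/main".
# NOTE(review): a value containing "/" or ".." would resolve outside
# dist/services; confirm the variable is only ever set by the deployment config.
: "${SERVICE_NAME:?SERVICE_NAME must be set to the service directory name}"

# Copy host-mounted SSH key with correct ownership before dropping to appuser.
key_src=/tmp/host-ssh-key
key_dst=/home/appuser/.ssh/id_ed25519
if [ -f "$key_src" ]; then
  # umask 077 inside a subshell: a freshly created copy is never group- or
  # world-readable, even in the window between cp and chmod. chmod still runs
  # because cp keeps the mode of a destination file that already exists.
  if ! { (umask 077 && cp "$key_src" "$key_dst") &&
    chmod 600 "$key_dst" &&
    chown appuser:appuser "$key_dst"; }; then
    # Startup continues without the key, but the failure is no longer silent:
    # a key with the wrong mode or owner is rejected by ssh later on.
    printf '%s\n' "entrypoint: could not install SSH key at $key_dst" >&2
  fi
fi

# Route host-local IPs through Docker gateway (for IPs bound to host NICs).
# 14.215.128.96 is on the host's enp5s0 NIC, unreachable via default Docker NAT.
# "exit" keeps only the first default route, so GATEWAY is a single address
# even when the routing table lists more than one default.
GATEWAY=$(ip route | awk '/default/ {print $3; exit}')
if [ -n "$GATEWAY" ]; then
  # Deliberately best-effort: the route may already exist after a restart.
  # NOTE(review): this also hides a permission error; adding a route needs
  # CAP_NET_ADMIN, so confirm the container is granted it on purpose.
  ip route add 14.215.128.96/32 via "$GATEWAY" 2>/dev/null || true
fi

# Drop privileges and start the service. exec replaces this root shell, so no
# root process remains; the path is quoted so SERVICE_NAME cannot be split
# into extra arguments for node.
exec su-exec appuser node "dist/services/${SERVICE_NAME}/src/main"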