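#!/bin/sh
# Container entrypoint: mint a fresh per-boot secret, start the stub /api
# backend, then hand PID 1 to nginx.
#
# Needs on the image: python3, /opt/backend.py, nginx. The secret lands in
# /run/hubble-secret.
set -e

# FRESH-SECRET-ON-BOOT: generate a new random value on every container start.
# Never baked at build time. The stub backend reads this and serves it under
# the /api endpoint; the verifier reads the true value via the privileged
# loopback channel (docker exec ... cat /run/hubble-secret  OR  curl
# 127.0.0.1:8081/api from inside the container).
# NOTE(review): the curl port above (8081) differs from the backend port named
# below (8090) — confirm which one /opt/backend.py actually listens on.
secret_file=/run/hubble-secret
mkdir -p /run

# Prefer the kernel's UUID source: it is drawn from the kernel CSPRNG and is
# present on any Linux /proc. uuidgen is kept only as a fallback because some
# builds may emit a time-based (guessable) UUID when no random source is found.
if [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid > "$secret_file"
elif command -v uuidgen >/dev/null 2>&1; then
    uuidgen > "$secret_file"
else
    printf 'entrypoint: no UUID source available (need /proc or uuidgen)\n' >&2
    exit 1
fi
# 644 makes the secret readable by every uid in the container, nginx workers
# included. Left as-is because the uid /opt/backend.py runs under is not
# visible here; if the backend runs as root, 600 is enough — confirm.
chmod 644 "$secret_file"

# Start the stub /api backend on loopback:8090. A backgrounded job is outside
# set -e, so check its prerequisites up front instead of letting it die
# silently while nginx keeps serving.
command -v python3 >/dev/null 2>&1 || {
    printf 'entrypoint: python3 not found\n' >&2
    exit 1
}
[ -r /opt/backend.py ] || {
    printf 'entrypoint: /opt/backend.py missing or unreadable\n' >&2
    exit 1
}
python3 /opt/backend.py &

# Start nginx in the foreground (vulnerable rendered config). exec makes nginx
# PID 1; the backend remains its child and is neither supervised nor restarted
# from here.
exec nginx -g 'daemon off;'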
