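#!/bin/bash
# WireGuard gateway entrypoint.
#
# Loads the kernel module, enables IP forwarding, installs NAT and FORWARD
# rules idempotently (so repeated starts do not stack duplicate rules), brings
# the tunnel up, then stays in the foreground as a watchdog that restarts the
# tunnel if its interface loses the UP flag.
#
# Environment (all optional; defaults reproduce the original hard-coded values):
#   WG_INTERFACE     tunnel interface name                        (default: wg0)
#   WAN_INTERFACE    egress interface the tunnel is masqueraded behind (default: eth0)
#   HEALTH_INTERVAL  seconds between health checks                (default: 60)
#
# Must run as root (modprobe, sysctl, iptables, wg-quick).
set -euo pipefail

readonly WG_INTERFACE="${WG_INTERFACE:-wg0}"
readonly WAN_INTERFACE="${WAN_INTERFACE:-eth0}"
readonly HEALTH_INTERVAL="${HEALTH_INTERVAL:-60}"
# wg-quick resolves "<name>" to /etc/wireguard/<name>.conf, so the config path
# is derived from the interface name rather than configured separately.
readonly wg_conf="/etc/wireguard/${WG_INTERFACE}.conf"

#######################################
# Write a diagnostic line to stderr.
# Arguments: message words
#######################################
log() {
  printf '%s\n' "$*" >&2
}

#######################################
# Append an iptables rule only if an identical one is not already present.
# Arguments: $1 - table (nat, filter, ...); remaining args - chain and rule spec
#######################################
ensure_rule() {
  local table=$1
  shift
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

#######################################
# Report whether the tunnel interface exists and carries the UP flag.
# WireGuard interfaces are point-to-point devices without a carrier, so
# `ip link` prints `state UNKNOWN` for them even when healthy; matching on
# `state UP` (as the original did) never succeeds and would bounce the tunnel
# on every check. The flag list in angle brackets is the reliable signal.
# Returns: 0 if up, non-zero otherwise
#######################################
tunnel_is_up() {
  ip link show "$WG_INTERFACE" 2>/dev/null | grep -qE '<([^>]*,)?UP(,[^>]*)?>'
}

#######################################
# Tear the tunnel down on TERM/INT so a container stop is clean.
#######################################
shutdown() {
  log "[INFO] stopping ${WG_INTERFACE}"
  wg-quick down "$WG_INTERFACE" || true
  exit 0
}
trap shutdown TERM INT

# Load WireGuard kernel module (may be built in or managed by the host; best-effort).
modprobe wireguard || true

# Enable IP forwarding. These are fatal under set -e by design: without them the
# gateway silently drops client traffic.
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1

# Generate WireGuard config and keys if not present.
if [[ ! -f "$wg_conf" ]]; then
  # The config embeds the tunnel's private key; a restrictive umask keeps any
  # file the generator creates from being group/world-readable, independent of
  # the generator's own handling. Scoped to a subshell so later steps are unaffected.
  # NOTE(review): assumes the generator writes ${wg_conf}; if WG_INTERFACE is
  # overridden, confirm the generator honours the same name.
  ( umask 077; python3 /usr/local/bin/generate_wireguard_config.py )
fi

# NAT tunnel traffic out of the WAN interface.
ensure_rule nat POSTROUTING -o "$WAN_INTERFACE" -j MASQUERADE

# Forwarding policy: tunnel -> WAN is allowed unconditionally; WAN -> tunnel is
# limited to replies to existing flows, so tunnel clients are not reachable from
# the WAN side through this gateway.
ensure_rule filter FORWARD -i "$WG_INTERFACE" -o "$WAN_INTERFACE" -j ACCEPT
ensure_rule filter FORWARD -i "$WAN_INTERFACE" -o "$WG_INTERFACE" \
  -m state --state RELATED,ESTABLISHED -j ACCEPT

# Persist rules across restarts (best-effort; the package may be absent).
netfilter-persistent save || true

# Start WireGuard; failure here is fatal and surfaces through the exit status.
wg-quick up "$WG_INTERFACE"

# Health check loop: the script stays in the foreground as the tunnel's supervisor.
while true; do
  # Sleep in the background and wait on it so a TERM/INT arriving mid-interval
  # runs the trap immediately instead of after the sleep completes.
  sleep "$HEALTH_INTERVAL" &
  wait "$!" || true
  if ! tunnel_is_up; then
    log "[WARN] ${WG_INTERFACE} is down, restarting..."
    wg-quick down "$WG_INTERFACE" || true
    # A failed restart is logged and retried on the next interval rather than
    # aborting the watchdog, which would leave the gateway unsupervised.
    wg-quick up "$WG_INTERFACE" || log "[ERROR] failed to bring ${WG_INTERFACE} up; retrying in ${HEALTH_INTERVAL}s"
  fi
done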