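# syntax=docker/dockerfile:1
FROM alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc

# Userspace tooling only: wg/wg-quick plus the iptables/ip6tables/iproute2
# binaries wg-quick shells out to. Package versions are not pinned here, and
# the base-image digest above does NOT pin the apk index, so a rebuild can
# pull newer package versions than the last one did (hadolint DL3018).
RUN apk add --no-cache wireguard-tools iptables ip6tables iproute2

# Set the mode at copy time rather than with a follow-up `RUN chmod`, which
# would duplicate the file into a second layer. Requires BuildKit.
COPY --chmod=755 entrypoint.sh /entrypoint.sh

# This image uses the host kernel's builtin WireGuard module (default on modern
# kernels >= 5.6). It needs only CAP_NET_ADMIN — no privileged mode, no
# SYS_MODULE, no /lib/modules mount.
#
# FALLBACK for old kernels lacking builtin WireGuard: re-add to the compose
# service:  privileged: true  /  cap_add: SYS_MODULE  /  volume /lib/modules:/lib/modules
# The wireguard-tools package installed above already contains the module
# loading path, so the image itself does not change. Note that `privileged:
# true` removes far more isolation than SYS_MODULE alone; try the capability
# plus the /lib/modules mount first and fall back to privileged only if the
# host still refuses to load the module. The slim/unprivileged default
# above assumes a builtin module.

# No USER directive on purpose: the interface, route and firewall setup done by
# wg-quick/ip/iptables presumably needs root inside the container (CAP_NET_ADMIN
# is granted by the compose service, not here) — confirm before adding one.
ENTRYPOINT ["/entrypoint.sh"]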
