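# syntax=docker/dockerfile:1
# The base is pinned by digest, so the OS layer is reproducible. The apk
# packages below are not pinned (hadolint DL3018): apk resolves them against
# the live Alpine 3.20 repository at build time, so a rebuild from the same
# digest can still pull newer package versions.
FROM alpine:3.20@sha256:d9e853e87e55526f6b2917df91a2115c36dd7c696a35be12163d44e6e2a4b6bc

# curl + ca-certificates: cell-to-cell peer-sync pushes (offer/permission state)
# originate from this container's network namespace — the only one with routes to
# remote-cell VPN subnets over the tunnel — and go over HTTPS to the remote's
# Caddy. busybox wget here has no TLS, so curl is required (~5MB over the slim
# base; the alternative is no automatic cross-cell sync).
#
# wireguard-tools / iptables / ip6tables / iproute2 are the tunnel and firewall
# userspace tools. Everything is installed in one layer with --no-cache so no
# apk index is left behind in the image.
RUN apk add --no-cache \
      ca-certificates \
      curl \
      ip6tables \
      iproute2 \
      iptables \
      wireguard-tools

# --chmod sets the executable bit at copy time; a follow-up `RUN chmod` would
# re-write the file into a second layer for no benefit.
COPY --chmod=0755 entrypoint.sh /entrypoint.sh

# This image uses the host kernel's builtin WireGuard module (default on modern
# kernels >= 5.6). It needs only CAP_NET_ADMIN — no privileged mode, no
# SYS_MODULE, no /lib/modules mount.
#
# There is deliberately no USER directive: the entrypoint configures interfaces
# and firewall rules, which needs CAP_NET_ADMIN, and that capability is granted
# to the container's root by the compose cap_add (a non-root user would
# presumably lack it — confirm against entrypoint.sh before adding USER).
#
# FALLBACK for old kernels lacking builtin WireGuard: re-add to the compose
# service: cap_add: SYS_MODULE / volume /lib/modules:/lib/modules, and only as
# a last resort privileged: true (it grants every capability, not just the one
# needed). `apk add wireguard-tools` ships the kmod loader path. The
# slim/unprivileged default below assumes a builtin module.
ENTRYPOINT ["/entrypoint.sh"]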