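#!/bin/sh
# Slim WireGuard entrypoint for PIC.
#
# Brings up the SAME wg0.conf the API manages live (config/wireguard/wg_confs/wg0.conf,
# mounted at /config inside the container). The API does `docker exec cell-wireguard
# wg set wg0 ...` for live peer sync, so the interface MUST be named wg0 and stay up
# for the whole container lifetime.
#
# Requires CAP_NET_ADMIN + iptables (the conf's PostUp installs DNAT/MASQUERADE/FORWARD
# rules). No s6, no PUID/PGID — those linuxserver env vars (if still passed) are ignored.
#
# Trust boundary: wg-quick runs the conf's PreUp/PostUp/PreDown/PostDown lines as a
# shell as root inside this container, so whoever can write $CONF can execute commands
# here. The /config mount should be writable only by the API that owns the file.
#
# Environment (optional):
#   WG_CONF_WAIT  seconds to wait for a usable conf before giving up (default 120)

set -eu

CONF="/config/wg_confs/wg0.conf"
# wg-quick names the interface after the conf's basename; derive IFACE from CONF
# rather than repeating it so the two cannot drift apart.
IFACE=${CONF##*/}
IFACE=${IFACE%.conf}
WG_CONF_WAIT=${WG_CONF_WAIT:-120}

# PID of the background sleep in the keep-alive loop; killed on shutdown so the
# child does not outlive the entrypoint.
SLEEP_PID=

# Reject a non-numeric WG_CONF_WAIT up front: `[ -ge ]` would otherwise error on
# every iteration and the wait loop below would never time out.
case "$WG_CONF_WAIT" in
  ''|*[!0-9]*)
    echo "[wireguard] WG_CONF_WAIT must be a non-negative integer, got '$WG_CONF_WAIT'" >&2
    exit 1
    ;;
esac

# Signal handler: tear the tunnel down and exit cleanly. `wg-quick down` re-reads the
# conf (its PostDown removes the iptables rules); failures are ignored because there is
# nothing sensible left to do at that point.
cleanup() {
  echo "[wireguard] caught signal, bringing $IFACE down"
  wg-quick down "$CONF" 2>/dev/null || true
  if [ -n "$SLEEP_PID" ]; then
    kill "$SLEEP_PID" 2>/dev/null || true
  fi
  exit 0
}
trap cleanup TERM INT

# Fail fast with a clear message instead of a bare "not found" from set -e later.
if ! command -v wg-quick >/dev/null 2>&1; then
  echo "[wireguard] wg-quick not found in PATH" >&2
  exit 1
fi

# Wait for the API/setup to write a usable [Interface] block. On a clean install
# setup_cell.py seeds it before the stack starts, so this normally passes immediately.
echo "[wireguard] waiting for $CONF with an [Interface] block..."
i=0
while ! { [ -f "$CONF" ] && grep -q '^\[Interface\]' "$CONF"; }; do
  i=$((i + 1))
  if [ "$i" -ge "$WG_CONF_WAIT" ]; then
    echo "[wireguard] timed out waiting for $CONF — exiting" >&2
    exit 1
  fi
  sleep 1
done

echo "[wireguard] bringing up $IFACE from $CONF"
wg-quick up "$CONF"
echo "[wireguard] $IFACE is up; holding container open"

# Stay alive in the foreground forever so the API can docker-exec into us.
# `wait` is interruptible, so TERM/INT reach the trap promptly instead of having to
# wait out the sleep; `|| true` keeps the loop going if the sleep is killed by
# anything other than our own signal handler.
while true; do
  sleep 3600 &
  SLEEP_PID=$!
  wait "$SLEEP_PID" || true
done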