From 99311fda66e7b6543ae077665cf77f8703b62921 Mon Sep 17 00:00:00 2001 From: Maciej Lebiest Date: Tue, 1 Aug 2023 17:01:01 +0200 Subject: [PATCH] Wireguard: add setup scripts directory --- README.md | 15 ++++++++++++++- wireguard/Dockerfile | 3 ++- wireguard/entrypoint.sh | 10 +++++++++- 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 97fbea9..a018757 100644 --- a/README.md +++ b/README.md @@ -125,8 +125,21 @@ MASQUERADE required for accessing external networks is done by nftables, so it should work with nftables kernel modules, iptables-only modules can be missing. +Before seting up the wg interface, entrypoint will execute files in +`/setup.d/` if any. + +`PostUp` and `PostDown` in network interface config should look like this: + +```bash +PostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \; }; nft add rule inet filter forward iifname "%i" accept; nft add rule inet filter forward oifname "%i" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet nat postrouting oifname "eth*" masquerade +PostDown = nft delete table inet filter +``` + Example run (requires root and privileged for nftables setup) ```bash -podman run --privileged --name wireguard -d -v './:/data:ro' wireguard:latest +podman run --privileged --name wireguard -d \ + -v './config:/data:ro' \ + -v './setup:/setup.d:ro' \ + -wireguard:latest ``` diff --git a/wireguard/Dockerfile b/wireguard/Dockerfile index c3d6e89..b62983b 100644 --- a/wireguard/Dockerfile +++ b/wireguard/Dockerfile @@ -14,7 +14,8 @@ COPY entrypoint.sh /usr/bin/ RUN dnf install -y \ ${PKGS} \ && dnf clean all &&\ - chmod +x /usr/bin/entrypoint.sh + chmod +x /usr/bin/entrypoint.sh && \ + mkdir /setup.d STOPSIGNAL SIGALRM diff --git a/wireguard/entrypoint.sh b/wireguard/entrypoint.sh index 9975e6b..b67c7db 100644 --- a/wireguard/entrypoint.sh 
+++ b/wireguard/entrypoint.sh
@@ -1,3 +1,11 @@
 #!/bin/bash
-wg-quick up /data/wg0.conf && exec sleep infinity
+for file in /setup.d/*;
+do
+ echo "Executing setup file $file";
+ bash -c "$file";
+done
+
+wg-quick up /data/wg0.conf && sleep infinity
+echo "removing wg0 interface"
+wg-quick down /data/wg0.conf
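Review bot: `bash -c "$file"` passes the path to the shell as a command string, so a file under /setup.d whose name contains spaces or metacharacters (e.g. `x;rm -rf /`) is parsed as shell syntax instead of being run as a script, and because `nullglob` is not set an empty directory makes the loop try to execute the literal `/setup.d/*`. Run the file directly with `bash -- "$file"` behind a `[[ -f "$file" ]]` check, and abort the container when a setup step fails instead of silently continuing to `wg-quick up`. Dropping `exec` so that `wg-quick down` runs after `sleep infinity` only works if something interrupts the sleep, but no trap is installed for the Dockerfile's `STOPSIGNAL SIGALRM` and a shell running as the container's PID 1 presumably ignores unhandled signals, so the teardown line looks unreachable; backgrounding the sleep and trapping the stop signal lets the script reach it. The hunk covers the whole script.

```bash
#!/bin/bash
shopt -s nullglob
for file in /setup.d/*; do
  [[ -f "$file" ]] || continue
  echo "Executing setup file $file"
  bash -- "$file" || { echo "setup file $file failed" >&2; exit 1; }
done

wg-quick up /data/wg0.conf || exit 1
trap 'kill "$sleep_pid" 2>/dev/null' ALRM TERM INT
sleep infinity & sleep_pid=$!
wait "$sleep_pid"
echo "removing wg0 interface"
wg-quick down /data/wg0.conf
```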