FROM alpine:3.19

RUN apk add --no-cache \
    wireguard-tools \
    iptables \
    ip6tables \
    bash \
    curl \
    iputils-ping \
    iproute2 \
    openresolv

# Create wireguard config directory (config is mounted at runtime)
RUN mkdir -p /etc/wireguard

# Copy entrypoint
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

# Health check: can we reach the internet through the VPN?
HEALTHCHECK --interval=30s --timeout=10s --retries=5 \
    CMD curl -sf --max-time 5 http://1.1.1.1 || exit 1

ENTRYPOINT ["/entrypoint.sh"]