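---
# DaemonSet that installs host-level iptables FORWARD and NAT rules on every
# node so WireGuard peers (wg0) can reach the MetalLB/ingress range and the
# legacy LAN. The tunnel itself is managed elsewhere (wg-easy); this pod only
# mutates the node's netfilter tables and removes its own rules on shutdown.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wg-nat-rules
  namespace: wireguard
spec:
  selector:
    matchLabels:
      app: wg-nat-rules
  template:
    metadata:
      labels:
        app: wg-nat-rules
    spec:
      # Host network namespace is required: the rules must land in the node's
      # own FORWARD/POSTROUTING chains, not in a pod-private namespace.
      hostNetwork: true
      containers:
        - name: iptables
          # TODO(review): pin this image to a tag plus sha256 digest — with an
          # unpinned `latest` tag every node restart may run a different image.
          image: alpine:latest
          securityContext:
            # privileged is kept because the script writes sysctls under
            # /proc/sys; the iptables calls alone would only need CAP_NET_ADMIN.
            privileged: true
          command:
            - /bin/sh
            - -c
            - |
              set -eu

              # Variables (adjust them if they change)
              WG_IF="wg0"
              WG_SUBNET="192.168.254.0/24"     # subnet of your wg-easy peers
              LB200_CIDR="192.168.200.0/24"    # br-srv / MetalLB network (Ingress / internal services)
              LAN_CIDR="192.168.0.0/24"        # your classic LAN
              POD_CIDR="10.244.0.0/16"         # Pod CIDR (optional)
              SVC_CIDR="10.96.0.0/12"          # Service CIDR (optional)

              # Tools. The package install is best-effort (a node without
              # registry access must not crash-loop the pod), but a missing
              # iptables binary is fatal and is reported explicitly instead of
              # surfacing later as an obscure "command not found".
              apk add --no-cache iptables iproute2 >/dev/null 2>&1 || true
              command -v iptables >/dev/null 2>&1 || { echo "iptables not available" >&2; exit 1; }

              # IP forwarding and rp_filter (do not fail the container if the
              # kernel refuses the write).
              # NOTE(review): rp_filter=0 turns off reverse-path (anti-spoofing)
              # checks on every interface; loose mode (2) is often sufficient
              # for asymmetric tunnel routing — consider trying it first.
              sysctl -w net.ipv4.ip_forward=1 || true
              sysctl -w net.ipv4.conf.all.rp_filter=0 || true
              sysctl -w net.ipv4.conf.default.rp_filter=0 || true

              # rule ACTION TABLE RULESPEC...
              #   add: append the rule only if it is not already present (-C then -A)
              #   del: delete the rule, ignoring "not found"
              rule() {
                action="$1"; table="$2"; shift 2
                case "$action" in
                  add) iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@" ;;
                  del) iptables -t "$table" -D "$@" 2>/dev/null || true ;;
                esac
              }

              # Every managed rule is listed once here so install and cleanup
              # cannot drift apart. $1 is the action passed to rule().
              # NOTE(review): rules are appended (-A); if another component
              # already ends FORWARD with a DROP/REJECT, these land after it —
              # verify with `iptables -L FORWARD -n --line-numbers`.
              rules() {
                # FORWARD: allow traffic from wg0 to 200.x and 0.x, and the return path
                rule "$1" filter FORWARD -i "${WG_IF}" -d "${LB200_CIDR}" -j ACCEPT
                rule "$1" filter FORWARD -i "${WG_IF}" -d "${LAN_CIDR}" -j ACCEPT
                rule "$1" filter FORWARD -o "${WG_IF}" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

                # NAT: WG -> 200.x (internal Ingress/DNS)
                rule "$1" nat POSTROUTING -s "${WG_SUBNET}" -d "${LB200_CIDR}" -j MASQUERADE

                # NAT: WG -> 192.168.0.0/24 (LAN)
                rule "$1" nat POSTROUTING -s "${WG_SUBNET}" -d "${LAN_CIDR}" -j MASQUERADE

                # (Optional) NAT: WG -> Pod/Service CIDR if you ever reach Pods/ClusterIP directly
                # rule "$1" nat POSTROUTING -s "${WG_SUBNET}" -d "${POD_CIDR}" -j MASQUERADE
                # rule "$1" nat POSTROUTING -s "${WG_SUBNET}" -d "${SVC_CIDR}" -j MASQUERADE
              }

              rules add

              # Remove our rules when the pod is stopped, so deleting the
              # DaemonSet does not leave unmanaged forwarding/NAT entries on
              # the node. sleep runs in the background so the trap can fire
              # on SIGTERM instead of waiting out the grace period.
              cleanup() { rules del; exit 0; }
              trap cleanup TERM INT
              sleep infinity &
              wait $!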