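---
# DaemonSet that joins each node's host network namespace, enables IPv4
# forwarding, and installs MASQUERADE rules for traffic sourced from
# 192.168.254.0/24 (presumably the WireGuard peer subnet, going by the
# names used here -- confirm against the tunnel config).
#
# Review notes:
#   * The pod is privileged and on the host network, so write access to
#     this object, or to the image behind the tag, is root-equivalent on
#     every node. Scope RBAC on this namespace accordingly.
#   * Nothing removes the rules when the pod stops; deleting the DaemonSet
#     leaves them in the node's nat table.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: wg-nat-rules
  namespace: wireguard
spec:
  selector:
    matchLabels:
      app: wg-nat-rules
  template:
    metadata:
      labels:
        app: wg-nat-rules
    spec:
      # Required so sysctl and iptables act on the node's namespace rather
      # than a pod-private one.
      hostNetwork: true
      containers:
        - name: iptables
          # NOTE(review): `latest` is a mutable tag. Pin a release and
          # digest so a privileged pod never runs unreviewed content.
          image: alpine:latest
          securityContext:
            # Broader than iptables itself needs (NET_ADMIN / NET_RAW).
            # Kept because the sysctl write below needs a writable
            # /proc/sys, which unprivileged containers do not get. If
            # ip_forward is set on the node by other means, drop the
            # sysctl line and replace this with explicit capabilities.
            privileged: true
          command:
            - /bin/sh
            - '-c'
            - |
              # Fail the container instead of sleeping forever with the
              # rules missing; a crash loop is visible, a silent no-op is
              # not.
              set -eu

              # The Alpine base image does not ship iptables. Installing
              # at start-up needs registry egress from the node; an image
              # with iptables baked in makes this line a no-op.
              # NOTE(review): the binary's backend (nft vs legacy) must
              # match the one the node uses -- verify with `iptables -V`.
              command -v iptables >/dev/null 2>&1 ||
                apk add --no-cache iptables

              sysctl -w net.ipv4.ip_forward=1

              # Append a MASQUERADE rule for src $1 -> dst $2 unless an
              # identical rule already exists (-C), so pod restarts do not
              # stack duplicates.
              ensure_masquerade() {
                iptables -t nat -C POSTROUTING -s "$1" -d "$2" \
                  -j MASQUERADE ||
                  iptables -t nat -A POSTROUTING -s "$1" -d "$2" \
                    -j MASQUERADE
              }

              ensure_masquerade 192.168.254.0/24 192.168.0.0/24
              # 10.42.0.0/16 is presumably the cluster pod CIDR -- confirm.
              ensure_masquerade 192.168.254.0/24 10.42.0.0/16

              # Keep the container running so the DaemonSet stays Ready.
              sleep infinity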