#!/bin/sh

# EnsureTUN device exists
if [ ! -c /dev/net/tun ]; then
    mkdir -p /dev/net
    mknod /dev/net/tun c 10 200
    chmod 600 /dev/net/tun
fi

# Enable IP forwarding (moved to docker-compose.yml sysctls)
# sysctl -w net.ipv4.ip_forward=1 || true

# NAT MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# MSS Clamping (Path MTU Tuning)
iptables -t mangle -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A FORWARD -i eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Ensure /run exists for PID files
mkdir -p /run


# Initialize Easy-RSA if not already present in /app/easy-rsa
if [ ! -f /app/easy-rsa/easyrsa ]; then
    echo "[INIT] Initializing Easy-RSA workspace..."
    mkdir -p /app/easy-rsa
    # Alpine installs easy-rsa files to /usr/share/easy-rsa
    cp -r /usr/share/easy-rsa/* /app/easy-rsa/
fi


# Start the APP_PROFILER API


# We use 0.0.0.0 to be reachable from other containers
python main.py