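---
# Deployment that brings up a WireGuard interface (wg0) with wg-quick from a
# config stored in the `wireguard-config` Secret. The pod runs in the node's
# network namespace and with elevated privileges, so treat the image, the
# Secret and this manifest as node-level trust boundaries.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
  namespace: wireguard
  labels:
    app: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      # The pod shares the node's network namespace: the wg0 interface and any
      # routes or firewall rules wg-quick installs are created on the node.
      hostNetwork: true
      containers:
        - name: wireguard
          # NOTE(review): `latest` is a mutable tag and the packages below are
          # installed at every start, so the code that runs privileged on the
          # node can change without a change to this manifest. Prefer a
          # purpose-built image with wireguard-tools and iptables baked in,
          # referenced by digest (<IMAGE>@sha256:<DIGEST>).
          image: alpine:latest
          command: ["/bin/sh", "-c"]
          args:
            - |
              # Abort on the first failed setup step so a broken tunnel shows
              # up as a crashing pod instead of a Running pod with no VPN.
              set -e
              apk add --no-cache wireguard-tools iptables
              cp /config/wg0.conf /etc/wireguard/wg0.conf
              chmod 600 /etc/wireguard/wg0.conf
              wg-quick up wg0
              echo "Wireguard is up"
              # Setup is done; shutdown handling below keeps its original
              # exit-status behaviour.
              set +e
              trap "wg-quick down wg0" SIGINT SIGTERM
              sleep infinity &
              wait
          securityContext:
            # NOTE(review): privileged already grants every capability, so the
            # `add` list below has no effect while it is set. For least
            # privilege, try removing `privileged: true` and keeping only
            # NET_ADMIN (plus SYS_MODULE if the node does not already have the
            # wireguard module loaded). wg-quick may need to write sysctls for
            # some configs; verify against the actual wg0.conf before dropping.
            privileged: true
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          volumeMounts:
            - name: wg-config
              mountPath: /config/wg0.conf
              subPath: wg0.conf
              readOnly: true
            # Host kernel modules, read-only; paired with SYS_MODULE this lets
            # the container load modules into the node's kernel.
            - name: lib-modules
              mountPath: /lib/modules
              readOnly: true
      volumes:
        - name: wg-config
          secret:
            secretName: wireguard-config
            # wg0.conf holds the interface private key; mount it owner-read
            # only rather than with the default world-readable mode.
            defaultMode: 0400
        - name: lib-modules
          hostPath:
            path: /lib/modules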