```bash
#!/bin/bash
# Dynamic firewall setup hook
set -euo pipefail

echo "Setting up firewall configuration..."

# Load firewall setup functions from proper volume path
# Note: Source path exists at build time in Docker container
# shellcheck disable=SC1091
source /build/src/firewall-setup.sh

# Install nftables rules (default deny policy on input, forward and output)
cat >/etc/nftables.conf <<'EOF'
#!/usr/sbin/nft -f
# Default secure firewall rules for KNEL-Football

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept comment "Accept loopback"
        icmp type echo-request accept comment "Accept ping"
    }

    chain forward {
        # No forwarding: this host is not a router
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Default deny on egress as well: only loopback and outbound
        # ICMP echo-request are permitted by these rules
        type filter hook output priority 0; policy drop;
        oif lo accept comment "Accept loopback"
        icmp type echo-request accept comment "Allow ping"
    }
}
EOF

# Enable nftables service so the ruleset is loaded at boot
systemctl enable nftables

echo "Firewall setup hook completed."
```
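As an added example (not part of the original hook), the following shell functions validate a ruleset file before it is written to `/etc/nftables.conf`: a static check that every base chain hooking `input`, `forward` and `output` declares `policy drop`, plus an optional syntax dry-run with `nft -c -f` when the `nft` binary is present. The two rulesets below are constructed samples; the function names are illustrative and not from the project.

```shell
#!/bin/bash
# Added example: pre-install validation of an nftables ruleset.
# Function and file names are assumptions for illustration.

# Return 0 if every base chain hooking input/forward/output in FILE
# declares "policy drop"; print the first offending hook and return 1 otherwise.
check_default_deny() {
    file="$1"
    for hook in input forward output; do
        # A base chain hook line looks like:
        #   type filter hook <hook> priority <n>; policy <verdict>;
        if ! grep -Eq "hook[[:space:]]+${hook}[[:space:]]+priority[[:space:]]+[-[:alnum:]]+[[:space:]]*;[[:space:]]*policy[[:space:]]+drop" "$file"; then
            echo "chain hooking ${hook}: missing or not default-deny" >&2
            return 1
        fi
    done
    return 0
}

# Dry-run parse with nft when available (no rules are applied with -c).
# Returns nft's status, or 0 with a notice when nft is not installed.
check_syntax() {
    file="$1"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$file"
    else
        echo "nft not installed; skipping syntax dry-run" >&2
        return 0
    fi
}

# Constructed sample: default-deny ruleset with the same shape as the hook's config.
write_good_ruleset() {
    cat >"$1" <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
    }
}
EOF
}

# Constructed sample: weak variant where egress silently defaults to accept.
write_weak_ruleset() {
    write_good_ruleset "$1"
    sed 's/hook output priority 0; policy drop;/hook output priority 0; policy accept;/' "$1" >"$1.tmp"
    mv "$1.tmp" "$1"
}

# Usage: validate a candidate ruleset before copying it into place.
validate_ruleset() {
    check_default_deny "$1" && check_syntax "$1"
}
```

Running `validate_ruleset candidate.nft` before `cat >/etc/nftables.conf` turns a silent policy regression (for example an `output` chain changed to `policy accept`) into a failed hook under `set -e`, rather than a ruleset that boots with open egress.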