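# wireguard-user.service — runs wireguard-go (userspace WireGuard) inside an
# rkt container. Read by systemd: only systemd unit syntax is understood here,
# so any shell feature must go through an explicit /bin/sh -c wrapper.
[Unit]
# Metadata
Description=Wireguard Userspace
Documentation=https://git.zx2c4.com/wireguard-go/about/
# Wait for networking
Requires=network-online.target
After=network-online.target

[Service]
Slice=machine.slice
# Resource limits (cgroup v1 spellings; CPUWeight=/MemoryMax= are the
# cgroup v2 equivalents if the host moves to unified hierarchy)
Delegate=true
CPUShares=1024
MemoryLimit=128M
OOMScoreAdjust=50
# The tun device node must exist on the host before it can be bind-mounted
# into the container. Both steps are best-effort ("-"): they fail harmlessly
# when udev / the tun module has already created the node. Creating /dev/net
# first avoids a silent mknod failure on hosts where the directory is absent.
ExecStartPre=-/bin/mkdir -p /dev/net
ExecStartPre=-/bin/mknod /dev/net/tun c 10 200
# Defaults — presumably the image entrypoint's built-in values, kept here
# commented out for reference; uncomment to override.
#Environment=WG_INTERFACE=wg0
#Environment=WG_HOST_INTERFACE=eth0
#Environment=WG_ADDRESS=10.200.200.1/24
#Environment=WG_LOG_EVENTS=1
# Host directory holding WireGuard config/state; bind-mounted read-write below.
Environment=ROOT_DIR=/srv/wireguard
# Capabilities retained inside the container (see --caps-retain below).
# CAP_NET_ADMIN is what wireguard-go needs to configure the tunnel; the rest
# are presumably for the image's entrypoint. NOTE(review): CAP_SYS_ADMIN and
# CAP_DAC_OVERRIDE are effectively root on the shared kernel — confirm each
# capability is actually required and drop the ones that are not.
Environment=WG_CAPS="CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FSETID,CAP_FOWNER,CAP_MKNOD,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SETFCAP,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_SYS_CHROOT,CAP_KILL,CAP_AUDIT_WRITE,CAP_NET_ADMIN,CAP_SYS_ADMIN"
ExecStartPre=/bin/mkdir -p $ROOT_DIR
# NOTE(review): --insecure-options=image disables image signature
# verification, so the image is fetched and run unauthenticated — a
# supply-chain exposure unless the registry is trusted by other means.
# --inherit-env exports this unit's entire environment (including WG_CAPS)
# into the container. The --dns entries are public third-party resolvers.
ExecStart=/usr/bin/rkt --insecure-options=image run --uuid-file-save=${ROOT_DIR}/container.uuid --inherit-env --dns 8.8.8.8 --dns 9.9.9.9 --dns 1.1.1.1 \
    --volume dev-net,kind=host,source=/dev/net/tun --volume volume-etc-wireguard,kind=host,source=${ROOT_DIR},readOnly=false \
    --port 51820-udp:51820 repo.shimun.net/shimun/wireguard-user --mount volume=dev-net,target=/dev/net/tun --caps-retain=${WG_CAPS}
# Persist WireGuard state (wg-save inside the container) before the pod is
# torn down. systemd does not perform $(...) command substitution on Exec
# lines, so the UUID lookup is wrapped in /bin/sh -c; "$$" is systemd's
# escape for a literal "$", which the shell then expands as usual.
ExecStop=-/bin/sh -c '/usr/bin/rkt enter --app=wireguard-user "$$(cat ${ROOT_DIR}/container.uuid)" /bin/wg-save'
# Seconds allowed for ExecStop to finish before the pod is killed.
TimeoutStopSec=5
ExecStopPost=-/usr/bin/rkt rm --uuid-file=${ROOT_DIR}/container.uuid
KillMode=mixed
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target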