#!/bin/bash
# Horus: Routes für OPNsense-Peer — wg syncconf legt AllowedIPs-Routen nicht an
# Deploy: /usr/local/sbin/wg0-opnsense-routes.sh + systemd wg0-opnsense-routes.service
set -euo pipefail
ip link show wg0 &>/dev/null || exit 0
for net in \
  10.1.1.22/32 \
  192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 \
  192.168.40.0/24 192.168.50.0/24 192.168.60.0/24 \
  10.2.2.0/24; do
  ip route replace "$net" dev wg0
done