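#!/bin/bash
# Horus: routes for the OPNsense peer — `wg syncconf` does not install
# kernel routes for AllowedIPs, so this script maintains them.
# Step A: tunnel IP + services network only (no VLANs).
#
# NOTE(review): these are kernel routes only. Which source addresses the
# peer may use inbound is decided by AllowedIPs in the WireGuard config,
# not here — confirm the VLAN ranges are absent there as well.
set -euo pipefail

# Nothing to do when the WireGuard interface does not exist; exit quietly
# so the caller is not failed while the tunnel is down.
ip link show wg0 &>/dev/null || exit 0

# Networks that must be reachable through the tunnel. `replace` is
# idempotent: it adds the route or overwrites an existing one.
for net in 10.1.1.22/32 10.100.2.0/24; do
  ip route replace "$net" dev wg0
done

# VLAN networks that must NOT be routed through wg0 in step A.
# Removal stays best-effort (the script never aborts here), but a route
# that exists and cannot be removed is reported instead of being hidden,
# because a leftover route silently widens what is sent into the tunnel.
for net in 192.168.10.0/24 192.168.20.0/24 192.168.30.0/24 \
           192.168.40.0/24 192.168.50.0/24 192.168.60.0/24; do
  # Only attempt the delete when the exact route is present on wg0, so
  # the common "route absent" case produces no noise.
  if [[ -n "$(ip route show exact "$net" dev wg0 2>/dev/null)" ]]; then
    ip route del "$net" dev wg0 \
      || printf 'warning: could not remove route %s from wg0\n' "$net" >&2
  fi
done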