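---
# DaemonSet that runs one privileged pod per node and, via nsenter into the
# host's PID 1, opens the firewall ports K3s/Flannel need and loads the
# netfilter kernel modules they depend on.  Because the script is executed by
# the HOST's sh inside the host's mount/net/pid namespaces, every command in
# `args` acts on the node itself, not on the container.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fix-ufw-ds
  namespace: kube-system
spec:
  selector:
    matchLabels:
      name: fix-ufw
  template:
    metadata:
      labels:
        name: fix-ufw
    spec:
      # hostPID + privileged are what allow `nsenter --target 1` to enter the
      # host namespaces; this pod is effectively root on every node, so the
      # image and the script below deserve the same review as node config.
      hostPID: true
      containers:
        - name: fix
          # NOTE(review): an untagged image resolves to :latest — pin a tag or
          # digest so the node-level script cannot change underneath you.
          image: alpine
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
          # The container only hands the script to the host's sh; nothing from
          # the alpine image (busybox, musl) is used once nsenter succeeds.
          command: ["nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "sh", "-c"]
          args:
            - |
              # Ensure critical kernel modules are loaded for K3s/Flannel/IPTables.
              # lsmod prints the module name followed by spaces, so anchoring on
              # "^$mod " avoids a false hit from a longer name sharing the prefix.
              for mod in br_netfilter overlay xt_conntrack xt_comment xt_mark xt_MASQUERADE; do
                if ! lsmod | grep -q "^$mod "; then
                  echo "Attempting to load module $mod..."
                  modprobe $mod || echo "Failed to load $mod"
                fi
              done

              if command -v ufw >/dev/null; then
                # Node ports used by K3s (flannel vxlan 8472, kubelet 10250) and
                # the ingress ports, plus blanket allows for the pod/service
                # CIDRs, private ranges and the listed peer node addresses.
                ufw allow 8472/udp
                ufw allow 80/tcp
                ufw allow 443/tcp
                ufw allow 8443/tcp
                ufw allow 8443/udp
                ufw allow 10250/tcp
                ufw allow from 10.42.0.0/16
                ufw allow from 10.43.0.0/16
                ufw allow from 172.16.0.0/12
                ufw allow from 192.168.0.0/16
                ufw allow from 10.0.0.0/8
                ufw allow from 37.60.237.100
                ufw allow from 167.86.68.48
                ufw allow from 95.111.235.130
                ufw allow from 80.241.209.235
              elif command -v firewall-cmd >/dev/null; then
                # NOTE(review): --add-source with no --zone binds the source to the
                # default zone, which is not equivalent to ufw's "allow from"
                # (all ports).  If pods must reach every port on the node, these
                # lines need --zone=trusted; confirm against the cluster's needs.
                firewall-cmd --permanent --add-port=8472/udp
                firewall-cmd --permanent --add-port=80/tcp
                firewall-cmd --permanent --add-port=443/tcp
                firewall-cmd --permanent --add-port=8443/tcp
                firewall-cmd --permanent --add-port=8443/udp
                firewall-cmd --permanent --add-port=10250/tcp
                firewall-cmd --permanent --add-source=10.42.0.0/16
                firewall-cmd --permanent --add-source=10.43.0.0/16
                firewall-cmd --permanent --add-source=172.16.0.0/12
                firewall-cmd --permanent --add-source=192.168.0.0/16
                firewall-cmd --permanent --add-source=10.0.0.0/8
                firewall-cmd --permanent --add-source=37.60.237.100
                firewall-cmd --permanent --add-source=167.86.68.48
                firewall-cmd --permanent --add-source=95.111.235.130
                firewall-cmd --permanent --add-source=80.241.209.235
                # --permanent rules only take effect after a reload.
                firewall-cmd --reload
              elif command -v dnf >/dev/null && grep -q "Rocky Linux 10" /etc/os-release 2>/dev/null; then
                # Specific fix for Rocky 10 missing legacy netfilter modules:
                # install the extra-modules package for the running kernel
                # (falling back to the unversioned package), then retry.
                KVER=$(uname -r)
                if ! lsmod | grep -q "^xt_conntrack "; then
                  dnf install -y kernel-modules-extra-$KVER || dnf install -y kernel-modules-extra
                  # -a is required here: without it modprobe loads only the
                  # first name and passes the rest as parameters to that module.
                  modprobe -a br_netfilter overlay xt_conntrack xt_comment xt_mark xt_MASQUERADE
                fi
              fi

              # Keep the container alive so the DaemonSet does not crash-loop;
              # on restart the script re-runs, and every step above tolerates
              # rules/modules that are already present.
              sleep 3600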