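#!/bin/bash
# Refresh an ipset of networks to geoblock and make sure OUTPUT traffic to
# them is dropped.
#
# Rendered from a template: the {{ ... }} placeholders are filled in at deploy
# time. Required values:
#   geoblock_zone_url   - URL of a plain-text list, one IPv4 network per line
#                         ('#' comments and blank lines are ignored)
#   geoblock_zone_path  - where the last known-good copy of the list is kept
#   geoblock_ipset_name - name of the hash:net set the OUTPUT rule matches on
#
# Must run as root (ipset/iptables). Safe to re-run: the list is downloaded to
# a scratch file and only replaces the kept copy once every entry validates, the
# set is rebuilt in a scratch set and swapped in, and the OUTPUT rule is added
# only when it is not already present. A bad or empty feed aborts the run and
# leaves the live set and the kept list untouched (fail closed).
#
# Only IPv4 is handled: hash:net defaults to the inet family and the validator
# rejects anything else, so IPv6 egress is not filtered by this script.
set -euo pipefail

ZONE_URL="{{ geoblock_zone_url }}"
ZONE_FILE="{{ geoblock_zone_path }}"
IPSET_NAME="{{ geoblock_ipset_name }}"
IPSET_TMP="${IPSET_NAME}-tmp"
readonly ZONE_URL ZONE_FILE IPSET_NAME IPSET_TMP

die() { printf 'geoblock: %s\n' "$*" >&2; exit 1; }

# Scratch resources released by the EXIT trap; filled in once they exist so a
# failure half-way never leaves a stray download or scratch set behind.
zone_tmp=""
tmp_set_created=0
cleanup() {
  if [[ -n "$zone_tmp" ]]; then
    rm -f -- "$zone_tmp"
  fi
  if (( tmp_set_created )); then
    ipset destroy "$IPSET_TMP" 2>/dev/null || true
  fi
}
trap cleanup EXIT

#######################################
# Accept a dotted-quad IPv4 address with an optional /1-/32 prefix.
# Rejects everything else (IPv6, hostnames, stray text from a broken or
# hijacked feed), octets with leading zeros (ambiguous octal/decimal), and
# /0, which would blackhole all egress. Checking here rather than letting
# ipset choke means a bad feed aborts with a clear message before the live
# set is touched, and that the entry is safe to embed in an ipset restore
# script (no spaces or newlines can survive the regex).
# Arguments: $1 - candidate entry, already trimmed
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_ipv4_cidr() {
  local entry=$1 octet
  local re='^(0|[1-9][0-9]{0,2})\.(0|[1-9][0-9]{0,2})\.(0|[1-9][0-9]{0,2})\.(0|[1-9][0-9]{0,2})(/([1-9]|[12][0-9]|3[0-2]))?$'
  [[ "$entry" =~ $re ]] || return 1
  for octet in "${BASH_REMATCH[@]:1:4}"; do
    (( octet <= 255 )) || return 1
  done
  return 0
}

main() {
  # ipset limits set names to 31 characters and the scratch name adds "-tmp";
  # catch that here instead of failing at the create with an obscure error.
  (( ${#IPSET_TMP} <= 31 )) \
    || die "ipset name '${IPSET_NAME}' too long once suffixed as '${IPSET_TMP}'"

  local zone_dir
  zone_dir=$(dirname -- "$ZONE_FILE")
  mkdir -p -- "$zone_dir"

  # Download next to the real file so the final mv is a rename, and a failed or
  # truncated fetch can never clobber the last known-good list.
  zone_tmp=$(mktemp -- "${zone_dir}/.$(basename -- "$ZONE_FILE").XXXXXX") \
    || die "cannot create scratch file in ${zone_dir}"
  # NOTE(review): this list drives a DROP rule, so whoever controls the feed
  # controls what this host can reach; consider curl --proto '=https' (and
  # pinning/mirroring the feed) if geoblock_zone_url is not already https-only.
  # --max-time keeps a stalled fetch from hanging a periodic run indefinitely.
  curl -fsSL --max-time 300 -o "$zone_tmp" "$ZONE_URL" \
    || die "download of ${ZONE_URL} failed"

  # Validate every entry before touching ipset. The '|| [[ -n ... ]]' keeps a
  # last line without a trailing newline from being dropped.
  local -a nets=()
  local line entry
  while IFS= read -r line || [[ -n "$line" ]]; do
    # Strip a trailing '#' comment, a DOS CR, then surrounding whitespace.
    entry=${line%%#*}
    entry=${entry//$'\r'/}
    entry=${entry#"${entry%%[![:space:]]*}"}
    entry=${entry%"${entry##*[![:space:]]}"}
    [[ -z "$entry" ]] && continue
    valid_ipv4_cidr "$entry" || die "rejecting zone list: bad entry '${line}'"
    nets+=("$entry")
  done < "$zone_tmp"

  # An empty list would swap in an empty set and silently lift the block;
  # treat it as a broken feed and keep what is live.
  (( ${#nets[@]} > 0 )) \
    || die "zone list from ${ZONE_URL} has no entries; keeping current set"

  # Build the scratch set in one ipset invocation (one fork per entry is slow
  # for country-sized lists), then swap it in so the live set is never empty
  # or half-filled while OUTPUT is being matched against it. The scratch set
  # may be left over from an earlier aborted run, hence -exist plus flush.
  ipset create "$IPSET_TMP" hash:net -exist
  tmp_set_created=1
  ipset flush "$IPSET_TMP"
  for entry in "${nets[@]}"; do
    printf 'add %s %s\n' "$IPSET_TMP" "$entry"
  done | ipset -exist restore
  ipset create "$IPSET_NAME" hash:net -exist
  ipset swap "$IPSET_TMP" "$IPSET_NAME"
  # After the swap the scratch set holds the previous contents; the EXIT trap
  # destroys it.

  # Only now is the download known-good: make it the kept copy. mktemp creates
  # the file 0600; keep the list readable as a plain curl -o would have.
  chmod 0644 -- "$zone_tmp"
  mv -f -- "$zone_tmp" "$ZONE_FILE"
  zone_tmp=""

  # -A appends, so this DROP lands after any existing OUTPUT rules; an earlier
  # ACCEPT in that chain still wins. Move it in the firewall policy if the
  # block must take precedence.
  if ! iptables -C OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP 2>/dev/null; then
    iptables -A OUTPUT -m set --match-set "$IPSET_NAME" dst -j DROP
  fi
  printf 'geoblock: %s now holds %d networks\n' "$IPSET_NAME" "${#nets[@]}"
}

main "$@"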