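#!/bin/bash
#
# Provision a single-interface WireGuard server (wg0) on a Debian/Ubuntu host.
#
# Usage: setup-wireguard.sh IP [Port]
#   IP    - IPv4 address assigned to wg0 (written as IP/24)
#   Port  - UDP listen port (default 9271)
#
# What it does:
#   1. installs the wireguard package,
#   2. generates a fresh key pair and writes /etc/wireguard/wg0.conf (mode 600)
#      and /etc/wireguard/wg0.pubkey,
#   3. if /etc/nftables.firewall exists, appends an accept rule for the
#      WireGuard UDP port and reloads the ruleset,
#   4. starts wg-quick@wg0 and optionally enables it at boot.
#
# Requires sudo. Do not run with `set -x`: the private key passes through a
# shell variable and would be echoed to the terminal.
set -euo pipefail

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

usage() {
  printf 'Usage: %s IP [Port]\n' "${0##*/}" >&2
  exit 1
}

if [[ $# -lt 1 || $# -gt 2 ]]; then
  usage
fi

wireguard_ip="$1"
# `${2:-…}` rather than testing "$2": under `set -u` an unset $2 aborts the
# script, so the default port was unreachable in the original form.
wireguard_port="${2:-9271}"

# Minimal sanity checks before anything is written to /etc.
if [[ ! "$wireguard_ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  die "IP must be an IPv4 dotted-quad address, got '$wireguard_ip'"
fi
if [[ ! "$wireguard_port" =~ ^[0-9]+$ ]] || (( wireguard_port < 1 || wireguard_port > 65535 )); then
  die "Port must be an integer in 1..65535, got '$wireguard_port'"
fi

readonly wg_dir=/etc/wireguard
readonly wg_conf="$wg_dir/wg0.conf"
readonly wg_pubkey_file="$wg_dir/wg0.pubkey"
readonly firewall_cfg=/etc/nftables.firewall

sudo apt-get update
sudo apt-get install -y wireguard

# Refuse to clobber an existing interface config: overwriting it silently
# rotates the server's private key and breaks every already-configured peer.
# `sudo test` because $wg_dir is normally root-only (0700).
if sudo test -e "$wg_conf"; then
  die "$wg_conf already exists; remove it first if you really want a new key pair"
fi

echo "Configuring wireguard ..."

# Keys are held in shell variables (builtins only, never argv), so they do not
# show up in `ps`; `wg pubkey` derives the public half from the private one.
private_key=$(wg genkey)
public_key=$(wg pubkey <<<"$private_key")

# umask 077 so the config file containing the private key is created 0600.
# The whole file is written in one go instead of several appends.
(
  umask 077
  printf '[Interface]\nPrivateKey = %s\nListenPort = %s\nSaveConfig = true\nAddress = %s/24\n' \
    "$private_key" "$wireguard_port" "$wireguard_ip" \
    | sudo tee "$wg_conf" >/dev/null
)
printf '%s\n' "$public_key" | sudo tee "$wg_pubkey_file" >/dev/null
unset private_key

if [[ -e "$firewall_cfg" ]]; then
  echo "detected firewall config: nftables.firewall"
  echo "opening port $wireguard_port on firewall ..."
  # WireGuard speaks UDP; the rule must use the configured port, not a
  # hard-coded one, and the protocol must be udp or the tunnel never comes up.
  rule="udp dport ${wireguard_port} accept"
  if sudo grep -qF -- "$rule" "$firewall_cfg"; then
    echo "rule already present: $rule"
  else
    # NOTE(review): the original rewrote the file into the current directory
    # (/etc/wireguard/nftables.firewall) instead of $firewall_cfg; assumed to be
    # a mistake — the rule is now appended to $firewall_cfg in place. Confirm
    # against this host's nftables layout.
    # Make sure the file ends with a newline before appending.
    if [[ -n "$(sudo tail -c1 "$firewall_cfg")" ]]; then
      printf '\n' | sudo tee -a "$firewall_cfg" >/dev/null
    fi
    printf '%s\n' "$rule" | sudo tee -a "$firewall_cfg" >/dev/null
  fi
  # The site convention here is an executable /etc/nftables.conf (nft -f
  # shebang) that loads the fragment; running it reloads the ruleset.
  sudo /etc/nftables.conf
else
  echo "No firewall detected."
  echo "If you are using a firewall, make sure port $wireguard_port is open."
fi

echo "Starting wireguard ..."
sudo systemctl start wg-quick@wg0

# Prompt inside the loop: the original read once outside it and, because the
# selector was the literal word `tmp`, looped forever on "unrecognized input".
while true; do
  read -rp "Enable wireguard to automatically start on boot? [Y/n] " answer
  case "$answer" in
    ''|y|Y|yes|Yes)
      sudo systemctl enable wg-quick@wg0
      echo "Wireguard will now automatically start on boot."
      echo "To disable, run 'sudo systemctl disable wg-quick@wg0'"
      break
      ;;
    n|N|no|No)
      echo "Wireguard will not start on boot."
      echo "To enable auto-start, run 'sudo systemctl enable wg-quick@wg0'"
      break
      ;;
    *)
      echo "error: unrecognized input" >&2
      ;;
  esac
done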