#!/usr/bin/env bash

# DESCRIPTION:
#   creating or deleting client config for wireguard
#   and
#   sending config and info to email
#
# DEPENDENCIES:
#   - privileged rights
#   - wireguard
#   - qrencode
#   - grepcidr
#   - Python 3
#   - existing /usr/local/bin/sendmail.py
#
# PARAMETERS:
#   1: "add|del" - add or delete client config
#   2: username - client username
#   3: address - client ip address
#   -f|--force - service will restart after username add|del
#
# FUNCTIONS:
#

#######################################
# Print message and add to log.
# Globals:
#   logs
# Arguments:
#   1: message to print and logging
#######################################
addtologs() {
  echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}"
}

#######################################
# Exit procedure.
# Globals:
#   show
# Arguments:
#   None
#######################################
execquite() {
  addtologs "execution time is $(($(date +%s)-time)) seconds, exit"
  exit
}

#######################################
# Error exit procedure
# Globals:
#   None
# Arguments:
#   1: message to print and logging
#######################################
execerror() {
  addtologs "error: $1"
  execquite
}

#######################################
# Checking user rights.
# Globals:
#   None
# Arguments:
#   None
# return:
#   0 - if privileged rights, 1 - if not privileged rights
#######################################
checkroot() {
  if [ "${EUID}" -ne 0 ]; then
    return 1 # false
  else
    return 0 # true
  fi
}

#######################################
# Send email notification about client connect
# Globals:
#   clientname
#   faqprofile
# Arguments:
#   None
#######################################
startsendmail() {
  subj="[WG Settings] $(cat /etc/hostname): ${clientname} client profile"
  (
    python3 /usr/local/bin/sendmail.py \
    -u "$(grep "from=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    -p "$(grep "pass=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    -d "$(grep "dest=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    --smtp "$(grep "smtp=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    --port "$(grep "port=" /usr/local/bin/sendmail.config | cut -d= -f2)" \
    --stls "True" \
    --subj "${subj}" \
    --text "${faqprofile}" \
    --file "/etc/wireguard/${clientname}.png,/etc/wireguard/${clientname}.conf" \
    >> /dev/null 2>&1 &
  )
  addtologs "sent mail with subject '${subj}'"
}

#######################################
# Create wireguard client certificates
# Globals:
#   clientname
#   clientaddr
#   servercfgname
# Arguments:
#   None
#######################################
createcert() {
  wg genkey | tee "/etc/wireguard/pki/${clientname}-private.key" | wg pubkey > "/etc/wireguard/pki/${clientname}-public.key"
  clientpublkey=$(cat "/etc/wireguard/pki/${clientname}-public.key")
  clientprivkey=$(cat "/etc/wireguard/pki/${clientname}-private.key")
  wg set wg0 peer "${clientpublkey}" allowed-ips "${clientaddr}/32"
  {
    echo -e "[Peer]"
    echo -e "  PublicKey = ${clientpublkey}"
    echo -e "  AllowedIPs = ${clientaddr}/32"
  } >> ${servercfgname}
  ip -4 route add "${clientaddr}/32" dev wg0
}

#######################################
# Create wireguard client configuration
# Globals:
#   clientname
#   clientaddr
#   clientconfdef
#   clientprivkey
#   serverpublkey
# Arguments:
#   None
#######################################
createconf() {
  clientconf=$(cat "${clientconfdef}")
  clientconf=${clientconf//clientaddr/${clientaddr}}
  clientconf=${clientconf//clientprivkey/${clientprivkey}}
  clientconf=${clientconf//serverpublkey/${serverpublkey}}
  clientconf=${clientconf//clientaddrs/${clientaddr}}
  printf "%s\n" "${clientconf}" > "/etc/wireguard/${clientname}.conf"
}

#######################################
# Create wireguard client info, qr-code
# Globals:
#   clientname
# Arguments:
#   None
#######################################
createinfo() {
faqprofile=$(cat <<END
WireGuard client:
https://www.wireguard.com/install/
END
)
  qrencode -o "/etc/wireguard/${clientname}.png" -t png -s 6 < "/etc/wireguard/${clientname}.conf"
}

#######################################
# Delete wireguard client certificates
# Globals:
#   clientname
#   clientpublkey
#   servercfgname
# Arguments:
#   None
#######################################
deletecert() {
  clientpublkey=$(cat "/etc/wireguard/pki/${clientname}-public.key")
  clientprivkey=$(cat "/etc/wireguard/pki/${clientname}-private.key")
  wg set wg0 peer "${clientpublkey}" remove
  rm -f "/etc/wireguard/pki/${clientname}-public.key"
  rm -f "/etc/wireguard/pki/${clientname}-private.key"
  s2=$(grep -n "${clientpublkey}" ${servercfgname} | cut -d":" -f1)
  s1=$(( s2 - 1 ))
  s3=$(( s2 + 1 ))
  sed -i "${s1}d;${s2}d;${s3}d" ${servercfgname}
  ip -4 route del "${clientaddr}/32" dev wg0
}

#######################################
# Delete wireguard client configuration
# Globals:
#   clientname
# Arguments:
#   None
#######################################
deleteconf() {
  rm -f "/etc/wireguard/${clientname}.conf"
}

#######################################
# Delete wireguard client qr-code
# Globals:
#   clientname
# Arguments:
#   None
#######################################
deleteinfo() {
  rm -f "/etc/wireguard/${clientname}.png"
}

#
# VARIABLES:
#

clienttodo=$1
clientname=$2
clientaddr=$3

resetforce=0
for argument in "${@}"; do
  case $argument in
  -f | --force )
    resetforce=1
    ;;
  -* )
    ;;
  esac
done

time=$(date +%s)
logs=/dev/null

if ! command -v qrencode &> /dev/null || \
  ! command -v /usr/local/bin/sendmail.py &> /dev/null || \
  ! command -v python3 &> /dev/null; then
  execerror "Not found dependencies"
fi

#
# MAIN:
#

if checkroot; then
  serverpublkey=$(cat /etc/wireguard/pki/server-public.key)
  servercfgname="/etc/wireguard/wg0.conf"
  clientpublkey=''
  clientprivkey=''
  clientconfdef="/etc/wireguard/client.conf.default"
  logs=/var/log/wireguard/$(basename -s .sh "$0").log

  if [ "${clienttodo}" == "add" ] && \
     [ -n "${clientname}" ] && \
     grepcidr "0.0.0.0/0" <(echo "${clientaddr}") >/dev/null; then
    if [ -f "/etc/wireguard/${clientname}.conf" ] || \
      grep -q -w "${clientaddr}/32" ${servercfgname}; then
      execerror "wireguard config exist or address used, exit"
    else
      createcert && addtologs "created certificate for ${clientname}"
      createconf && addtologs "created wg config file for ${clientname}"
      createinfo && addtologs "created info file for ${clientname}"
      startsendmail
    fi
    if [ "${resetforce}" -eq 1 ];then
      addtologs "restarting wg-quick@wg0..."
      systemctl restart wg-quick@wg0
    fi
  elif [ "${clienttodo}" == "del" ] && \
     [ -n "${clientname}" ] && \
     grepcidr "0.0.0.0/0" <(echo "${clientaddr}") >/dev/null; then
    if [ -f "/etc/wireguard/${clientname}.conf" ]; then
      deleteconf && addtologs "deleted wg config file for ${clientname}"
    fi
    if [ -f "/etc/wireguard/${clientname}.png" ]; then
      deleteinfo && addtologs "deleted info file for ${clientname}"
    fi
    if grep -q -w "${clientaddr}/32" ${servercfgname}; then
      deletecert && addtologs "deleted certificate for ${clientname}"
    fi
    if [ "${resetforce}" -eq 1 ];then
      addtologs "restarting wg-quick@wg0..."
      systemctl restart wg-quick@wg0
    fi
  else
    printf "%s\n" "Usage example: $0 'add' 'username(surname)' 'address(ww.xx.yy.zz) -f'"
    printf "%s\n" "Usage example: $0 'del' 'username(surname)' 'address(ww.xx.yy.zz)'"
  fi
else
  execerror "Restart this as root!"
fi
execquite