#!/usr/bin/env bash
## script to generate client wireguard configs as qr codes
# requires package `qrencode` from the repos

# does not handle cases such as multiple wireguard interfaces; modify as needed

# exit if a command fails
set -o errexit

# exit if required variables are not set
set -o nounset

# return the exit status of the final command before a failure
set -o pipefail

# check for dependencies
script_commands="drill iptables qrencode sudo wg"
missing_counter=0
for needed_command in ${script_commands}; do
  if ! hash "${needed_command}" >/dev/null 2>&1; then
    printf "Command not found in PATH: %s\n" "${needed_command}" >&2
    ((missing_counter++))
  fi
done
if ((missing_counter > 0)); then
  printf "Minimum %d commands are missing in PATH, aborting.\n" "${missing_counter}" >&2
  exit 1
fi

# make sure the correct number of arguments are passed; if not, output syntax and exit
if [ "$#" -ne 3 ]; then
  echo -e "\nUsage: $0 <access|site> <client name> <last octet of ip address>\n"
  exit 1
fi

# set the private subnets to be used (please change these to fit your needs)
subnet_v4="10.25.0"
mask_v4="24"

# set wireguard server public ip address (using drill to make chef happy, despite lacking the +short argument)
server="$(drill -4 myip.opendns.com @resolver1.opendns.com | awk '{if(NF > 0 && substr($1,1,1) != ";") print $NF }')"

# set server port
port="$(sudo wg | grep "listening port" | awk '{print $3}')"

# set wireguard tunnel interface name
interface="wg0"

# set peer name in uci config
peer_name="wgpeer"

# determine the routes to add
if [ "$1" = "access" ]; then
  route_v4="0.0.0.0/0"
elif [ "$1" = "site" ]; then
  route_v4="${subnet_v4}.0/${mask_v4}"
else
  echo "Connection type must be either access or site."
  exit 1
fi

# assign arguments to variables
client="$2"
ip_addr="$3"

# set imagebuilder directory
cert_dir="${HOME}/wireguard/${client}"

# set logfile location
log_file="${cert_dir}/certgen.log"

# delete any old builds if they exist
if [ -d "${cert_dir}" ]; then
  echo -e "\nRemoving old wireguard keys..." >> "${log_file}" 2>&1
  rm -rf "${cert_dir}"
fi

# create base directory for account
mkdir -p "${cert_dir}"

# display log location
echo -e "\nLogging all output to ${log_file}\n"

# prepend timestamp to logfile
echo -e "\nCertificate generation began at $(date +%Y/%m/%d-%H:%M)." >> "${log_file}" 2>&1

# wrap the script into a function for logging purposes
{

# generate public and private keys for the client
umask 077
wg genkey | tee "${cert_dir}"/privatekey | wg pubkey > "${cert_dir}"/publickey

# generate preshared key for the client
preshared_key="$(wg genpsk)"

# set variables for keys
client_public_key="$(cat "${cert_dir}"/publickey)"
client_private_key="$(cat "${cert_dir}"/privatekey)"
server_public_key="$(cat /etc/wireguard/publickey)"

# add peer to wireguard server configuration
echo -e "\n### Begin server config ###"
cat <<EOL | tee "${cert_dir}"/peer.conf
[Peer]
PublicKey = ${client_public_key}
PresharedKey = ${preshared_key}
AllowedIPs = ${subnet_v4}.${ip_addr}/32
EOL
echo -e "### End server config ###\n"

# generate client configuration
echo -e "\n### Begin client config ###"
cat <<EOL | tee "${cert_dir}"/client.conf
[Interface]
PrivateKey = ${client_private_key}
Address = ${subnet_v4}.${ip_addr}/${mask_v4}
DNS = ${subnet_v4}.1

[Peer]
PublicKey = ${server_public_key}
PresharedKey = ${preshared_key}
Endpoint = ${server}:${port}
AllowedIPs = ${route_v4}
PersistentKeepalive = 25
EOL
echo -e "### End client config ###\n"

# generate openwrt flat file configuration
echo -e "\n### Begin OpenWRT /etc/config/network ###"
cat <<EOL | tee "${cert_dir}"/openwrt-file.conf
config interface '${interface}'
option proto 'wireguard'
option private_key '${client_private_key}'
list addresses '${subnet_v4}.${ip_addr}/${mask_v4}'

config wireguard_${interface}
option public_key '${server_public_key}'
option preshared_key '${preshared_key}'
option persistent_keepalive '25'
option endpoint_port '${port}'
option endpoint_host '${server}'
option route_allowed_ips '1'
list allowed_ips '${route_v4}'
EOL
echo -e "### End OpenWRT /etc/config/network ###\n"

# generate openwrt uci configuration
echo -e "\n### Begin OpenWRT UCI commands ###"
cat <<EOL | tee "${cert_dir}"/openwrt-uci.conf
uci set network.${interface}=interface
uci set network.${interface}.proto='wireguard'
uci set network.${interface}.private_key='${client_private_key}'
uci add_list network.${interface}.addresses='${subnet_v4}.${ip_addr}/${mask_v4}'
sectionname="\$(uci add network wireguard_${interface})"
uci rename network.\$sectionname=${peer_name}
uci commit network
uci set network.${peer_name}=wireguard_${interface}
uci set network.${peer_name}.public_key='${server_public_key}'
uci set network.${peer_name}.persistent_keepalive='25'
uci set network.${peer_name}.endpoint_port='${port}'
uci set network.${peer_name}.endpoint_host='${server}'
uci set network.${peer_name}.preshared_key='${preshared_key}'
uci set network.${peer_name}.route_allowed_ips='1'
uci add_list network.${peer_name}.allowed_ips='${route_v4}'
uci commit network
/etc/init.d/network restart
EOL
echo -e "### End OpenWRT UCI commands ###\n"

# generate edgeos configuration
echo -e "\n### Begin EdgeOS commands ###"
cat <<EOL | tee "${cert_dir}"/edgeos.conf
set interfaces wireguard wg0 address '${subnet_v4}.${ip_addr}/${mask_v4}'
set interfaces wireguard wg0 description WIREGUARD
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 mtu 1420
set interfaces wireguard wg0 peer '${server_public_key}' allowed-ips '${route_v4}'
set interfaces wireguard wg0 peer '${server_public_key}' description "$client"
set interfaces wireguard wg0 peer '${server_public_key}' endpoint '${server}:${port}'
set interfaces wireguard wg0 peer '${server_public_key}' persistent-keepalive '25'
set interfaces wireguard wg0 peer '${server_public_key}' preshared-key '${preshared_key}'
set interfaces wireguard wg0 private-key '${client_private_key}'
set interfaces wireguard wg0 route-allowed-ips true
EOL
echo -e "### End EdgeOS commands ###\n\n"

# generate mikrotik routeros configuration
echo -e "\n### Begin RouterOS commands ###"
cat <<EOL | tee "${cert_dir}"/routeros.conf
/interface wireguard add mtu=1420 name=wg0 private-key="${client_private_key}"
/ip address add address=${subnet_v4}.${ip_addr}/${mask_v4} interface=wg0 network=${subnet_v4}.0
/interface wireguard peers add allowed-address=${route_v4} endpoint-address=${server} endpoint-port=${port} interface=wg0 persistent-keepalive=25 preshared-key="${preshared_key}" public-key="${server_public_key}"
EOL
echo -e "### End RouterOS commands ###\n\n"

# generate nixos confirguration
echo -e "\n### Begin NixOS commands ###"
cat <<EOL | tee "${cert_dir}"/nixos-client.conf
    # Wireguard tunnel
    wireguard.interfaces = {
      wg0 = {
        ips = [ "${subnet_v4}.${ip_addr}/${mask_v4}" ];
        listenPort = 51820;
        privateKeyFile = "/etc/nixos/wireguard.key";

        peers = [
          {
            publicKey = "${server_public_key}";
            presharedKey = "${preshared_key}";
            allowedIPs = [ "${route_v4}" ];
            endpoint = "${server}:${port}";
            persistentKeepalive = 25;
          }
        ];
      };
    };
EOL
echo "${client_private_key}" > "${cert_dir}"/wireguard.key
cat <<EOL | tee "${cert_dir}"/nixos-server.conf
          {
            publicKey = "${client_public_key}";
            presharedKey = "${preshared_key}";
            allowedIPs = [ "${subnet_v4}.${ip_addr}/32" ];
          }
EOL
echo -e "### End NixOS commands ###\n\n"

# generate qr encoding of client configuration
qrencode -t ansiutf8 < "${cert_dir}"/client.conf | tee "${cert_dir}"/qrcode.conf

# end function
} 2>&1 | tee -a "${log_file}" >/dev/null

# append timestamp to logfile
echo -e "\nFinished generating Wireguard certs.\n\nCertificate generation finished at $(date +%Y/%m/%d-%H:%M).\n" >> "${log_file}"

# display client config as qr code
echo -e "\n$(cat "${cert_dir}"/qrcode.conf)\n"