#!/bin/sh
# Configure local WireGuard interface to peer with the VMs.
#
# Expects /etc/wireguard/private.key and /etc/wireguard/public.key to exist.
# Generate with:
#   sudo sh -c 'wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'
set -eu

SSH_USER=debian
SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
PROXY_HOST=10.10.0.2
IDP_HOST=10.10.0.3

WG_IFACE=wg-dev
LOCAL_WG_IP=10.0.0.3/24
WG_PORT=51820

# Get the VM public keys (runs as calling user, not root)
# shellcheck disable=SC2086
PROXY_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${PROXY_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null)
# shellcheck disable=SC2086
IDP_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${IDP_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null)

if [ -z "$PROXY_PUBKEY" ] || [ -z "$IDP_PUBKEY" ]; then
    echo "Failed to retrieve VM WireGuard public keys." >&2
    echo "Has the wireguard role been deployed?" >&2
    exit 1
fi

sudo tee /etc/wireguard/${WG_IFACE}.conf > /dev/null <<EOF
[Interface]
Address = ${LOCAL_WG_IP}
PrivateKey = $(sudo cat /etc/wireguard/private.key)

[Peer]
# vm-proxy
PublicKey = ${PROXY_PUBKEY}
Endpoint = ${PROXY_HOST}:${WG_PORT}
AllowedIPs = 10.0.0.1/32

[Peer]
# vm-idp
PublicKey = ${IDP_PUBKEY}
Endpoint = ${IDP_HOST}:${WG_PORT}
AllowedIPs = 10.0.0.2/32
EOF

sudo wg-quick down ${WG_IFACE} 2>/dev/null || true
sudo wg-quick up ${WG_IFACE}

echo "==> WireGuard ${WG_IFACE} up (${LOCAL_WG_IP})"