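#!/bin/bash
#
# Install WireGuard on a Debian/Ubuntu host, generate the server key pair
# (only once), write /etc/wireguard/<iface>.conf with a single peer, enable
# IPv4 forwarding and bring the interface up.
#
# Usage: edit the CONFIGURATION block (at least WG_PEER_PUBLIC_KEY), then run
#        the script as a user with sudo rights.
# Re-running is safe: an existing private key is kept, /etc/sysctl.conf is
# not appended twice, and an already-running interface is restarted so the
# rewritten config takes effect.
#
# Do not run with `bash -x`: the server private key passes through a shell
# variable and would be echoed into the trace.

set -euo pipefail

# Print a message on stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# === CONFIGURATION ===
WG_INTERFACE="wg0"
WG_ADDRESS="10.0.0.1/32"
# NOTE: 123/udp is the well-known NTP port; make sure nothing else on this
# host binds it, or pick another port.
WG_LISTEN_PORT="123"
WG_PRIVATE_KEY_PATH="/etc/wireguard/privatekey"
WG_PUBLIC_KEY_PATH="/etc/wireguard/publickey"
WG_CONF_PATH="/etc/wireguard/${WG_INTERFACE}.conf"
WG_PEER_PUBLIC_KEY="YOUR_CLIENT_PUBLIC_KEY_HERE"

# IMPORTANT: Add all IP subnets that exist on the client-side LANs.
# AllowedIPs is WireGuard's cryptokey routing table: only packets with a
# source address in this list are accepted from the peer, and only traffic
# to these destinations is sent into the tunnel.
WG_ALLOWED_IPS="136.145.187.0/24, 10.0.0.2/32, 192.168.0.0/24"
WG_KEEPALIVE=25

# === SANITY CHECKS ===
# Fail before any package is installed or file written if the configuration
# is still the template. A WireGuard public key is 32 bytes of base64:
# 43 characters followed by a single '='.
if [[ "$WG_PEER_PUBLIC_KEY" == "YOUR_CLIENT_PUBLIC_KEY_HERE" ]]; then
  die "set WG_PEER_PUBLIC_KEY to the client's public key before running"
fi
if ! [[ "$WG_PEER_PUBLIC_KEY" =~ ^[A-Za-z0-9+/]{43}=$ ]]; then
  die "WG_PEER_PUBLIC_KEY does not look like a WireGuard public key"
fi
if ! [[ "$WG_LISTEN_PORT" =~ ^[0-9]+$ ]] || (( WG_LISTEN_PORT < 1 || WG_LISTEN_PORT > 65535 )); then
  die "WG_LISTEN_PORT must be a port number between 1 and 65535"
fi

# Every file this script creates (keys, config) is owner-only. sudo keeps
# the more restrictive of its own and the caller's umask, so this applies to
# the tee calls below as well.
umask 077

# === INSTALL WIREGUARD ===
echo " Installing WireGuard..."
sudo apt-get update
sudo apt-get install -y wireguard

# === GENERATE SERVER KEYS ===
echo "Generating WireGuard server keys..."
sudo mkdir -p /etc/wireguard
sudo chmod 700 /etc/wireguard

# /etc/wireguard is mode 700 and owned by root, so an unprivileged caller
# cannot stat files inside it: a plain `[ -f ... ]` is always false there and
# would silently regenerate (overwrite) the key on every run, breaking every
# client that already has the old public key. Test as root instead.
if ! sudo test -f "$WG_PRIVATE_KEY_PATH"; then
  # The private key goes straight from wg genkey into the root-owned file;
  # only the derived public key continues down the pipeline.
  wg genkey | sudo tee "$WG_PRIVATE_KEY_PATH" | wg pubkey | sudo tee "$WG_PUBLIC_KEY_PATH" > /dev/null
else
  echo " Private key already exists. Skipping key generation."
fi

PRIVATE_KEY=$(sudo cat "$WG_PRIVATE_KEY_PATH")

# === WRITE CONFIG ===
echo " Writing server config to $WG_CONF_PATH..."
# The config must contain the private key in clear; it is written with
# mode 600 (umask above) and chmod'ed again in case the file pre-existed.
sudo tee "$WG_CONF_PATH" > /dev/null <<EOF
[Interface]
PrivateKey = ${PRIVATE_KEY}
Address = ${WG_ADDRESS}
ListenPort = ${WG_LISTEN_PORT}

[Peer]
PublicKey = ${WG_PEER_PUBLIC_KEY}
AllowedIPs = ${WG_ALLOWED_IPS}
PersistentKeepalive = ${WG_KEEPALIVE}
EOF

sudo chmod 600 "$WG_CONF_PATH"

# === ENABLE IP FORWARDING ===
echo "Enabling IP forwarding..."
sudo sysctl -w net.ipv4.ip_forward=1
# Persist across reboots, but only append once so repeated runs do not pile
# up duplicate lines (-x matches the whole line, so a commented-out entry
# does not count as present).
if ! grep -qxF 'net.ipv4.ip_forward=1' /etc/sysctl.conf 2>/dev/null; then
  echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf > /dev/null
fi

# === START WIREGUARD SERVER ===
echo "Starting WireGuard interface ${WG_INTERFACE}..."
# `wg-quick up` fails if the interface already exists; bring it down first so
# the config written above is the one that gets applied.
if sudo wg show "${WG_INTERFACE}" > /dev/null 2>&1; then
  echo "Interface ${WG_INTERFACE} is already up; restarting it to apply the new config..."
  sudo wg-quick down "${WG_INTERFACE}"
fi
sudo wg-quick up "${WG_INTERFACE}"

echo "WireGuard server is now running and listening on port ${WG_LISTEN_PORT}."
# The client needs the server's public key; print it so the operator does
# not have to dig it out of a root-only directory.
echo "Server public key (configure this on the client): $(sudo cat "$WG_PUBLIC_KEY_PATH")"
echo "IMPORTANT: Make sure AllowedIPs includes all subnets from the client's local networks!"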