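#!/usr/bin/env bash
# Provision a WireGuard server interface (wg0) on this host.
#
# Generates a server key pair under /etc/wireguard when none exists, writes
# /etc/wireguard/wg0.conf, then enables and starts wg-quick@wg0. The public
# key is printed and copied to $OUTPUT_DIR/wireguard_publickey.txt.
#
# Environment (all optional):
#   WG_PORT     UDP listen port                 (default 51820)
#   WG_CIDR     interface address with prefix   (default 10.200.0.1/24)
#   OUTPUT_DIR  directory for the public-key copy
#   BACKUP_DIR  directory handed to backup_file for the previous wg0.conf
#
# require_root, confirm_gate, need, backup_file, log_info and log_warn are
# defined in _common.sh, which is not part of this listing.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
# shellcheck source=/dev/null
source "$SCRIPT_DIR/_common.sh"

: "${WG_PORT:=51820}"
: "${WG_CIDR:=10.200.0.1/24}"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
: "${BACKUP_DIR:=$OUTPUT_DIR/backups}"

main() {
  local privkey conf_tmp

  require_root
  confirm_gate
  need wg

  # Both values are interpolated into a file that wg-quick parses as root, and
  # wg-quick configs can carry hook commands, so reject anything that could
  # smuggle an extra line into it.
  if [[ ! "$WG_PORT" =~ ^[0-9]+$ ]] || ((10#$WG_PORT < 1 || 10#$WG_PORT > 65535)); then
    printf 'WG_PORT must be an integer between 1 and 65535\n' >&2
    exit 1
  fi
  if [[ -z "$WG_CIDR" || "$WG_CIDR" == *$'\n'* || "$WG_CIDR" == *$'\r'* ]]; then
    printf 'WG_CIDR must be a single-line address/prefix\n' >&2
    exit 1
  fi

  mkdir -p "$OUTPUT_DIR" "$BACKUP_DIR"
  mkdir -p /etc/wireguard
  # Key material lives here; keep the directory itself closed to other users.
  chmod 700 /etc/wireguard
  backup_file "/etc/wireguard/wg0.conf" "$BACKUP_DIR"

  if [[ ! -f /etc/wireguard/privatekey ]]; then
    log_info "Generating WireGuard keys..."
    # Create the key files under umask 077: with the default umask the private
    # key would be readable by other users until the chmod below runs.
    (
      umask 077
      wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
    )
    chown root:root /etc/wireguard/privatekey /etc/wireguard/publickey
    chmod 600 /etc/wireguard/privatekey
    chmod 644 /etc/wireguard/publickey || true
  else
    log_warn "WireGuard privatekey exists; not overwriting."
    # An existing private key without its public half would make the final
    # read below fail; derive it again instead of regenerating the key pair.
    if [[ ! -f /etc/wireguard/publickey ]]; then
      wg pubkey < /etc/wireguard/privatekey > /etc/wireguard/publickey
      chmod 644 /etc/wireguard/publickey || true
    fi
  fi

  privkey="$(< /etc/wireguard/privatekey)"

  # Write the config to a mktemp file (created mode 0600) and rename it into
  # place, so the private key never sits in a file with wider permissions even
  # when an older wg0.conf with a looser mode already exists.
  conf_tmp="$(mktemp /etc/wireguard/wg0.conf.XXXXXX)"
  # NOTE(review): the body of this here-document was lost in the published
  # listing; it is rebuilt from the variables the script defines and the one
  # surviving line (AllowedIPs) -- confirm against the original.
  cat > "$conf_tmp" <<EOF
[Interface]
Address = $WG_CIDR
ListenPort = $WG_PORT
PrivateKey = $privkey

# Example peer (uncomment and fill in):
# [Peer]
# PublicKey = <client-public-key>
# AllowedIPs = 10.200.0.2/32
EOF
  chmod 600 "$conf_tmp"
  mv -f "$conf_tmp" /etc/wireguard/wg0.conf

  systemctl enable wg-quick@wg0
  # NOTE(review): "start" is a no-op when wg-quick@wg0 is already active, so a
  # rewritten wg0.conf is not applied until the unit is restarted.
  systemctl start wg-quick@wg0

  log_info "WireGuard started. Public key:"
  tee "$OUTPUT_DIR/wireguard_publickey.txt" < /etc/wireguard/publickey
}

main "$@"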