#!/bin/sh

: "${WIREGUARD_INTERFACE_NAME:=wg-firezone}"
# Note: we keep legacy default values for those variables to avoid breaking existing deployments,
# but they will go away in the 0.8.0 release.
: "${WIREGUARD_IPV4_ADDRESS:=10.3.2.1}"
: "${WIREGUARD_IPV4_ENABLED:=true}"
: "${WIREGUARD_IPV4_NETWORK:=10.3.2.0/24}"
: "${WIREGUARD_IPV6_ADDRESS:=fd00::3:2:1}"
: "${WIREGUARD_IPV6_ENABLED:=true}"
: "${WIREGUARD_IPV6_NETWORK:=fd00::3:2:0/120}"
: "${WIREGUARD_MTU:=1280}"

setup_interface()
{
  if ! ip link show ${WIREGUARD_INTERFACE_NAME} &> /dev/null; then
    echo "Creating WireGuard interface ${WIREGUARD_INTERFACE_NAME}"
    ip link add ${WIREGUARD_INTERFACE_NAME} type wireguard
  fi

  if [ "$WIREGUARD_IPV4_ENABLED" = "true" ]; then
    ip address replace ${WIREGUARD_IPV4_ADDRESS} dev ${WIREGUARD_INTERFACE_NAME}
  fi

  if [ "$WIREGUARD_IPV6_ENABLED" = "true" ]; then
    ip -6 address replace ${WIREGUARD_IPV6_ADDRESS} dev ${WIREGUARD_INTERFACE_NAME}
  fi

  ip link set mtu ${WIREGUARD_MTU} up dev ${WIREGUARD_INTERFACE_NAME}
}

add_routes()
{
  if [ "$WIREGUARD_IPV4_ENABLED" = "true" ]; then
    if ! ip route show dev ${WIREGUARD_INTERFACE_NAME} | grep -q "${WIREGUARD_IPV4_NETWORK}"; then
      echo "Adding route ${WIREGUARD_IPV4_NETWORK} for interface ${WIREGUARD_INTERFACE_NAME}"
      ip route add ${WIREGUARD_IPV4_NETWORK} dev ${WIREGUARD_INTERFACE_NAME}
    fi
  fi

  if [ "$WIREGUARD_IPV6_ENABLED" = "true" ]; then
    if ! ip -6 route show dev ${WIREGUARD_INTERFACE_NAME} | grep -q "${WIREGUARD_IPV6_NETWORK}"; then
      echo "Adding route ${WIREGUARD_IPV6_NETWORK} for interface ${WIREGUARD_INTERFACE_NAME}"
      ip -6 route add ${WIREGUARD_IPV6_NETWORK} dev ${WIREGUARD_INTERFACE_NAME}
    fi
  fi
}

setup_telemetry() {
  [ -f /var/firezone/.tid ] || cat /proc/sys/kernel/random/uuid > /var/firezone/.tid
  export TELEMETRY_ID=$(cat /var/firezone/.tid)
}

gen_cert() {
  openssl req \
    -x509 \
    -sha256 \
    -nodes \
    -days 365 \
    -newkey rsa:2048 \
    -keyout /var/firezone/saml.key \
    -out /var/firezone/saml.crt \
    -subj "/C=US/ST=Denial/L=Firezone/O=Dis/CN=www.example.com"
}

setup_saml() {
  ([ -f /var/firezone/saml.key ] && [ -f /var/firezone/saml.crt ]) || gen_cert
}

setup_interface
add_routes

setup_saml
setup_telemetry

cd -P -- "$(dirname -- "$0")"
