#!/bin/bash
# WireGuard Secure Installer
# Copyright (c) 2025 Muhammad Fadhila Abiyyu Faris
# GitHub: [github.com/fadhila36/wireguard-secure-installer](https://github.com/fadhila36/wireguard-secure-installer)

generate_keys() {
    if [ -f "$WG_CONFIG" ]; then
        log_warn "WireGuard config already exists. Skipping key generation to prevent overwrite."
        # Extract existing private key for context if needed, or just return
        SERVER_PRIV_KEY=$(grep "PrivateKey" "$WG_CONFIG" | cut -d ' ' -f 3)
        SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
        return
    fi

    log_info "Generating Server Keys..."
    umask 077
    SERVER_PRIV_KEY=$(wg genkey)
    SERVER_PUB_KEY=$(echo "$SERVER_PRIV_KEY" | wg pubkey)
}

generate_server_config() {
    if [ -f "$WG_CONFIG" ]; then
        log_warn "WireGuard config already exists. Skipping config generation."
        return
    fi

    log_info "Generating Server Config..."
    
    cat > "$WG_CONFIG" <<EOF
[Interface]
Address = 10.66.66.1/24,fd42:42:42::1/64
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIV_KEY
PostUp = iptables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -A FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $MAIN_NIC -j MASQUERADE
PostDown = iptables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; iptables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE; ip6tables -D FORWARD -i $SERVER_WG_NIC -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $MAIN_NIC -j MASQUERADE

EOF
    chmod 600 "$WG_CONFIG"
}

start_wireguard() {
    log_info "Starting WireGuard Service..."
    systemctl enable "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
    systemctl start "wg-quick@$SERVER_WG_NIC" >> "$LOG_FILE" 2>&1
    
    # Verify status
    if systemctl is-active --quiet "wg-quick@$SERVER_WG_NIC"; then
        log_info "WireGuard Service is RUNNING."
    else
        fatal_error "Failed to start WireGuard service."
    fi
}

create_client_config() {
    local CLIENT_NAME=$1
    local CLIENT_IP_SUFFIX=$2 # e.g., 2 for 10.66.66.2

    log_info "Creating Client: $CLIENT_NAME"

    CLIENT_PRIV_KEY=$(wg genkey)
    CLIENT_PUB_KEY=$(echo "$CLIENT_PRIV_KEY" | wg pubkey)
    CLIENT_PRESHARED_KEY=$(wg genpsk)

    # Add peer to server config
    cat >> "$WG_CONFIG" <<EOF

### Client: $CLIENT_NAME
[Peer]
PublicKey = $CLIENT_PUB_KEY
PresharedKey = $CLIENT_PRESHARED_KEY
AllowedIPs = 10.66.66.$CLIENT_IP_SUFFIX/32,fd42:42:42::$CLIENT_IP_SUFFIX/128

EOF

    # Update live interface
    wg syncconf "$SERVER_WG_NIC" <(wg-quick strip "$SERVER_WG_NIC")

    # Generate Client Config File
    mkdir -p "$INSTALL_DIR/clients"
    cat > "$INSTALL_DIR/clients/$CLIENT_NAME.conf" <<EOF
[Interface]
PrivateKey = $CLIENT_PRIV_KEY
Address = 10.66.66.$CLIENT_IP_SUFFIX/24,fd42:42:42::$CLIENT_IP_SUFFIX/64
DNS = $SERVER_DNS

[Peer]
PublicKey = $SERVER_PUB_KEY
PresharedKey = $CLIENT_PRESHARED_KEY
Endpoint = $PUBLIC_IP:$SERVER_PORT
AllowedIPs = $ALLOWED_IPS
PersistentKeepalive = 25
EOF

    log_info "Client config saved to: $INSTALL_DIR/clients/$CLIENT_NAME.conf"
    
    # Show QR Code
    echo -e "${BLUE}Scan this QR Code to connect:${NC}"
    qrencode -t ansiutf8 < "$INSTALL_DIR/clients/$CLIENT_NAME.conf"
}