#!/usr/bin/env bash
# This reads wg-quick compatible configuration files from
# /etc/wireguard/mlv-LOCATION.conf
#
# Since they are autogenerated by nix and therefore world-readable, they do not
# include secrets like the private key and client address. Instead, they are
# manually added after wg-quick set up the tunnel by retrieving them with
# pass(1) from web/mullvad.net/wireguard.
#
# Format of pass entry:
#     PrivateKey: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
#     Address4: 10.0.0.1/32
#     Address6: fd00::1/128
set -euo pipefail

if (( $# < 1 )); then
	echo "USAGE: $0 LOCATION|off" >&2
	exit 1
fi

INTERFACE="mlv-$1"

cmd() {
	echo "[#] $*" >&2
	sudo "$@"
}

for interface in /sys/class/net/*; do
	interface="${interface#/sys/class/net/}"
	[[ $interface =~ ^mlv-(v6-)?[a-z]{2}(-[a-z]{3}-)?[0-9]*$ ]] && cmd wg-quick down "$interface"
done

if [ "$1" != "off" ]; then
	# Make sure gpg-agent is unlocked so the period where the interface exists but
	# no private key is set is minised.
	pass web/mullvad.net/wireguard >/dev/null

	cmd wg-quick up "$INTERFACE"
	pass web/mullvad.net/wireguard | while read -r line; do
		key="${line%%: *}"
		value="${line#*: }"
		case "$key" in
			PrivateKey)
				cmd wg set "$INTERFACE" private-key /dev/stdin <<< "$value"
				continue
				;;
			Address4)
				cmd ip -4 address add "$value" dev "$INTERFACE"
				continue
				;;
			Address6)
				cmd ip -6 address add "$value" dev "$INTERFACE"
				continue
				;;
			*)
				echo "Invalid key '$key'"
				exit 1
		esac
	done
fi