### START-WIREGUARD

# This OpenWrt (LEDE) /etc/rc.local script sets up the WireGuard profile
# "uncle-task" from the "streisand-demo-site" Streisand server.

# Note that this script will replace the router's Internet access;
# only run it when you're connected to the LAN/WiFi connection.

# Open the LuCI web admin interface to the "System:Startup" page.
# Paste this whole file into the "Local Startup" box. During the next
# reboot, the script will run, and erase itself. It will leave a
# success/failure message in the "Local Startup" box.

# If you're using the web admin UI, you need the "luci-app-wireguard"
# and "luci-proto-wireguard" packages installed.

# LuCI instructions end here.

############

# If you aren't using LuCI, you need the "kmod-wireguard" and
# "wireguard-tools" packages. You may need to reboot after running
# this script (just restarting /etc/init.d/network may not be enough.)

# Commenting out the next line will stop this script from messing
# around with /etc/rc.local.

trap self_cleanup 0

# Instructions end here.

################################################################

# Make errors fatal.
set -e

wireguard_completed="# Wireguard setup did not complete."

self_cleanup () {
    sed -i.bak -e '/^### START-WIREGUARD/,/^### END-WIREGUARD/ d' \
               -e "\$ a $wireguard_completed" \
        /etc/rc.local
}

. /lib/functions.sh

# This should be rewritten in terms of /lib/functions.sh callbacks.
move_to_firewall_zone () {
    ifname="$1"
    fwzone="$2"
    for i in $(seq 0 20); do
	# No more zones?
	name=$(uci get "firewall.@zone[$i].name" 2>/dev/null) || return
	networks=$(uci get "firewall.@zone[$i].network")
	if list_contains networks "$ifname"; then
	    # Shell programmer wanted.
	    networks=$(echo "$networks" | sed "s/ *\\b${ifname}\\b *//")
	fi
	if [ "$name" = "$fwzone" ]; then
	    append networks "$ifname"
	fi
	uci set "firewall.@zone[$i].network=$networks"
    done
}

ifname="uncle_task"

if ! uci get "network.$ifname" >/dev/null 2>&1; then
    # Clean out any old peers
    uci delete "network.@wireguard_$ifname[0]" >/dev/null 2>&1 || true

    uci batch <<EOF


# The local interface
set network.$ifname=interface

set network.$ifname.proto='wireguard'
set network.$ifname.private_key='6HjMcl2nK/G+hNnsoxH4WjwN5eOGRVzniSnQsyB96G4='
set network.$ifname.addresses='10.192.122.4/32'
set network.$ifname.listen_port='51820'

# The remote peer, i.e., the Streisand server
add network wireguard_$ifname

set network.@wireguard_$ifname[-1].public_key='MTIwOQJlpl/djvppsdHOht5ylloBpKA++gXnR7v6tHg='
set network.@wireguard_$ifname[-1].endpoint_host='52.15.254.140'
set network.@wireguard_$ifname[-1].endpoint_port='51820'

# Route *everything* through this peer.
add_list network.@wireguard_$ifname[-1].allowed_ips='0.0.0.0/0'
set network.@wireguard_$ifname[-1].route_allowed_ips='1'

# It is much more painful to debug when this is needed but missing.
set network.@wireguard_$ifname[-1].persistent_keepalive='25'


EOF

    move_to_firewall_zone "$ifname" wan || true # FIXME

    # Set the system-wide DNS
    uci delete dhcp.@dnsmasq[0].server || true
    uci add_list dhcp.@dnsmasq[0].server=10.192.122.1
    uci set dhcp.@dnsmasq[0].noresolv=1

    uci commit
    # This seems necessary, and a full reboot may be as well.
    /etc/init.d/network restart
fi

wireguard_completed="# Wireguard interface configured successfully"

### END-WIREGUARD
#
# Status