#!/bin/bash

set -e

# Remove unattended-upgrades
apt remove --purge -y unattended-upgrades

# Update and upgrade
apt update && apt upgrade -y

# Install basic tools and WireGuard
apt install -y git curl wget tmux nano net-tools unzip zip gnupg tzdata qrencode wireguard

# Setup WireGuard directory
WG_DIR="/etc/wireguard"
mkdir -p "$WG_DIR/self"
cd "$WG_DIR/self"

# Generate server keys
wg genkey | tee private | wg pubkey > public

# Enable IP forwarding
echo "net.ipv4.ip_forward=1" | tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" | tee -a /etc/sysctl.conf
sysctl -p

# Create basic wg0.conf if it doesn't exist
WG_CONF="$WG_DIR/wg0.conf"
if [ ! -f "$WG_CONF" ]; then
  SERVER_PRIVATE_KEY=$(cat private)
  SERVER_PUBLIC_KEY=$(cat public)
  SERVER_PORT=51820
  SERVER_INTERFACE=$(ip route get 8.8.8.8 | awk '{print $5; exit}') # Detect network interface (e.g., eth0, ens3, etc.)

  cat > "$WG_CONF" <<EOF
[Interface]
Address = 10.0.0.1/24
ListenPort = $SERVER_PORT
PrivateKey = $SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -A FORWARD -o wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $SERVER_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $SERVER_INTERFACE -j MASQUERADE
EOF
fi

# Enable and start WireGuard
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

# Detect public IP
PUBLIC_IP=$(curl -4 -s ifconfig.me)

# Setup Mobile Peer
MOBILE_DIR="$WG_DIR/mobile_1"
mkdir -p "$MOBILE_DIR"
cd "$MOBILE_DIR"

# Generate mobile peer keys
wg genkey | tee private | wg pubkey > public

MOBILE_PRIVATE_KEY=$(cat private)
MOBILE_PUBLIC_KEY=$(cat public)

# Create peer config for mobile
cat > mobile.conf <<EOF
[Interface]
PrivateKey = $MOBILE_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1

[Peer]
PublicKey = $(cat "$WG_DIR/self/public")
Endpoint = $PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF

# Add mobile peer to server config
cat >> "$WG_CONF" <<EOF

[Peer]
PublicKey = $MOBILE_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
EOF

# Restart WireGuard to apply new peer
systemctl restart wg-quick@wg0

# Generate QR code for mobile
qrencode -t ansiutf8 < mobile.conf

echo
echo "✅ WireGuard server setup complete!"
echo "📱 Scan the above QR code from your mobile WireGuard app!"
echo
echo "If needed, your mobile config is saved here: $MOBILE_DIR/mobile.conf"