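#!/bin/sh
# Parahub Mesh — VPS WireGuard Gateway Setup
# Called by heartbeat to auto-configure the VPS tunnel for guest internet.
#
# Usage:   parahub-vps-setup ENDPOINT PUBKEY ASSIGNED_IP [KEEPALIVE]
#   ENDPOINT     VPS WireGuard endpoint as host:port
#   PUBKEY       VPS WireGuard public key (base64, 44 characters)
#   ASSIGNED_IP  tunnel address with prefix length for this node
#   KEEPALIVE    persistent keepalive in seconds (default 25)
# Example: parahub-vps-setup 185.47.131.84:51820 <VPS-PUBKEY> 10.99.0.2/16 25
#
# Exit status: 0 when the gateway was (re)configured or already matches the
# last applied state; 1 on missing/invalid arguments or a missing private key.
#
# Reads:  /etc/parahub/wg_vps_private.key (only when bootstrapping the
#         interface), the uci 'network' and 'firewall' configs.
# Writes: uci 'network' and 'firewall' configs, /tmp/vps_gateway_state.

ENDPOINT="$1"
PUBKEY="$2"
ASSIGNED_IP="$3"
KEEPALIVE="${4:-25}"
STATE_FILE="/tmp/vps_gateway_state"
PRIVATE_KEY_FILE="/etc/parahub/wg_vps_private.key"
LOG_TAG="parahub-vps"

# Log an error through syslog and stop. Diagnostics go to logger because the
# heartbeat caller has no terminal.
die() {
  logger -t "$LOG_TAG" "Error: $*"
  exit 1
}

# Return 0 when some firewall section of type $1 has option $2 equal to $3.
# Walks the anonymous sections in order, stopping at the first match.
fw_section_exists() {
  _idx=0
  while uci -q get "firewall.@$1[$_idx]" >/dev/null 2>&1; do
    if [ "$(uci -q get "firewall.@$1[$_idx].$2")" = "$3" ]; then
      return 0
    fi
    _idx=$((_idx + 1))
  done
  return 1
}

[ -n "$ENDPOINT" ] && [ -n "$PUBKEY" ] && [ -n "$ASSIGNED_IP" ] \
  || die "missing arguments"

# Split endpoint into host:port. Stripping the last ':'-separated field means
# a bare IPv6 host (no brackets) still yields the correct port.
EP_HOST="${ENDPOINT%:*}"
EP_PORT="${ENDPOINT##*:}"

# The arguments come from the heartbeat response, i.e. from the network, and
# end up as uci values. Restrict each one to its expected character set so a
# stray quote, space or newline cannot turn into extra uci statements or a
# malformed config.
case "$EP_HOST" in
  ''|*[!A-Za-z0-9.:-]*) die "invalid endpoint host" ;;
esac
case "$EP_PORT" in
  ''|*[!0-9]*) die "invalid endpoint port" ;;
esac
# No ':' at all leaves host == endpoint; reject that and out-of-range ports.
[ "$EP_HOST" != "$ENDPOINT" ] && [ "$EP_PORT" -ge 1 ] && [ "$EP_PORT" -le 65535 ] \
  || die "invalid endpoint (expected host:port)"
case "$PUBKEY" in
  *[!A-Za-z0-9+/=]*) die "invalid public key" ;;
esac
# A WireGuard key is 32 bytes, which is always 44 characters of base64.
[ "${#PUBKEY}" -eq 44 ] || die "invalid public key length"
case "$ASSIGNED_IP" in
  ''|*[!0-9A-Fa-f.:/]*) die "invalid assigned IP" ;;
esac
case "$KEEPALIVE" in
  ''|*[!0-9]*) die "invalid keepalive" ;;
esac

NEW_STATE="${ENDPOINT}|${PUBKEY}|${ASSIGNED_IP}|${KEEPALIVE}"

# Idempotency: when the last applied state matches and the interface actually
# exists, there is nothing to do. A matching state with a missing interface
# falls through to a full reconfigure.
if [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$NEW_STATE" ] \
  && ip link show vps_gateway >/dev/null 2>&1; then
  exit 0
fi

logger -t "$LOG_TAG" "Configuring VPS gateway: ${ENDPOINT} -> ${ASSIGNED_IP}"

# Bootstrap: create the interface if missing (OTA from pre-VPS firmware).
# Without this check an absent or empty key file would silently produce an
# interface with an empty private_key.
if ! uci -q get network.vps_gateway >/dev/null 2>&1; then
  [ -r "$PRIVATE_KEY_FILE" ] || die "private key file ${PRIVATE_KEY_FILE} not readable"
  PRIVATE_KEY=$(cat "$PRIVATE_KEY_FILE")
  [ -n "$PRIVATE_KEY" ] || die "private key file ${PRIVATE_KEY_FILE} is empty"
  logger -t "$LOG_TAG" "Bootstrap: creating vps_gateway interface (OTA upgrade)"
  uci batch <<BOOTSTRAP_NET
set network.vps_gateway=interface
set network.vps_gateway.proto='wireguard'
set network.vps_gateway.private_key='${PRIVATE_KEY}'
set network.vps_gateway.mtu='1420'
set network.vps_gateway.ip4table='100'
BOOTSTRAP_NET
  uci commit network
fi

# Bootstrap the firewall zone if missing. The zone rejects inbound and
# forwarded traffic by default and masquerades what leaves through the tunnel.
if ! fw_section_exists zone name vps_gateway; then
  logger -t "$LOG_TAG" "Bootstrap: creating vps_gateway firewall zone"
  uci batch <<BOOTSTRAP_FW
add firewall zone
set firewall.@zone[-1].name='vps_gateway'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
set firewall.@zone[-1].mtu_fix='1'
add_list firewall.@zone[-1].network='vps_gateway'
BOOTSTRAP_FW
  # Add guest -> vps_gateway forwarding only when no forwarding from 'guest'
  # exists yet (an existing one, whatever its dest, is left untouched).
  if ! fw_section_exists forwarding src guest; then
    uci add firewall forwarding >/dev/null
    uci set "firewall.@forwarding[-1].src=guest"
    uci set "firewall.@forwarding[-1].dest=vps_gateway"
  fi
  uci commit firewall
fi

# Remove all previous peer sections; this heartbeat's peer replaces them.
# The section name is quoted so '[0]' is never treated as a shell glob.
while uci -q delete 'network.@wireguard_vps_gateway[0]' 2>/dev/null; do :; done

# Set the tunnel address.
uci -q delete network.vps_gateway.addresses 2>/dev/null || true
uci add_list network.vps_gateway.addresses="${ASSIGNED_IP}"

# Add the peer with individual uci calls: values are passed as arguments
# instead of being spliced into a batch script, so they need no quoting.
uci add network wireguard_vps_gateway >/dev/null
uci set "network.@wireguard_vps_gateway[-1].public_key=${PUBKEY}"
uci set "network.@wireguard_vps_gateway[-1].endpoint_host=${EP_HOST}"
uci set "network.@wireguard_vps_gateway[-1].endpoint_port=${EP_PORT}"
uci add_list "network.@wireguard_vps_gateway[-1].allowed_ips=0.0.0.0/0"
uci set "network.@wireguard_vps_gateway[-1].route_allowed_ips=1"
uci set "network.@wireguard_vps_gateway[-1].persistent_keepalive=${KEEPALIVE}"

# Enable the interface (remove auto='0').
uci -q delete network.vps_gateway.auto 2>/dev/null || true
uci commit network

# Bring up the interface (minimal restart) and reload firewall rules. Failures
# are logged rather than fatal: the state file is still written, and the
# next run reconfigures again because the interface check above fails.
ifup vps_gateway 2>/dev/null || logger -t "$LOG_TAG" "Warning: ifup vps_gateway failed"
fw4 reload 2>/dev/null || logger -t "$LOG_TAG" "Warning: fw4 reload failed"

# Save state for the next run. Write to a temp file and rename so the state
# file is never half-written and an existing path is replaced, not followed.
TMP_STATE=$(mktemp "${STATE_FILE}.XXXXXX") || die "cannot create state file"
printf '%s\n' "$NEW_STATE" > "$TMP_STATE"
mv -f "$TMP_STATE" "$STATE_FILE"

logger -t "$LOG_TAG" "VPS gateway activated: ${ASSIGNED_IP} via ${ENDPOINT}"
exit 0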