#!/bin/sh

# Assumptions:
# - pib (APU) is factory reset OpenWRT
# - WAN port is connected with an active upstream (pib has internet connectivity via WAN port)
# - You are connected via LAN and you can ssh into it

# How it works
#

if [ $# -lt 2 ]; then
    echo "$0 ip-address vpn-network [wireguard-private-key]"
    echo "    ip-address: where to find the PIB"
    echo "    network: 2a0a:e5c0:123::/48"
    echo "    private-key: specify if you already have a private key"
    exit 1
fi

my_ip=$1; shift
my_network=$1; shift

if [ $# -eq 1 ]; then
    private_key=$1; shift
else
    private_key=$(wg genkey)
fi

my_prefix=$(echo $my_network | sed 's,::/.*,,')
my_hostname=pib-$(echo ${my_prefix} | sed 's/:/-/g')

my_wireguard_ip=${my_prefix}::42
my_lan_ip=${my_prefix}:cafe::42

public_key=$(echo $private_key | wg pubkey)

vpn_endpoint_host=vpn-2a0ae5c1.ungleich.ch
vpn_endpoint_pubkey=hi60lGP+xEUQ+kVnqA7PlJAO1SVqTS1W36g0LhFP0xQ=

cat <<EOF | ssh -t "root@${my_ip}" || exit 1
set -x

# Check if we can reach upstream - otherwise abort
ping6 -c5 ungleich.ch || ping -c5 ungleich.ch || exit 1

# update the sources & allow https handling
opkg update
opkg install libustream-openssl ca-bundle ca-certificates

# install wireguard + gui
opkg install wireguard luci-app-wireguard

# We are never authoritative for IPv4
uci delete dhcp.@dnsmasq[0].authoritative

# Do not announce ULA - we have GUA
uci delete network.globals.ula_prefix

# Setup hostname
uci set system.@system[0].hostname="${my_hostname}"

# Do not set/get? Was necessary, don't recall why
uci set dhcp.@dnsmasq[0].noresolv='1'

# Fix DNS: make the OS use the locally provided DNS servers
# otherwise the VPN tunnel cannot be established
uci set dhcp.@dnsmasq[0].localuse='0'

# Remove static IPv4 on LAN
uci delete network.lan.ipaddr
uci delete network.lan.netmask

# Setup IPv6 on LAN
uci add_list network.lan.ip6addr='${my_lan_ip}/64'

# IPv6 announcements
uci set dhcp.lan.ra='server'
uci set dhcp.lan.ra_management='1'

# No DHCP server on the LAN
uci set dhcp.lan.ignore='1'

# Cleanup dhcp options

# Disable any dynamic leases
uci set dhcp.lan.dynamicdhcp='0'

# Remove dhcpv6 server
uci delete dhcp.lan.dhcpv6

# Remove leftover from the dhcpv4 server items
uci delete dhcp.lan.start
uci delete dhcp.lan.limit
uci delete dhcp.lan.leasetime

# VPN / Wireguard
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key='${private_key}'
uci set network.wg0.listen_port='51820'
uci set network.wg0.addresses='${my_wireguard_ip}/64'

if ! uci get network.@wireguard_wg0[0]; then
   uci add network wireguard_wg0
fi

uci set network.@wireguard_wg0[0]=wireguard_wg0
uci set network.@wireguard_wg0[0].persistent_keepalive='25'
uci set network.@wireguard_wg0[0].public_key='${vpn_endpoint_pubkey}'
uci set network.@wireguard_wg0[0].description='IPv6VPN.ch by ungleich'
uci set network.@wireguard_wg0[0].allowed_ips='::/0'
uci set network.@wireguard_wg0[0].endpoint_host='${vpn_endpoint_host}'
uci set network.@wireguard_wg0[0].endpoint_port='51820'
uci set network.@wireguard_wg0[0].route_allowed_ips='1'

# Firewall configuration
if ! uci show firewall | grep "name='Allow-SSH'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-SSH'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep "name='Allow-HTTPS'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTPS'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='443'
uci set firewall.@rule[-1].target='ACCEPT'
fi

if ! uci show firewall | grep "name='Allow-HTTP'"; then
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-HTTP'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].dest_port='80'
uci set firewall.@rule[-1].target='ACCEPT'
fi

# Add interfaces to the right network zone
uci set firewall.@zone[0].network='lan lanv6'
uci set firewall.@zone[1].network='wan wg0'

# DNS upstream over VPN gives DNS64
uci delete dhcp.@dnsmasq[0].server
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:0:a::a'
uci add_list dhcp.@dnsmasq[0].server='2a0a:e5c0:2:a::a'

# This is the save & apply button in LUCI (or just save button)
uci commit

reboot

EOF

my_ip=$my_lan_ip

echo "Waiting for it to come back..."
while ! ping -c1 ${my_ip}; do
    echo "Cannot ping $my_ip yet - waiting"
    sleep 2
done

echo "Wireguard public key and id: ${id} ${public_key}"
echo ${public_key} > ${my_hostname}.public_key

cat <<EOF
Open steps:

- Remove your ssh key(s) from the device (if any are present)
- Setup a secure root password and forward it to the customer
- Ensure that the VPN works
- Connect to the LAN port and surf in the Internet IPv6 only!

EOF