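#
# Cookbook:: esh_wireguard
# Recipe:: server
#
# Copyright:: 2022, https://easyself.host
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Installs WireGuard, writes the server key pair and wg0 configuration,
# optionally enables IP forwarding, starts the wg-quick unit and registers
# the configured peers on the running interface.
#
# Everything is driven by node['esh']['wireguard']['server']:
#   privkey, pubkey, address, listenport, pubint, routing, peers
# where peers is a Hash of { peer_public_key => allowed_ips }.

apt_package 'wireguard'

server = node['esh']['wireguard']['server']

# Private key: root-only and marked sensitive so Chef never prints the
# content or a diff of it in the run log.
file '/etc/wireguard/private.key' do
  content server['privkey']
  owner 'root'
  group 'root'
  mode '0400'
  sensitive true
  action :create
end

file '/etc/wireguard/public.key' do
  content server['pubkey']
  owner 'root'
  group 'root'
  mode '0444'
  action :create
end

# The rendered config embeds the private key, so it is sensitive too.
# NOTE(review): the template only receives the server-side values below; peers
# added with `wg set` further down are not persisted here and are lost when
# the unit restarts — confirm against server.wg0.conf.erb.
template '/etc/wireguard/wg0.conf' do
  source 'server.wg0.conf.erb'
  owner 'root'
  group 'root'
  mode '0400'
  sensitive true
  variables privkey: server['privkey'],
            address: server['address'],
            listenport: server['listenport'],
            pubint: server['pubint']
  action :create
end

# Forwarding is only needed when the server routes traffic between peers
# (or to the public interface); the guard is evaluated at converge time.
%w[net.ipv4.ip_forward net.ipv6.conf.all.forwarding].each do |sysctl_key|
  sysctl sysctl_key do
    value '1'
    action :apply
    only_if { server['routing'] }
  end
end

service 'wg-quick@wg0.service' do
  action %i[enable start]
end

# A WireGuard public key is 32 bytes of base64: 43 characters plus one '='.
WG_KEY_RE = %r{\A[A-Za-z0-9+/]{43}=\z}.freeze

# Register each peer on the live interface. The command and the guard avoid
# a shell entirely (argument array / shell_out), so attribute values cannot
# be interpreted as shell syntax; the key is additionally validated so a
# malformed attribute fails with a clear message rather than deep in wg(8).
# Resource names include the key so each peer gets a distinct resource.
server['peers'].each do |peer, allowedips|
  unless peer.to_s.match?(WG_KEY_RE)
    raise ArgumentError, "esh_wireguard: peer #{peer.inspect} is not a valid WireGuard public key"
  end

  # Accepts either a single "a.b.c.d/32" string or an array of CIDRs.
  allowed_list = Array(allowedips).join(',')

  execute "wg allow peer #{peer}" do
    command ['wg', 'set', 'wg0', 'peer', peer, 'allowed-ips', allowed_list]
    action :run
    # `wg show wg0 peers` prints one public key per line; exact match instead
    # of the previous substring grep over the full `wg` output.
    not_if { shell_out('wg', 'show', 'wg0', 'peers').stdout.split("\n").include?(peer) }
  end
end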