#!/bin/bash
set -euo pipefail

# Couleurs pour affichage
GREEN='\e[32m'
RED='\e[31m'
YELLOW='\e[33m'
NC='\e[0m'

# Variables configurables
WG_DIR="/etc/wireguard"
WG_CONF="$WG_DIR/wg0.conf"
CLIENT_KEY_DIR="$WG_DIR/clients"
LOG_FILE="/var/log/wireguard_client_add.log"
SERVER_PUBLIC_KEY_FILE="$WG_DIR/server_public.key"
WG_PORT=8022
VPN_SUBNET="10.0.0."

# Journalisation des événements
log() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}

# Gestion des erreurs
error_exit() {
    echo -e "${RED}Erreur: $1${NC}"
    log "Erreur: $1"
    exit 1
}

# Vérifications initiales
check_dependencies() {
    local dependencies=(wg wg-quick curl)
    for cmd in "${dependencies[@]}"; do
        command -v "$cmd" >/dev/null 2>&1 || error_exit "$cmd est requis mais non installé."
    done
}

check_root() {
    [[ $(id -u) -eq 0 ]] || error_exit "Ce script doit être exécuté en root."
}

backup_config() {
    local backup_file="${WG_CONF}.$(date '+%Y%m%d%H%M%S').bak"
    cp "$WG_CONF" "$backup_file"
    echo -e "${YELLOW}Configuration sauvegardée: $backup_file${NC}"
    log "Sauvegarde effectuée : $backup_file"
}

assign_client_ip() {
    local ip=2
    local candidate
    local used_ips=$(grep -Po "$VPN_SUBNET\d+" "$WG_CONF")

    while true; do
        candidate="${VPN_SUBNET}${ip}"
        if ! grep -q "$candidate" <<< "$used_ips"; then
            echo "$candidate/32"
            return
        fi
        ((ip++))
    done
}

generate_keys() {
    local client_name="$1"
    mkdir -p "$CLIENT_KEY_DIR"
    chmod 700 "$CLIENT_KEY_DIR"
    wg genkey | tee "$CLIENT_KEY_DIR/${client_name}_private.key" | wg pubkey > "$CLIENT_KEY_DIR/${client_name}_public.key"
}

get_server_ip() {
    curl -s --fail ifconfig.me || error_exit "Impossible de récupérer l'IP publique du serveur."
}

add_client() {
    read -rp "Nom du client (lettres, chiffres, tiret, underscore uniquement) : " CLIENT_NAME

    [[ "$CLIENT_NAME" =~ ^[a-zA-Z0-9_-]+$ ]] || error_exit "Nom invalide."
    [[ ! -f "$CLIENT_KEY_DIR/${CLIENT_NAME}_client.conf" ]] || error_exit "Client '$CLIENT_NAME' existe déjà."

    CLIENT_VPN_IP=$(assign_client_ip)
    generate_keys "$CLIENT_NAME"

    CLIENT_PRIV=$(<"$CLIENT_KEY_DIR/${CLIENT_NAME}_private.key")
    CLIENT_PUB=$(<"$CLIENT_KEY_DIR/${CLIENT_NAME}_public.key")
    SERVER_PUB=$(<"$SERVER_PUBLIC_KEY_FILE")
    SERVER_IP=$(get_server_ip)

    cat >> "$WG_CONF" <<EOF

[Peer] # $CLIENT_NAME
PublicKey = $CLIENT_PUB
AllowedIPs = $CLIENT_VPN_IP
EOF

    wg syncconf wg0 <(wg-quick strip wg0)

    # Affichage final clair et complet
    echo -e "${GREEN}\nClient '$CLIENT_NAME' ajouté avec succès!${NC}"
    echo -e "${YELLOW}--- Informations du Client ---${NC}"
    echo -e "${GREEN}Clé privée du client :${NC} $CLIENT_PRIV"
    echo -e "${GREEN}Adresse VPN du client :${NC} $CLIENT_VPN_IP"
    echo -e "${GREEN}Clé publique du serveur :${NC} $SERVER_PUB"
    echo -e "${GREEN}IP publique du serveur :${NC} $SERVER_IP"

    log "Client '$CLIENT_NAME' ajouté avec IP $CLIENT_VPN_IP"
}

# Exécution principale
main() {
    check_root
    check_dependencies

    [[ -f "$WG_CONF" ]] || error_exit "$WG_CONF introuvable. Installez d'abord le serveur WireGuard."
    [[ -f "$SERVER_PUBLIC_KEY_FILE" ]] || error_exit "$SERVER_PUBLIC_KEY_FILE introuvable."

    backup_config
    add_client
}

main