#!/bin/sh
ROUTER_IP=68.48.18.140
ROUTER_NAME=andy

CLIENT_KEY_BASENAME=ssh_host_rsa_key
CLIENT_KEY_DIRNAME=/etc/ssh
CLIENT_KEY=${CLIENT_KEY_DIRNAME}/${CLIENT_KEY_BASENAME}

ssh2der()
{
	ssh-keygen -e -f "$1" -m PEM | openssl rsa -RSAPublicKey_in -outform DER
}

match_and_drop_first_word()
{
	expect=$1
       	while read word rest
       	do
		if [ "$word" = "$expect" ]
		then
			printf '%s\n' "$rest"
			return
		fi
       	done
	false
}

keyscan()
{
	if [ -e keyscan.cache ]
	then
		cat keyscan.cache
	else
		ssh-keyscan -t rsa "$1"
	fi
}

write_successfully()
{
    local f=$(mktemp) || return
    local out="$1"
    [ "$2" = -- ] || return
    shift 2
    if "$@" > "$f"
    then
        if [ "$NO_ACT" ]
        then
            echo "mv $f $out" >&2
        else
            mv "$f" "$out"
        fi
    else
        rm -f "$f"
        return 1
    fi
}

keycopy()
{
    private_key_tmp="$(mktemp)" || return
    cp "$CLIENT_KEY" "$private_key_tmp"
    ssh-keygen -N '' -P '' -p -m PEM -f "$private_key_tmp"
    trap 'rm -f "$private_key_tmp"' EXIT

    write_successfully /etc/swanctl/private/"$CLIENT_KEY_BASENAME"    -- openssl rsa -in "$private_key_tmp" -outform DER
    write_successfully /etc/swanctl/pubkey/"$CLIENT_KEY_BASENAME".pub -- openssl rsa -in "$private_key_tmp" -outform DER -pubout

    trap - EXIT
    rm -f "$private_key_tmp"

	  t=$(mktemp)
	  keyscan "$ROUTER_IP" | match_and_drop_first_word "$ROUTER_IP" > "$t"
    write_successfully /etc/swanctl/pubkey/"$ROUTER_NAME".pub -- ssh2der "$t"
	  rm -f "$t"
}

nocomments()
{
	  sed 's/#.*//; /^ *$/d'
}


config()
{
    local conn="$1" remote_addrs="$2" id="$3"
    local remote_ts=0::0/0 vips=::
    local public_key_file="${CLIENT_KEY_BASENAME}.pub" private_key_file="${CLIENT_KEY_BASENAME}"
    sed -e 's/^        //' <<END
        connections {
            ${conn} {
                remote_addrs = ${remote_addrs}
                vips = ${vips}
                local {
                    pubkeys = ${public_key_file}
                    id = ${id}
                }
                remote {
                    id = "${remote_addrs}"
                    pubkeys = ${conn}.pub
                }
                children {
                    child {
                        remote_ts = ${remote_ts}
                        dpd_action = restart
                    }
                }
            }
        }
        secrets {
            private {
                file = ${private_key_file}
            }
        }
END
}

get_my_mac()
{
	  iface=$(ip -oneline route get "$1"  | sed -ne 's/.* dev \([^ ]*\) .*/\1/p')
	  [ "$iface" ] || return
	  my_mac=$(ip -oneline -6 addr  show dev "$iface" | sed -ne 's/.* inet6 fe80::\([^/]*\)\/.*/\1/p')
	  [ "$my_mac" ]
}

NO_ACT()
{
    [ "$NO_ACT" ] || "$@"
}

write_config()
{
    get_my_mac "$ROUTER_IP" || return
    write_successfully /etc/swanctl/conf.d/"$ROUTER_NAME".conf -- config "$ROUTER_NAME" "$ROUTER_IP" "$my_mac"
}

test_new_config()
{
    NO_ACT ipsec stop

	  write_config

	  NO_ACT ipsec start
	  NO_ACT sleep 2
	  NO_ACT swanctl -c
	  NO_ACT ipsec listpubkeys
	  NO_ACT ipsec up ${ROUTER_NAME}
}

NO_ACT=y
set -e
keycopy
test_new_config