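#!/usr/bin/env bash
#
# Add a new WireGuard peer to wg0: generate a keypair, register the peer on the
# live interface, persist it in the interface config, and print the matching
# client configuration to stdout.
#
# Usage: add-wg-peer.sh [NAME] [IP_BASE] [LAST_OCTET]
#   NAME        label written as a comment above the [Peer] block (default: peer)
#   IP_BASE     first three octets of the tunnel subnet (default: 10.10.11)
#   LAST_OCTET  host octet for the peer (1-254); when omitted a random octet in
#               2-250 that is not already present in the config is chosen
# Environment:
#   WG_ENDPOINT_HOST  address clients connect to; defaults to the first address
#                     of `hostname -I`, which may not be the externally reachable one
#   WG_ENDPOINT_PORT  listen port advertised to clients (default: 51820)
#
# stdout carries the client's PRIVATE key. Redirect it into a file created with
# restrictive permissions; the umask set below only covers files this script
# itself opens, not a redirection opened by the calling shell.
set -euo pipefail

readonly WG=/etc/wireguard/wg0.conf
readonly WG_IFACE=wg0
# Values baked into the client template; adjust for your deployment.
readonly CLIENT_DNS=10.10.10.1
readonly CLIENT_ALLOWED_IPS="10.10.11.0/24, 10.10.10.0/24"
readonly RANDOM_TRIES=20

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Run a command with root privileges: directly when already root, via sudo
# otherwise. Appending to the config, `wg set` and `wg show public-key` all
# need root; running only some of them privileged leaves the live interface
# and the persisted config out of step.
# Arguments: command and its arguments
#######################################
run_priv() {
  if (( EUID == 0 )); then
    "$@"
  else
    sudo "$@"
  fi
}

#######################################
# Check whether an address is already assigned in the config file.
# Arguments: $1 - address with prefix, e.g. 10.10.11.7/32
# Returns:   0 if present, 1 if absent; dies if the file cannot be read
#######################################
ip_in_use() {
  local rc=0
  run_priv grep -qF -- "$1" "$WG" || rc=$?
  # grep exits 2 on errors such as an unreadable file; do not treat that as
  # "address is free".
  if (( rc == 2 )); then
    die "cannot read $WG"
  fi
  return "$rc"
}

main() {
  local name=${1:-peer}
  local ip_base=${2:-10.10.11}
  local last_oct=${3:-}

  # These values are interpolated into the config file; reject anything that
  # could carry a newline or extra option into the [Peer] block.
  [[ "$name" =~ ^[A-Za-z0-9._-]+$ ]] || die "invalid peer name: $name"
  [[ "$ip_base" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] \
    || die "invalid IP base: $ip_base"

  # The config directory is usually root-only, so test it with privileges
  # rather than as the invoking user.
  run_priv test -f "$WG" || die "Missing $WG"

  local peer_ip=
  if [[ -n "$last_oct" ]]; then
    # 10# forces decimal so a value such as 08 is not parsed as octal.
    if ! [[ "$last_oct" =~ ^[0-9]+$ ]] \
        || (( 10#$last_oct < 1 || 10#$last_oct > 254 )); then
      die "invalid last octet: $last_oct (expected 1-254)"
    fi
    peer_ip="${ip_base}.${last_oct}/32"
    if ip_in_use "$peer_ip"; then
      die "$peer_ip is already assigned in $WG"
    fi
  else
    # Pick a random host octet and retry on collision with an existing peer.
    local attempt
    for (( attempt = 0; attempt < RANDOM_TRIES; attempt++ )); do
      last_oct=$(shuf -i 2-250 -n 1)
      peer_ip="${ip_base}.${last_oct}/32"
      if ! ip_in_use "$peer_ip"; then
        break
      fi
      peer_ip=
    done
    [[ -n "$peer_ip" ]] \
      || die "no free address found in ${ip_base}.0/24 after $RANDOM_TRIES tries"
  fi

  # Restrict anything written from here on (key material) to the owner.
  umask 077
  local priv pub
  priv=$(wg genkey)
  pub=$(printf '%s' "$priv" | wg pubkey)

  # Register the peer live first: if that fails nothing has been persisted.
  run_priv wg set "$WG_IFACE" peer "$pub" allowed-ips "$peer_ip" \
    || die "wg set failed; nothing was persisted"

  # Persist the peer. The leading blank line keeps the block separate even
  # when the file lacks a trailing newline. tee's stdout copy is discarded so
  # the script's stdout holds only the client config.
  if ! run_priv tee -a "$WG" >/dev/null <<EOF

[Peer]
# $name
PublicKey = $pub
AllowedIPs = $peer_ip
EOF
  then
    # Roll back the live change so interface and config stay consistent.
    run_priv wg set "$WG_IFACE" peer "$pub" remove || true
    die "failed to append peer to $WG; live peer removed"
  fi

  # A client config without the server key is useless, so fail instead of
  # emitting an empty PublicKey.
  local srv_pub
  srv_pub=$(run_priv wg show "$WG_IFACE" public-key) \
    || die "cannot read public key of $WG_IFACE"
  [[ -n "$srv_pub" ]] || die "empty public key for $WG_IFACE"

  local endpoint_host
  endpoint_host=${WG_ENDPOINT_HOST:-$(hostname -I | awk '{print $1}')}
  [[ -n "$endpoint_host" ]] || die "cannot determine endpoint address"
  local endpoint="${endpoint_host}:${WG_ENDPOINT_PORT:-51820}"

  echo "=== CLIENT CONFIG ==="
  cat <<EOF
[Interface]
PrivateKey = $priv
Address = ${peer_ip}
DNS = ${CLIENT_DNS}

[Peer]
PublicKey = $srv_pub
AllowedIPs = ${CLIENT_ALLOWED_IPS}
Endpoint = $endpoint
PersistentKeepalive = 25
EOF
}

main "$@"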
