wizard-run

#!/bin/vbash

#
# EdgeMAX Wizard "WireGuard" created 11/2021 by CHiL.at
# Version 1.7-20230916-pre
# ^-- previous line is used for version identification, dont remove this line!
#
# Github repository: https://github.com/vchrizz/ER-wizard-WireGuard/
#
# Works on all EdgeRouter and EdgePoint devices (EdgeOS versions 1.9.0+ and 2.0+)
#

wgdir="/config/user-data/wireguard/"
wgsettings="${wgdir}wgsettings.json"
wgsetupscriptfile="/config/scripts/post-config.d/wireguard_setup.sh"
wgautoupdatecronjob="/etc/cron.daily/wireguard_autoupdate"
log="${wgdir}wireguard-wizard.log"
wgpkgapi="https://api.github.com/repos/WireGuard/wireguard-vyatta-ubnt/releases/latest"
wgwizapi="https://api.github.com/repos/vchrizz/ER-wizard-WireGuard/releases/latest"

#
# DO NOT EDIT BELOW HERE !
#

ACTION=$1
INPUT=$2

# vyatta configuration node for wireguard
wgcfg="interfaces wireguard"

cmd=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
run=/opt/vyatta/bin/vyatta-op-cmd-wrapper
cli=cli-shell-api
# Viatta cli DOC in: https://vyos.dev/w/development/cli-shell-api/

# if wizard log is greater than 256KB then overwrite with new content
if [ $(wc -c <$log) -ge 262144 ]; then
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] EdgeMAX WireGuard Wizard started - Session="$$ >$log
else
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] EdgeMAX WireGuard Wizard started - Session="$$ >>$log
fi

writesetupscript () {
    mkdir -p $(dirname $wgsetupscriptfile)
    cat >$wgsetupscriptfile <<'ENDSCRIPTCONTENT'
#!/bin/bash
wgdir="/config/user-data/wireguard/"
log="${wgdir}/wireguard-wizard-setup.log"
echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [setup] Running WireGuard setup script ..." >$log
wireguardwizard=""
for i in $(find /config/wizard/feature/ -name wizard-run); do
    if [ "$(head $i -n 10 | grep -i 'wireguard')" ]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [setup] WireGuard wizard found at $(dirname $i)" >>$log
        wireguardwizard=$i
        break
    fi
done
if [ ! -f $wireguardwizard ]; then
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [setup] Error: WireGuard wizard not found! Exit." >>$log
    exit 1
fi
# Check if already installed, do nothing:
dpkg -l wireguard >>$log 2>>$log
if [ $? == 0 ]; then
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [setup] wireguard package already installed! Exit" >>$log
    exit 0
fi
echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [setup] Running install function from wizard ... " >>$log
$wireguardwizard install >>$log
echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [setup] Finished WireGuard setup script..." >>$log
exit 0
ENDSCRIPTCONTENT
    chmod +x $wgsetupscriptfile
}

writecronjob () {
    cat >$wgautoupdatecronjob <<'ENDSCRIPTCONTENT'
#!/bin/bash
wgdir="/config/user-data/wireguard/"
log="${wgdir}/wireguard-wizard.log"
wireguardwizard=""
for i in $(find /config/wizard/feature/ -name wizard-run); do
    if [ "$(head $i -n 10 | grep -i 'wireguard')" ]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] WireGuard wizard found at $(dirname $i)" >>$log
        wireguardwizard=$i
        break
    fi
done
if [ ! -f $wireguardwizard ]; then
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] Error: WireGuard wizard not found!" >>$log
    exit 1
else
    onlinecheck="false"
    curl -s --retry 12 --retry-max-time 60 --retry-connrefused --connect-timeout 3 https://api.github.com >/dev/null
    if [ $? == 0 ]; then
        onlinecheck="true"
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] online-check succeeded ..."
    else
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] online-check failed. Exit."
        exit 1
    fi
    if [[ "$($wireguardwizard load | jq -r .data.pkgstatus)" =~ .*new version found.* ]]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] New WireGuard package version found, upgrading ..." >>$log
        if [ "$onlinecheck" == "true" ]; then
            rm -f ${wgdir}/*.deb
            $wireguardwizard install >>$log
        fi
    else
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] Current WireGuard package version is up-to-date." >>$log
    fi
    if [[ "$($wireguardwizard load | jq -r .data.wizstatus)" =~ .*new version found.* ]]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] New WireGuard wizard version found, upgrading ..." >>$log
        if [ "$onlinecheck" == "true" ]; then
            rm -f ${wgdir}/ER-wizard-WireGuard.tar
            # remove stale setupscript
            rm -f /config/scripts/post-config.d/wireguard_setup.sh
            # remove stale wgsettings files
            rm -f ${wgdir}wgsettings.*
            $wireguardwizard install >>$log
        fi
    else
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [autoupdate] Current WireGuard wizard version is up-to-date." >>$log
    fi
fi
exit 0
ENDSCRIPTCONTENT
    chmod +x $wgautoupdatecronjob
}

installwireguard () {
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Starting installation of WireGuard from $wgdir ..."
    mkdir -p $wgdir
    cd $wgdir
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] check if we are online (if we can reach github.com) ..."
    onlinecheck="false"
    curl -s --retry 12 --retry-max-time 60 --retry-connrefused --connect-timeout 3 https://api.github.com >/dev/null
    if [ $? == 0 ]; then
        onlinecheck="true"
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] online-check succeeded ..."
    else
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] online-check failed ..."
    fi
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Check system where we are running ..."
    edgerouterhw=$(/usr/sbin/ubnt-hal-e getBoardIdE | sed 's/[0-9]$/0/')
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Detected EdgeRouter $edgerouterhw system ..."
    edgeosversion=$(/usr/sbin/ubnt-hal show-version | awk '/Version/{split($2,v,".");print v[1];exit}')
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Detected EdgeOS version $edgeosversion ..."
    pkgvariant="$edgerouterhw-$edgeosversion"
    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Checking for $pkgvariant deb-file in $(pwd) ..."
    for file in $(find $wgdir -name ${pkgvariant}*.deb); do
        if [[ "$file" =~ /${pkgvariant}*.deb/ ]]; then
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] File $pkgvariant deb-file in $(pwd) found: $file ..."
            wgpackage=$file
            break
        fi
    done
    if [ "$1" == "forceupgrade" ]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] -> Forced upgrade from wizard ..."
        if [ "$onlinecheck" == "true" ]; then
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] We are online, remove ${pkgvariant} deb-file and download new one ..."
            rm -f ${wgdir}/${pkgvariant}*.deb
            rm -f ${wgdir}/ER-wizard-WireGuard.tar
        fi
    fi
    if [ ! -f "$wgpackage" ]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] WireGuard deb-file not found, need to download from latest release ..."
        if [ "$onlinecheck" == "true" ]; then
            curl -sLo /tmp/wgpkglatest ${wgpkgapi}
            pkgurl=$(jq -r '.assets[].browser_download_url | select(contains("'$pkgvariant'"))' /tmp/wgpkglatest)
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Download of WireGuard starting from $pkgurl ..."
            curl -sLO $pkgurl
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] download done."
        else
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Error: we are not online, can not download. Missing deb-file. Exit."
            exit 1
        fi
    else
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] WireGuard deb-file $pkgvariant found in $(pwd) ..."
    fi
    # Check if already installed do https://github.com/WireGuard/wireguard-vyatta-ubnt/wiki/EdgeOS-and-Unifi-Gateway#upgrade
    # else install reusing last config or install normally if no config (no need for restart):
    dpkg -l wireguard
    if [ $? == 0 ]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Upgrading WireGuard for $pkgvariant ..."
        eval "interfaces=($($cli listActiveNodes $wgcfg))"
        $cmd begin
        for interface in "${interfaces[@]}"; do
            $cmd set $wgcfg "$interface" route-allowed-ips false
            $cmd commit
        done
        $cmd delete $wgcfg
        $cmd commit
        rmmod wireguard
        dpkg -i ${pkgvariant}*.deb
        modprobe wireguard
        # The loaded configuration becomes the working configuration and must be committed before it becomes the active configuration.
        # config file is saved
        $cmd load
        $cmd commit
        # No need to save, config is restored from file (load) then commited to active config.
        $cmd end
    else
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Installing WireGuard for $pkgvariant ..."
        # if we have the previous config from wireguard on config.boot (currently loaded config) then:
        # TODO(tekert): test this
        eval "interfaces=($($cli listActiveNodes $wgcfg))"
        if [ "${interfaces[0]}" == "wg0" ]; then
            $cmd begin
            $cmd delete $wgcfg
            $cmd commit
            dpkg -i ${pkgvariant}*.deb
            modprobe wireguard
            $cmd load
            $cmd commit
            $cmd end
        else
            dpkg -i ${pkgvariant}*.deb
            modprobe wireguard
        fi
    fi
    # Security alert, only update if the user checked auto update or checked the box to manually do a forced update on Apply button.
    if [ "$1" == "forceupgrade" ] || [ -w $wgautoupdatecronjob ]; then
        if [ ! -f ER-wizard-WireGuard.tar ]; then
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] WireGuard Wizard tar-file not found, need to download from latest release ..."
            if [ "$onlinecheck" == "true" ]; then
                curl -sLo /tmp/wgwizlatest ${wgwizapi}
                wizurl=$(jq -r '.assets[].browser_download_url' /tmp/wgwizlatest)
                echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Download of Wizard starting from $wizurl ..."
                curl -sLO $wizurl
                echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] download done."
            else
                echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Error: we are not online, can not download. Missing tar-file. Exit."
                exit 1
            fi
        else
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] WireGuard Wizard tar-file found in $(pwd) - installing WireGuard Wizard..."
            wireguardwizard=""
            for i in $(find /config/wizard/feature/ -name wizard-run); do
                if [ "$(head $i -n 10 | grep -i 'wireguard')" ]; then
                    echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] WireGuard wizard found in $i" >>$log
                    wireguardwizard=$i
                    break
                fi
            done
        fi
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] Installing WireGuard wizard ..."
        tar -C $(dirname $wireguardwizard) -xf ER-wizard-WireGuard.tar
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [installer] WireGuard and Wizard installation done."
    fi
}

# function called when you click the wizard
load () {

    ###########################
    # WireGuard LOAD function #
    ###########################

    [ ! -d $wgdir ] && mkdir -p $wgdir

    wireguardwizard=""
    for i in $(find /config/wizard/feature/ -name wizard-run); do
        if [ "$(head $i -n 10 | grep -i 'wireguard')" ]; then
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] WireGuard wizard found at $i" >>$log
            wireguardwizard=$i
            break
        fi
    done

    # try to install wireguard and show status (with version information if installed)
    pkgstatus="\"pkgstatus\":\"error: not installed.\""
    dpkg -l wireguard >>$log 2>>$log
    if [ $? != 0 ]; then
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] wireguard package not installed! need to install packages." >>$log
        installwireguard >>$log 2>>$log
        if [ $? == 0 ]; then
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] wireguard package installed and configured. all done." >>$log
            pkgstatus="\"pkgstatus\":\"success: running wireguard installation ... completed.\""
        else
            pkgstatus="\"pkgstatus\":\"error: not installed, download or install problem. check $log\""
        fi
    else
        echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] wireguard package already installed! checking for new version on disk ..." >>$log
        # check if latest version is installed from packages available in $wgdir
        version_installed=$(dpkg -l wireguard | awk '/ii/ { print $3 }')
        version_latest=$(curl -s ${wgpkgapi} | jq -r .tag_name)
        dpkg --compare-versions $version_latest gt $version_installed
        if [ $? == 0 ]; then
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] new wireguard package found: $version_latest" >>$log
            pkgstatus="info: wireguard $version_installed installed. new version found: $version_latest"
        else
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] latest available wireguard package is already installed: $version_installed (found in $wgdir)" >>$log
            pkgstatus="success: wireguard $version_installed installed."
        fi
        pkgstatus="\"pkgstatus\":\"$pkgstatus\""
    fi

    # get wireguard process status if unning
    procstatus=$(ps x | grep -v awk | awk '/wg/ { print $1" "$5 }' | sed ':a;N;$!ba;s/\n/ /g')
    if [ -z "$procstatus" ]; then
        procstatus="not running"
    fi
    procstatus="\"procstatus\":\"$procstatus\""

    # get wizard update status
    wiz_installed=$(awk '/Version/{print $3;exit}' $wireguardwizard)
    if [ -z "$wiz_installed" ]; then
        wizstatus="not available"
    else
        wiz_latest=$(curl -s ${wgwizapi} | jq -r .tag_name)
        dpkg --compare-versions $wiz_latest gt $wiz_installed
        if [ $? == 0 ]; then
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] new wireguard wizard found: $wiz_latest" >>$log
            wizstatus="info: wizard $wiz_installed installed. new version found: $wiz_latest"
        else
            echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] latest available wireguard wizard is already installed: $wiz_installed (found in $wgdir)" >>$log
            wizstatus="success: wizard $wiz_installed installed."
        fi
    fi
    wizstatus="\"wizstatus\":\"$wizstatus\""

    # setup-config script in case of firmware upgrade
    wgsetupscript='"wgsetupscript":""'
    if [ -w $wgsetupscriptfile ]; then
        wgsetupscript='"wgsetupscript":"on"'
    fi

    # auto-upgrade cronjob script
    autoupdatefromgithub='"autoupdatefromgithub":""'
    if [ -w $wgautoupdatecronjob ]; then
        autoupdatefromgithub='"autoupdatefromgithub":"on"'
    fi

    #
    # Read current configuration
    #

    # Checkbox "Enable"
    wgenable="\"wgenable\":false"
    eval "interfaces=($($cli listActiveNodes $wgcfg))"
    if [ "${interfaces[0]}" == "wg0" ]; then
        # existsActive: Returns 0 if specified node exists in the current active (running) configuration, 1 otherwise.
        $cli existsActive $wgcfg ${interfaces[0]} disable
        if [ $? == 1 ]; then
            wgenable="\"wgenable\":\"on\"";
        fi
    fi

    # Inputfield "Server Port"
    eval "listenport=($($cli returnActiveValue $wgcfg ${interfaces[0]} listen-port))"
    listenport="\"listen-port\":\"$listenport\""

    # Checkbox "Route allowed IPs" (default value: true)
    routeallowedips=""
    routeallowedips_vyatta=$($cli returnActiveValue $wgcfg ${interfaces[0]} route-allowed-ips)
    if [ -n "$routeallowedips_vyatta" ] && [ $routeallowedips_vyatta == "true" ]; then
        routeallowedips="on"
    fi

    # Inputfield ip address
    ipaddress=''
    eval "ipaddrvalues=($($cli returnActiveValues $wgcfg ${interfaces[0]} address))"
    for ipaddrvalue in "${ipaddrvalues[@]}"; do
        [ -n "$ipaddress" ] && ipaddress+=','
        ipaddress+="\"$ipaddrvalue\""
    done
    ipaddress="\"ipaddress\":[$ipaddress]"

    # (disabled) Inputfield "My public key"
    eval "privatekey=($($run show $wgcfg ${interfaces[0]} private-key))"
    if [ -n "$privatekey" ]; then
        localpubkey=$(echo "$privatekey" | /usr/bin/wg pubkey)
    fi
    localpubkey="\"localpubkey\":\"$localpubkey\""

    # privatekeycfg can be a file path or key / privatekey always has a key
    eval "privatekeycfg=($($cli returnActiveValue $wgcfg ${interfaces[0]} private-key))"
    if [ -z "$privatekeycfg" ]; then
        echo "[INFO] privatekeycfg=($($cli returnActiveValue $wgcfg ${interfaces[0]} private-key)) is empty!." >> $log
    fi

    # (hidden) Inputfield "private key"
    privatekey="\"privatekey\":\"$privatekeycfg\""

    # Inputfield allowed ips for peers QR code
    eval "peersallowedips=($($run show configuration commands | awk '/wireguard-wizard-peers-allowed-ips/ {print $5}'))"
    peersallowedips="\"peers-allowed-ips\":[\"$peersallowedips\"]"
    peersallowedips=${peersallowedips//,/\",\"}

    # Inputfield DNS for peers QR code
    eval "peersdns=($($run show configuration commands | awk '/wireguard-wizard-peers-dns/ {print $5}'))"
    peersdns="\"peers-dns\":[\"$peersdns\"]"
    peersdns=${peersdns//,/\",\"}

    # Inputfield endpoint for peers QR code
    eval "peersendpoint=($($run show configuration commands | awk '/wireguard-wizard-peers-endpoint/ {print $5}'))"
    peersendpoint="\"peers-endpoint\":\"$peersendpoint\""

    # Peers:
    # get current wireguard configuration and return configured values to wizard.html
    peerlist=''
    eval "peers=($($cli listActiveNodes $wgcfg ${interfaces[0]} peer))"
    for peer in "${peers[@]}"; do
        if [ -n "$peerlist" ]; then
            peerlist+=",{\"public-key\":\"$peer\""
        else
            peerlist="{\"public-key\":\"$peer\""
        fi
        eval "settings=($($cli listActiveNodes $wgcfg ${interfaces[0]} peer $peer))"
        for setting in "${settings[@]}"; do
            if [ "$setting" == "allowed-ips" ]; then
                allowedips=''
                eval "values=($($cli returnActiveValues $wgcfg ${interfaces[0]} peer $peer allowed-ips))"
                for value in "${values[@]}"; do
                    [ -n "$allowedips" ] && allowedips+=','
                    allowedips+="\"$value\""
                done
                [ -n "$allowedips" ] && allowedips="\"allowed-ips\":[$allowedips]" && peerlist+=",$allowedips"
            fi
            if [ "$setting" == "description" ]; then
                description="$($cli returnActiveValue $wgcfg ${interfaces[0]} peer $peer description)"
                [ -n "$description" ] && description="\"description\":\"$description\"" && peerlist+=",$description"
            fi
            if [ "$setting" == "endpoint" ]; then
                eval "endpoint=($($cli returnActiveValue $wgcfg ${interfaces[0]} peer $peer endpoint))"
                [ -n "$endpoint" ] && endpoint="\"endpoint\":\"$endpoint\"" && peerlist+=",$endpoint"
            fi
            if [ "$setting" == "persistent-keepalive" ]; then
                eval "persistentkeepalive=($($cli returnActiveValue $wgcfg ${interfaces[0]} peer $peer persistent-keepalive))"
                [ -n "$persistentkeepalive" ] && persistentkeepalive="\"persistent-keepalive\":\"$persistentkeepalive\"" && peerlist+=",$persistentkeepalive"
            fi
            if [ "$setting" == "preshared-key" ]; then
                eval "presharedkey=($($cli returnActiveValue $wgcfg ${interfaces[0]} peer $peer preshared-key))"
                [ -n "$presharedkey" ] && presharedkey="\"preshared-key\":\"$presharedkey\"" && peerlist+=",$presharedkey"
            fi
        done
        latesthandshake="$(wg show wg0 latest-handshakes | grep "$peer" | awk '{print $2}')"
        latesthandshakeago="$(expr $(date +%s) - $latesthandshake)"
        latesthandshaketext="$(date -ud @$latesthandshakeago +'%M minutes %S seconds ago')"
        [ -n "$latesthandshake" ] && [ "$latesthandshake" -gt 0 ] && latesthandshake="\"latesthandshake\":\"$latesthandshaketext\"" && peerlist+=",$latesthandshake"
        peerlist+='}'
    done

    #
    # get all variables together for output
    #
    echo "{\"success\":\"1\",\"data\":{ $pkgstatus,$procstatus,$wizstatus,$wgsetupscript,$autoupdatefromgithub,$wgenable,$listenport,\"route-allowed-ips\":\"$routeallowedips\",$ipaddress,$localpubkey,$privatekey,$peersallowedips,$peersdns,$peersendpoint,\"peerlist\":[$peerlist] }}"
}

# function called when you click apply
apply () {

    parse () {
        local var=$1
        local exp=$2
        local val=$(cat $INPUT | jq "$exp" 2>/dev/null)
        if [ $(expr index "$exp" []) -eq 0 ]; then
            eval "$var=$val"
        else
            eval "$var=($val)"
        fi
    }

    # setup script
    if [ "$(jq -M -r '.wgsetupscript' $INPUT 2>/dev/null)" == "on" ]; then
        #if [ ! -f $wgsetupscriptfile ]; then
            writesetupscript
        #fi
    else
        rm -f $wgsetupscriptfile >/dev/null 2>/dev/null
    fi

    # manual upgrade trigger via wizard
    [ "$(jq -M -r '.updatefromgithub' $INPUT)" == "on" ] && installwireguard forceupgrade >>$log 2>>$log

    # auto-upgrade script
    if [ "$(jq -M -r '.autoupdatefromgithub' $INPUT 2>/dev/null)" == "on" ]; then
        if [ ! -f $wgautoupdatecronjob ]; then
            writecronjob
        fi
    else
        rm -f $wgautoupdatecronjob >/dev/null 2>/dev/null
    fi

    ############################
    # WireGuard APPLY function #
    ############################

    local ret=0
    local output=''
    local -A name

    parse wgenable '."wgenable"'
    parse privatekey '."privatekey"'
    if [ "$wgenable" == "on" ] && [ -z "$privatekey" ]; then
        # PROBLEM: EdgeOS WireGuard package "wireguard-vyatta-ubnt" has problems to handle private keys with slashes
        # FIX: Retry generation of private keys until one is generated without (forward) slashes.
        privatekey='/'
        until [[ "$privatekey" != *\/* ]]; do
            privatekey=$(wg genkey)
        done
    fi
    parse listenport '."listen-port"'
    parse routeallowedips '."route-allowed-ips"'
    mapfile -t ipaddress < <(cat $INPUT | jq -c '."ipaddress"' | sed 's/,/ /g;s/\[//;s/\]//;s/\"//g')
    #parse peersallowedips '."peers-allowed-ips"'
    peersallowedips=$(cat $INPUT | jq -c '."peers-allowed-ips"' | sed 's/\[//;s/\]//;s/\"//g')
    #parse peersdns '."peers-dns"'
    peersdns=$(cat $INPUT | jq -c '."peers-dns"' | sed 's/\[//;s/\]//;s/\"//g')
    parse peersendpoint '."peers-endpoint"'
    parse pubkeys '."peerlist"[]|select(has("public-key"?))."public-key"?'
    parse descriptions '."peerlist"[]|select(has("public-key"?))."description"?'
    parse endpoints '."peerlist"[]|select(has("public-key"?))."endpoint"?'
    parse presharedkeys '."peerlist"[]|select(has("public-key"?))."preshared-key"?'
    parse persistentkeepalives '."peerlist"[]|select(has("public-key"?))."persistent-keepalive"?'
    mapfile -t allowedips < <(cat $INPUT | jq -c '."peerlist"[]|select(has("public-key"?))."allowed-ips"?' | sed 's/,/ /g;s/\[//;s/\]//;s/\"//g')

    for pubkey in "${pubkeys[@]}"; do
        if [ -z "$pubkey" ] || [ "$pubkey" == null ]; then
            continue
        fi
        if [ -n "${name[${pubkey,,}]}" ]; then
            output="Public key <b>'${pubkey,,}'</b> exists more than once"
            ret=1
            break
        fi
        name[${pubkey,,}]=1
    done

    if [ $ret == 0 ]; then
        temp=$(mktemp)
        (
            $cmd begin
            ret=0
            if $cmd show | grep -q "wireguard-wizard-peers-allowed-ips"; then
                if ! $cmd delete custom-attribute wireguard-wizard-peers-allowed-ips; then
                    echo "$cmd delete custom-attribute wireguard-wizard-peers-allowed-ips failed." >> $log
                    ret=1
                fi
            fi
            if $cmd show | grep -q "wireguard-wizard-peers-dns"; then
                if ! $cmd delete custom-attribute wireguard-wizard-peers-dns; then
                    echo "$cmd delete custom-attribute wireguard-wizard-peers-dns failed." >> $log
                    ret=1
                fi
            fi
            eval "interfaces=($($cli listActiveNodes $wgcfg))"
            if [ ! "$wgenable" == "on" ]; then
                if [ -n "$interfaces" ]; then
                    $cmd delete $wgcfg ${interfaces[0]} disable
                    if ! $cmd set $wgcfg ${interfaces[0]} disable; then
                        echo "set $wgcfg ${interfaces[0]} disable failed." >> $log
                        ret=1
                    fi
                fi
            fi
            if [ "$wgenable" == "on" ]; then
                interfaces="wg0"
                $cmd delete $wgcfg ${interfaces[0]} disable

                if ! $cmd set $wgcfg ${interfaces[0]} private-key "${privatekey}"; then
                    echo "set $wgcfg ${interfaces[0]} private-key \"${privatekey}\" failed." >> $log
                    ret=1
                fi
                if [ -n "$listenport" ]; then
                    if ! $cmd set $wgcfg ${interfaces[0]} listen-port "${listenport}"; then
                        echo "set $wgcfg ${interfaces[0]} listen-port \"${listenport}\" failed." >> $log
                        ret=1
                    fi
                else
                    $cmd delete $wgcfg ${interfaces[0]} listen-port
                fi
                if [ "$routeallowedips" == "on" ]; then
                    if ! $cmd set $wgcfg ${interfaces[0]} route-allowed-ips true; then
                        echo "set $wgcfg ${interfaces[0]} route-allowed-ips true failed." >> $log
                        ret=1
                    fi
                else
                    if ! $cmd set $wgcfg ${interfaces[0]} route-allowed-ips false; then
                        echo "set $wgcfg ${interfaces[0]} route-allowed-ips false failed." >> $log
                        ret=1
                    fi
                fi
                if [ -n "${ipaddress}" ] && [ "${ipaddress}" != "null" ]; then
                    for oneipaddress in ${ipaddress}; do
                        if ! $cmd set $wgcfg ${interfaces[0]} address "$oneipaddress"; then
                            echo "set $wgcfg ${interfaces[0]} address \"$oneipaddress\" failed." >> $log
                            ret=1
                            break 2
                        fi
                    done
                else
                     $cmd delete $wgcfg ${interfaces[0]} address
                fi
                if [ -n "$peersallowedips" ]; then
                    if ! $cmd set custom-attribute wireguard-wizard-peers-allowed-ips; then
                        echo "set custom-attribute wireguard-wizard-peers-allowed-ips failed." >> $log
                    fi
                    if ! $cmd set custom-attribute wireguard-wizard-peers-allowed-ips value "$peersallowedips"; then
                        echo "set custom-attribute wireguard-wizard-peers-allowed-ips value \"$peersallowedips\" failed." >> $log
                    fi
                fi
                if [ -n "$peersdns" ]; then
                    if ! $cmd set custom-attribute wireguard-wizard-peers-dns; then
                        echo "set custom-attribute wireguard-wizard-peers-dns failed." >> $log
                    fi
                    if ! $cmd set custom-attribute wireguard-wizard-peers-dns value "$peersdns"; then
                        echo "set custom-attribute wireguard-wizard-peers-dns value \"$peersdns\" failed." >> $log
                    fi
                fi
                if [ -n "$peersendpoint" ]; then
                    if ! $cmd set custom-attribute wireguard-wizard-peers-endpoint; then
                        echo "set custom-attribute wireguard-wizard-peers-endpoint failed." >> $log
                    fi
                    if ! $cmd set custom-attribute wireguard-wizard-peers-endpoint value "$peersendpoint"; then
                        echo "set custom-attribute wireguard-wizard-peers-endpoint value \"$peersendpoint\" failed." >> $log
                    fi
                fi
                j=0
                for ((i = 0; i < ${#pubkeys[@]}; i++)); do
                    if [ -z "${pubkeys[i]}" ] || [ "${pubkeys[i]}" == null ]; then
                        continue
                    fi
                    if [ -n "${descriptions[i]}" ]; then
                        if ! $cmd set $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" description "${descriptions[i]}"; then
                            echo "set $wgcfg ${interfaces[0]} peer \"${pubkeys[i]}\" description \"${descriptions[i]}\" failed." >> $log
                            ret=1
                            break
                        fi
                    else
                        $cmd delete $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" description
                    fi
                    if [ -n "${endpoints[i]}" ]; then
                        if ! $cmd set $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" endpoint "${endpoints[i]}"; then
                            echo "set $wgcfg ${interfaces[0]} peer \"${pubkeys[i]}\" endpoint \"${endpoints[i]}\" failed." >> $log
                            ret=1
                            break
                        fi
                    else
                        $cmd delete $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" endpoint
                    fi
                    if [ -n "${persistentkeepalives[i]}" ]; then
                        if ! $cmd set $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" persistent-keepalive "${persistentkeepalives[i]}"; then
                            echo "set $wgcfg ${interfaces[0]} peer \"${pubkeys[i]}\" persistent-keepalive \"${persistentkeepalives[i]}\" failed." >> $log
                            ret=1
                            break
                        fi
                    else
                        $cmd delete $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" persistent-keepalive
                    fi
                    if [ -n "${presharedkeys[i]}" ]; then
                        if ! $cmd set $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" preshared-key "${presharedkeys[i]}"; then
                            echo "set $wgcfg ${interfaces[0]} peer \"${pubkeys[i]}\" preshared-key \"${presharedkeys[i]}\" failed." >> $log
                            ret=1
                            break
                        fi
                    else
                        $cmd delete $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" preshared-key
                    fi
                    if [ -n "${allowedips[j]}" ] && [ "${allowedips[j]}" != "null" ]; then
                        $cmd delete $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" allowed-ips
                        for allowedip in ${allowedips[j]}; do
                            if ! $cmd set $wgcfg ${interfaces[0]} peer "${pubkeys[i]}" allowed-ips "$allowedip"; then
                                echo "set $wgcfg ${interfaces[0]} peer \"${pubkeys[i]}\" allowed-ips \"$allowedip\" failed." >> $log
                                ret=1
                                break 2
                            fi
                        done
                    fi
                    if [ $ret == 1 ]; then
                        echo "something failed, check log!" >> $log
                        break
                    fi
                    j=$(expr $j + 1)
                done
                
                # delete old peers
                eval "peers=($($cli listActiveNodes $wgcfg ${interfaces[0]} peer))"
                for peer in "${peers[@]}"; do
                    found=
                    for pubkey in "${pubkeys[@]}"; do
                        if [ $peer == $pubkey ]; then
                            found=1
                            break
                        fi
                    done
                    if [ ! $found ]; then
                        if ! $cmd delete $wgcfg ${interfaces[0]} peer "$peer"; then
                            echo "delete $wgcfg ${interfaces[0]} peer \"$peer\" failed." >> $log
                            ret=1
                            break
                        fi
                    fi
                done
            fi

            if [ $ret == 0 ]; then
                $cmd commit || ret=1
            fi
            if [ $ret == 0 ]; then
                $cmd save || ret=1
            fi
            $cmd end
            exit $ret
        ) >$temp 2>&1
        ret=$?

        output=$(cat $temp)
        rm -f $temp
    fi

    if [ $ret == 0 ]; then
        echo "{\"success\":\"1\"}"
    else
        output=$(echo $output)
        echo "{\"success\":\"0\",\"error\": \"${output//\"/\'}\"}"
    fi

}

case "$ACTION" in
    install)
        installwireguard $2
        ;;
    load)
        load
        ;;
    apply)
        apply
        ;;
esac

echo "$(date +%Y-%m-%d/%H:%M:%S.%N) [wizard] EdgeMAX WireGuard Wizard ended - Session="$$ >>$log