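#!/usr/bin/env bash
#
# wgctl "remove" command: permanently deletes a WireGuard client (peer entry,
# client config, keys, firewall state and metadata) and reloads WireGuard.
#
# This file only defines functions. The flag::, log::, peers::, fw:: and
# keys:: helpers it calls are defined elsewhere in the project.

# ============================================
# Lifecycle
# ============================================

#######################################
# Registers the flags accepted by this command.
#######################################
function cmd::remove::on_load() {
  flag::register --name
  flag::register --type
  flag::register --force
}

# ============================================
# Help
# ============================================

#######################################
# Prints usage for the remove command to stdout.
# NOTE(review): the usage line and the "<name>" placeholder were rebuilt from
# the examples in this text; confirm the exact wording against the project.
# NOTE(review): --type is registered and parsed below but is not listed here.
#######################################
function cmd::remove::help() {
  cat <<EOF
Usage: wgctl remove --name <name> [options]

Permanently remove a WireGuard client.
This will delete the client config, keys, and remove it from the server.

Options:
  --name <name>    Full client name (e.g. phone-nuno)
  --force          Skip confirmation prompt

Examples:
  wgctl remove --name phone-nuno
  wgctl rm --name phone-nuno --force
EOF
}

# ============================================
# Run
# ============================================

#######################################
# Removes a client after resolving its name and (unless --force) asking for
# confirmation.
# Arguments:
#   --name <value>  client name (required)
#   --type <value>  passed through to peers::resolve_and_require
#   --force         skip the confirmation prompt
#   --help          print usage and return
# Returns:
#   0 on success, on --help, or when the user declines the prompt;
#   1 on a usage error or when a mandatory removal step fails.
#######################################
function cmd::remove::run() {
  local name=""
  local type=""
  local force=false

  while [[ $# -gt 0 ]]; do
    case "$1" in
      --name | --type)
        # A value flag given as the last argument used to leave "$2" unset and
        # make "shift 2" fail without consuming anything, so this loop never
        # terminated. Reject the call instead.
        if (( $# < 2 )); then
          log::error "Missing value for flag: $1"
          cmd::remove::help
          return 1
        fi
        if [[ "$1" == --name ]]; then
          name="$2"
        else
          type="$2"
        fi
        shift 2
        ;;
      --force)
        force=true
        shift
        ;;
      --help)
        cmd::remove::help
        return
        ;;
      *)
        log::error "Unknown flag: $1"
        cmd::remove::help
        return 1
        ;;
    esac
  done

  if [[ -z "$name" ]]; then
    log::error "Missing required flag: --name"
    cmd::remove::help
    return 1
  fi

  # From here on "$name" is whatever the resolver printed; every destructive
  # helper below receives that value.
  # NOTE(review): presumably the resolver also rejects names that are not
  # existing peers (path separators, "..") -- confirm, since the name reaches
  # the config and key removal helpers.
  name=$(peers::resolve_and_require "$name" "$type") || return 1

  # Confirmation prompt unless --force. Anything other than y/yes (including
  # EOF on a non-interactive stdin) aborts, so the default is the safe one.
  if [[ "$force" != true ]]; then
    local confirm=""
    read -r -p "Are you sure you want to permanently remove '${name}'? [y/N] " confirm
    case "$confirm" in
      [yY][eE][sS] | [yY]) ;;
      *)
        log::info "Aborted"
        return 0
        ;;
    esac
  fi

  log::section "Removing client: ${name}"

  # Capture IP and block state first: both are looked up by name and the
  # lookups stop working once the peer's files are gone.
  local client_ip
  client_ip=$(peers::get_ip "$name")

  local was_blocked=false
  peers::is_blocked "$name" && was_blocked=true

  # NOTE(review): the assigned (or default) rule is looked up but never used
  # afterwards; nothing here unapplies it by name. fw::flush_peer below is the
  # only step that touches the peer's firewall rules. Confirm this is intended.
  local assigned_rule
  assigned_rule=$(peers::get_meta "$name" "rule")
  if [[ -z "$assigned_rule" ]]; then
    assigned_rule=$(peers::default_rule "$name")
  fi

  # Flush all iptables rules for this peer IP.
  # NOTE(review): this runs before the peer is removed from the server config,
  # and each mandatory step below returns early on failure without reaching
  # peers::reload. A failure part-way can therefore leave the peer configured
  # with its per-peer rules already flushed. Whether it is still live on the
  # running interface depends on peers::remove_from_server -- confirm, and
  # re-check state by hand after any failed removal.
  if [[ -n "$client_ip" ]]; then
    fw::flush_peer "$client_ip"
  fi

  # Mandatory steps: peer entry, client config, then key material.
  peers::remove_from_server "$name" || return 1
  peers::remove_client_config "$name" || return 1
  keys::remove "$name" || return 1

  # Remove block rules only if the client was fully blocked.
  if [[ -n "$client_ip" ]] && [[ "$was_blocked" == true ]]; then
    fw::unblock_all "$client_ip"
  fi

  # Best-effort cleanup: errors are deliberately ignored here.
  fw::remove_block_file "$name" 2>/dev/null || true
  peers::remove_meta "$name" 2>/dev/null || true

  # Reload WireGuard
  peers::reload || return 1

  log::wg_success "Client removed: ${name}"
}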