wgctl/commands/remove.command.sh


#!/usr/bin/env bash
# ============================================
# Lifecycle
# ============================================
# Lifecycle hook: registers the flags `wgctl remove` accepts, one
# flag::register call per flag, in the order --name, --type, --force.
function cmd::remove::on_load() {
  local flag
  for flag in --name --type --force; do
    flag::register "$flag"
  done
}
# ============================================
# Help
# ============================================
# Prints the usage text for `wgctl remove` to stdout, one line per argument.
# NOTE(review): cmd::remove::run also accepts --type, which is not listed here.
function cmd::remove::help() {
  printf '%s\n' \
    "Usage: wgctl remove --name <name> [options]" \
    "Permanently remove a WireGuard client." \
    "This will delete the client config, keys, and remove it from the server." \
    "Options:" \
    "--name <name> Full client name (e.g. phone-nuno)" \
    "--force Skip confirmation prompt" \
    "Examples:" \
    "wgctl remove --name phone-nuno" \
    "wgctl rm --name phone-nuno --force"
}
# ============================================
# Run
# ============================================
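# Permanently removes a WireGuard client: flushes its firewall rules, removes
# the peer from the server config, deletes the client config and keys, clears
# block state and metadata, then reloads WireGuard.
# Arguments: --name <name> (required), --type <type>, --force, --help
# Returns:   0 on success, on --help, or when the prompt is declined;
#            1 on an unknown flag, a missing flag value, a missing --name,
#            or when a required removal step fails.
function cmd::remove::run() {
  local name=""
  local type=""
  local force=false
  local confirm=""

  while [[ $# -gt 0 ]]; do
    case "$1" in
      --name|--type)
        # A value flag given as the last argument has no "$2". `shift 2`
        # would then fail without shifting and this loop would never end.
        if [[ $# -lt 2 ]]; then
          log::error "Missing value for flag: $1"
          cmd::remove::help
          return 1
        fi
        if [[ "$1" == "--name" ]]; then
          name="$2"
        else
          type="$2"
        fi
        shift 2
        ;;
      --force) force=true; shift ;;
      --help) cmd::remove::help; return ;;
      *)
        log::error "Unknown flag: $1"
        cmd::remove::help
        return 1
        ;;
    esac
  done

  if [[ -z "$name" ]]; then
    log::error "Missing required flag: --name"
    cmd::remove::help
    return 1
  fi

  # Every step below deletes state keyed by the resolved name, so this call is
  # the only gate on what gets removed.
  # NOTE(review): presumably this returns only names of existing peers;
  # confirm it rejects path-like input before the file-removal helpers run.
  name=$(peers::resolve_and_require "$name" "$type") || return 1

  # Confirmation prompt unless --force. A failed read (EOF, no terminal) keeps
  # whatever was read; an empty answer falls through to "Aborted".
  if [[ "$force" != true ]]; then
    read -r -p "Are you sure you want to permanently remove '${name}'? [y/N] " confirm || true
    case "$confirm" in
      [yY][eE][sS]|[yY]) ;;
      *)
        log::info "Aborted"
        return 0
        ;;
    esac
  fi

  log::section "Removing client: ${name}"

  # Capture the IP and block state first; the metadata they come from is
  # removed further down.
  local client_ip
  client_ip=$(peers::get_ip "$name")
  local was_blocked=false
  peers::is_blocked "$name" && was_blocked=true

  # NOTE(review): assigned_rule is looked up but never read afterwards, so no
  # rule is actually unapplied here; wire it up or drop the lookup.
  local assigned_rule
  assigned_rule=$(peers::get_meta "$name" "rule")
  if [[ -z "$assigned_rule" ]]; then
    assigned_rule=$(peers::default_rule "$name")
  fi

  # Flush all iptables rules for this peer IP.
  # NOTE(review): this runs before the peer is removed and WireGuard is
  # reloaded. If a later step returns 1, the peer stays configured with its
  # per-peer rules gone; whether that is fail-open depends on the default
  # chain policy, which is not visible here.
  if [[ -n "$client_ip" ]]; then
    fw::flush_peer "$client_ip"
  fi

  # Required steps: stop at the first failure.
  peers::remove_from_server "$name" || return 1
  peers::remove_client_config "$name" || return 1
  keys::remove "$name" || return 1

  # Remove block rules only if the client was fully blocked.
  if [[ -n "$client_ip" && "$was_blocked" == true ]]; then
    fw::unblock_all "$client_ip"
  fi

  # Best-effort cleanup: failures are deliberately ignored.
  fw::remove_block_file "$name" 2>/dev/null || true
  peers::remove_meta "$name" 2>/dev/null || true

  # Reload WireGuard so the running interface drops the peer.
  peers::reload || return 1
  log::wg_success "Client removed: ${name}"
}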