234 lines
No EOL
6.8 KiB
Bash
234 lines
No EOL
6.8 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# ============================================
|
|
# Lifecycle
|
|
# ============================================
|
|
|
|
function cmd::add::on_load() {
|
|
flag::register --name
|
|
flag::register --type
|
|
flag::register --subtype
|
|
flag::register --rule
|
|
flag::register --group
|
|
flag::register --ip
|
|
flag::register --guest
|
|
flag::register --tunnel
|
|
flag::register --show-config
|
|
flag::register --show-qr
|
|
}
|
|
|
|
# ============================================
|
|
# Help
|
|
# ============================================
|
|
|
|
function cmd::add::help() {
|
|
cat <<EOF
|
|
Usage: wgctl add --name <name> --type <type> [options]
|
|
|
|
Add a new WireGuard client.
|
|
|
|
Options:
|
|
--name <name> Client name (e.g. nuno)
|
|
--type <type> Device type: desktop, laptop, phone, tablet, guest
|
|
--subtype <subtype> Guest subtype: desktop, laptop, phone, tablet (mostly used for guest)
|
|
--ip <ip> Override auto-assigned IP (optional)
|
|
--guest Shorthand for --type guest
|
|
--tunnel <mode> Tunnel mode: split|full (default: split)
|
|
--rule <rule> Assign rule on creation (default: user, guest types: guest)
|
|
--group <group> Add to group on creation (group must exist)
|
|
--show-config Shows the WireGuard peer config
|
|
--show-qr Shows the WireGuard config in a QR Code
|
|
|
|
Device Types and Subnets:
|
|
desktop 10.1.1.x
|
|
laptop 10.1.2.x
|
|
phone 10.1.3.x
|
|
tablet 10.1.4.x
|
|
guest 10.1.100.x
|
|
|
|
Rules:
|
|
Automatically assigned based on type (guest → guest rule, others → user rule).
|
|
Override with --rule. Manage rules with: wgctl rule help
|
|
|
|
Tunnel Modes:
|
|
split Route only VPN subnet + LAN through WireGuard (default)
|
|
full Route all traffic through WireGuard
|
|
|
|
Examples:
|
|
wgctl add --name nuno --type phone
|
|
wgctl add --name nuno --type laptop --ip 10.1.2.5
|
|
wgctl add --name nuno --type phone --tunnel full
|
|
wgctl add --name guest1 --type phone --guest
|
|
wgctl add --name restricted --type desktop
|
|
wgctl add --name dev --type laptop --rule dev-01
|
|
wgctl add --name visitor --type guest --show-qr
|
|
EOF
|
|
}
|
|
|
|
# ============================================
|
|
# Validation
|
|
# ============================================
|
|
|
|
function cmd::add::validate() {
|
|
local name="$1"
|
|
local type="$2"
|
|
local ip="$3"
|
|
local tunnel="$4"
|
|
|
|
if [[ -z "$name" ]]; then
|
|
log::error "Missing required flag: --name"
|
|
return 1
|
|
fi
|
|
|
|
if [[ -z "$type" ]]; then
|
|
log::error "Missing required flag: --type"
|
|
return 1
|
|
fi
|
|
|
|
if ! config::is_valid_type "$type"; then
|
|
log::error "Invalid device type: ${type}"
|
|
log::info "Valid types: $(config::device_types | tr ' ' ', ')"
|
|
return 1
|
|
fi
|
|
|
|
if [[ -n "$tunnel" && "$tunnel" != "split" && "$tunnel" != "full" ]]; then
|
|
log::error "Invalid tunnel mode: ${tunnel} (use 'split' or 'full')"
|
|
return 1
|
|
fi
|
|
|
|
if [[ -n "$ip" ]]; then
|
|
ip::require_valid "$ip"
|
|
fi
|
|
|
|
local full_name="${type}-${name}"
|
|
|
|
if [[ -f "$(ctx::clients)/${full_name}.conf" ]]; then
|
|
log::error "Client already exists: ${full_name}"
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# ============================================
|
|
# Display helpers
|
|
# ============================================
|
|
|
|
function cmd::add::is_mobile() {
|
|
local type="$1"
|
|
[[ "$type" == "phone" || "$type" == "tablet" ]]
|
|
}
|
|
|
|
# ============================================
|
|
# Run
|
|
# ============================================
|
|
|
|
function cmd::add::run() {
|
|
local name=""
|
|
local type=""
|
|
local subtype=""
|
|
local rule=""
|
|
local group=""
|
|
local ip=""
|
|
local tunnel=""
|
|
local guest=false
|
|
local show_config=false
|
|
local show_qr=false
|
|
|
|
# Parse flags
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--name) name="$2"; shift 2 ;;
|
|
--type) type="$2"; shift 2 ;;
|
|
--subtype) subtype="$2"; shift 2 ;;
|
|
--rule) rule="$2"; shift 2 ;;
|
|
--group) group="$2"; shift 2 ;;
|
|
--ip) ip="$2"; shift 2 ;;
|
|
--guest) guest=true; shift ;;
|
|
--tunnel) tunnel="$2"; shift 2 ;;
|
|
--show-config) show_config=true; shift ;;
|
|
--show-qr) show_qr=true; shift ;;
|
|
--help) cmd::add::help; return ;;
|
|
*)
|
|
log::error "Unknown flag: $1"
|
|
cmd::add::help
|
|
return 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
$guest && type="guest"
|
|
|
|
local effective_type
|
|
effective_type=$(cmd::add::_resolve_type "$type" "$subtype") || return 1
|
|
|
|
local full_name="${type}-${name}"
|
|
cmd::add::validate "$name" "$type" "$ip" "$tunnel" || return 1
|
|
|
|
[[ -z "$tunnel" ]] && tunnel=$(config::default_tunnel_for "$type")
|
|
[[ -z "$rule" ]] && rule=$(cmd::add::_default_rule "$type")
|
|
|
|
rule::exists "$rule" || { log::error "Rule not found: ${rule}"; return 1; }
|
|
|
|
local allowed_ips
|
|
allowed_ips=$(config::allowed_ips_for "$effective_type" "$tunnel") || return 1
|
|
|
|
log::section "Adding client: ${full_name}"
|
|
[[ -z "$ip" ]] && ip=$(ip::next_for_type "$effective_type") || return 1
|
|
|
|
log::wg_add "Name: ${full_name}"
|
|
log::wg_add "Type: ${type}"
|
|
log::wg_add "IP: ${ip}"
|
|
log::wg_add "Tunnel: ${tunnel} (${allowed_ips})"
|
|
log::wg_add "Rule: ${rule:-none}"
|
|
|
|
keys::generate_pair "$full_name" || return 1
|
|
peers::create_client_config "$full_name" "$effective_type" "$ip" "$allowed_ips" || return 1
|
|
[[ -n "$subtype" ]] && peers::set_meta "$full_name" "subtype" "$subtype"
|
|
|
|
if [[ -n "$group" ]]; then
|
|
if ! group::exists "$group"; then
|
|
log::wg_warning "Group '${group}' not found — skipping group assignment"
|
|
else
|
|
group::add_peer "$group" "$full_name"
|
|
log::wg "Added to group: ${group}"
|
|
fi
|
|
fi
|
|
|
|
local public_key
|
|
public_key=$(keys::public "$full_name") || return 1
|
|
peers::add_to_server "$full_name" "$public_key" "$ip" || return 1
|
|
|
|
[[ -n "$rule" ]] && rule::apply "$rule" "$ip" || return 1
|
|
peers::reload || return 1
|
|
|
|
log::wg_success "Client added successfully: ${full_name} (${ip}) [${tunnel} tunnel]"
|
|
cmd::add::_show_result "$full_name" "${subtype:-$type}"
|
|
}
|
|
|
|
function cmd::add::_resolve_type() {
|
|
local type="$1" subtype="$2"
|
|
if [[ "$type" == "guest" && -n "$subtype" ]]; then
|
|
local valid_subtypes="desktop laptop phone tablet"
|
|
if ! echo "$valid_subtypes" | grep -qw "$subtype"; then
|
|
log::error "Invalid subtype: ${subtype} (valid: desktop, laptop, phone, tablet)"
|
|
return 1
|
|
fi
|
|
echo "guest-${subtype}"
|
|
else
|
|
echo "$type"
|
|
fi
|
|
}
|
|
|
|
function cmd::add::_default_rule() {
|
|
local type="$1"
|
|
config::is_guest_type "$type" && echo "guest" || echo "user"
|
|
}
|
|
|
|
function cmd::add::_show_result() {
|
|
local full_name="$1" display_type="$2"
|
|
if cmd::add::is_mobile "$display_type"; then
|
|
keys::qr "$full_name"
|
|
else
|
|
log::section "Client Config"
|
|
cat "$(ctx::clients)/${full_name}.conf"
|
|
fi
|
|
} |