#!/usr/bin/env bash
set -euo pipefail

# ── Abhängigkeiten prüfen / installieren ──────────────────────────────
need() {
    command -v "$1" &>/dev/null
}

if ! need pkcs11-tool; then
    echo "==> opensc wird installiert..."
    if   need apt-get; then sudo apt-get install -y -q opensc libengine-pkcs11-openssl
    elif need dnf;     then sudo dnf install -y -q opensc openssl-pkcs11
    elif need pacman;  then sudo pacman -Sy --noconfirm opensc
    else echo "Bitte opensc manuell installieren: https://github.com/OpenSC/OpenSC"; exit 1; fi
fi

if ! need wg-quick; then
    echo "==> wireguard-tools wird installiert..."
    if   need apt-get; then sudo apt-get install -y -q wireguard
    elif need dnf;     then sudo dnf install -y -q wireguard-tools
    elif need pacman;  then sudo pacman -Sy --noconfirm wireguard-tools
    else echo "Bitte WireGuard manuell installieren: https://www.wireguard.com/install/"; exit 1; fi
fi

# ── PKCS#11 Modul und Engine finden ───────────────────────────────────
find_lib() {
    for f in \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        /usr/lib/aarch64-linux-gnu/opensc-pkcs11.so \
        /usr/lib/arm-linux-gnueabihf/opensc-pkcs11.so \
        /usr/lib64/opensc-pkcs11.so \
        /usr/lib/opensc-pkcs11.so; do
        [[ -f "$f" ]] && echo "$f" && return 0
    done
    find /usr -name "opensc-pkcs11.so" 2>/dev/null | head -1
}

find_engine() {
    for f in \
        /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so \
        /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so \
        /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so \
        /usr/lib/aarch64-linux-gnu/engines-1.1/pkcs11.so \
        /usr/lib64/engines-1.1/pkcs11.so \
        /usr/lib/engines-1.1/pkcs11.so; do
        [[ -f "$f" ]] && echo "$f" && return 0
    done
    find /usr -name "pkcs11.so" -path "*/engines*" 2>/dev/null | head -1
}

PKCS11_LIB=$(find_lib)     || { echo "opensc-pkcs11.so nicht gefunden"; exit 1; }
PKCS11_ENGINE=$(find_engine) || { echo "pkcs11 engine nicht gefunden — apt install libengine-pkcs11-openssl"; exit 1; }

# ── Temporäre OpenSSL-Konfiguration ───────────────────────────────────
TMP=$(mktemp /tmp/pkcs11.XXXXXX.cnf)
trap 'rm -f "$TMP"' EXIT
cat > "$TMP" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id    = pkcs11
dynamic_path = ${PKCS11_ENGINE}
MODULE_PATH  = ${PKCS11_LIB}
init = 0
EOF

# ── Config laden ───────────────────────────────────────────────────────
echo "Config wird geladen... (YubiKey ggf. berühren)"

OPENSSL_CONF="$TMP" curl \
    --engine pkcs11 \
    --key-type ENG --key  "pkcs11:slot-id=0;type=private" \
    --cert-type ENG --cert "pkcs11:slot-id=0;type=cert" \
    --silent --show-error --fail \
    "https://get.fifty5.top/wg.conf" -o /tmp/wg0.conf

# ── Tunnel einrichten ──────────────────────────────────────────────────
sudo install -m 600 /tmp/wg0.conf /etc/wireguard/wg0.conf
rm /tmp/wg0.conf

sudo wg-quick up wg0
echo "Fertig. WireGuard ist aktiv."