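#!/bin/bash
# Import the assets/wireguard-config Proton configs into NetworkManager as
# wireguard connections with autoconnect off. Two NM quirks handled here:
#
# - The import filename must be a valid interface name (<= 15 chars), and
#   several config names are longer — so every file imports through a temp
#   copy named wgpvpn.conf and the connection is renamed to the real config
#   name right after (by the UUID parsed from the import output, so a stray
#   same-named connection can't be hit). All profiles share the wgpvpn
#   interface, which is fine (they're mutually exclusive full-tunnel
#   configs), and the wg prefix keeps the net doctor's tunnel-down repair
#   on the NM path.
# - Imports default to autoconnect yes, and these are full-tunnel
#   (AllowedIPs 0.0.0.0/0) — a VPN that arms itself on boot is not a default
#   anyone chose, so the modify runs immediately after each import.
#
# A connection still literally named wgpvpn means an earlier run died
# between import and rename — and it still has autoconnect on. The script
# refuses to run until that's cleaned up rather than guessing.
#
# Idempotent: already-imported names skip.
#
# Usage: import-wireguard-configs.sh [config-dir]

set -euo pipefail

# Print each argument as its own line on stderr, then exit 1.
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

dir="${1:-$(cd "$(dirname "$0")/.." && pwd)/assets/wireguard-config}"
[ -d "$dir" ] || die "no such config dir: $dir"

# A leftover transient connection still has autoconnect on and is not
# necessarily ours to delete, so it is reported, never reused or removed.
if nmcli -t -f NAME connection show | grep -Fxq "wgpvpn"; then
  die "stale 'wgpvpn' connection found (an earlier run died mid-import; it has autoconnect ON)" \
      "inspect and remove it first: nmcli connection delete wgpvpn"
fi

# The temp copy carries the tunnel's private key: mktemp -d yields a
# mode-0700 directory and the EXIT trap removes it on every exit path.
tmp="$(mktemp -d)" || die "mktemp failed"
trap 'rm -rf -- "$tmp"' EXIT

# Snapshot of names already in NM, one per line, taken once. The loop only
# adds names from this directory, and each is checked against the snapshot
# before being added, so re-querying per iteration gains nothing.
# NOTE(review): terse mode escapes ':' inside values as '\:', so a config
# name containing a colon would never match here — not expected for these.
existing="$(nmcli -t -f NAME connection show)"

shopt -s nullglob
found=0
for conf in "$dir"/*.conf; do
  found=1
  # basename without spawning a process: strip the directory, then ".conf".
  name="${conf##*/}"
  name="${name%.conf}"
  if grep -Fxq -- "$name" <<<"$existing"; then
    echo "skip: $name (already imported)"
    continue
  fi

  # Import under the short fixed name (see header), then rename by UUID.
  # '--' guards against a config dir whose path begins with '-'.
  cp -- "$conf" "$tmp/wgpvpn.conf"
  out="$(nmcli connection import type wireguard file "$tmp/wgpvpn.conf")"
  uuid="$(grep -oE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' <<<"$out" | head -1 || true)"
  if [ -z "$uuid" ]; then
    # The import returned success, so a 'wgpvpn' connection with autoconnect
    # on most likely exists now; say so instead of leaving it to be found
    # by the stale-connection check on the next run.
    die "could not parse a UUID from the import output for $name:" \
        " $out" \
        "the import may have left a 'wgpvpn' connection with autoconnect ON; check with: nmcli connection show"
  fi

  # Between import and this modify the profile is live under the transient
  # name with autoconnect on. If the modify fails, name the exact connection
  # to remove rather than exiting on nmcli's error alone.
  if ! nmcli connection modify "$uuid" connection.id "$name" \
       connection.autoconnect no; then
    die "rename/autoconnect-off failed for $name; connection $uuid (still named wgpvpn) has autoconnect ON" \
        "remove it with: nmcli connection delete $uuid"
  fi
  echo "imported: $name (autoconnect off, iface wgpvpn)"
done

[ "$found" = 1 ] || die "no .conf files in $dir"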