path: root/scripts/import-wireguard-configs.sh
blob: ae6ca7eb4c258d6d73e2226c9054a1607d719cfe (plain)
#!/bin/bash
# Import the assets/wireguard-config Proton configs into NetworkManager as
# wireguard connections with autoconnect off. Two NM quirks handled here:
#
# - The import filename must be a valid interface name (<= 15 chars), and
#   several config names are longer — so every file imports through a temp
#   copy named wgpvpn.conf and the connection is renamed to the real config
#   name right after (by the UUID parsed from the import output, so a stray
#   same-named connection can't be hit). All profiles share the wgpvpn
#   interface, which is fine (they're mutually exclusive full-tunnel
#   configs), and the wg prefix keeps the net doctor's tunnel-down repair
#   on the NM path.
# - Imports default to autoconnect yes, and these are full-tunnel
#   (AllowedIPs 0.0.0.0/0) — a VPN that arms itself on boot is not a default
#   anyone chose, so the modify runs immediately after each import.
#
# A connection still literally named wgpvpn means an earlier run died
# between import and rename — and it still has autoconnect on. The script
# refuses to run until that's cleaned up rather than guessing.
#
# Idempotent: already-imported names skip.
#
# Usage: import-wireguard-configs.sh [config-dir]
set -euo pipefail

# Config dir: the first argument when one is given (and non-empty),
# otherwise assets/wireguard-config under the repo root, resolved relative
# to this script's own location so it works from any cwd.
if [ -n "${1:-}" ]; then
    dir="$1"
else
    dir="$(cd "$(dirname "$0")/.." && pwd)/assets/wireguard-config"
fi
if ! [ -d "$dir" ]; then
    printf 'no such config dir: %s\n' "$dir" >&2
    exit 1
fi

# A profile still literally named wgpvpn is the leftover of a run that died
# between import and rename; it has autoconnect on, so refuse to continue
# until a human has looked at it (see the header for why this is not
# cleaned up automatically).
stale_name='wgpvpn'
if nmcli -t -f NAME connection show | grep -Fxq -- "$stale_name"; then
    printf '%s\n' \
        "stale 'wgpvpn' connection found (an earlier run died mid-import; it has autoconnect ON)" \
        "inspect and remove it first: nmcli connection delete wgpvpn" >&2
    exit 1
fi

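# Scratch dir for the wgpvpn.conf copies. Each copy carries a tunnel
# private key, so it must not be world-readable and must not outlive the
# run: mktemp -d creates the dir with a private mode, and the EXIT trap
# removes it on every exit path, including the error exits below. The
# "${tmp:?}" guard makes the rm abort instead of running with an empty
# path if the assignment somehow never happened.
tmp="$(mktemp -d)"
trap 'rm -rf -- "${tmp:?}"' EXIT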

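shopt -s nullglob

# One NM query for the skip check instead of one per config. Every config
# maps to a distinct connection name, so a profile added during this run
# never needs to be looked up again.
existing="$(nmcli -t -f NAME connection show)"

found=0
for conf in "$dir"/*.conf; do
    found=1
    name="${conf##*/}"
    name="${name%.conf}"
    # "--" keeps a name that starts with "-" from being read as a grep option.
    if grep -Fxq -- "$name" <<<"$existing"; then
        echo "skip: $name (already imported)"
        continue
    fi
    # The copy holds the tunnel's private key; $tmp is the private dir
    # created above and is wiped by the EXIT trap.
    cp -- "$conf" "$tmp/wgpvpn.conf"
    out="$(nmcli connection import type wireguard file "$tmp/wgpvpn.conf")"
    # From here until the modify succeeds the new profile is named wgpvpn
    # with autoconnect ON — exactly the state the stale check at the top
    # refuses to run over — so every failure path below tells the user.
    # NOTE(review): NM may auto-activate a freshly added autoconnect
    # profile inside this window; the modify clears the flag but does not
    # take an already-activated tunnel down — confirm whether that matters.
    uuid="$(grep -oE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' <<<"$out" | head -1 || true)"
    if [ -z "$uuid" ]; then
        echo "could not parse a UUID from the import output for $name:" >&2
        echo "  $out" >&2
        echo "the profile was imported as 'wgpvpn' with autoconnect ON; inspect and remove it: nmcli connection delete wgpvpn" >&2
        exit 1
    fi
    # Rename and disarm in one modify. Under set -e a bare failure here
    # would exit silently and leave the armed wgpvpn profile behind; say so.
    if ! nmcli connection modify "$uuid" connection.id "$name" \
            connection.autoconnect no; then
        echo "rename/autoconnect-off failed for $name; connection $uuid is still named 'wgpvpn' with autoconnect ON" >&2
        echo "inspect and remove it: nmcli connection delete $uuid" >&2
        exit 1
    fi
    echo "imported: $name (autoconnect off, iface wgpvpn)"
done
[ "$found" = 1 ] || { echo "no .conf files in $dir" >&2; exit 1; }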