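#!/bin/bash
# VPS Setup Script - Run on your Debian VPS as root.
#
# Installs WireGuard, creates the VPS key pair, enables IPv4 forwarding and
# forwards TCP 80/443 arriving on the public interface to the home server
# (10.0.0.2) through the wg0 tunnel. Re-running is safe: an existing private
# key is kept and iptables rules are only added when they are missing.
#
# Note: the source page had the whole script on one physical line, where
# everything after the shebang is a comment. It must be one command per line.
set -euo pipefail

readonly WG_DIR=/etc/wireguard
readonly HOME_PEER=10.0.0.2

# Print an error to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Append an iptables rule unless an identical one already exists.
# Arguments: [-t TABLE] CHAIN RULE-SPEC...   (TABLE defaults to filter)
# Returns:   status of the iptables -A call when the rule had to be added
#######################################
ensure_rule() {
  local table=filter
  if [[ $1 == -t ]]; then
    table=$2
    shift 2
  fi
  local chain=$1
  shift
  # -C exits non-zero (and complains on stderr) when the rule is absent.
  if ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    iptables -t "$table" -A "$chain" "$@"
  fi
}

((EUID == 0)) || die "this script must be run as root"

echo "=== Installing WireGuard ==="
apt-get update
apt-get install -y wireguard

echo "=== Generating Keys ==="
# Key material must never be group/world readable.
umask 077
if [[ -s "$WG_DIR/privatekey" ]]; then
  # Keep the existing key: regenerating it on a re-run would silently
  # invalidate the public key already configured on the home server.
  echo "Existing private key found, reusing it"
  wg pubkey <"$WG_DIR/privatekey" >"$WG_DIR/publickey"
else
  wg genkey | tee "$WG_DIR/privatekey" | wg pubkey >"$WG_DIR/publickey"
fi

echo ""
echo "========================================"
echo "VPS Private Key (put in wg0.conf):"
# Only show the secret on an interactive terminal so it does not end up in
# redirected output, CI logs or piped transcripts.
if [[ -t 1 ]]; then
  cat "$WG_DIR/privatekey"
else
  echo "(not printed: stdout is not a terminal; read it from $WG_DIR/privatekey)"
fi
echo ""
echo "VPS Public Key (put in home server config):"
cat "$WG_DIR/publickey"
echo "========================================"
echo ""
echo "=== Copy your wg0.conf to /etc/wireguard/wg0.conf ==="
echo "=== Then replace VPS_PRIVATE_KEY with the private key above ==="
echo "=== And replace HOME_PUBLIC_KEY with your home server's public key ==="
echo ""

echo "=== Enabling IP Forwarding ==="
echo 'net.ipv4.ip_forward=1' >/etc/sysctl.d/99-wireguard.conf
sysctl -p /etc/sysctl.d/99-wireguard.conf

echo "=== Setting up iptables rules ==="
# Get the main network interface (usually eth0 or ens3). Take the word after
# "dev" on the first default route instead of relying on a fixed field number.
default_route=$(ip -4 route show default)
INTERFACE=$(awk '{
  for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
}' <<<"$default_route")
# An empty or bogus interface would make the rules below fail or match nothing.
[[ -n "$INTERFACE" ]] || die "could not detect the default network interface"
ip link show dev "$INTERFACE" >/dev/null 2>&1 \
  || die "detected interface '$INTERFACE' does not exist"
echo "Detected interface: $INTERFACE"

# Forward ports 80 and 443 to home server via WireGuard.
# This publishes the home server's web ports on the VPS public address.
for port in 80 443; do
  ensure_rule -t nat PREROUTING -i "$INTERFACE" -p tcp --dport "$port" \
    -j DNAT --to-destination "$HOME_PEER:$port"
  ensure_rule FORWARD -i "$INTERFACE" -o wg0 -p tcp --dport "$port" -j ACCEPT
done
# Return traffic only. The "state" match is kept as in the original rule so
# the existence check also recognises rules added by earlier runs.
ensure_rule FORWARD -i wg0 -o "$INTERFACE" \
  -m state --state RELATED,ESTABLISHED -j ACCEPT
# Source-NAT everything leaving through wg0: the home server then sees the
# VPS tunnel address as the client, so its access logs and any per-IP rate
# limiting or banning no longer see the real client addresses.
ensure_rule -t nat POSTROUTING -o wg0 -j MASQUERADE
# NOTE(review): no FORWARD chain policy is set here; the ACCEPT rules only
# restrict anything if the policy is DROP - confirm against the host firewall.

echo "=== Making iptables persistent ==="
apt-get install -y iptables-persistent
netfilter-persistent save

echo "=== Enabling WireGuard service ==="
systemctl enable wg-quick@wg0

echo ""
echo "=== After you update wg0.conf with keys, run: ==="
echo "systemctl start wg-quick@wg0"
echo ""
echo "=== Done! ==="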