#!/bin/bash
set -e

# Script to disable a VPN client (keeps keys but removes from WireGuard)
# Usage: ./disable-client.sh <client_name>

if [ "$EUID" -ne 0 ]; then
    echo "ERROR: Please run as root"
    exit 1
fi

if [ -z "$1" ]; then
    echo "Usage: $0 <client_name>"
    echo "Example: $0 phone"
    exit 1
fi

CLIENT_NAME="$1"
KEYS_DIR="/etc/wireguard/keys"
WG_INTERFACE="wg0"

# Check if client exists
if [ ! -f "${KEYS_DIR}/client_${CLIENT_NAME}.pub" ]; then
    echo "ERROR: Client '${CLIENT_NAME}' does not exist"
    exit 1
fi

CLIENT_PUBLIC_KEY=$(cat "${KEYS_DIR}/client_${CLIENT_NAME}.pub")

# Check if client is currently active
if ! wg show ${WG_INTERFACE} | grep -q "${CLIENT_PUBLIC_KEY}"; then
    echo "Client '${CLIENT_NAME}' is already disabled"
    exit 0
fi

echo "Disabling VPN client: ${CLIENT_NAME}"
echo ""

echo "[1/2] Removing peer from WireGuard interface..."
wg set ${WG_INTERFACE} peer ${CLIENT_PUBLIC_KEY} remove

echo "[2/2] Saving WireGuard configuration..."
wg-quick save ${WG_INTERFACE}

echo ""
echo "========================================="
echo "Client disabled successfully!"
echo "========================================="
echo ""
echo "Client '${CLIENT_NAME}' is now disabled"
echo "Keys and configuration are preserved"
echo "To re-enable, use: ./enable-client.sh ${CLIENT_NAME}"
echo ""