#!/bin/sh
# Maintainer script for the cloud-router package: reads the debconf answers,
# renders the configuration, then applies system, firewall and VPN settings.

# Abort on the first failing command so a half-applied configuration is
# reported to dpkg as a failed configure step.
set -e
# debconf shell library; provides the db_get / db_set / db_stop commands
# used below.
. /usr/share/debconf/confmodule

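# Only the "configure" action is handled; every other maintainer-script
# action ($1) falls through without doing anything.
case "$1" in
    configure)
        # ── Read debconf answers ──────────────────────────────────────────────
        # db_get leaves the answer in $RET; under `set -e` a failing db_get
        # aborts the script.
        db_get cloud-router/local_addrs;           CLOUD_ROUTER_LOCAL_ADDRS="$RET"
        db_get cloud-router/local_fqdn;            CLOUD_ROUTER_LOCAL_FQDN="$RET"
        db_get cloud-router/local_id_mode;         CLOUD_ROUTER_LOCAL_ID_MODE="$RET"
        db_get cloud-router/local_cidrs;           CLOUD_ROUTER_LOCAL_CIDRS="$RET"
        db_get cloud-router/remote_addrs;          CLOUD_ROUTER_REMOTE_ADDRS="$RET"
        db_get cloud-router/remote_id;             CLOUD_ROUTER_REMOTE_ID="$RET"
        # Secret: IPsec pre-shared key. Kept as a plain shell variable (not
        # exported) so it is only handed to the renderer below.
        # NOTE(review): presumably the template is of type "password" so the
        # value is not kept in the world-readable debconf database — confirm
        # in the package's templates file.
        db_get cloud-router/psk;                   CLOUD_ROUTER_PSK="$RET"
        db_get cloud-router/remote_cidrs;          CLOUD_ROUTER_REMOTE_CIDRS="$RET"
        db_get cloud-router/router_int_gateway_ip; CLOUD_ROUTER_ROUTER_INT_GATEWAY_IP="$RET"
        db_get cloud-router/p2s_address_pool;      CLOUD_ROUTER_P2S_ADDRESS_POOL="$RET"
        db_get cloud-router/wg_enabled;            CLOUD_ROUTER_WG_ENABLED="$RET"
        db_get cloud-router/wg_address;            CLOUD_ROUTER_WG_ADDRESS="$RET"
        db_get cloud-router/wg_listen_port;        CLOUD_ROUTER_WG_LISTEN_PORT="$RET"

        # ── Render configuration files via Jinja2 templates ─────────────────
        # Non-secret settings are exported for the renderer. The PSK is
        # deliberately left out of this list.
        export CLOUD_ROUTER_LOCAL_ADDRS CLOUD_ROUTER_LOCAL_FQDN \
               CLOUD_ROUTER_LOCAL_ID_MODE CLOUD_ROUTER_LOCAL_CIDRS \
               CLOUD_ROUTER_REMOTE_ADDRS CLOUD_ROUTER_REMOTE_ID \
               CLOUD_ROUTER_REMOTE_CIDRS \
               CLOUD_ROUTER_ROUTER_INT_GATEWAY_IP CLOUD_ROUTER_P2S_ADDRESS_POOL \
               CLOUD_ROUTER_WG_ENABLED CLOUD_ROUTER_WG_ADDRESS \
               CLOUD_ROUTER_WG_LISTEN_PORT

        # Pass the PSK in the environment of this one process only, so that
        # sysctl, netplan, systemctl and ufw below do not inherit the secret.
        CLOUD_ROUTER_PSK="$CLOUD_ROUTER_PSK" /usr/lib/cloud-router/configure
        unset CLOUD_ROUTER_PSK

        # Blank the stored answer so the PSK does not persist in debconf once
        # it has been rendered.
        # NOTE(review): a later run of this script (upgrade, reconfigure
        # without re-asking) will read an empty PSK here — confirm that
        # /usr/lib/cloud-router/configure does not overwrite the existing
        # secret with an empty value in that case.
        db_set cloud-router/psk ""

        # ── Apply system settings ─────────────────────────────────────────────
        sysctl --system
        netplan apply
        systemctl daemon-reload
        systemctl restart systemd-resolved

        # ── UFW: ensure SSH is allowed then enable ────────────────────────────
        # The allow rule is added before the firewall is switched on so an
        # administrator connected over SSH is not locked out.
        # NOTE(review): this rule accepts 22/tcp from any source address;
        # restrict it to the management network if one is defined.
        ufw allow 22/tcp
        # --force skips ufw's interactive confirmation prompt.
        ufw --force enable
        ufw reload

        # ── strongSwan ────────────────────────────────────────────────────────
        # Enable at boot and start immediately.
        systemctl enable --now strongswan
        ;;
esac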

# debhelper replaces the token below with its generated maintainer-script
# snippets at package build time; it must stay on a line of its own.
#DEBHELPER#

# Tell the debconf frontend that this script is done talking to it.
db_stop
