#! /bin/bash

## usage: mk_conf [options] peername [peer.wild]
##
## Generates an ipsec.conf "conn" section joining this host to PEERNAME and
## writes it to /etc/ipsec.d/conn/.  Both ends are described by key files in
## /etc/ipsec.d/pub (this-host.key, PEERNAME.key) which are sourced as shell,
## so that directory must be trusted (root-owned, not writable by others).

ipsecd="/etc/ipsec.d"          ## root of the IPsec configuration tree
libdir="/usr/lib/ipsec"        ## home of the _updown / _downup scripts
pub=$ipsecd/pub                ## per-host key files (NAME.key) and this.host

## Handle of the local ("left") end: the contents of $pub/this.host when that
## file is readable, otherwise the hostname with any domain part stripped.
## Either source failing aborts the script with that command's status.
leftname=""
if ! [[ -r "$pub/this.host" ]] ; then
  leftname=$( hostname | cut -d . -f 1 ) || exit $?
else
  leftname=$( cat "$pub/this.host" ) || exit $?
fi

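## usage: print the synopsis and option summary to stdout.
## Reads:  leftname (this host's handle, shown for orientation).
## The --keyingtries line used echo with a "\t" escape, which bash's builtin
## echo prints literally; printf renders the tab.  The -h/--help and --patch
## options accepted by the parser are now listed too.
function usage(){
  printf '%s\n' \
    "Usage:  mk_conf [options] peername [peer.wild]" \
    " --4rw          normal, default: just listen for incoming rw" \
    " --24           initiate outgoing conn; also listen for incoming non-rw"
  printf ' --keyingtries N \tgive up after N tries [default: 0, meaning never]\n'
  printf '%s\n' \
    " --patch        regenerate downup.patch under the ipsec lib dir and exit" \
    " -h, --help     show this text"
  printf "\nThe handle for this host is '%s'\n" "$leftname"
}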

## needwild: return 0 when $rightwild (the peer's wild-side address) is set;
## otherwise print hints derived from $rightname and $rightid to stderr and
## exit 1.  Only the --24 (initiating) path calls this; --4rw uses %any.
function needwild(){
  [[ -n "$rightwild" ]] && return 0
  {
    echo "Please specify a wild-side addr for peer '$rightname'"
    echo "Perhaps something like '${rightid#*@}'"
    echo "Or add a 'wild=...' line in $rightname.key"
  } >&2
  exit 1
}

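## mkpatch: regenerate $libdir/downup.patch, a context diff showing how the
## local _downup script differs from the stock _updown it was derived from.
## Side effects, all under $libdir: creates old/, a "new" -> . symlink,
## old/_downup (a copy of _updown) and downup.patch.
## Exits 1 if $libdir cannot be entered or _updown cannot be copied; the old
## code ignored a failed cd and ran the rest in whatever the cwd was.
## diff exits 1 when the inputs differ, which is the expected outcome here,
## so its status is deliberately not checked.
function mkpatch() {
  cd "$libdir" || { 1>&2 echo "Cannot cd to $libdir" ; exit 1 ; }
  install -d old
  if ! test -L new ; then ln -s . new ; fi
  cp _updown old/_downup || exit 1
  diff -C 3 old/_downup new/_downup > downup.patch

## Useful trick, kept as a quoted here-doc so nothing in it is expanded:
## to recreate (or port) the patched script from the patch file:
: <<'EoF'
 cd $libdir
 cp _updown _downup
 <downup.patch patch
EoF
}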

## Invoked with no arguments (or only empty ones): show the synopsis, succeed.
[[ -z "$*" ]] && { usage ; exit 0 ; }

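## Command-line parsing.
##   kt     keyingtries value for the conn; non-negative integer, 0 = never give up
##   mode   "4rw" (listen for road warriors, the default) or "24" (initiate)
##   stuff  non-option words in order, becoming the positionals: peername [peer.wild]
## stuff is an array now; the old space-joined string plus unquoted "set $stuff"
## word-split (and glob-expanded) every argument.
kt=0
mode="4rw"      ## the default
stuff=()

## parse_args: fill kt, mode and stuff from its arguments.
## Options may appear anywhere.  Exits 0 after --patch or --help, 1 on an
## unknown option or a bad --keyingtries value.  Empty words are dropped,
## which is what the old word-splitting did implicitly.
parse_args() {
  local word
  while [ $# -gt 0 ] ; do
    word="$1" ; shift
    case "$word" in
      -patch|--patch) mkpatch ; exit 0 ;;
      -4rw|--4rw) mode="4rw" ;;
      -24|--24)   mode="24" ;;
      -h|--help)  usage ; exit ;;
      -k|--k|--keyingtries)
        ## The old code took whatever followed, even nothing, and emitted it
        ## verbatim as keyingtries= in the conn.
        if [ $# -eq 0 ] || ! [[ "$1" =~ ^[0-9]+$ ]] ; then
          1>&2 echo "Option $word needs a non-negative integer (0 = never give up)"
          exit 1
        fi
        kt="$1" ; shift ;;
      "")         ;;
      -*)         1>&2 usage ; exit 1 ;;
      *)          stuff+=("$word") ;;
    esac
  done
}
parse_args "$@"

## From here on $1 is the peer name and $2 the optional wild-side address.
set -- "${stuff[@]}"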

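## The first non-option word names the peer ("right" side).  It is spliced
## into file names ($pub/NAME.key, conn/..._NAME.conf) and into the
## leftupdown command line, so only a safe character set is accepted: letters,
## digits, ".", "_", "-", no "/" and no leading "." (which rules out "..",
## hidden files and any escape from $pub or $ipsecd/conn).
## NOTE(review): the key file named here is *sourced* below; this check stops
## path tricks but cannot make an untrusted $pub safe.
rightname="$1"
if test -z "$rightname" ; then
  1>&2 usage
  exit 1
fi

case "$rightname" in
  */*|.*|*[!A-Za-z0-9._-]*)
    1>&2 echo "Bad peer name '$rightname': use letters, digits, '.', '_' or '-' (no leading '.')"
    exit 1
    ;;
esac

if test "$rightname" = "$leftname" ; then
  1>&2 echo "Cannot connect '$rightname' to self"
  exit 1
fi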

##////////////////////////////////////////
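## load_keyfile FILE SIDE
## Source the key file FILE (SIDE is "left" or "right") and copy the values
## it defines into SIDEid, SIDEsubnet, SIDErsasigkey and SIDEwild.
##   id, subnet, rsasigkey   mandatory; exits 1 with "Need '...'" if empty
##   wild                    optional, may stay empty
## Exits 1 if FILE is not a readable regular file, or with the status of the
## sourced file if it fails.
## SECURITY: FILE is executed as shell code with this script's privileges
## (normally root), so $pub and its contents must be owned by and writable
## only by root; a stray NAME.key there is arbitrary code execution.
## This replaces two near-identical copies of the same ~25 lines.
load_keyfile() {
  local file="$1" side="$2" var
  if ! test -f "$file" || ! test -r "$file" ; then
    1>&2 echo "Cannot read keyfile $file"
    exit 1
  fi
  ## Reset so a value from the previously loaded file cannot leak through.
  id=""
  wild=""
  subnet=""
  rsasigkey=""
  . "$file" || exit $?
  for var in id subnet rsasigkey ; do
    if test -z "${!var}" ; then
      1>&2 echo "Need '$var' in $file"
      exit 1
    fi
  done
  printf -v "${side}id"        '%s' "$id"
  printf -v "${side}subnet"    '%s' "$subnet"
  printf -v "${side}rsasigkey" '%s' "$rsasigkey"
  printf -v "${side}wild"      '%s' "$wild"
}

leftfile="$pub/$leftname.key"
load_keyfile "$leftfile" left
##////////////////////////////////////////
## same as above, but switched left->right
##////////////////////////////////////////
rightfile="$pub/$rightname.key"
load_keyfile "$rightfile" right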
##////////////////////////////////////////


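## Optional second word: the peer's wild-side address, overriding any "wild="
## from its key file.  dq (an external helper, not defined in this file)
## canonicalizes it; its failure aborts with its status.
## In --4rw mode the conn listens on right=%any, so the address is validated
## but then unused -- say so instead of dropping it silently.
if test -n "$2" ; then
  if test "$mode" = "4rw" ; then
    1>&2 echo "Note: --4rw listens with right=%any; wild-side addr '$2' is not used"
  fi
  rightwild=$( dq "$2" ) || exit $?
fi

## apply_mode: derive the mode-dependent conn settings.
## Reads:  mode, leftname, rightname, rightwild
## Writes: flags (extra args for _downup), rightwild, cname (conn name and
##         output file stem), auto (the ipsec auto= value)
##   4rw  listen for road warriors: right=%any, auto=add, _downup gets
##        "custom rw PEER"
##   24   initiate (and listen): needs a concrete rightwild, needwild aborts
##        otherwise; auto=start; no extra _downup args
## $mode only ever holds one of these two values (set by the option parser),
## so there is no default arm.
apply_mode() {
  case "$mode" in
    4rw)
      flags="custom rw $rightname"
      rightwild="%any"
      cname="${leftname}_4_${rightname}"
      auto=add
      ;;
    24)
      flags=""
      needwild
      cname="${leftname}_24_${rightname}"
      auto=start
      ;;
  esac
}
apply_mode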

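## emit_conn: print the ipsec.conf "conn" section for this pair to stdout.
## Reads:  cname, leftid, leftsubnet, leftrsasigkey, libdir, flags,
##         rightid, rightwild, rightsubnet, rightrsasigkey, auto, kt
## left= is always %defaultroute; right= is the wild-side address or %any.
## Values are interpolated unescaped between double quotes, so an id, subnet
## or rsasigkey containing '"' yields a conn the parser will reject; the key
## files are trusted input (they are sourced) and are not sanitized here.
emit_conn() {
  cat <<EoF
conn $cname
  ## Automatically created by mk_conf
  ## so you probably don't want to be editing this.
        leftid="$leftid"
        left="%defaultroute"
        leftsubnet="$leftsubnet"
        leftrsasigkey="$leftrsasigkey"
        leftupdown="$libdir/_downup $flags"
  ##
        rightid="$rightid"
        right="$rightwild"
        rightsubnet="$rightsubnet"
        rightrsasigkey="$rightrsasigkey"
        auto="$auto"
        keyingtries="$kt"
EoF
}

## Write the conn under $ipsecd/conn, overwriting an earlier file for the
## same pair and mode.  A failed write (e.g. missing directory) leaves bash's
## error on stderr and a non-zero status for the trailing exit to propagate.
ofile="$ipsecd/conn/$cname.conf"
emit_conn > "$ofile"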

## Finish with the status of the last command (the config file write).
exit "$?"
