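package wireguard

import (
	"fmt"
	"os/exec"
)

// wg-quick is managed via systemd unit instances (wg-quick@<iface>.service).
// Reload-via-syncconf would be cheaper (no link flap) but needs more
// per-change diffing — for v1 we restart the unit, which takes ~1s
// and re-establishes peers cleanly. The sudoers entry shipped in
// postinst whitelists exactly these three commands.
//
// The interface name is spliced into a unit name that is handed to a
// privileged systemctl, so every entry point validates it first. exec.Command
// does not involve a shell, but systemctl itself treats characters such as
// '*' and '?' in a unit name as glob patterns, and the sudoers whitelist is
// only as tight as the argument we pass.
//
// NOTE(review): "sudo" is resolved through PATH while systemctl is given as an
// absolute path — confirm the service runs with a controlled PATH.

// maxIfaceLen is the longest interface name accepted here. Linux limits
// interface names to 15 bytes, and wg-quick enforces the same bound.
const maxIfaceLen = 15

// validIfaceName reports whether iface is 1..maxIfaceLen bytes drawn from
// [a-zA-Z0-9_=+.-], the character set wg-quick accepts for interface names.
func validIfaceName(iface string) bool {
	if len(iface) == 0 || len(iface) > maxIfaceLen {
		return false
	}
	for i := 0; i < len(iface); i++ {
		c := iface[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case c == '_', c == '=', c == '+', c == '.', c == '-':
		default:
			return false
		}
	}
	return true
}

// wgQuickCommand builds the "sudo -n systemctl <action> wg-quick@<iface>.service"
// command. It returns an error, without building anything, when iface is not a
// valid interface name.
func wgQuickCommand(action, iface string) (*exec.Cmd, error) {
	if !validIfaceName(iface) {
		return nil, fmt.Errorf("invalid WireGuard interface name %q", iface)
	}
	// -n makes sudo fail instead of prompting when no sudoers rule matches.
	return exec.Command("sudo", "-n", "/usr/bin/systemctl", action, "wg-quick@"+iface+".service"), nil
}

// runWGQuick runs the given systemctl action for iface and wraps any failure
// together with the command's combined stdout/stderr.
func runWGQuick(action, iface string) error {
	cmd, err := wgQuickCommand(action, iface)
	if err != nil {
		return err
	}
	if out, err := cmd.CombinedOutput(); err != nil {
		return fmt.Errorf("systemctl %s wg-quick@%s: %w: %s", action, iface, err, string(out))
	}
	return nil
}

// startWGQuick starts the wg-quick unit instance for iface.
// It returns an error if iface is not a valid interface name or if the
// systemctl invocation fails.
func startWGQuick(iface string) error {
	return runWGQuick("start", iface)
}

// restartWGQuick restarts the wg-quick unit instance for iface.
// It returns an error if iface is not a valid interface name or if the
// systemctl invocation fails.
func restartWGQuick(iface string) error {
	return runWGQuick("restart", iface)
}

// stopWGQuick stops the wg-quick unit instance for iface on a best-effort
// basis: a failing systemctl call is ignored. The only error returned is for
// an invalid interface name, in which case nothing is executed.
func stopWGQuick(iface string) error {
	cmd, err := wgQuickCommand("stop", iface)
	if err != nil {
		return err
	}
	// Ignore failures — unit may not exist.
	_ = cmd.Run()
	return nil
}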