infra: wireguard.py annotate

annotate wireguard.py @ 279:1cb4aeec8fc6

pi_setup code to prepare a pi for netboot

author	drewp@bigasterisk.com
date	Sun, 14 Apr 2024 20:54:35 -0700
parents	705698800bfb
children	65e28d2e0cd8

rev	line source
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	1 import subprocess
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	2
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	3 from pyinfra import host
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	4 from pyinfra.facts.files import FindInFile
259 e45e93a797b0 wg updates drewp@bigasterisk.com parents: 215 diff changeset	5 from pyinfra.operations import files, systemd
e45e93a797b0 wg updates drewp@bigasterisk.com parents: 215 diff changeset	6
215 db8787bd800e wireguard now uses ditto (and prime) as hubs for home/remote drewp@bigasterisk.com parents: 115 diff changeset	7 import wireguard_pubkey
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	8
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	9 # other options:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	10 # https://www.reddit.com/r/WireGuard/comments/fkr240/shortest_path_between_peers/
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	11 # https://github.com/k4yt3x/wireguard-mesh-configurator
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	12 # https://github.com/mawalu/wireguard-private-networking
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	13 #
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	14
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	15
215 db8787bd800e wireguard now uses ditto (and prime) as hubs for home/remote drewp@bigasterisk.com parents: 115 diff changeset	16 def peer_block(hostname, allowed_ips, endpoint=None, keepalive=None):
89 2fddde57231b no connman to surprisingly rewrite net configs drewp@bigasterisk.com parents: 76 diff changeset	17 # if allowed_ips.startswith('10.5'):
2fddde57231b no connman to surprisingly rewrite net configs drewp@bigasterisk.com parents: 76 diff changeset	18 # # k3s nets also need to travel over wg
2fddde57231b no connman to surprisingly rewrite net configs drewp@bigasterisk.com parents: 76 diff changeset	19 # allowed_ips += ', 10.42.0.0/24, 10.43.0.0/24'
2fddde57231b no connman to surprisingly rewrite net configs drewp@bigasterisk.com parents: 76 diff changeset	20
215 db8787bd800e wireguard now uses ditto (and prime) as hubs for home/remote drewp@bigasterisk.com parents: 115 diff changeset	21 public_key = wireguard_pubkey.pubkey[hostname]
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	22 out = f'''\
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	23
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	24 [Peer]
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	25 # {hostname}
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	26 PublicKey = {public_key}
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	27 AllowedIPs = {allowed_ips}
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	28 '''
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	29 if endpoint is not None:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	30 out += f'Endpoint = {endpoint}\n'
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	31 if keepalive is not None:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	32 out += f'PersistentKeepalive = {keepalive}\n'
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	33 return out
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	34
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	35
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	36 for wireguard_interface in ['wg0', 'bogasterisk']:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	37 if wireguard_interface == 'bogasterisk' and host.name != 'prime':
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	38 continue
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	39
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	40 # note- this is specific to the wg0 setup. Other conf files don't use it.
259 e45e93a797b0 wg updates drewp@bigasterisk.com parents: 215 diff changeset	41 wireguard_ip = host.host_data.get('wireguard_address')
e45e93a797b0 wg updates drewp@bigasterisk.com parents: 215 diff changeset	42 if wireguard_interface == 'wg0' and wireguard_ip is None:
e45e93a797b0 wg updates drewp@bigasterisk.com parents: 215 diff changeset	43 continue
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	44
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	45 # new pi may fail with 'Unable to access interface: Protocol not supported'. reboot fixes.
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	46
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	47 priv_key_lines = host.get_fact(FindInFile, path=f'/etc/wireguard/{wireguard_interface}.conf', pattern=r'PrivateKey.*')
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	48 if not priv_key_lines:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	49 priv_key = subprocess.check_output(['wg', 'genkey']).strip().decode('ascii')
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	50 else:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	51 priv_key = priv_key_lines[0].split(' = ')[1]
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	52
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	53 pub_key = subprocess.check_output(['wg', 'pubkey'], input=priv_key.encode('ascii')).strip().decode('ascii')
115 8012f6095220 update to current configs drewp@bigasterisk.com parents: 97 diff changeset	54 # todo: if this was new, it should be added to a file of pubkeys that
8012f6095220 update to current configs drewp@bigasterisk.com parents: 97 diff changeset	55 # peer_block can refer to. meanwhile, edit the template.
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	56
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	57 files.template(
12 15c5ce7c74b5 refactor, cleanup, split large deploys drewp@bigasterisk.com parents: 9 diff changeset	58 src=f'templates/wireguard/{wireguard_interface}.conf.j2',
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	59 dest=f'/etc/wireguard/{wireguard_interface}.conf',
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	60 mode='600',
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	61 wireguard_ip=wireguard_ip,
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	62 priv_key=priv_key,
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	63 peer_block=peer_block,
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	64 )
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	65 svc = f'wg-quick@{wireguard_interface}.service'
76 de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	66
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	67 files.template(src='templates/wireguard/wg.service.j2',
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	68 dest=f'/etc/systemd/system/{svc}',
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	69 wireguard_interface=wireguard_interface)
272 705698800bfb workaround for wg+dns problem drewp@bigasterisk.com parents: 259 diff changeset	70 systemd.service(service=svc, enabled=True, restarted=True, daemon_reload=True)
76 de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	71
9 7e76e6dcc080 wg tweaks drewp@bigasterisk.com parents: 5 diff changeset	72 systemd.service(service=svc, daemon_reload=True, restarted=True, enabled=True)
71 52156d3898c5 mostly per-host network settings drewp@bigasterisk.com parents: 12 diff changeset	73
97 9b7d7ea79f16 stop trying separate dns on 10.5 net. just use names like 'bang5' drewp@bigasterisk.com parents: 89 diff changeset	74 # if host.name == 'bang':
9b7d7ea79f16 stop trying separate dns on 10.5 net. just use names like 'bang5' drewp@bigasterisk.com parents: 89 diff changeset	75 # systemd.service(service=f'dnsmasq_10.5', enabled=True, restarted=True, daemon_reload=True)

Mercurial > code > home > repos > infra

annotate wireguard.py @ 279:1cb4aeec8fc6