annotate wireguard.py @ 305:58d8e6072dcc

update syncthing
author drewp@bigasterisk.com
date Sat, 24 Aug 2024 15:06:51 -0700
parents 65e28d2e0cd8
children
import base64
import subprocess

from pyinfra import host
from pyinfra.facts.files import FindInFile
from pyinfra.operations import files, systemd

import wireguard_pubkey
# Other mesh-generation approaches that were considered but are not used here:
10 # https://www.reddit.com/r/WireGuard/comments/fkr240/shortest_path_between_peers/
11 # https://github.com/k4yt3x/wireguard-mesh-configurator
12 # https://github.com/mawalu/wireguard-private-networking
13 #
def peer_block(hostname, allowed_ips, endpoint=None, keepalive=None):
    """Render one ``[Peer]`` section for *hostname*.

    The peer's public key is looked up in the hand-maintained table in
    wireguard_pubkey.py; a KeyError here means that host has no entry yet.

    ``allowed_ips`` is written verbatim as ``AllowedIPs``. It should normally
    be derived from the peer's host.data.wireguard_address (a single /32);
    anything broader makes this peer the route for more than its own address,
    so widen it only on purpose (e.g. on a hub).

    Args:
        hostname: inventory name of the peer; also emitted as a comment line.
        allowed_ips: text for the ``AllowedIPs`` directive.
        endpoint: optional ``host:port``; emitted as ``Endpoint`` when given.
        keepalive: optional interval in seconds; emitted as
            ``PersistentKeepalive`` when given.

    Returns:
        The section text: a leading blank line, then one directive per line,
        terminated by a newline.
    """
    lines = [
        '',
        '[Peer]',
        f'# {hostname}',
        f'PublicKey = {wireguard_pubkey.pubkey[hostname]}',
        f'AllowedIPs = {allowed_ips}',
    ]
    if endpoint is not None:
        lines.append(f'Endpoint = {endpoint}')
    if keepalive is not None:
        lines.append(f'PersistentKeepalive = {keepalive}')
    return '\n'.join(lines) + '\n'
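def _parse_private_key_line(lines) -> str:
    """Return the value of the first real ``PrivateKey = ...`` line in *lines*.

    The grep pattern used by get_priv_key (``PrivateKey.*``) also matches
    commented-out lines (``# PrivateKey = old``) and lines written without
    spaces around ``=``. The previous ``split(' = ')[1]`` returned the stale
    commented key in the first case and raised IndexError in the second.

    Raises:
        ValueError: no uncommented ``PrivateKey = <value>`` line is present.
    """
    for line in lines:
        stripped = line.strip()
        if stripped.startswith(('#', ';')):
            continue
        name, sep, value = stripped.partition('=')
        if sep and name.strip() == 'PrivateKey':
            value = value.strip()
            if value:
                return value
    raise ValueError('no usable PrivateKey line found in wireguard conf')


def get_priv_key(wireguard_interface) -> str:
    """Return the WireGuard private key for *wireguard_interface* on this host.

    The key is read back from the target's existing
    ``/etc/wireguard/<iface>.conf`` (via the FindInFile fact) so repeated
    deploys keep the host's identity. When no ``PrivateKey`` line is found, a
    fresh key is generated with ``wg genkey``.

    Security notes:
    - ``subprocess`` here runs on the deploying machine, not the target: a new
      private key is created locally and shipped to the host inside the
      rendered conf. It is never generated on the target itself.
    - The conf file is the only persistent copy of the key. If it is missing
      or its PrivateKey line is gone, the next deploy silently mints a new
      identity, and every peer's hand-maintained entry in wireguard_pubkey.py
      for this host goes stale.
    - ``wg`` is invoked with an argv list (no shell) and the key is never put
      on a command line.

    Args:
        wireguard_interface: interface name, used only to build the conf path.
            Callers pass fixed names; it is not sanitised here.

    Returns:
        The base64 private key with surrounding whitespace removed.

    Raises:
        ValueError: the conf matched the grep but held no usable key line.
        subprocess.CalledProcessError: ``wg genkey`` failed.
    """
    priv_key_lines = host.get_fact(FindInFile, path=f'/etc/wireguard/{wireguard_interface}.conf', pattern=r'PrivateKey.*')
    if not priv_key_lines:
        # Presumably falsy both when the file is absent and when nothing
        # matched (pyinfra returns None / []) — either way, generate.
        return subprocess.check_output(['wg', 'genkey']).strip().decode('ascii')
    return _parse_private_key_line(priv_key_lines)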
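def compute_pub_key(priv_key: str) -> str:
    """Derive the WireGuard public key for *priv_key* with ``wg pubkey``.

    The private key is passed to ``wg`` on stdin rather than argv, so it does
    not appear in the process list. Before spawning ``wg`` the input is
    checked to be a well-formed key (base64 of exactly 32 bytes) so an empty
    or mangled value fails with a clear ValueError instead of an opaque
    CalledProcessError.

    NOTE: this deploy does not yet use the result — wireguard_pubkey.py is
    still hand-maintained — so a host whose key was (re)generated needs its
    public key copied there by hand.

    Args:
        priv_key: base64 private key; surrounding whitespace is tolerated.

    Returns:
        The base64 public key, without surrounding whitespace.

    Raises:
        ValueError: *priv_key* is not base64 for a 32-byte key.
        subprocess.CalledProcessError: ``wg pubkey`` rejected the key.
    """
    key = priv_key.strip()
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError as err:  # binascii.Error is a ValueError subclass
        raise ValueError('private key is not valid base64') from err
    if len(raw) != 32:
        raise ValueError(f'private key decodes to {len(raw)} bytes, expected 32')
    return subprocess.check_output(['wg', 'pubkey'], input=key.encode('ascii')).strip().decode('ascii')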
# Render and (re)start one wg-quick unit per interface this host owns.
# pyinfra runs the operations in source order: conf file, then unit file,
# then daemon-reload + restart. Keep that order.
for wireguard_interface in ['wg0', 'bogasterisk']:
    # The 'bogasterisk' interface exists only on the 'prime' host.
    if wireguard_interface == 'bogasterisk' and host.name != 'prime':
        continue

    # note- this is specific to the wg0 setup. Other conf files don't use it.
    wireguard_ip = host.host_data.get('wireguard_address')
    # A host with no wireguard_address in inventory gets no wg0 at all.
    if wireguard_interface == 'wg0' and wireguard_ip is None:
        continue

    # new pi may fail with 'Unable to access interface: Protocol not supported'. reboot fixes.

    # Existing key read back from the target, or a new one generated locally
    # (see get_priv_key for the identity-rotation caveat).
    priv_key = get_priv_key(wireguard_interface)

    # unused since I still hand-maintain wireguard_pubkey.py :(
    # pub_key = compute_pub_key(priv_key)

    # The rendered conf contains the private key in clear text, hence mode
    # 600. Owner is pyinfra's default (presumably root via sudo — confirm).
    files.template(
        src=f'templates/wireguard/{wireguard_interface}.conf.j2',
        dest=f'/etc/wireguard/{wireguard_interface}.conf',
        mode='600',
        wireguard_ip=wireguard_ip,
        priv_key=priv_key,
        peer_block=peer_block,
    )
    svc = f'wg-quick@{wireguard_interface}.service'

    # A fully-named unit in /etc/systemd/system shadows the packaged
    # wg-quick@ template for this instance; per the commit history this
    # exists to sequence dhcp -> wireguard -> dns at boot.
    files.template(src='templates/wireguard/wg.service.j2',
                   dest=f'/etc/systemd/system/{svc}',
                   wireguard_interface=wireguard_interface)
    # restarted=True bounces the tunnel on every deploy, changed or not.
    systemd.service(service=svc, daemon_reload=True, restarted=True, enabled=True)