annotate wireguard.py @ 5:7e8c7de5b490

port wireguard setup
author drewp@bigasterisk.com
date Wed, 10 Nov 2021 09:51:54 -0800
parents
children 7e76e6dcc080
1 import subprocess
3 from pyinfra import host
4 from pyinfra.facts.files import FindInFile
5 from pyinfra.operations import apt, files, systemd
7 # other options:
8 # https://www.reddit.com/r/WireGuard/comments/fkr240/shortest_path_between_peers/
9 # https://github.com/k4yt3x/wireguard-mesh-configurator
10 # https://github.com/mawalu/wireguard-private-networking
11 #
def peer_block(hostname, public_key, allowed_ips, endpoint=None, keepalive=None):
    """Render one ``[Peer]`` section for a WireGuard ``.conf`` file.

    Passed into the Jinja template as a callable so the template can emit a
    section per peer. The section is preceded by a blank line and ends with a
    trailing newline. ``Endpoint`` and ``PersistentKeepalive`` are written only
    when the corresponding argument is not ``None``.

    Args:
        hostname: label for the peer; written as an INI comment (``# hostname``).
        public_key: the peer's WireGuard public key (base64 text).
        allowed_ips: value for ``AllowedIPs``, already formatted (e.g. ``10.0.0.2/32``).
        endpoint: optional ``host:port`` for ``Endpoint``.
        keepalive: optional interval for ``PersistentKeepalive``.

    Returns:
        The section as a single string.

    Note: every argument is interpolated verbatim — no quoting or escaping is
    applied — so this expects values from the deploy's own inventory/template,
    not arbitrary input.
    """
    section = [
        '',
        '[Peer]',
        f'# {hostname}',
        f'PublicKey = {public_key}',
        f'AllowedIPs = {allowed_ips}',
    ]
    if endpoint is not None:
        section.append(f'Endpoint = {endpoint}')
    if keepalive is not None:
        section.append(f'PersistentKeepalive = {keepalive}')
    # Leading '' yields the blank line before [Peer]; the final '\n' terminates the last key.
    return '\n'.join(section) + '\n'
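def _existing_private_key(conf_path):
    """Return the ``PrivateKey`` already deployed in *conf_path*, or ``None`` if there is none.

    The remote file is read through pyinfra's ``FindInFile`` fact (a grep for
    ``PrivateKey.*``), so an existing key round-trips through the controller.
    Both ``PrivateKey = x`` and ``PrivateKey=x`` parse (the previous
    ``split(' = ')[1]`` raised IndexError on the second form). A match with no
    usable ``PrivateKey = <key>`` line raises instead of silently minting a
    replacement key, since rotating the key would break every peer that trusts
    the current public key.

    Raises:
        ValueError: the file mentions ``PrivateKey`` but no line parses. The
            offending line is deliberately not included in the message so key
            material does not land in logs.
    """
    lines = host.get_fact(FindInFile, path=conf_path, pattern=r'PrivateKey.*')
    if not lines:
        return None
    for line in lines:
        name, sep, value = line.partition('=')
        # Only an actual setting counts; a commented-out '# PrivateKey = ...' does not match.
        if sep and name.strip() == 'PrivateKey' and value.strip():
            return value.strip()
    raise ValueError(f'PrivateKey found in {conf_path} but no parseable "PrivateKey = <key>" line')


def _private_key_for(conf_path):
    """Return the private key to write into *conf_path*, reusing the deployed one when present.

    When no conf exists yet, ``wg genkey`` is run via ``subprocess`` — i.e. on the
    controller, not on the target host — and the fresh secret is then shipped to
    the host inside the rendered template.
    """
    existing = _existing_private_key(conf_path)
    if existing is not None:
        return existing
    return subprocess.check_output(['wg', 'genkey']).strip().decode('ascii')


# Deploy one wg-quick interface per entry: install the package, keep or create the
# private key, render /etc/wireguard/<iface>.conf (mode 600, since it holds the key)
# and enable wg-quick@<iface>.service.
for wireguard_interface in ['wg0', 'bogasterisk']:
    # The 'bogasterisk' interface is only configured on the host named 'prime'.
    if wireguard_interface == 'bogasterisk' and host.name != 'prime':
        continue

    conf_path = f'/etc/wireguard/{wireguard_interface}.conf'

    # note- this is specific to the wg0 setup. Other conf files don't use it.
    wireguard_ip = host.host_data['wireguard_address']

    apt.packages(packages=['wireguard'])
    # new pi may fail with 'Unable to access interface: Protocol not supported'. reboot fixes.

    priv_key = _private_key_for(conf_path)

    # Derived on the controller as well; currently only referenced by the todo below.
    pub_key = subprocess.check_output(['wg', 'pubkey'], input=priv_key.encode('ascii')).strip().decode('ascii')
    # todo: if this was new, it should be added to a file of pubkeys that peer_block can refer to

    files.template(
        src=f'templates/wireguard_{wireguard_interface}.conf.j2',
        dest=conf_path,
        mode='600',  # file contains the private key; keep it owner-only
        wireguard_ip=wireguard_ip,
        priv_key=priv_key,
        peer_block=peer_block,
    )
    svc = f'wg-quick@{wireguard_interface}.service'
    # NOTE(review): this manual .wants link looks redundant with enabled=True below — confirm before removing.
    files.link(path=f'/etc/systemd/system/multi-user.target.wants/{svc}', target='/lib/systemd/system/wg-quick@.service')

    systemd.service(service=svc, daemon_reload=True, running=True, enabled=True)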