infra: wireguard.py annotate

annotate wireguard.py @ 76:de387eae06cf

still trying to sequence dhcp->wireguard->dns startup

author	drewp@bigasterisk.com
date	Sat, 11 Jun 2022 22:58:35 -0700
parents	52156d3898c5
children	2fddde57231b

rev	line source
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	1 import subprocess
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	2
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	3 from pyinfra import host
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	4 from pyinfra.facts.files import FindInFile
76 de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	5 from pyinfra.operations import apt, files, server, systemd
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	6
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	7 # other options:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	8 # https://www.reddit.com/r/WireGuard/comments/fkr240/shortest_path_between_peers/
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	9 # https://github.com/k4yt3x/wireguard-mesh-configurator
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	10 # https://github.com/mawalu/wireguard-private-networking
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	11 #
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	12
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	13
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	14 def peer_block(hostname, public_key, allowed_ips, endpoint=None, keepalive=None):
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	15 out = f'''\
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	16
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	17 [Peer]
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	18 # {hostname}
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	19 PublicKey = {public_key}
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	20 AllowedIPs = {allowed_ips}
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	21 '''
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	22 if endpoint is not None:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	23 out += f'Endpoint = {endpoint}\n'
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	24 if keepalive is not None:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	25 out += f'PersistentKeepalive = {keepalive}\n'
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	26 return out
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	27
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	28
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	29 for wireguard_interface in ['wg0', 'bogasterisk']:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	30 if wireguard_interface == 'bogasterisk' and host.name != 'prime':
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	31 continue
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	32
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	33 # note- this is specific to the wg0 setup. Other conf files don't use it.
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	34 wireguard_ip = host.host_data['wireguard_address']
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	35
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	36 apt.packages(packages=['wireguard'])
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	37 # new pi may fail with 'Unable to access interface: Protocol not supported'. reboot fixes.
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	38
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	39 priv_key_lines = host.get_fact(FindInFile, path=f'/etc/wireguard/{wireguard_interface}.conf', pattern=r'PrivateKey.*')
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	40 if not priv_key_lines:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	41 priv_key = subprocess.check_output(['wg', 'genkey']).strip().decode('ascii')
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	42 else:
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	43 priv_key = priv_key_lines[0].split(' = ')[1]
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	44
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	45 pub_key = subprocess.check_output(['wg', 'pubkey'], input=priv_key.encode('ascii')).strip().decode('ascii')
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	46 # todo: if this was new, it should be added to a file of pubkeys that peer_block can refer to
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	47
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	48 files.template(
12 15c5ce7c74b5 refactor, cleanup, split large deploys drewp@bigasterisk.com parents: 9 diff changeset	49 src=f'templates/wireguard/{wireguard_interface}.conf.j2',
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	50 dest=f'/etc/wireguard/{wireguard_interface}.conf',
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	51 mode='600',
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	52 wireguard_ip=wireguard_ip,
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	53 priv_key=priv_key,
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	54 peer_block=peer_block,
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	55 )
7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	56 svc = f'wg-quick@{wireguard_interface}.service'
76 de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	57
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	58 files.template(src='templates/wireguard/wg.service.j2',
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	59 dest=f'/etc/systemd/system/{svc}',
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	60 wireguard_interface=wireguard_interface)
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	61 systemd.service(service=f'{svc}', enabled=True, restarted=True, daemon_reload=True)
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	62
de387eae06cf still trying to sequence dhcp->wireguard->dns startup drewp@bigasterisk.com parents: 71 diff changeset	63 # files.link(path=f'/etc/systemd/system/multi-user.target.wants/{svc}', target='/lib/systemd/system/wg-quick@.service')
5 7e8c7de5b490 port wireguard setup drewp@bigasterisk.com parents: diff changeset	64
9 7e76e6dcc080 wg tweaks drewp@bigasterisk.com parents: 5 diff changeset	65 systemd.service(service=svc, daemon_reload=True, restarted=True, enabled=True)
71 52156d3898c5 mostly per-host network settings drewp@bigasterisk.com parents: 12 diff changeset	66
52156d3898c5 mostly per-host network settings drewp@bigasterisk.com parents: 12 diff changeset	67 if host.name == 'bang':
52156d3898c5 mostly per-host network settings drewp@bigasterisk.com parents: 12 diff changeset	68 # recompute, or else maybe dnsmasq_10.5 won't start
52156d3898c5 mostly per-host network settings drewp@bigasterisk.com parents: 12 diff changeset	69 server.shell("systemctl enable dnsmasq_10.2.service")
52156d3898c5 mostly per-host network settings drewp@bigasterisk.com parents: 12 diff changeset	70 server.shell("systemctl enable dnsmasq_10.5.service")
52156d3898c5 mostly per-host network settings drewp@bigasterisk.com parents: 12 diff changeset	71 server.shell("systemctl enable wg-quick@wg0.service")

Mercurial > code > home > repos > infra

annotate wireguard.py @ 76:de387eae06cf