Mercurial > code > home > repos > infra
annotate wireguard/wireguard.py @ 332:d4893670f888 default tip
WIP: use watchdog reboot timer on pi
| author | drewp@bigasterisk.com |
|---|---|
| date | Thu, 27 Feb 2025 11:09:29 -0800 |
| parents | 5b88b38f2471 |
| children |
| rev | line source |
|---|---|
| 5 | 1 import subprocess |
| 2 | |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
3 from pyinfra.context import host |
| 5 | 4 from pyinfra.facts.files import FindInFile |
| 259 | 5 from pyinfra.operations import files, systemd |
| 6 | |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
7 import wireguard.wireguard_pubkey as wireguard_pubkey |
| 5 | 8 |
| 9 # other options: | |
| 10 # https://www.reddit.com/r/WireGuard/comments/fkr240/shortest_path_between_peers/ | |
| 11 # https://github.com/k4yt3x/wireguard-mesh-configurator | |
| 12 # https://github.com/mawalu/wireguard-private-networking | |
| 13 # | |
| 14 | |
| 15 | |
|
215
db8787bd800e
wireguard now uses ditto (and prime) as hubs for home/remote
drewp@bigasterisk.com
parents:
115
diff
changeset
|
16 def peer_block(hostname, allowed_ips, endpoint=None, keepalive=None): |
|
289
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
17 # allowed_ips should be determined mostly from host.data.wireguard_address |
|
89
2fddde57231b
no connman to surprisingly rewrite net configs
drewp@bigasterisk.com
parents:
76
diff
changeset
|
18 |
|
215
db8787bd800e
wireguard now uses ditto (and prime) as hubs for home/remote
drewp@bigasterisk.com
parents:
115
diff
changeset
|
19 public_key = wireguard_pubkey.pubkey[hostname] |
| 5 | 20 out = f'''\ |
| 21 | |
| 22 [Peer] | |
| 23 # {hostname} | |
| 24 PublicKey = {public_key} | |
| 25 AllowedIPs = {allowed_ips} | |
| 26 ''' | |
| 27 if endpoint is not None: | |
| 28 out += f'Endpoint = {endpoint}\n' | |
| 29 if keepalive is not None: | |
| 30 out += f'PersistentKeepalive = {keepalive}\n' | |
| 31 return out | |
| 32 | |
| 33 | |
|
289
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
34 def get_priv_key(wireguard_interface) -> str: |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
35 priv_key_lines = host.get_fact(FindInFile, path=f'/etc/wireguard/{wireguard_interface}.conf', pattern=r'PrivateKey.*') |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
36 if not priv_key_lines: |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
37 priv_key = subprocess.check_output(['wg', 'genkey']).strip().decode('ascii') |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
38 else: |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
39 priv_key = priv_key_lines[0].split(' = ')[1] |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
40 return priv_key |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
41 |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
42 |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
43 def compute_pub_key(priv_key: str) -> str: |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
44 pub_key = subprocess.check_output(['wg', 'pubkey'], input=priv_key.encode('ascii')).strip().decode('ascii') |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
45 # todo: if this was new, it should be added to a file of pubkeys that |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
46 # peer_block can refer to. meanwhile, edit the template. |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
47 return pub_key |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
48 |
|
65e28d2e0cd8
move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
drewp@bigasterisk.com
parents:
272
diff
changeset
|
49 |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
50 def wireguard(): |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
51 for wireguard_interface in ['wg0', 'bogasterisk']: |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
52 if wireguard_interface == 'bogasterisk' and host.name != 'prime': |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
53 continue |
| 5 | 54 |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
55 # note- this is specific to the wg0 setup. Other conf files don't use it. |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
56 wireguard_ip = host.host_data.get('wireguard_address') |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
57 if wireguard_interface == 'wg0' and wireguard_ip is None: |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
58 continue |
| 5 | 59 |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
60 # new pi may fail with 'Unable to access interface: Protocol not supported'. reboot fixes. |
| 5 | 61 |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
62 priv_key = get_priv_key(wireguard_interface) |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
63 |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
64 # unused since I still hand-maintain wireguard_pubkey.py :( |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
65 # pub_key = compute_pub_key(priv_key) |
| 5 | 66 |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
67 files.template( |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
68 src=f'wireguard/templates/{wireguard_interface}.conf.j2', |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
69 dest=f'/etc/wireguard/{wireguard_interface}.conf', |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
70 mode='600', |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
71 wireguard_ip=wireguard_ip, |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
72 priv_key=priv_key, |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
73 peer_block=peer_block, |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
74 ) |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
75 svc = f'wg-quick@{wireguard_interface}.service' |
| 5 | 76 |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
77 files.template(src='wireguard/templates/wg.service.j2', |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
78 dest=f'/etc/systemd/system/{svc}', |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
79 wireguard_interface=wireguard_interface) |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
80 systemd.service(service=svc, daemon_reload=True, restarted=True, enabled=True) |
|
76
de387eae06cf
still trying to sequence dhcp->wireguard->dns startup
drewp@bigasterisk.com
parents:
71
diff
changeset
|
81 |
|
326
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
82 |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
83 operations = [ |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
84 wireguard, |
|
5b88b38f2471
huge reorg, reog toplevel functions in preparation of a ui with nice task lists
drewp@bigasterisk.com
parents:
289
diff
changeset
|
85 ] |