comparison wireguard.py @ 289:65e28d2e0cd8

move static templates to files/ ; use inventory tags for selecting hosts+features ; other refactors
author drewp@bigasterisk.com
date Sun, 21 Apr 2024 17:07:23 -0700
parents 705698800bfb
children
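--- a/wireguard.py
+++ b/wireguard.py
@@ -12,13 +12,11 @@
 # https://github.com/mawalu/wireguard-private-networking
 #
 
 
 def peer_block(hostname, allowed_ips, endpoint=None, keepalive=None):
-# if allowed_ips.startswith('10.5'):
-# # k3s nets also need to travel over wg
-# allowed_ips += ', 10.42.0.0/24, 10.43.0.0/24'
+# allowed_ips should be determined mostly from host.data.wireguard_address
 
 public_key = wireguard_pubkey.pubkey[hostname]
 out = f'''\
 
 [Peer]
@@ -31,10 +29,26 @@
 if keepalive is not None:
 out += f'PersistentKeepalive = {keepalive}\n'
 return out
 
 
+def get_priv_key(wireguard_interface) -> str:
+priv_key_lines = host.get_fact(FindInFile, path=f'/etc/wireguard/{wireguard_interface}.conf', pattern=r'PrivateKey.*')
+if not priv_key_lines:
+priv_key = subprocess.check_output(['wg', 'genkey']).strip().decode('ascii')
+else:
+priv_key = priv_key_lines[0].split(' = ')[1]
+return priv_key
+
+
+def compute_pub_key(priv_key: str) -> str:
+pub_key = subprocess.check_output(['wg', 'pubkey'], input=priv_key.encode('ascii')).strip().decode('ascii')
+# todo: if this was new, it should be added to a file of pubkeys that
+# peer_block can refer to. meanwhile, edit the template.
+return pub_key
+
+
 for wireguard_interface in ['wg0', 'bogasterisk']:
 if wireguard_interface == 'bogasterisk' and host.name != 'prime':
 continue
 
 # note- this is specific to the wg0 setup. Other conf files don't use it.
@@ -42,19 +56,14 @@
 if wireguard_interface == 'wg0' and wireguard_ip is None:
 continue
 
 # new pi may fail with 'Unable to access interface: Protocol not supported'. reboot fixes.
 
-priv_key_lines = host.get_fact(FindInFile, path=f'/etc/wireguard/{wireguard_interface}.conf', pattern=r'PrivateKey.*')
-if not priv_key_lines:
-priv_key = subprocess.check_output(['wg', 'genkey']).strip().decode('ascii')
-else:
-priv_key = priv_key_lines[0].split(' = ')[1]
+priv_key = get_priv_key(wireguard_interface)
 
-pub_key = subprocess.check_output(['wg', 'pubkey'], input=priv_key.encode('ascii')).strip().decode('ascii')
-# todo: if this was new, it should be added to a file of pubkeys that
-# peer_block can refer to. meanwhile, edit the template.
+# unused since I still hand-maintain wireguard_pubkey.py :(
+# pub_key = compute_pub_key(priv_key)
 
 files.template(
 src=f'templates/wireguard/{wireguard_interface}.conf.j2',
 dest=f'/etc/wireguard/{wireguard_interface}.conf',
 mode='600',
@@ -65,11 +74,6 @@
 svc = f'wg-quick@{wireguard_interface}.service'
 
 files.template(src='templates/wireguard/wg.service.j2',
 dest=f'/etc/systemd/system/{svc}',
 wireguard_interface=wireguard_interface)
-systemd.service(service=svc, enabled=True, restarted=True, daemon_reload=True)
-
 systemd.service(service=svc, daemon_reload=True, restarted=True, enabled=True)
-
-# if host.name == 'bang':
-# systemd.service(service=f'dnsmasq_10.5', enabled=True, restarted=True, daemon_reload=True)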
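Review bot: get_priv_key (new lines 34-40) treats an empty FindInFile result as "no key yet" and generates a fresh key, so any other reason the fact comes back empty — the conf file being unreadable to the deploy user, a transient connection problem — silently rotates the host's private key on the next run, and its hand-maintained entry in wireguard_pubkey.py stops matching until someone notices the tunnel is down. Gating generation on the file actually being absent (pyinfra's `File` fact, if this version provides it) and raising when the file exists but no PrivateKey line is found would make regeneration an explicit event rather than a side effect of a failed lookup. The parse on new line 39 is also brittle: the pattern `PrivateKey.*` matches a commented-out `#PrivateKey = …` line as well, and a `PrivateKey=…` spelling without surrounding spaces makes `split(' = ')[1]` raise IndexError; `priv_key = priv_key_lines[0].split('=', 1)[1].strip()` covers the second case. Since the key now round-trips through fact output, it is also worth checking that verbose deploy logging does not echo that line.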