From 4f260932c375ac478760cf70a8eabefec70d1148 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 11 Sep 2023 09:09:09 +0200
Subject: [PATCH] bundles/wireguard: health checks for everyone

---
 bundles/wireguard/items.py | 22 +++++++--------------
 bundles/wireguard/metadata.py | 34 ++++++++++++++++++++++++++++++++++
 nodes/fkusei-locutus.py | 3 ++-
 nodes/home/router.py | 4 +---
 nodes/ovh/wireguard.py | 4 +---
 5 files changed, 45 insertions(+), 22 deletions(-)

diff --git a/bundles/wireguard/items.py b/bundles/wireguard/items.py
index e9f1d71..5bbd7d3 100644
--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@@ -13,7 +13,6 @@ deps = set()
 if node.has_bundle('apt'):
     deps.add('pkg_apt:wireguard')
 
-health_checks = {}
 for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
     files[f'/etc/systemd/network/wg_{config["iface"]}.netdev'] = {
         'content_type': 'mako',
@@ -35,20 +34,13 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
         },
     }
 
-    if config.get('health_check', False):
-        health_checks[peer] = config['their_ip']
-
-if health_checks:
-    files['/usr/local/bin/wg_health_check'] = {
-        'content_type': 'mako',
-        'context': {
-            'peers': health_checks,
-        },
-        'mode': '0755',
-    }
-    files['/etc/cron.d/wg_health_check'] = {
-        'content': '* * * * * root /usr/local/bin/wg_health_check | logger -t wg_health_check\n',
-    }
+files['/usr/local/bin/wg_health_check'] = {
+    'content_type': 'mako',
+    'context': {
+        'peers': node.metadata.get('wireguard/health_checks'),
+    },
+    'mode': '0755',
+}
 
 if node.has_bundle('pppd'):
     files['/etc/ppp/ip-up.d/reconnect-wireguard'] = {
diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index 0823dbf..8bc3ddd 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
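Review bot: `node.metadata.get('wireguard/health_checks')` in the new `files['/usr/local/bin/wg_health_check']` entry has no default, but the reactor in metadata.py returns `{}` (and so never provides that key) when no peer qualifies, so on such a node the Mako context receives whatever bundlewrap's `get` yields for a missing path — presumably an error, or `None` for the template to iterate; write `node.metadata.get('wireguard/health_checks', {})`, or keep the guard the removed `if health_checks:` provided and only emit the file when the dict is non-empty. The hunk also stops managing `/etc/cron.d/wg_health_check` without removing it, so hosts that already had health checks keep the minutely cron entry alongside the new systemd timer and run the check twice; add `files['/etc/cron.d/wg_health_check'] = {'delete': True}` until every host has been deployed once. The `for peer, config` loop closed by this hunk's first context lines starts in the previous hunk.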
@@ -244,3 +244,37 @@ def snat(metadata):
         },
     },
 }
+
+
+@metadata_reactor.provides(
+    'wireguard/health_checks',
+    'systemd-timers/timers/wg-health-check',
+)
+def health_checks(metadata):
+    checks = {}
+
+    for peer, config in metadata.get('wireguard/peers', {}).items():
+        if (
+            config.get('exclude_from_monitoring', False)
+            or 'endpoint' not in config
+        ):
+            continue
+
+        checks[peer] = config['their_ip']
+
+    if not checks:
+        return {}
+
+    return {
+        'systemd-timers': {
+            'timers': {
+                'wg-health-check': {
+                    'command': '/usr/local/bin/wg_health_check',
+                    'when': 'minutely',
+                },
+            },
+        },
+        'wireguard': {
+            'health_checks': checks,
+        },
+    }
diff --git a/nodes/fkusei-locutus.py b/nodes/fkusei-locutus.py
index 397e851..b7f9215 100644
--- a/nodes/fkusei-locutus.py
+++ b/nodes/fkusei-locutus.py
@@ -134,11 +134,12 @@ nodes['fkusei-locutus'] = {
             'privatekey': vault.decrypt('smedia$NotViaThisRepository'),
             'peers': {
                 'smedia': {
+                    'endpoint': '185.122.180.82:51820',
                     'my_ip': '10.200.128.2/20',
                     'my_port': 51820,
-                    'endpoint': '185.122.180.82:51820',
                     'psk': vault.decrypt('smedia$NotViaThisRepository'),
                     'pubkey': vault.decrypt('smedia$NotViaThisRepository'),
+                    'their_ip': '10.200.128.1',
                 },
             },
         },
diff --git a/nodes/home/router.py b/nodes/home/router.py
index 747935b..1806918 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
@@ -163,9 +163,7 @@ nodes['home.router'] = {
             'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
             'snat_ip': '172.19.138.1',
             'peers': {
-                'ovh.wireguard': {
-                    'health_check': True,
-                },
+                'ovh.wireguard': {},
                 'icinga2': {},
             },
         },
diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py
index 334e1b3..c3405e9 100644
--- a/nodes/ovh/wireguard.py
+++ b/nodes/ovh/wireguard.py
@@ -35,9 +35,7 @@ nodes['ovh.wireguard'] = {
         'wireguard': {
             'peers': {
                 'ovh.icinga2': {},
-                'home.router': {
-                    'health_check': True,
-                },
+                'home.router': {},
                 'htz-cloud.wireguard': {},
                 'kunsi-oneplus3': {
                     'their_ip': '172.19.136.65',
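Review bot: `checks[peer] = config['their_ip']` in the new `health_checks` reactor raises a bare KeyError for any peer that has an `endpoint` but no `their_ip` — exactly the shape the `smedia` peer in nodes/fkusei-locutus.py had before this commit, and one other node files may still have; either skip such peers the way `exclude_from_monitoring` does, or fail with a message that names the peer, e.g. `if 'their_ip' not in config: raise ValueError(f'wireguard peer {peer!r} has an endpoint but no their_ip, cannot health-check it')`. The selection rule is the behavioural change of this commit and deserves a comment on the function, e.g. `# Every peer we actively connect to (has an endpoint) is pinged by the timer unless it opts out via exclude_from_monitoring.` Because the reactor returns `{}` when nothing qualifies, `wireguard/health_checks` is then not provided at all, so every consumer must read it with a default. The old per-peer `health_check: True` flag is no longer read anywhere in this diff, so a node that still sets it is silently ignored rather than rejected.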