bundles/wireguard: health checks for everyone

bundles/wireguard/items.py

@@ -13,7 +13,6 @@ deps = set()
 if node.has_bundle('apt'):
     deps.add('pkg_apt:wireguard')
 
-health_checks = {}
 for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
     files[f'/etc/systemd/network/wg_{config["iface"]}.netdev'] = {
         'content_type': 'mako',
@@ -35,20 +34,13 @@ for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
         },
     }
 
-    if config.get('health_check', False):
+files['/usr/local/bin/wg_health_check'] = {
-        health_checks[peer] = config['their_ip']
-
-if health_checks:
-    files['/usr/local/bin/wg_health_check'] = {
     'content_type': 'mako',
     'context': {
-            'peers': health_checks,
+        'peers': node.metadata.get('wireguard/health_checks'),
     },
     'mode': '0755',
-    }
+}
-    files['/etc/cron.d/wg_health_check'] = {
-        'content': '* * * * *    root    /usr/local/bin/wg_health_check | logger -t wg_health_check\n',
-    }
 
 if node.has_bundle('pppd'):
     files['/etc/ppp/ip-up.d/reconnect-wireguard'] = {

bundles/wireguard/metadata.py

@@ -244,3 +244,37 @@ def snat(metadata):
             },
         },
     }
+
+
+@metadata_reactor.provides(
+    'wireguard/health_checks',
+    'systemd-timers/timers/wg-health-check',
+)
+def health_checks(metadata):
+    checks = {}
+
+    for peer, config in metadata.get('wireguard/peers', {}).items():
+        if (
+            config.get('exclude_from_monitoring', False)
+            or 'endpoint' not in config
+        ):
+            continue
+
+        checks[peer] = config['their_ip']
+
+    if not checks:
+        return {}
+
+    return {
+        'systemd-timers': {
+            'timers': {
+                'wg-health-check': {
+                    'command': '/usr/local/bin/wg_health_check',
+                    'when': 'minutely',
+                },
+            },
+        },
+        'wireguard': {
+            'health_checks': checks,
+        },
+    }

nodes/fkusei-locutus.py

@@ -134,11 +134,12 @@ nodes['fkusei-locutus'] = {
             'privatekey': vault.decrypt('smedia$NotViaThisRepository'),
             'peers': {
                 'smedia': {
+                    'endpoint': '185.122.180.82:51820',
                     'my_ip': '10.200.128.2/20',
                     'my_port': 51820,
-                    'endpoint': '185.122.180.82:51820',
                     'psk': vault.decrypt('smedia$NotViaThisRepository'),
                     'pubkey': vault.decrypt('smedia$NotViaThisRepository'),
+                    'their_ip': '10.200.128.1',
                 },
             },
         },

nodes/home/router.py

@@ -163,9 +163,7 @@ nodes['home.router'] = {
             'external_hostname': 'franzi-home.kunbox.net', # Set via DynDNS
             'snat_ip': '172.19.138.1',
             'peers': {
-                'ovh.wireguard': {
+                'ovh.wireguard': {},
-                    'health_check': True,
-                },
                 'icinga2': {},
             },
         },

nodes/ovh/wireguard.py

@@ -35,9 +35,7 @@ nodes['ovh.wireguard'] = {
         'wireguard': {
             'peers': {
                 'ovh.icinga2': {},
-                'home.router': {
+                'home.router': {},
-                    'health_check': True,
-                },
                 'htz-cloud.wireguard': {},
                 'kunsi-oneplus3': {
                     'their_ip': '172.19.136.65',