bundles/wireguard: add netdev and network files, add iptables rules

bundles/wireguard/files/wg0.netdev

@@ -0,0 +1,24 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+Description=WireGuard server
+
+[WireGuard]
+PrivateKey=${privatekey}
+ListenPort=51820
+
+% for peer, config in sorted(peers.items()):
+# Peer ${peer}
+[WireGuardPeer]
+PublicKey=${config['pubkey']}
+%   if len(peers) == 1: # FIXME
+AllowedIPs=${network}
+%   else:
+AllowedIPs=${','.join(sorted(config['ips']))}
+%   endif
+PresharedKey=${config['psk']}
+%   if 'endpoint' in config:
+Endpoint=${config['endpoint']}
+%   endif
+
+% endfor

bundles/wireguard/files/wg0.network

@@ -0,0 +1,8 @@
+[Match]
+Name=wg0
+
+[Network]
+Address=${my_ip}
+
+[Route]
+Destination=${network}

bundles/wireguard/items.py

@@ -0,0 +1,26 @@
+assert node.has_bundle('systemd-networkd')
+
+files = {
+    '/etc/systemd/network/99-wg0.netdev': {
+        'source': 'wg0.netdev',
+        'content_type': 'mako',
+        'context': node.metadata['wireguard'],
+        'needs': {
+            'pkg_apt:wireguard',
+        },
+        'triggers': {
+            'svc_systemd:systemd-networkd:restart',
+        },
+    },
+    '/etc/systemd/network/99-wg0.network': {
+        'source': 'wg0.network',
+        'content_type': 'mako',
+        'context': node.metadata['wireguard'],
+        'needs': {
+            'pkg_apt:wireguard',
+        },
+        'triggers': {
+            'svc_systemd:systemd-networkd:restart',
+        },
+    },
+}

bundles/wireguard/metadata.py

@@ -0,0 +1,76 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'wireguard': {},
+        },
+        'repos': {
+            'backports': {
+                'install_gpg_key': False, # default debian signing key
+                'items': [
+                    'deb http://deb.debian.org/debian {os_release}-backports main',
+                ],
+            },
+        },
+    },
+    'iptables': {
+        'bundle_rules': {
+            'wireguard': [
+                'iptables_both -A INPUT -p udp --dport 51820 -j ACCEPT',
+                'iptables_both -A FORWARD -i wg0 -j ACCEPT',
+            ],
+        },
+    },
+    'wireguard': {
+        'privatekey': repo.libs.keys.gen_privkey(repo, f'{node.name} wireguard privatekey'),
+    },
+}
+
+
+@metadata_reactor
+def get_wireguard_network_from_server(metadata):
+    # FIXME This will break if more than one node sets 'wireguard/network'
+    for rnode in repo.nodes:
+        if not rnode.has_bundle('wireguard'):
+            continue
+
+        if node.name in rnode.metadata.get('wireguard/peers', {}).keys():
+            network = rnode.metadata.get('wireguard/network', None)
+
+            if network:
+                return {
+                    'wireguard': {
+                        'network': network,
+                    },
+                }
+
+    return {}
+
+
+@metadata_reactor
+def get_my_wireguard_peers(metadata):
+    peers = {}
+
+    for rnode in repo.nodes:
+        if not rnode.has_bundle('wireguard'):
+            continue
+
+        if node.name in rnode.metadata.get('wireguard/peers', {}).keys():
+            peers[rnode.name] = {
+                'pubkey': repo.libs.keys.get_pubkey_from_privkey(repo, f'{node.name} wireguard {rnode.name}', rnode.metadata.get('wireguard/privatekey')),
+                'psk': rnode.metadata.get('wireguard/psk', metadata.get('wireguard/psk', None)),
+            }
+
+            if not rnode.metadata.get(f'wireguard/peers/{node.name}/do_not_initiate_a_connection_from_your_side', False):
+                peers[rnode.name]['endpoint'] = f'{rnode.hostname}:51820'
+
+            peers[rnode.name]['ips'] = rnode.metadata.get('wireguard/subnets', set())
+
+            your_ip = rnode.metadata.get('wireguard/my_ip', None)
+            if your_ip:
+                peers[rnode.name]['ips'].add(your_ip)
+
+    return {
+        'wireguard': {
+            'peers': peers,
+        },
+    }