bundles/wireguard: name wg interfaces according to their peers

2023-09-09 13:54:27 +02:00 · 2023-09-09 13:54:27 +02:00 · 7df6b1d13a
parent 7b8740601f
commit 7df6b1d13a
4 changed files with 20 additions and 20 deletions
--- a/bundles/bird/metadata.py
+++ b/bundles/bird/metadata.py
@ -62,7 +62,8 @@ def neighbor_info_from_wireguard(metadata):
 )
 def my_ip(metadata):
    if node.has_bundle('wireguard'):
-        my_ip = sorted(metadata.get('interfaces/wg0/ips'))[0].split('/')[0]
+        wg_iface = sorted({iface for iface in metadata.get('interfaces').keys() if iface.startswith('wg_')})[0]
+        my_ip = sorted(metadata.get(f'interfaces/{wg_iface}/ips'))[0].split('/')[0]
    else:
        my_ip = str(sorted(repo.libs.tools.resolve_identifier(repo, node.name))[0])

--- a/bundles/wireguard/files/wg.netdev
+++ b/bundles/wireguard/files/wg.netdev
@ -1,5 +1,5 @@
 [NetDev]
-Name=wg${number}
+Name=wg_${iface}
 Kind=wireguard
 Description=WireGuard connection to ${peer}

--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@ -14,15 +14,15 @@ if node.has_bundle('apt'):
    deps.add('pkg_apt:wireguard')

 health_checks = {}
-for number, (peer, config) in enumerate(sorted(node.metadata.get('wireguard/peers', {}).items())):
-    files[f'/etc/systemd/network/wg{number}.netdev'] = {
+for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
+    files[f'/etc/systemd/network/wg_{config["iface"]}.netdev'] = {
        'content_type': 'mako',
        'source': 'wg.netdev',
        'owner': 'systemd-network',
        'mode': '0600',
        'context': {
            'endpoint': config.get('endpoint'),
-            'number': number,
+            'iface': config['iface'],
            'peer': peer,
            'port': config['my_port'],
            'privatekey': node.metadata.get('wireguard/privatekey'),
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -1,4 +1,5 @@
 from ipaddress import ip_network
+from re import sub

 from bundlewrap.exceptions import NoSuchNode
 from bundlewrap.metadata import atomic
@ -39,20 +40,18 @@ if node.has_bundle('telegraf'):
@metadata_reactor.provides(
    'wireguard/peers',
 )
-def peer_psks(metadata):
+def peer_psks_and_iface_names(metadata):
    peers = {}

    for peer_name in metadata.get('wireguard/peers', {}):
-        peers[peer_name] = {}
+        peers[peer_name] = {
+            'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:20],
+        }

        if node.name < peer_name:
-            peers[peer_name] = {
-                'psk': repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}'),
-            }
+            peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}')
        else:
-            peers[peer_name] = {
-                'psk': repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}'),
-            }
+            peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}')

    return {
        'wireguard': {
@ -156,12 +155,12 @@ def peer_endpoints(metadata):
 def icinga2(metadata):
    services = {}

-    for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
+    for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
        if config.get('exclude_from_monitoring', False):
            continue

        services[f'WIREGUARD CONNECTION {peer}'] = {
-            'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg{number} {{}}'),
+            'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg_{config["iface"]} {{}}'),
        }

    return {
@ -198,12 +197,12 @@ def firewall(metadata):
 )
 def interface_ips(metadata):
    interfaces = {}
-    for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
+    for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
        if '/' in config['my_ip']:
            my_ip = config['my_ip']
        else:
            my_ip = '{}/31'.format(config['my_ip'])
-        interfaces[f'wg{number}'] = {
+        interfaces[f'wg_{config["iface"]}'] = {
            'ips': {
                my_ip,
            },
@ -221,9 +220,9 @@ def snat(metadata):
        raise DoNotRunAgain

    rules = set()
-    for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
-        rules.add(f'inet filter forward iifname wg{number} accept')
-        rules.add(f'inet filter forward oifname wg{number} accept')
+    for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
+        rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
+        rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')

        if 'snat_to' in config:
            rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(