bundles/wireguard: name wg interfaces according to their peers

This commit is contained in:
Franzi 2023-09-09 13:54:27 +02:00
parent 7b8740601f
commit 7df6b1d13a
Signed by: kunsi
GPG key ID: 12E3D2136B818350
4 changed files with 20 additions and 20 deletions


@ -62,7 +62,8 @@ def neighbor_info_from_wireguard(metadata):
) )
def my_ip(metadata): def my_ip(metadata):
if node.has_bundle('wireguard'): if node.has_bundle('wireguard'):
my_ip = sorted(metadata.get('interfaces/wg0/ips'))[0].split('/')[0] wg_iface = sorted({iface for iface in metadata.get('interfaces').keys() if iface.startswith('wg_')})[0]
my_ip = sorted(metadata.get(f'interfaces/{wg_iface}/ips'))[0].split('/')[0]
else: else:
my_ip = str(sorted(repo.libs.tools.resolve_identifier(repo, node.name))[0]) my_ip = str(sorted(repo.libs.tools.resolve_identifier(repo, node.name))[0])
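Review bot: On L17 `sorted({...})[0]` raises a bare IndexError when a node has the wireguard bundle but no `interfaces/wg_*` entry yet (for example no peers configured); the previous `metadata.get('interfaces/wg0/ips')` failed in that case too, so this is not a regression, but a guard such as `if not wg_ifaces: raise ValueError(f'{node.name}: wireguard bundle present but no wg_ interface')` after building the list would name the cause instead of an index error. The selection rule is also implicit: the node's IP is taken from whichever `wg_*` interface sorts first, i.e. the alphabetically first sanitised peer name, and any `interfaces/*` key starting with `wg_` qualifies, not only those the wireguard bundle generates; a comment like `# this node's IP is the address on the first wg_ interface (alphabetically first peer)` would record that choice. my_ip continues past the end of the hunk.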


@ -1,5 +1,5 @@
[NetDev] [NetDev]
Name=wg${number} Name=wg_${iface}
Kind=wireguard Kind=wireguard
Description=WireGuard connection to ${peer} Description=WireGuard connection to ${peer}
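Review bot: `Name=wg_${iface}` can exceed the kernel's interface-name limit: Linux accepts at most 15 characters (IFNAMSIZ is 16 including the terminator), but the `iface` value this template receives is cut at 20 characters in the metadata reactor (`sub('[^a-z0-9-_]+', '_', peer_name)[:20]`), so any peer whose sanitised name is 13 characters or longer yields a netdev name the kernel will not accept, something the old `wg${number}` scheme could never hit. Truncating where the name is derived to `'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:12],` keeps `wg_` plus the suffix within 15 characters. Truncation and the `_` substitution can also map two distinct peer names to the same `iface`, in which case both peers render to the same netdev path and the same `interfaces/wg_*` key and one of them silently disappears; the reactor that derives the names should check they are unique across the node's peers and fail loudly on a collision.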


@ -14,15 +14,15 @@ if node.has_bundle('apt'):
deps.add('pkg_apt:wireguard') deps.add('pkg_apt:wireguard')
health_checks = {} health_checks = {}
for number, (peer, config) in enumerate(sorted(node.metadata.get('wireguard/peers', {}).items())): for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
files[f'/etc/systemd/network/wg{number}.netdev'] = { files[f'/etc/systemd/network/wg_{config["iface"]}.netdev'] = {
'content_type': 'mako', 'content_type': 'mako',
'source': 'wg.netdev', 'source': 'wg.netdev',
'owner': 'systemd-network', 'owner': 'systemd-network',
'mode': '0600', 'mode': '0600',
'context': { 'context': {
'endpoint': config.get('endpoint'), 'endpoint': config.get('endpoint'),
'number': number, 'iface': config['iface'],
'peer': peer, 'peer': peer,
'port': config['my_port'], 'port': config['my_port'],
'privatekey': node.metadata.get('wireguard/privatekey'), 'privatekey': node.metadata.get('wireguard/privatekey'),
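Review bot: Changing the key on L36 to `wg_{config["iface"]}.netdev` does not remove the `wgN.netdev` files deployed under the previous naming: bundlewrap only manages the paths listed in `files`, so unless cleanup exists elsewhere a host keeps e.g. `wg0.netdev` next to the new file, both carrying the same private key and `ListenPort`, and networkd would presumably try to create both. If nothing else handles this, add `for number in range(len(node.metadata.get('wireguard/peers', {}))): files[f'/etc/systemd/network/wg{number}.netdev'] = {'delete': True}` for at least one deployment cycle; the companion `.network` files are not in this hunk and likely need the same treatment. Separately, if two peers derive the same `iface`, the second assignment to `files[...]` silently replaces the first, so the loop could check the path is not already present before assigning. The file continues past the end of the hunk.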


@ -1,4 +1,5 @@
from ipaddress import ip_network from ipaddress import ip_network
from re import sub
from bundlewrap.exceptions import NoSuchNode from bundlewrap.exceptions import NoSuchNode
from bundlewrap.metadata import atomic from bundlewrap.metadata import atomic
@ -39,20 +40,18 @@ if node.has_bundle('telegraf'):
@metadata_reactor.provides( @metadata_reactor.provides(
'wireguard/peers', 'wireguard/peers',
) )
def peer_psks(metadata): def peer_psks_and_iface_names(metadata):
peers = {} peers = {}
for peer_name in metadata.get('wireguard/peers', {}): for peer_name in metadata.get('wireguard/peers', {}):
peers[peer_name] = {} peers[peer_name] = {
'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:20],
}
if node.name < peer_name: if node.name < peer_name:
peers[peer_name] = { peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}')
'psk': repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}'),
}
else: else:
peers[peer_name] = { peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}')
'psk': repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}'),
}
return { return {
'wireguard': { 'wireguard': {
@ -156,12 +155,12 @@ def peer_endpoints(metadata):
def icinga2(metadata): def icinga2(metadata):
services = {} services = {}
for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())): for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
if config.get('exclude_from_monitoring', False): if config.get('exclude_from_monitoring', False):
continue continue
services[f'WIREGUARD CONNECTION {peer}'] = { services[f'WIREGUARD CONNECTION {peer}'] = {
'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg{number} {{}}'), 'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg_{config["iface"]} {{}}'),
} }
return { return {
@ -198,12 +197,12 @@ def firewall(metadata):
) )
def interface_ips(metadata): def interface_ips(metadata):
interfaces = {} interfaces = {}
for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())): for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
if '/' in config['my_ip']: if '/' in config['my_ip']:
my_ip = config['my_ip'] my_ip = config['my_ip']
else: else:
my_ip = '{}/31'.format(config['my_ip']) my_ip = '{}/31'.format(config['my_ip'])
interfaces[f'wg{number}'] = { interfaces[f'wg_{config["iface"]}'] = {
'ips': { 'ips': {
my_ip, my_ip,
}, },
@ -221,9 +220,9 @@ def snat(metadata):
raise DoNotRunAgain raise DoNotRunAgain
rules = set() rules = set()
for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())): for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
rules.add(f'inet filter forward iifname wg{number} accept') rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
rules.add(f'inet filter forward oifname wg{number} accept') rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')
if 'snat_to' in config: if 'snat_to' in config:
rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format( rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(