bundles/wireguard: name wg interfaces according to their peers
This commit is contained in:
parent
7b8740601f
commit
7df6b1d13a
4 changed files with 20 additions and 20 deletions
|
@ -62,7 +62,8 @@ def neighbor_info_from_wireguard(metadata):
|
|||
)
|
||||
def my_ip(metadata):
|
||||
if node.has_bundle('wireguard'):
|
||||
my_ip = sorted(metadata.get('interfaces/wg0/ips'))[0].split('/')[0]
|
||||
wg_iface = sorted({iface for iface in metadata.get('interfaces').keys() if iface.startswith('wg_')})[0]
|
||||
my_ip = sorted(metadata.get(f'interfaces/{wg_iface}/ips'))[0].split('/')[0]
|
||||
else:
|
||||
my_ip = str(sorted(repo.libs.tools.resolve_identifier(repo, node.name))[0])
|
||||
|
||||
|
|
|
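Review bot: The `[0]` on `sorted({iface for iface in metadata.get('interfaces').keys() if iface.startswith('wg_')})` raises a bare IndexError when the node has the wireguard bundle but no `wg_` interface has been registered yet (for example no peers configured), and `metadata.get('interfaces')` without a default appears to raise KeyError first if the key is absent; neither message names what is missing. A guard that keeps the same result would read `wg_ifaces = sorted(iface for iface in metadata.get('interfaces', {}) if iface.startswith('wg_'))` / `if not wg_ifaces: raise ValueError(f'{node.name}: wireguard bundle present but no wg_ interface in metadata')` / `my_ip = sorted(metadata.get(f'interfaces/{wg_ifaces[0]}/ips'))[0].split('/')[0]`. The choice of the alphabetically-first interface is inherited from the old `wg0` lookup and presumably means "the interface towards the first sorted peer"; a one-line comment saying which address this is meant to be would spare the next reader that inference. The body of `my_ip` continues outside the hunk.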
@ -1,5 +1,5 @@
|
|||
[NetDev]
|
||||
Name=wg${number}
|
||||
Name=wg_${iface}
|
||||
Kind=wireguard
|
||||
Description=WireGuard connection to ${peer}
|
||||
|
||||
|
|
|
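Review bot: `Name=wg_${iface}` can exceed the 15-character limit Linux enforces on interface names (IFNAMSIZ is 16 including the terminator, and systemd-networkd validates against the same limit): the reactor in metadata.py builds `iface` with `sub('[^a-z0-9-_]+', '_', peer_name)[:20]`, so together with the 3-character prefix a long peer name yields up to 23 characters and the .netdev is rejected. The same value is reused for the file path in items.py and for the nft `iifname`/`oifname` rules and the icinga check command in metadata.py, so the fix belongs at its source rather than in this template: `'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:12],`.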
@ -14,15 +14,15 @@ if node.has_bundle('apt'):
|
|||
deps.add('pkg_apt:wireguard')
|
||||
|
||||
health_checks = {}
|
||||
for number, (peer, config) in enumerate(sorted(node.metadata.get('wireguard/peers', {}).items())):
|
||||
files[f'/etc/systemd/network/wg{number}.netdev'] = {
|
||||
for peer, config in sorted(node.metadata.get('wireguard/peers', {}).items()):
|
||||
files[f'/etc/systemd/network/wg_{config["iface"]}.netdev'] = {
|
||||
'content_type': 'mako',
|
||||
'source': 'wg.netdev',
|
||||
'owner': 'systemd-network',
|
||||
'mode': '0600',
|
||||
'context': {
|
||||
'endpoint': config.get('endpoint'),
|
||||
'number': number,
|
||||
'iface': config['iface'],
|
||||
'peer': peer,
|
||||
'port': config['my_port'],
|
||||
'privatekey': node.metadata.get('wireguard/privatekey'),
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
from ipaddress import ip_network
|
||||
from re import sub
|
||||
|
||||
from bundlewrap.exceptions import NoSuchNode
|
||||
from bundlewrap.metadata import atomic
|
||||
|
@ -39,20 +40,18 @@ if node.has_bundle('telegraf'):
|
|||
@metadata_reactor.provides(
|
||||
'wireguard/peers',
|
||||
)
|
||||
def peer_psks(metadata):
|
||||
def peer_psks_and_iface_names(metadata):
|
||||
peers = {}
|
||||
|
||||
for peer_name in metadata.get('wireguard/peers', {}):
|
||||
peers[peer_name] = {}
|
||||
peers[peer_name] = {
|
||||
'iface': sub('[^a-z0-9-_]+', '_', peer_name)[:20],
|
||||
}
|
||||
|
||||
if node.name < peer_name:
|
||||
peers[peer_name] = {
|
||||
'psk': repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}'),
|
||||
}
|
||||
peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{node.name} wireguard {peer_name}')
|
||||
else:
|
||||
peers[peer_name] = {
|
||||
'psk': repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}'),
|
||||
}
|
||||
peers[peer_name]['psk'] = repo.vault.random_bytes_as_base64_for(f'{peer_name} wireguard {node.name}')
|
||||
|
||||
return {
|
||||
'wireguard': {
|
||||
|
@ -156,12 +155,12 @@ def peer_endpoints(metadata):
|
|||
def icinga2(metadata):
|
||||
services = {}
|
||||
|
||||
for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
|
||||
for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
|
||||
if config.get('exclude_from_monitoring', False):
|
||||
continue
|
||||
|
||||
services[f'WIREGUARD CONNECTION {peer}'] = {
|
||||
'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg{number} {{}}'),
|
||||
'command_on_monitored_host': config['pubkey'].format_into(f'sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg_{config["iface"]} {{}}'),
|
||||
}
|
||||
|
||||
return {
|
||||
|
@ -198,12 +197,12 @@ def firewall(metadata):
|
|||
)
|
||||
def interface_ips(metadata):
|
||||
interfaces = {}
|
||||
for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
|
||||
for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
|
||||
if '/' in config['my_ip']:
|
||||
my_ip = config['my_ip']
|
||||
else:
|
||||
my_ip = '{}/31'.format(config['my_ip'])
|
||||
interfaces[f'wg{number}'] = {
|
||||
interfaces[f'wg_{config["iface"]}'] = {
|
||||
'ips': {
|
||||
my_ip,
|
||||
},
|
||||
|
@ -221,9 +220,9 @@ def snat(metadata):
|
|||
raise DoNotRunAgain
|
||||
|
||||
rules = set()
|
||||
for number, (peer, config) in enumerate(sorted(metadata.get('wireguard/peers', {}).items())):
|
||||
rules.add(f'inet filter forward iifname wg{number} accept')
|
||||
rules.add(f'inet filter forward oifname wg{number} accept')
|
||||
for peer, config in sorted(metadata.get('wireguard/peers', {}).items()):
|
||||
rules.add(f'inet filter forward iifname wg_{config["iface"]} accept')
|
||||
rules.add(f'inet filter forward oifname wg_{config["iface"]} accept')
|
||||
|
||||
if 'snat_to' in config:
|
||||
rules.add('nat postrouting ip saddr {} ip daddr != {} snat to {}'.format(
|
||||
|
|
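Review bot: The sanitizer `sub('[^a-z0-9-_]+', '_', peer_name)` in `peer_psks_and_iface_names` replaces every uppercase letter with `_`, so mixed-case peer names lose most of their distinguishing characters (`NodeA` and `NodeB` both become `_ode_`), and after the `[:20]` truncation two different peers can end up with the same `iface`; the `files[...]` key in items.py and the `interfaces[...]` key in `interface_ips` then silently overwrite one peer's entry with the other's, and systemd sees two netdevs with the same Name. Lower-casing before substitution and checking uniqueness avoids that (the truncation length is a separate question): `'iface': sub('[^a-z0-9-_]+', '_', peer_name.lower())[:20],` and, after the loop, `if len({p['iface'] for p in peers.values()}) != len(peers): raise ValueError(f'{node.name}: wireguard iface names collide')`. The restricted character set is also what makes `iface` safe to embed in the nft rule strings in `snat` and in the sudo command line in `icinga2`, so it should not be widened when touching this.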