bundles/wireguard: use one wireguard connection per peer instead of one for all

2021-09-29 19:27:13 +02:00 · 2021-09-29 19:27:13 +02:00 · 902840ee7f
commit 902840ee7f
parent 8110ec508e
5 changed files with 110 additions and 94 deletions
--- a/bundles/wireguard/items.py
+++ b/bundles/wireguard/items.py
@ -2,14 +2,24 @@ from ipaddress import ip_network

 repo.libs.tools.require_bundle(node, 'systemd-networkd')

-network = ip_network(node.metadata['wireguard']['my_ip'], strict=False)
-
 files = {
-    '/etc/systemd/network/wg0.netdev': {
+    '/usr/local/share/icinga/plugins/check_wireguard_connected': {
+        'mode': '0755',
+    },
+}
+
+for number, (peer, config) in enumerate(sorted(node.metadata.get('wireguard/peers', {}).items())):
+    files[f'/etc/systemd/network/wg{number}.netdev'] = {
        'content_type': 'mako',
+        'source': 'wg.netdev',
        'context': {
-            'network': f'{network.network_address}/{network.prefixlen}',
-            **node.metadata['wireguard'],
+            'endpoint': config.get('endpoint'),
+            'number': number,
+            'peer': peer,
+            'port': config['my_port'],
+            'privatekey': node.metadata.get('wireguard/privatekey'),
+            'psk': config['psk'],
+            'pubkey': config['pubkey'],
        },
        'needs': {
            'pkg_apt:wireguard',
@ -17,15 +27,4 @@ files = {
        'triggers': {
            'svc_systemd:systemd-networkd:restart',
        },
-    },
-    '/usr/local/share/icinga/plugins/check_wireguard_connected': {
-        'mode': '0755',
-    },
-}
-
-if node.has_bundle('pppd'):
-    files['/etc/ppp/ip-up.d/reconnect-wireguard'] = {
-        'source': 'pppd-ip-up',
-        'content_type': 'mako',
-        'mode': '0755',
    }