# Default metadata contributed by the wireguard bundle: package and repo
# setup, the monitoring check, firewall rules and this node's private key.
defaults = {
    'apt': {
        'packages': {
            'wireguard': {},
        },
        'repos': {
            'backports': {
                # No extra key is installed for this repo: backports is
                # signed with the default Debian signing key.
                'install_gpg_key': False,
                'items': [
                    # Plain-http mirror URL, so integrity rests on apt's
                    # signature verification of the repository metadata,
                    # not on the transport.
                    'deb http://deb.debian.org/debian {os_release}-backports main',
                ],
            },
        },
    },
    'icinga2_api': {
        'wireguard': {
            'services': {
                'WIREGUARD CONNECTED': {
                    # The plugin is run through sudo on the monitored host.
                    # NOTE(review): this needs a sudoers entry that is not
                    # visible here; confirm it is limited to exactly this
                    # plugin path and that the plugin is not writable by the
                    # monitoring user.
                    'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected',
                },
            },
        },
    },
    'iptables': {
        'bundle_rules': {
            # NOTE(review): 'iptables_both' presumably emits each rule for
            # IPv4 and IPv6; confirm against the iptables bundle.
            'wireguard': [
                # Accepts UDP 51820 from any source address. This is the same
                # port get_my_wireguard_peers hard-codes into peer endpoints.
                'iptables_both -A INPUT -p udp --dport 51820 -j ACCEPT',
                # Forwards everything that arrives on wg0, with no
                # restriction on destination or outgoing interface: every
                # authenticated peer can reach whatever this host routes to.
                # Narrow this rule on nodes that are not meant to act as a
                # general gateway for the tunnel.
                'iptables_both -A FORWARD -i wg0 -j ACCEPT',
            ],
        },
    },
    'wireguard': {
        # The private key is kept in node metadata under
        # 'wireguard/privatekey'. get_my_wireguard_peers reads this value
        # from other nodes' metadata to derive their public keys, so the key
        # is visible to anything that can evaluate or dump repo metadata.
        # NOTE(review): gen_privkey presumably derives the key from a repo
        # secret and the identifier string; confirm in the keys lib.
        'privatekey': repo.libs.keys.gen_privkey(repo, f'{node.name} wireguard privatekey'),
    },
}


@metadata_reactor
def get_wireguard_network_from_server(metadata):
    """Take over 'wireguard/network' from a node that lists this node as a peer.

    Every repo node carrying the wireguard bundle is inspected. The first
    one (in ``repo.nodes`` iteration order) whose 'wireguard/peers' contains
    this node's name and whose 'wireguard/network' is truthy supplies the
    value. If no node qualifies, an empty dict is returned and no metadata
    is contributed.
    """
    # FIXME This will break if more than one node sets 'wireguard/network'
    for candidate in repo.nodes:
        lists_this_node = (
            candidate.has_bundle('wireguard')
            and node.name in candidate.metadata.get('wireguard/peers', {}).keys()
        )
        if not lists_this_node:
            continue

        net = candidate.metadata.get('wireguard/network', None)
        if not net:
            # This node is listed as a peer but no network is defined there.
            continue

        return {'wireguard': {'network': net}}

    return {}


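@metadata_reactor
def get_my_wireguard_peers(metadata):
    """Build this node's 'wireguard/peers' from nodes that list it as a peer.

    For every repo node with the wireguard bundle whose 'wireguard/peers'
    contains this node's name, an entry keyed by that node's name is
    produced with:

    * ``pubkey``: derived from the remote node's 'wireguard/privatekey'
      metadata via ``repo.libs.keys.get_pubkey_from_privkey``.
    * ``psk``: the remote node's 'wireguard/psk', falling back to this
      node's own 'wireguard/psk', else ``None``.
    * ``endpoint``: ``<remote hostname>:51820``, omitted when the remote
      node sets ``do_not_initiate_a_connection_from_your_side`` for this
      node.
    * ``ips``: the remote node's 'wireguard/subnets' plus its
      'wireguard/my_ip' when that is set.

    Returns a metadata dict of the form ``{'wireguard': {'peers': {...}}}``.
    """
    peers = {}

    for rnode in repo.nodes:
        if not rnode.has_bundle('wireguard'):
            continue

        if node.name not in rnode.metadata.get('wireguard/peers', {}).keys():
            continue

        peer = {
            # The public key is computed from the peer's private key as it
            # is stored in repo metadata; the private key never needs to
            # leave the repo for this, but it has to be readable here.
            'pubkey': repo.libs.keys.get_pubkey_from_privkey(repo, f'{node.name} wireguard {rnode.name}', rnode.metadata.get('wireguard/privatekey')),
            # NOTE(review): a psk of None presumably means the tunnel is
            # configured without a preshared key; confirm in the template.
            'psk': rnode.metadata.get('wireguard/psk', metadata.get('wireguard/psk', None)),
        }

        if not rnode.metadata.get(f'wireguard/peers/{node.name}/do_not_initiate_a_connection_from_your_side', False):
            # Port must match the INPUT rule in the bundle's iptables defaults.
            peer['endpoint'] = f'{rnode.hostname}:51820'

        # Copy before adding the peer's own address: the value comes from
        # the remote node's metadata, and mutating it in place could leak
        # 'my_ip' into that node's 'wireguard/subnets'.
        allowed_ips = set(rnode.metadata.get('wireguard/subnets', set()))

        your_ip = rnode.metadata.get('wireguard/my_ip', None)
        if your_ip:
            allowed_ips.add(your_ip)

        peer['ips'] = allowed_ips
        peers[rnode.name] = peer

    return {
        'wireguard': {
            'peers': peers,
        },
    }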