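# Bundle metadata for the 'wireguard' bundle: default packages, firewall
# rules, monitoring, this node's private key, and two reactors that derive
# the tunnel network and the peer list from the other nodes in the repo.

# Single place for the listening port; the firewall rule below and the peer
# endpoints built by get_my_wireguard_peers() must agree on it.
WIREGUARD_PORT = 51820

defaults = {
    'apt': {
        'packages': {
            'wireguard': {},
        },
        'repos': {
            'backports': {
                'install_gpg_key': False,  # default debian signing key
                'items': [
                    'deb http://deb.debian.org/debian {os_release}-backports main',
                ],
            },
        },
    },
    'icinga2_api': {
        'wireguard': {
            'services': {
                'WIREGUARD CONNECTED': {
                    'command_on_monitored_host': 'sudo /usr/local/share/icinga/plugins/check_wireguard_connected',
                },
            },
        },
    },
    'iptables': {
        'bundle_rules': {
            'wireguard': [
                f'iptables_both -A INPUT -p udp --dport {WIREGUARD_PORT} -j ACCEPT',
                # NOTE(review): accepts any forwarded traffic arriving on wg0;
                # restrict per-peer if the tunnel should not act as a full router.
                'iptables_both -A FORWARD -i wg0 -j ACCEPT',
            ],
        },
    },
    'wireguard': {
        # Key is generated (or looked up) by the repo's key library, keyed on
        # this node's name so it stays stable across runs.
        'privatekey': repo.libs.keys.gen_privkey(repo, f'{node.name} wireguard privatekey'),
    },
}


@metadata_reactor
def get_wireguard_network_from_server(metadata):
    """Copy 'wireguard/network' from the first node that lists us as a peer.

    Returns ``{'wireguard': {'network': ...}}`` or ``{}`` when no such node
    sets a network.
    """
    # FIXME This will break if more than one node sets 'wireguard/network'
    # (the first match in repo.nodes iteration order wins silently).
    for rnode in repo.nodes:
        if not rnode.has_bundle('wireguard'):
            continue
        if node.name not in rnode.metadata.get('wireguard/peers', {}):
            continue
        network = rnode.metadata.get('wireguard/network', None)
        if network:
            return {
                'wireguard': {
                    'network': network,
                },
            }
    return {}


@metadata_reactor
def get_my_wireguard_peers(metadata):
    """Build this node's peer table from every node that lists us in its peers.

    For each such node the entry carries the peer's public key, a PSK (the
    peer's own 'wireguard/psk', falling back to ours), an 'endpoint' unless
    the peer asked us not to initiate, and the set of IPs routed to it.
    """
    peers = {}
    for rnode in repo.nodes:
        if not rnode.has_bundle('wireguard'):
            continue
        if node.name not in rnode.metadata.get('wireguard/peers', {}):
            continue

        peer = {
            'pubkey': repo.libs.keys.get_pubkey_from_privkey(
                repo,
                f'{node.name} wireguard {rnode.name}',
                rnode.metadata.get('wireguard/privatekey'),
            ),
            'psk': rnode.metadata.get('wireguard/psk', metadata.get('wireguard/psk', None)),
        }

        # The peer may be unreachable from our side (e.g. behind NAT); then we
        # publish no endpoint and wait for it to connect to us.
        if not rnode.metadata.get(
            f'wireguard/peers/{node.name}/do_not_initiate_a_connection_from_your_side',
            False,
        ):
            peer['endpoint'] = f'{rnode.hostname}:{WIREGUARD_PORT}'

        # Copy before mutating: the value returned by metadata.get() may be the
        # other node's own set, and .add() on it would alter shared metadata.
        ips = set(rnode.metadata.get('wireguard/subnets', set()))
        your_ip = rnode.metadata.get('wireguard/my_ip', None)
        if your_ip:
            ips.add(your_ip)
        peer['ips'] = ips

        peers[rnode.name] = peer

    return {
        'wireguard': {
            'peers': peers,
        },
    }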