bundlewrap/bundles/wireguard/metadata.py

defaults = {
    'apt': {
        'packages': {
            'wireguard': {},
        },
        'repos': {
            'backports': {
                'install_gpg_key': False, # default debian signing key
                'items': [
                    'deb http://deb.debian.org/debian {os_release}-backports main',
                ],
            },
        },
    },
    'iptables': {
        'bundle_rules': {
            'wireguard': [
                'iptables_both -A INPUT -p udp --dport 51820 -j ACCEPT',
                'iptables_both -A FORWARD -i wg0 -j ACCEPT',
                'iptables_both -A FORWARD -o wg0 -j ACCEPT',
            ],
        },
    },
    'wireguard': {
        'privatekey': repo.libs.keys.gen_privkey(repo, f'{node.name} wireguard privatekey'),
    },
}


@metadata_reactor.provides(
    'wireguard/network',
)
def get_wireguard_network_from_server(metadata):
    # FIXME This will break if more than one node sets 'wireguard/network'
    for rnode in repo.nodes:
        if not rnode.has_bundle('wireguard'):
            continue

        if node.name in rnode.metadata.get('wireguard/peers', {}).keys():
            network = rnode.metadata.get('wireguard/network', None)

            if network:
                return {
                    'wireguard': {
                        'network': network,
                    },
                }

    return {}


@metadata_reactor.provides(
    'wireguard/peers',
)
def get_my_wireguard_peers(metadata):
    peers = {}

    for rnode in repo.nodes:
        if not rnode.has_bundle('wireguard'):
            continue

        if node.name in rnode.metadata.get('wireguard/peers', {}).keys():
            peers[rnode.name] = {
                'pubkey': repo.libs.keys.get_pubkey_from_privkey(repo, f'{node.name} wireguard {rnode.name}', rnode.metadata.get('wireguard/privatekey')),
                'psk': rnode.metadata.get('wireguard/psk', metadata.get('wireguard/psk', None)),
            }

            if not rnode.metadata.get(f'wireguard/peers/{node.name}/do_not_initiate_a_connection_from_your_side', False):
                peers[rnode.name]['endpoint'] = f'{rnode.hostname}:51820'

            peers[rnode.name]['ips'] = rnode.metadata.get('wireguard/subnets', set())

            your_ip = rnode.metadata.get('wireguard/my_ip', None)
            if your_ip:
                peers[rnode.name]['ips'].add(your_ip)

    return {
        'wireguard': {
            'peers': peers,
        },
    }


@metadata_reactor.provides(
    'icinga2_api/wireguard/services',
)
def icinga2(metadata):
    services = {}

    for peer, config in metadata.get('wireguard/peers', {}).items():
        if config.get('exclude_from_monitoring', False):
            continue

        services[f'WIREGUARD CONNECTION {peer}'] = {
            'command_on_monitored_host': config['pubkey'].format_into('sudo /usr/local/share/icinga/plugins/check_wireguard_connected wg0 {}'),
        }

    return {
        'icinga2_api': {
            'wireguard': {
                'services': services,
            },
        },
    }