bundlewrap/bundles/wireguard/items.py


from ipaddress import ip_network
# The .netdev units generated below are consumed by systemd-networkd, so that
# bundle has to be present on the node.
repo.libs.tools.require_bundle(node, 'systemd-networkd')

# Monitoring plugin reporting the WireGuard link state.
files = {
    '/usr/local/share/icinga/plugins/check_wireguard_connected': {
        'mode': '0755',
    },
}

# The package dependency only exists on apt-based nodes. A single set object
# is shared as the 'needs' of every .netdev item.
deps = {'pkg_apt:wireguard'} if node.has_bundle('apt') else set()

# Peers are processed in sorted order so the wgN numbering is stable between
# runs as long as the peer set does not change.
peers = sorted(node.metadata.get('wireguard/peers', {}).items())

health_checks = {}
for idx, (name, cfg) in enumerate(peers):
    template_context = {
        'endpoint': cfg.get('endpoint'),
        'number': idx,
        'peer': name,
        'port': cfg['my_port'],
        'privatekey': node.metadata.get('wireguard/privatekey'),
        'psk': cfg['psk'],
        'pubkey': cfg['pubkey'],
    }
    # The rendered .netdev carries the node's private key and the peer PSK,
    # hence mode 0600. It is owned by systemd-network (presumably so the
    # networkd daemon can read it without being root — confirm against the
    # template/service setup).
    files[f'/etc/systemd/network/wg{idx}.netdev'] = {
        'content_type': 'mako',
        'source': 'wg.netdev',
        'owner': 'systemd-network',
        'mode': '0600',
        'context': template_context,
        'needs': deps,
        'triggers': {
            'svc_systemd:systemd-networkd:restart',
        },
    }
    # Opting a peer into health checking makes 'their_ip' mandatory; a
    # missing key raises KeyError at this point.
    if cfg.get('health_check', False):
        health_checks[name] = cfg['their_ip']

if health_checks:
    # Health-check script rendered with the peer -> IP mapping, plus a cron
    # entry running it every minute and forwarding its output to syslog.
    files['/usr/local/bin/wg_health_check'] = {
        'content_type': 'mako',
        'context': {
            'peers': health_checks,
        },
        'mode': '0755',
    }
    files['/etc/cron.d/wg_health_check'] = {
        'content': '* * * * * root /usr/local/bin/wg_health_check | logger -t wg_health_check\n',
    }

if node.has_bundle('pppd'):
    # Hook re-establishing the tunnels after a PPP link comes (back) up.
    files['/etc/ppp/ip-up.d/reconnect-wireguard'] = {
        'source': 'pppd-ip-up',
        'content_type': 'mako',
        'mode': '0755',
    }