chore: update scripts

scripts/local/setup-wireguard.sh

@@ -1,9 +1,9 @@
 #!/bin/sh
-# Configure local WireGuard interface to peer with the VMs.  Requires root.
+# Configure local WireGuard interface to peer with the VMs.
 #
 # Expects /etc/wireguard/private.key and /etc/wireguard/public.key to exist.
 # Generate with:
-#   wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+#   sudo sh -c 'wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'
 set -eu
 
 SSH_USER=debian
@@ -15,8 +15,10 @@ WG_IFACE=wg-dev
 LOCAL_WG_IP=10.0.0.3/24
 WG_PORT=51820
 
-# Get the VM public keys
+# Get the VM public keys (runs as calling user, not root)
+# shellcheck disable=SC2086
 PROXY_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${PROXY_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null)
+# shellcheck disable=SC2086
 IDP_PUBKEY=$(ssh $SSH_OPTS "${SSH_USER}@${IDP_HOST}" 'sudo cat /etc/wireguard/public.key' 2>/dev/null)
 
 if [ -z "$PROXY_PUBKEY" ] || [ -z "$IDP_PUBKEY" ]; then
@@ -25,10 +27,10 @@ if [ -z "$PROXY_PUBKEY" ] || [ -z "$IDP_PUBKEY" ]; then
     exit 1
 fi
 
-cat > /etc/wireguard/${WG_IFACE}.conf <<EOF
+sudo tee /etc/wireguard/${WG_IFACE}.conf > /dev/null <<EOF
 [Interface]
 Address = ${LOCAL_WG_IP}
-PrivateKey = $(cat /etc/wireguard/private.key)
+PrivateKey = $(sudo cat /etc/wireguard/private.key)
 
 [Peer]
 # vm-proxy
@@ -43,7 +45,7 @@ Endpoint = ${IDP_HOST}:${WG_PORT}
 AllowedIPs = 10.0.0.2/32
 EOF
 
-wg-quick down ${WG_IFACE} 2>/dev/null || true
-wg-quick up ${WG_IFACE}
+sudo wg-quick down ${WG_IFACE} 2>/dev/null || true
+sudo wg-quick up ${WG_IFACE}
 
 echo "==> WireGuard ${WG_IFACE} up (${LOCAL_WG_IP})"