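#!/bin/sh
# Configure local WireGuard interface to peer with the VMs.
#
# Expects /etc/wireguard/private.key and /etc/wireguard/public.key to exist.
# Generate with (the umask keeps the private key from being world-readable):
#   sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key'
#
# Security notes:
#   * The peer public keys are fetched over SSH with host-key checking turned
#     off (SSH_OPTS below), so this script trusts whatever answers at
#     PROXY_HOST / IDP_HOST. Anyone who can answer for those addresses on the
#     dev network could hand us their own key and become a "peer". That is a
#     deliberate trade-off for a throwaway dev network; do not reuse the
#     pattern elsewhere.
#   * The generated config contains the local private key, so it is created
#     with mode 0600 before any content is written into it.
#   * Fetched keys are format-checked before being written into the root-owned
#     config so an unexpected response cannot inject extra [Peer]/[Interface]
#     lines (a WireGuard key is 32 bytes base64 = 43 chars followed by "=").
set -eu

SSH_USER=debian
# Host-key checking is intentionally disabled: the dev VMs are re-imaged often
# and their host keys change. See the security note in the header.
SSH_OPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR"
PROXY_HOST=10.10.0.2
IDP_HOST=10.10.0.3

WG_IFACE=wg-dev
LOCAL_WG_IP=10.0.0.3/24
WG_PORT=51820

WG_DIR=/etc/wireguard
WG_CONF="${WG_DIR}/${WG_IFACE}.conf"

# is_wg_key KEY
# Succeeds if KEY has the shape of a WireGuard key: 43 base64 characters plus
# one "=" (the base64 form of 32 bytes). Format check only -- it does not prove
# the key belongs to the host it came from.
is_wg_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# fetch_pubkey HOST
# Prints HOST's WireGuard public key on stdout, or nothing if ssh fails.
# Runs ssh as the calling user (not root); sudo happens on the remote side.
# The ssh failure is swallowed on purpose: under `set -e` a failing command
# substitution would otherwise abort the script before the caller gets to
# print its "has the role been deployed?" hint.
fetch_pubkey() {
  # shellcheck disable=SC2086
  ssh $SSH_OPTS "${SSH_USER}@$1" 'sudo cat /etc/wireguard/public.key' 2>/dev/null || true
}

PROXY_PUBKEY=$(fetch_pubkey "${PROXY_HOST}")
IDP_PUBKEY=$(fetch_pubkey "${IDP_HOST}")

if [ -z "${PROXY_PUBKEY}" ] || [ -z "${IDP_PUBKEY}" ]; then
  echo "Failed to retrieve VM WireGuard public keys." >&2
  echo "Has the wireguard role been deployed?" >&2
  exit 1
fi

# Refuse anything that is not a bare key: the values are interpolated into a
# root-owned config file, and a stray newline would add lines to it.
for key in "${PROXY_PUBKEY}" "${IDP_PUBKEY}"; do
  if ! is_wg_key "${key}"; then
    echo "Got something that is not a WireGuard public key from a VM; refusing to write ${WG_CONF}." >&2
    exit 1
  fi
done

# Read the local private key up front so a missing or garbled key fails here
# with a clear message instead of yielding a config with an empty PrivateKey
# (a command substitution inside the heredoc would not trip `set -e`).
LOCAL_PRIVKEY=$(sudo cat "${WG_DIR}/private.key") || LOCAL_PRIVKEY=""
if ! is_wg_key "${LOCAL_PRIVKEY}"; then
  echo "${WG_DIR}/private.key is missing or not a WireGuard key; see the header of this script for how to generate it." >&2
  exit 1
fi

# Create (or truncate) the config with mode 0600 *before* the private key is
# written into it; `sudo tee` on its own would create it with the default
# umask (typically 0644) and leave it that way.
sudo install -m 0600 /dev/null "${WG_CONF}"
sudo tee "${WG_CONF}" > /dev/null <<EOF
[Interface]
Address = ${LOCAL_WG_IP}
PrivateKey = ${LOCAL_PRIVKEY}

[Peer]
# vm-proxy
PublicKey = ${PROXY_PUBKEY}
Endpoint = ${PROXY_HOST}:${WG_PORT}
AllowedIPs = 10.0.0.1/32

[Peer]
# vm-idp
PublicKey = ${IDP_PUBKEY}
Endpoint = ${IDP_HOST}:${WG_PORT}
AllowedIPs = 10.0.0.2/32
EOF

# Tear down any previous instance so the freshly written config takes effect.
sudo wg-quick down "${WG_IFACE}" 2>/dev/null || true
sudo wg-quick up "${WG_IFACE}"

echo "==> WireGuard ${WG_IFACE} up (${LOCAL_WG_IP})"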