diff --git a/linux/ssh/ssh-persist.sh b/linux/ssh/ssh-persist.sh
new file mode 100644
index 0000000..92856a5
--- /dev/null
+++ b/linux/ssh/ssh-persist.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+# this file is meant to be sourced, not executed directly
+
+# if destination argument is not provided, fail
+if [[ $# -lt 1 ]]; then
+ echo "$(basename $BASH_SOURCE): error: no destination provided!" >&2
+ return 1
+elif [[ $# -gt 1 ]]; then
+ echo "$(basename $BASH_SOURCE): error: too many arguments!" >&2
+ return 1
+fi
+
+# provide sshp command for executing commands on remote computer
+sshp() {
+ echo "$@" >&$_sshp_in
+ echo "echo EOF" >&$_sshp_in
+ sed '/EOF/Q' <$_sshp_out
+}
+
+# assign dest to variable
+_sshp_dest=$1
+# create temporary directory
+_sshp_tmpdir=$(mktemp -d)
+mkfifo $tempdir/in $tempdir/out
+_sshp_out=$_sshp_tmpdir/out
+# assign input to a file descriptor so it doesn't get closed
+exec {_sshp_in}<>$tempdir/in
+# trap exit to do cleanup
+trap "{ exec {_sshp_in}>&-; ssh -O exit -S $_sshp_tmpdir/ssh $_sshp_dest &>/dev/null; rm -rf $tempdir; }" EXIT
+# login with master so ssh can ask password if necessary
+ssh -M -Nf -S $tempdir/ssh $_sshp_dest
+# login with redirection for the persistent connection
+ssh -S $tempdir/ssh medusa 0<&$_sshp_in 1>$_sshp_out 2>$_sshp_out &
+# clear output
+sshp true &> /dev/null
+# ask for password and run sudo so password can be cached
+(printf "[sudo] password for $(remote echo \$USER)@$(remote hostname): "
+ read -s password; printf '\n'
+ echo "sudo -S true" >&3
+ echo $password >&3)
+# clear output
+sshp true &> /dev/null
diff --git a/linux/wireguard/install.sh b/linux/wireguard/install.sh
new file mode 100755
index 0000000..6997996
--- /dev/null
+++ b/linux/wireguard/install.sh 
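Review bot: `$tempdir` is never assigned anywhere in this file (the directory is stored in `_sshp_tmpdir`), so `mkfifo`, the `exec {_sshp_in}<>` redirection, both `ssh -S` control-socket paths and the cleanup `rm -rf $tempdir` all see an empty value: a sourcing script with `set -u` aborts at `mkfifo`, and without it the fifos are created as `/in` and `/out` and the cleanup runs with no path guard. The same block hardcodes `medusa` where `$_sshp_dest` is meant, calls an undefined `remote` where the defined helper is `sshp`, and writes `sudo -S true` and the password to fd 3, which is never opened — the connection's stdin is `$_sshp_in`. The password should also be read with `read -rs` and sent with `printf '%s\n' "$password"` rather than an unquoted `echo`, so it reaches sudo verbatim. The rewritten lines follow; the fifo/EOF protocol itself is left as is, though any remote output line containing `EOF` will truncate an `sshp` result.
```shell
_sshp_tmpdir=$(mktemp -d)
mkfifo "${_sshp_tmpdir:?}/in" "${_sshp_tmpdir:?}/out"
_sshp_out=$_sshp_tmpdir/out
# … unchanged: comment …
exec {_sshp_in}<>"$_sshp_tmpdir/in"
# … unchanged: comment …
trap '{ exec {_sshp_in}>&-; ssh -O exit -S "$_sshp_tmpdir/ssh" "$_sshp_dest" &>/dev/null; rm -rf -- "${_sshp_tmpdir:?}"; }' EXIT
# … unchanged: comment …
ssh -M -Nf -S "$_sshp_tmpdir/ssh" "$_sshp_dest"
# … unchanged: comment …
ssh -S "$_sshp_tmpdir/ssh" "$_sshp_dest" 0<&$_sshp_in 1>"$_sshp_out" 2>"$_sshp_out" &
# … unchanged: first output flush and its comment …
(printf '[sudo] password for %s@%s: ' "$(sshp echo '$USER')" "$(sshp hostname)"
 read -rs password; printf '\n'
 echo "sudo -S true" >&$_sshp_in
 printf '%s\n' "$password" >&$_sshp_in)
```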
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ $# -lt 1 || $# -gt 2 ]]; then
+ echo "Usage: $(basename $0) IP [Port]"
+ exit 1
+fi
+wireguard_ip="$1"
+if [[ -z $2 ]]; then
+ wireguard_port=9271
+else
+ wireguard_port="$2"
+fi
+
+sudo apt install -y wireguard
+
+cd /etc/wireguard/
+(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee wg0.conf > /dev/null)
+wg genkey | sudo tee -a wg0.conf | wg pubkey | sudo tee wg0.pubkey > /dev/null
+echo "ListenPort = ${wireguard_port:?}
+SaveConfig = true
+Address = ${wireguard_ip:?}/24" | sudo tee -a wg0.conf > /dev/null
+
+sudo systemctl start wg-quick@wg0
+#sudo systemctl enable wg-quick@wg0
+wg
diff --git a/linux/wireguard/wg-addpeer b/linux/wireguard/wg-addpeer
new file mode 100755
index 0000000..015f014
--- /dev/null
+++ b/linux/wireguard/wg-addpeer 
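Review bot: `if [[ -z $2 ]]` fails with an unbound-variable error under the `set -euo pipefail` on the second line whenever only the IP is given, so the default-port branch can never be reached; the whole if/else collapses to `wireguard_port="${2:-9271}"`. The usage message on the `echo "Usage: …"` line should go to stderr (`>&2`) and `$(basename "$0")` wants quoting. `wireguard_ip` is interpolated into `wg0.conf` unchecked; a guard such as `[[ "$wireguard_ip" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || exit 1` before the config is written stops a typo from producing an interface that fails to come up after the private key has already been generated into the file.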
@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+# hardcoded constants
+wg_domain="wg.alemor.org"
+wg_dev="wg0"
+
+# check for arguments
+if [[ $# -lt 1 || $# -gt 1 ]]; then
+ echo "Usage: $(basename $0) ssh_destination"
+ exit 1
+fi
+dest="$1"
+
+. ../ssh/ssh-persist $dest
+
+# gather host info
+host_name=$(hostname)
+host_fqdn=$(hostname --fqdn)
+host_wgip=$(ip -4 addr show $wg_dev | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+host_port=$(sudo wg show $wg_dev listen-port)
+host_key=$(sudo wg show $wg_dev public-key)
+
+# gather dest info
+sudo -v -p '[sudo] password for %u@%h'
+dest_name=$(sshp hostname)
+dest_fqdn=$(sshp hostname --fqdn)
+dest_wgip=$(sshp ip -4 addr show $wg_dev | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+dest_port=$(sshp sudo wg show $wg_dev listen-port)
+dest_key=$(sshp sudo wg show $wg_dev public-key)
+
+# add peer on host
+sudo wg set $wg_dev peer "${dest_key}" endpoint $dest_fqdn:$dest_port allowed-ips $dest_wgip/32
+echo -e "$dest_wgip\t$dest_name.$wg_domain" | sudo tee -a /etc/hosts >/dev/null
+
+# add peer on dest
+sshp sudo wg set $wg_dev peer "'${host_key}'" endpoint $host_fqdn:$host_port allowed-ips $host_wgip/32
+sshp echo -e "$host_wgip\t$host_name.$wg_domain" | sudo tee -a /etc/hosts >/dev/null
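Review bot: The last line's `| sudo tee -a /etc/hosts` runs on the local machine: `sshp` only sends `echo -e …` to the peer and returns its stdout, so the peer's `/etc/hosts` is never touched and the host's own entry is appended to the local file instead; the whole pipeline has to reach the remote shell as one argument, e.g. `sshp "printf '%s\t%s\n' '$host_wgip' '$host_name.$wg_domain' | sudo tee -a /etc/hosts >/dev/null"`. `. ../ssh/ssh-persist $dest` resolves against the caller's working directory, and the file this commit adds is `linux/ssh/ssh-persist.sh`, so under `set -e` the script appears to stop at that line; `. "$(dirname "$0")/../ssh/ssh-persist.sh" "$dest"` locates it from the script's own path. `dest_fqdn`, `dest_wgip` and `dest_name` are output of the remote host and are spliced unquoted into `wg set` and, as root, into the local `/etc/hosts`; quote them and check `dest_name` against the hostname alphabet (e.g. `[[ "$dest_name" =~ ^[A-Za-z0-9.-]+$ ]] || exit 1`) before they reach those commands.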