automated wireguard install and add peer

linux/ssh/ssh-persist.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# this file is meant to be sourced, not executed directly
+
+# if destination argument is not provided, fail
+if [[ $# -lt 1 ]]; then
+    echo "$(basename $BASH_SOURCE): error: no destination provided!" >&2
+    return 1
+elif [[ $# -gt 1 ]]; then
+    echo "$(basename $BASH_SOURCE): error: too many arguments!" >&2
+    return 1
+fi
+
+# provide sshp command for executing commands on remote computer
+sshp() {
+    echo "$@" >&$_sshp_in
+    echo "echo EOF" >&$_sshp_in
+    sed '/EOF/Q' <$_sshp_out
+}
+
+# assign dest to variable
+_sshp_dest=$1
+# create temporary directory
+_sshp_tmpdir=$(mktemp -d)
+mkfifo $tempdir/in $tempdir/out
+_sshp_out=$_sshp_tmpdir/out
+# assign input to a file descriptor so it doesn't get closed
+exec {_sshp_in}<>$tempdir/in
+# trap exit to do cleanup
+trap "{ exec {_sshp_in}>&-; ssh -O exit -S $_sshp_tmpdir/ssh $_sshp_dest &>/dev/null; rm -rf $tempdir; }" EXIT
+# login with master so ssh can ask password if necessary
+ssh -M -Nf -S $tempdir/ssh $_sshp_dest
+# login with redirection for the persistent connection
+ssh -S $tempdir/ssh medusa 0<&$_sshp_in 1>$_sshp_out 2>$_sshp_out &
+# clear output 
+sshp true &> /dev/null
+# ask for password and run sudo so password can be cached
+(printf "[sudo] password for $(remote echo \$USER)@$(remote hostname): "
+ read -s password; printf '\n'
+ echo "sudo -S true" >&3
+ echo $password >&3)
+# clear output
+sshp true &> /dev/null

linux/wireguard/install.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ $# -lt 1 || $# -gt 2 ]]; then
+    echo "Usage: $(basename $0) IP [Port]"
+    exit 1
+fi
+wireguard_ip="$1"
+if [[ -z $2 ]]; then
+    wireguard_port=9271
+else
+    wireguard_port="$2"
+fi
+
+sudo apt install -y wireguard
+
+cd /etc/wireguard/
+(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee wg0.conf > /dev/null)
+wg genkey | sudo tee -a wg0.conf | wg pubkey | sudo tee wg0.pubkey > /dev/null
+echo "ListenPort = ${wireguard_port:?}
+SaveConfig = true
+Address = ${wireguard_ip:?}/24" | sudo tee -a wg0.conf > /dev/null
+
+sudo systemctl start wg-quick@wg0
+#sudo systemctl enable wg-quick@wg0
+wg

linux/wireguard/wg-addpeer

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+# hardcoded constants
+wg_domain="wg.alemor.org"
+wg_dev="wg0"
+
+# check for arguments
+if [[ $# -lt 1 || $# -gt 1 ]]; then
+   echo "Usage: $(basename $0) ssh_destination"
+   exit 1
+fi
+dest="$1"
+
+. ../ssh/ssh-persist $dest
+
+# gather host info
+host_name=$(hostname)
+host_fqdn=$(hostname --fqdn)
+host_wgip=$(ip -4 addr show $wg_dev | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+host_port=$(sudo wg show $wg_dev listen-port)
+host_key=$(sudo wg show $wg_dev public-key)
+
+# gather dest info
+sudo -v -p '[sudo] password for %u@%h'
+dest_name=$(sshp hostname)
+dest_fqdn=$(sshp hostname --fqdn)
+dest_wgip=$(sshp ip -4 addr show $wg_dev | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
+dest_port=$(sshp sudo wg show $wg_dev listen-port)
+dest_key=$(sshp sudo wg show $wg_dev public-key)
+
+# add peer on host
+sudo wg set $wg_dev peer "${dest_key}" endpoint $dest_fqdn:$dest_port allowed-ips $dest_wgip/32
+echo -e "$dest_wgip\t$dest_name.$wg_domain" | sudo tee -a /etc/hosts >/dev/null
+
+# add peer on dest
+sshp sudo wg set $wg_dev peer "'${host_key}'" endpoint $host_fqdn:$host_port allowed-ips $host_wgip/32
+sshp echo -e "$host_wgip\t$host_name.$wg_domain" | sudo tee -a /etc/hosts >/dev/null