refactor(wireguard): use raw static config

khuedoan · khuedoan · commit de1f7176dd94 · 2024-11-25T01:26:13.000+07:00
I want to set up a mesh with multiple sites, so I need static peer
configurations instead of those generated by the WireGuard container.
diff --git a/Makefile b/Makefile
@@ -29,12 +29,10 @@ post-install:
 # TODO maybe there's a better way to manage backup with GitOps?
 backup:
 	./scripts/backup --action setup --namespace=actualbudget --pvc=actualbudget-data
-	./scripts/backup --action setup --namespace=wireguard --pvc=wireguard-data
 	./scripts/backup --action setup --namespace=jellyfin --pvc=jellyfin-data
 
 restore:
 	./scripts/backup --action restore --namespace=actualbudget --pvc=actualbudget-data
-	./scripts/backup --action restore --namespace=wireguard --pvc=wireguard-data
 	./scripts/backup --action restore --namespace=jellyfin --pvc=jellyfin-data
 
 test:
diff --git a/apps/wireguard/Chart.yaml b/apps/wireguard/Chart.yaml
@@ -3,5 +3,5 @@ name: wireguard
 version: 0.0.0
 dependencies:
   - name: app-template
-    version: 3.1.0
+    version: 3.5.0
     repository: https://bjw-s.github.io/helm-charts
diff --git a/apps/wireguard/values.yaml b/apps/wireguard/values.yaml
@@ -8,10 +8,7 @@ app-template:
             tag: latest
           env:
             LOG_CONFS: false
-            PEERS: |
-              KDDesktop
-              KDLaptop
-              KDPhone
+            USE_COREDNS: true
           securityContext:
             capabilities:
               add:
@@ -25,8 +22,57 @@ app-template:
           port: 51820
           protocol: UDP
   persistence:
-    data:
-      accessMode: ReadWriteOnce
-      size: 10Mi
+    config:
+      type: secret
+      name: "{{ .Release.Name }}-secret"
       globalMounts:
-        - path: /config
+        - path: /config/wg_confs
+  rawResources:
+    secret:
+      apiVersion: external-secrets.io/v1beta1
+      kind: ExternalSecret
+      spec:
+        spec:
+          secretStoreRef:
+            kind: ClusterSecretStore
+            name: global-secrets
+          data:
+            - secretKey: WIREGUARD_PRIVATE_KEY
+              remoteRef:
+                key: external
+                property: wireguard-private-key
+          target:
+            template:
+              data:
+                wg0.conf: |
+                  [Interface]
+                  Address = 172.16.0.1/32
+                  ListenPort = 51820
+                  PrivateKey = {{ `{{ .WIREGUARD_PRIVATE_KEY }}` }}
+                  PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
+                  PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
+
+                  # Note that WireGuard will ignore a peer whose public key matches
+                  # the interface's private key. So you can distribute a single
+                  # list of peers everywhere.
+                  # https://lists.zx2c4.com/pipermail/wireguard/2018-December/003703.html
+
+                  [Peer]
+                  # homelab
+                  PublicKey = sSAZS1Z3vB7Wx8e2yVqXfeHjgWTa80wnSYoma3mZkiU=
+                  AllowedIPs = 172.16.0.1/32, 192.168.1.224/27
+
+                  [Peer]
+                  # khuedoan-ryzentower
+                  PublicKey = 2poJnXVSbbaqY90B6ruupKEO4OrDFCur2s2pqTk1HWE=
+                  AllowedIPs = 172.16.0.10/32
+
+                  [Peer]
+                  # khuedoan-thinkpadz13
+                  PublicKey = kgQbzrz+/P3Xd+L2hseKDYUjhwgfuQOro6tNz11ePH4=
+                  AllowedIPs = 172.16.0.11/32
+
+                  [Peer]
+                  # khuedoan-phone
+                  PublicKey = nITHFdgTkNZOTWeSWqnGXjgwlCJMKRCnnUsjMx2yp2U=
+                  AllowedIPs = 172.16.0.12/32
diff --git a/external/terraform.tfvars.example b/external/terraform.tfvars.example
@@ -18,6 +18,7 @@ extra_secrets = {
   # ../platform/global-secrets/files/secret-generator/config.yaml
   # Here's some examples of what you might want to add:
   #
+  # wireguard-private-key = "wg genkey output here"
   # tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
   # restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"
   # restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"
diff --git a/flake.nix b/flake.nix
@@ -39,7 +39,9 @@
             opentofu # Drop-in replacement for Terraform
             p7zip
             pre-commit
+            qrencode
             shellcheck
+            wireguard-tools
             yamllint
 
             (python3.withPackages (p: with p; [

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ extra_secrets = {`
`18`	`18`	`# ../platform/global-secrets/files/secret-generator/config.yaml`
`19`	`19`	`# Here's some examples of what you might want to add:`
`20`	`20`	`#`
	`21`	`+ # wireguard-private-key = "wg genkey output here"`
`21`	`22`	`# tailscale-auth-key = "tskey-auth-xxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"`
`22`	`23`	`# restic-password = "xxxxxxxxxxxxxxxxxxxxxxxx"`
`23`	`24`	`# restic-s3-bucket = "https://s3.amazonaws.com/my-homelab-backup-xxxxxxxxxx"`