package cluster import ( "bytes" "errors" "fmt" "os" "darvaza.org/core" "git.jpi.io/amery/jpictl/pkg/rings" "git.jpi.io/amery/jpictl/pkg/wireguard" ) // GetWireguardKeys reads a wgN.key/wgN.pub files func (m *Machine) GetWireguardKeys(ringID rings.RingID) (wireguard.KeyPair, error) { var ( data []byte out wireguard.KeyPair ) ring, err := AsWireguardInterfaceID(ringID) if err != nil { // invalid ring return out, err } keyFile, pubFile, _ := ring.Files() data, err = m.ReadFile(keyFile) if err != nil { // failed to read return out, err } out.PrivateKey, err = wireguard.PrivateKeyFromBase64(string(data)) if err != nil { // bad key err = core.Wrap(err, keyFile) return out, err } data, err = m.ReadFile(pubFile) switch { case os.IsNotExist(err): // no wgN.pub is fine case err != nil: // failed to read return out, err default: // good read out.PublicKey, err = wireguard.PublicKeyFromBase64(string(data)) if err != nil { // bad key err = core.Wrap(err, pubFile) return out, err } } err = out.Validate() return out, err } func (m *Machine) tryReadWireguardKeys(ringID rings.RingID) error { kp, err := m.GetWireguardKeys(ringID) switch { case os.IsNotExist(err): // ignore return nil case err != nil: // something went wrong return err default: // import keys ri := &RingInfo{ Ring: MustWireguardInterfaceID(ringID), Keys: kp, } return m.applyRingInfo(ringID, ri) } } // RemoveWireguardKeys deletes wgN.key and wgN.pub from // the machine's config directory func (m *Machine) RemoveWireguardKeys(ringID rings.RingID) error { ring, err := AsWireguardInterfaceID(ringID) if err != nil { return err } keyFile, pubFile, _ := ring.Files() err = m.RemoveFile(pubFile) switch { case os.IsNotExist(err): // ignore case err != nil: return err } err = m.RemoveFile(keyFile) if os.IsNotExist(err) { // ignore err = nil } return err } // GetWireguardConfig reads a wgN.conf file func (m *Machine) GetWireguardConfig(ringID rings.RingID) (*wireguard.Config, error) { ring, err := AsWireguardInterfaceID(ringID) if err != nil { return nil, err } data, err := m.ReadFile(ring.ConfFile()) if err != nil { return nil, err } r := bytes.NewReader(data) return wireguard.NewConfigFromReader(r) } func (m *Machine) tryApplyWireguardConfig(ring rings.RingID) error { wg, err := m.GetWireguardConfig(ring) switch { case os.IsNotExist(err): return nil case err != nil: return err default: return m.applyWireguardConfig(ring, wg) } } func (m *Machine) applyWireguardConfigNode(ring rings.RingID, wg *wireguard.Config) error { addr := wg.GetAddress() if !core.IsZero(addr) { regionID, zoneID, nodeID, ok := Rings[ring].Decode(addr) if !ok { return fmt.Errorf("%s: invalid address", addr) } if err := m.applyZoneNodeID(regionID, zoneID, nodeID); err != nil { return core.Wrap(err, "%s: invalid address", addr) } } if err := m.applyWireguardInterfaceConfig(ring, wg.Interface); err != nil { return core.Wrap(err, "interface") } return nil } func (m *Machine) applyWireguardConfig(ring rings.RingID, wg *wireguard.Config) error { if err := m.applyWireguardConfigNode(ring, wg); err != nil { return err } for _, peer := range wg.Peer { err := m.applyWireguardPeerConfig(ring, peer) switch { case errors.Is(err, ErrUnknownNode): // ignore unknown peers m.warn(nil). WithField("subsystem", "wireguard"). WithField("node", m.Name). WithField("peer", peer.Endpoint.Host). WithField("ring", MustWireguardInterfaceID(ring)). Print("ignoring unknown endpoint") case err != nil: return core.Wrap(err, "peer") } } return nil } func (m *Machine) getRingInfo(ring rings.RingID) (*RingInfo, bool) { for _, ri := range m.Rings { if ri.RingID() == ring { return ri, ri.Enabled } } return nil, false } func (m *Machine) applyRingInfo(ring rings.RingID, new *RingInfo) error { cur, _ := m.getRingInfo(ring) if cur == nil { // first, append m.debug(). WithField("node", m.Name). WithField("ring", MustWireguardInterfaceID(ring)). Print("found") m.Rings = append(m.Rings, new) return nil } // extra, merge return cur.Merge(new) } func (m *Machine) applyWireguardInterfaceConfig(ring rings.RingID, data wireguard.InterfaceConfig) error { // ri := &RingInfo{ Ring: MustWireguardInterfaceID(ring), Enabled: true, Keys: wireguard.KeyPair{ PrivateKey: data.PrivateKey, }, } return m.applyRingInfo(ring, ri) } func (m *Machine) applyWireguardPeerConfig(ring rings.RingID, pc wireguard.PeerConfig) error { // peer, found := m.getPeerByName(pc.Endpoint.Name()) switch { case !found: // unknown return core.Wrap(ErrUnknownNode, pc.Endpoint.Host) case ring == 1 && m.zone != peer.zone: // invalid zone return core.Wrap(ErrInvalidNode, peer.Name) default: // apply RingInfo ri := &RingInfo{ Ring: MustWireguardInterfaceID(ring), Enabled: true, Keys: wireguard.KeyPair{ PublicKey: pc.PublicKey, }, } return peer.applyRingInfo(ring, ri) } } func (m *Machine) applyZoneNodeID(regionID rings.RegionID, zoneID rings.ZoneID, nodeID rings.NodeID) error { // switch { case !regionID.Valid(): return fmt.Errorf("invalid %s", "regionID") case !zoneID.Valid(): return fmt.Errorf("invalid %s", "zoneID") case !nodeID.Valid(): return fmt.Errorf("invalid %s", "nodeID") case m.ID != nodeID: return fmt.Errorf("invalid %s: %v ≠ %v", "nodeID", m.ID, nodeID) case m.zone.ID != 0 && m.zone.ID != zoneID: return fmt.Errorf("invalid %s: %v ≠ %v", "zoneID", m.zone.ID, zoneID) case m.Region() != regionID: return fmt.Errorf("invalid %s: %v ≠ %v", "regionID", m.Region(), regionID) default: if m.zone.ID == 0 { m.zone.ID = zoneID } return nil } } func (m *Machine) setRingDefaults(ri *RingInfo) error { if ri.Keys.PrivateKey.IsZero() { m.info(). WithField("subsystem", "wireguard"). WithField("node", m.Name). WithField("ring", ri.Ring). Print("generating key pair") kp, err := wireguard.NewKeyPair() if err != nil { return err } ri.Keys = kp } return nil } // RemoveWireguardConfig deletes wgN.conf from the machine's // config directory. func (m *Machine) RemoveWireguardConfig(ringID rings.RingID) error { ring, err := AsWireguardInterfaceID(ringID) if err != nil { return err } err = m.RemoveFile(ring.ConfFile()) if os.IsNotExist(err) { err = nil } return err } func (m *Machine) createRingInfo(ringID rings.RingID, enabled bool) (*RingInfo, error) { ring, err := AsWireguardInterfaceID(ringID) if err != nil { return nil, err } keys, err := wireguard.NewKeyPair() if err != nil { return nil, err } ri := &RingInfo{ Ring: ring, Enabled: enabled, Keys: keys, } err = m.applyRingInfo(ringID, ri) if err != nil { return nil, err } return ri, nil }