#!/bin/bash set -e export FORMAT=YAML echo GETTING UUIDs cali_bastion_uuid=$(grep uuid tmp/cali-bastion-install.yaml) cali_bastion_uuid=${cali_bastion_uuid#uuid: } vanc_bastion_uuid=$(grep uuid tmp/vanc-bastion-install.yaml) vanc_bastion_uuid=${vanc_bastion_uuid#uuid: } cali_protected_uuid=$(grep uuid tmp/cali-protected-install.yaml) cali_protected_uuid=${cali_protected_uuid#uuid: } vanc_protected_uuid=$(grep uuid tmp/vanc-protected-install.yaml) vanc_protected_uuid=${vanc_protected_uuid#uuid: } echo BUILDING SSH COMMANDS key_path=$(grep 'key_path:' tmp/cali-bastion-install.yaml | awk '{ print $2 }') ssh_cali_bastion="ssh -i ${key_path} \ -p $(grep port tmp/cali-bastion-install.yaml | cut -d "'" -f2) \ root@$(grep ip tmp/cali-bastion-install.yaml | awk '{ print $2 }')" ssh_vanc_bastion="ssh -i ${key_path} \ -p $(grep port tmp/vanc-bastion-install.yaml | cut -d "'" -f2) \ root@$(grep ip tmp/vanc-bastion-install.yaml | awk '{ print $2 }')" ssh_cali_protected="ssh -i ${key_path} \ -p $(grep port tmp/cali-protected-install.yaml | cut -d "'" -f2) \ root@$(grep ip tmp/cali-protected-install.yaml | awk '{ print $2 }')" ssh_vanc_protected="ssh -i ${key_path} \ -p $(grep port tmp/vanc-protected-install.yaml | cut -d "'" -f2) \ root@$(grep ip tmp/vanc-protected-install.yaml | awk '{ print $2 }')" echo INSPECTING VMs detee-cli vm inspect $cali_bastion_uuid > tmp/cali-bastion-inspect.yaml detee-cli vm inspect $vanc_bastion_uuid > tmp/vanc-bastion-inspect.yaml detee-cli vm inspect $cali_protected_uuid > tmp/cali-protected-inspect.yaml detee-cli vm inspect $vanc_protected_uuid > tmp/vanc-protected-inspect.yaml echo GETTING WIREGUARD IP AND PORTS cali_wg_ip=$(grep 'ip: ' tmp/cali-bastion-install.yaml) cali_wg_ip=${cali_wg_ip#ip: } vanc_wg_ip=$(grep 'ip: ' tmp/vanc-bastion-install.yaml) vanc_wg_ip=${vanc_wg_ip#ip: } cali_wg_port=$(grep exposed_ports -A 2 tmp/cali-bastion-inspect.yaml | tail -1) cali_wg_port=${cali_wg_port#- } vanc_wg_port=$(grep exposed_ports -A 2 tmp/vanc-bastion-inspect.yaml | tail -1) vanc_wg_port=${vanc_wg_port#- } echo GENERATING WIREGUARD KEYS wg genkey > tmp/cali_bastion_private.key cat tmp/cali_bastion_private.key | wg pubkey > tmp/cali_bastion_public.key wg genkey > tmp/vanc_bastion_private.key cat tmp/vanc_bastion_private.key | wg pubkey > tmp/vanc_bastion_public.key wg genkey > tmp/cali_protected_private.key cat tmp/cali_protected_private.key | wg pubkey > tmp/cali_protected_public.key wg genkey > tmp/vanc_protected_private.key cat tmp/vanc_protected_private.key | wg pubkey > tmp/vanc_protected_public.key wg genkey > tmp/local_private.key cat tmp/local_private.key | wg pubkey > tmp/local_public.key echo PREPARING WIREGUARD CONFIGS cp -r wg_configs tmp/ sed -i "s,CALI_BASTION_PRIVATE,$(cat tmp/cali_bastion_private.key)," tmp/wg_configs/* sed -i "s,CALI_BASTION_PUBLIC,$(cat tmp/cali_bastion_public.key)," tmp/wg_configs/* sed -i "s,VANC_BASTION_PRIVATE,$(cat tmp/vanc_bastion_private.key)," tmp/wg_configs/* sed -i "s,VANC_BASTION_PUBLIC,$(cat tmp/vanc_bastion_public.key)," tmp/wg_configs/* sed -i "s,CALI_PROTECTED_PRIVATE,$(cat tmp/cali_protected_private.key)," tmp/wg_configs/* sed -i "s,CALI_PROTECTED_PUBLIC,$(cat tmp/cali_protected_public.key)," tmp/wg_configs/* sed -i "s,VANC_PROTECTED_PRIVATE,$(cat tmp/vanc_protected_private.key)," tmp/wg_configs/* sed -i "s,VANC_PROTECTED_PUBLIC,$(cat tmp/vanc_protected_public.key)," tmp/wg_configs/* sed -i "s,LOCAL_PRIVATE,$(cat tmp/local_private.key)," tmp/wg_configs/* sed -i "s,LOCAL_PUBLIC,$(cat tmp/local_public.key)," tmp/wg_configs/* sed -i "s,VANC_BASTION_IP,${vanc_wg_ip}," tmp/wg_configs/* sed -i "s,CALI_BASTION_IP,${cali_wg_ip}," tmp/wg_configs/* sed -i "s,VANC_BASTION_PORT,${vanc_wg_port}," tmp/wg_configs/* sed -i "s,CALI_BASTION_PORT,${cali_wg_port}," tmp/wg_configs/* echo INSTALLING SOFTWARE $ssh_cali_bastion pacman -Syu --noconfirm > tmp/cali_bastion.log 2>&1 $ssh_vanc_bastion pacman -Syu --noconfirm > tmp/vanc_bastion.log 2>&1 $ssh_cali_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1 $ssh_vanc_protected pacman -Syu --noconfirm > tmp/vanc_protected.log 2>&1 $ssh_cali_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/cali_bastion.log 2>&1 $ssh_vanc_bastion pacman -S wireguard-tools --needed --noconfirm > tmp/vanc_bastion.log 2>&1 $ssh_cali_protected pacman -S wireguard-tools nginx \ --needed --noconfirm > tmp/vanc_protected.log 2>&1 $ssh_vanc_protected pacman -S wireguard-tools nginx \ --needed --noconfirm > tmp/vanc_protected.log 2>&1 $ssh_cali_protected systemctl start nginx $ssh_vanc_protected systemctl start nginx echo UPLOADING WIREGUARD CONFIG { cat tmp/wg_configs/cali-bastion-server.conf | $ssh_cali_bastion tee /etc/wireguard/server.conf cat tmp/wg_configs/cali-bastion-client.conf | $ssh_cali_bastion tee /etc/wireguard/vanc.conf cat tmp/wg_configs/vanc-bastion-server.conf | $ssh_vanc_bastion tee /etc/wireguard/server.conf cat tmp/wg_configs/vanc-bastion-client.conf | $ssh_vanc_bastion tee /etc/wireguard/cali.conf cat tmp/wg_configs/cali-protected-cali.conf | $ssh_cali_protected tee /etc/wireguard/cali.conf cat tmp/wg_configs/cali-protected-vanc.conf | $ssh_cali_protected tee /etc/wireguard/vanc.conf cat tmp/wg_configs/vanc-protected-cali.conf | $ssh_vanc_protected tee /etc/wireguard/cali.conf cat tmp/wg_configs/vanc-protected-vanc.conf | $ssh_vanc_protected tee /etc/wireguard/vanc.conf } > /dev/null echo STARTING WIREGUARD $ssh_cali_bastion wg-quick up server $ssh_vanc_bastion wg-quick up server $ssh_vanc_bastion wg-quick up cali $ssh_cali_protected wg-quick up cali $ssh_vanc_protected wg-quick up cali $ssh_cali_bastion wg-quick up vanc $ssh_cali_protected wg-quick up vanc $ssh_vanc_protected wg-quick up vanc # SETTING UP LOCAL CLIENT if [[ $(whoami) == "root" ]]; then sudo="" else sudo="sudo" fi $sudo cp tmp/wg_configs/local-cali.conf /etc/wireguard/ $sudo cp tmp/wg_configs/local-vanc.conf /etc/wireguard/ $sudo wg-quick up local-cali $sudo wg-quick up local-vanc echo To check if VPN works to the protected nodes, try to access a protected service: echo curl http://10.200.20.101 echo curl http://10.100.10.101 echo curl http://10.100.10.201 echo curl http://10.200.20.201