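#!/bin/bash
#
# Builds a WireGuard overlay between two bastion VMs and two protected VMs
# (sites "cali" and "vanc") and brings up the local client tunnels to both.
#
# Inputs (must exist before running):
#   tmp/<site>-<role>-install.yaml  detee-cli install output for each VM; the
#                                   uuid, ip, port and key_path lines are read
#   wg_configs/                     WireGuard config templates containing the
#                                   *_PRIVATE / *_PUBLIC / *_IP / *_PORT
#                                   placeholders substituted below
# Outputs:
#   tmp/<name>_private.key, tmp/<name>_public.key  generated key pairs
#   tmp/wg_configs/                 filled-in configs (they contain private keys)
#   tmp/<site>-<role>-inspect.yaml  detee-cli inspect output
#   tmp/<host>.log                  remote package-manager output (appended)
#
# Requires: detee-cli, wg, ssh, GNU sed (for -i), and sudo unless run as root.

set -euo pipefail

# detee-cli output format; the grep/awk parsing below expects YAML.
export FORMAT=YAML

# Everything created under tmp/ from here on (private keys, filled-in configs,
# logs) is owner-only. wg genkey itself warns when it writes to a file that is
# world accessible.
umask 077

readonly cali_bastion=tmp/cali-bastion-install.yaml
readonly vanc_bastion=tmp/vanc-bastion-install.yaml
readonly cali_protected=tmp/cali-protected-install.yaml
readonly vanc_protected=tmp/vanc-protected-install.yaml

#######################################
# Print the value of the first line of a YAML file matching a key pattern.
# Arguments: $1 - YAML file, $2 - grep pattern (e.g. 'uuid:')
# Outputs:   second whitespace-separated field of the matching line
# Returns:   non-zero (and, under set -e, exits) if nothing matches
#######################################
yaml_value() {
  # NOTE(review): substring match, so 'ip:' also matches longer keys ending in
  # "ip:"; assumes the install YAML has exactly one such line — confirm
  # against detee-cli's output.
  grep -- "$2" "$1" | awk '{ print $2 }'
}

#######################################
# Print the SSH port recorded in an install YAML.
# Arguments: $1 - install YAML file
# Outputs:   the port, which detee-cli writes single-quoted (port: '22')
#######################################
install_ssh_port() {
  grep -- 'port:' "$1" | cut -d "'" -f2
}

#######################################
# Print the WireGuard port of a VM from its inspect YAML.
# Arguments: $1 - inspect YAML file
# Outputs:   the list entry two lines below "exposed_ports"
#######################################
wireguard_port() {
  # NOTE(review): relies on the second exposed_ports entry being the
  # WireGuard port, exactly as the previous version did — confirm.
  grep -A 2 -- 'exposed_ports' "$1" | tail -1 | awk '{ print $2 }'
}

#######################################
# Run a command on a VM as root over SSH.
# Globals:   key_path (read) - SSH private key shared by all hosts
# Arguments: $1 - install YAML of the host, $2.. - remote command
# Outputs:   whatever the remote command prints; stdin is passed through
#######################################
ssh_to() {
  local install_yaml=$1
  shift
  ssh -i "$key_path" \
    -p "$(install_ssh_port "$install_yaml")" \
    "root@$(yaml_value "$install_yaml" 'ip:')" "$@"
}

#######################################
# Generate a WireGuard key pair under tmp/.
# Arguments: $1 - base name; writes tmp/<name>_private.key and tmp/<name>_public.key
#######################################
gen_keypair() {
  local name=$1
  wg genkey > "tmp/${name}_private.key"
  wg pubkey < "tmp/${name}_private.key" > "tmp/${name}_public.key"
}

#######################################
# Replace the first occurrence per line of a placeholder in every config copy.
# Arguments: $1 - placeholder token, $2 - replacement value
#######################################
fill_template() {
  # ',' is the s/// delimiter because base64 keys may contain '/'; keys, IPs
  # and ports never contain ',' or '&', so the replacement needs no escaping.
  sed -i "s,$1,$2," tmp/wg_configs/*
}

#######################################
# Update a host and install packages, appending pacman output to a log.
# Arguments: $1 - install YAML of the host, $2 - log file, $3.. - packages
#######################################
install_packages() {
  local host=$1 log=$2
  shift 2
  # Append rather than truncate so the -Syu output survives the second call.
  ssh_to "$host" pacman -Syu --noconfirm >> "$log" 2>&1
  ssh_to "$host" pacman -S "$@" --needed --noconfirm >> "$log" 2>&1
}

#######################################
# Copy a filled-in WireGuard config to a host with owner-only permissions.
# Arguments: $1 - local config, $2 - remote path, $3 - install YAML of the host
#######################################
upload_conf() {
  local src=$1 dst=$2 host=$3
  # The config carries a private key; wg-quick warns when its config file is
  # world accessible. umask covers a fresh file, chmod an existing one.
  ssh_to "$host" "umask 077 && cat > '$dst' && chmod 600 '$dst'" < "$src"
}

#######################################
# Run a command as root, via sudo only when not already root.
# Arguments: $@ - command
#######################################
as_root() {
  if (( EUID == 0 )); then
    "$@"
  else
    sudo "$@"
  fi
}

echo GETTING UUIDs
cali_bastion_uuid=$(yaml_value "$cali_bastion" 'uuid:')
vanc_bastion_uuid=$(yaml_value "$vanc_bastion" 'uuid:')
cali_protected_uuid=$(yaml_value "$cali_protected" 'uuid:')
vanc_protected_uuid=$(yaml_value "$vanc_protected" 'uuid:')

echo BUILDING SSH COMMANDS
# One key serves every host; taken from the cali bastion install output.
key_path=$(yaml_value "$cali_bastion" 'key_path:')
readonly key_path

echo INSPECTING VMs
detee-cli vm inspect "$cali_bastion_uuid" > tmp/cali-bastion-inspect.yaml
detee-cli vm inspect "$vanc_bastion_uuid" > tmp/vanc-bastion-inspect.yaml
detee-cli vm inspect "$cali_protected_uuid" > tmp/cali-protected-inspect.yaml
detee-cli vm inspect "$vanc_protected_uuid" > tmp/vanc-protected-inspect.yaml

echo GETTING WIREGUARD IP AND PORTS
cali_wg_ip=$(yaml_value "$cali_bastion" 'ip:')
vanc_wg_ip=$(yaml_value "$vanc_bastion" 'ip:')
cali_wg_port=$(wireguard_port tmp/cali-bastion-inspect.yaml)
vanc_wg_port=$(wireguard_port tmp/vanc-bastion-inspect.yaml)

echo GENERATING WIREGUARD KEYS
for name in cali_bastion vanc_bastion cali_protected vanc_protected local; do
  gen_keypair "$name"
done

echo PREPARING WIREGUARD CONFIGS
# Copy the directory contents, not the directory: a plain `cp -r wg_configs tmp/`
# nests a second copy on re-runs and the sed glob below then hits a directory.
mkdir -p tmp/wg_configs
cp -r wg_configs/. tmp/wg_configs/
for name in cali_bastion vanc_bastion cali_protected vanc_protected local; do
  placeholder=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
  fill_template "${placeholder}_PRIVATE" "$(cat "tmp/${name}_private.key")"
  fill_template "${placeholder}_PUBLIC" "$(cat "tmp/${name}_public.key")"
done
fill_template VANC_BASTION_IP "$vanc_wg_ip"
fill_template CALI_BASTION_IP "$cali_wg_ip"
fill_template VANC_BASTION_PORT "$vanc_wg_port"
fill_template CALI_BASTION_PORT "$cali_wg_port"

echo INSTALLING SOFTWARE
install_packages "$cali_bastion" tmp/cali_bastion.log wireguard-tools
install_packages "$vanc_bastion" tmp/vanc_bastion.log wireguard-tools
# Runtime setting only (sysctl -w); it does not persist across a reboot.
ssh_to "$cali_bastion" sysctl -w net.ipv4.conf.all.forwarding=1
ssh_to "$vanc_bastion" sysctl -w net.ipv4.conf.all.forwarding=1

install_packages "$cali_protected" tmp/cali_protected.log wireguard-tools nginx
install_packages "$vanc_protected" tmp/vanc_protected.log wireguard-tools nginx
# Started, not enabled: nginx will not come back by itself after a reboot.
ssh_to "$cali_protected" systemctl start nginx
ssh_to "$vanc_protected" systemctl start nginx

echo UPLOADING WIREGUARD CONFIG
upload_conf tmp/wg_configs/cali-bastion-server.conf /etc/wireguard/server.conf "$cali_bastion"
upload_conf tmp/wg_configs/cali-bastion-client.conf /etc/wireguard/vanc.conf "$cali_bastion"
upload_conf tmp/wg_configs/vanc-bastion-server.conf /etc/wireguard/server.conf "$vanc_bastion"
upload_conf tmp/wg_configs/vanc-bastion-client.conf /etc/wireguard/cali.conf "$vanc_bastion"
upload_conf tmp/wg_configs/cali-protected-cali.conf /etc/wireguard/cali.conf "$cali_protected"
upload_conf tmp/wg_configs/cali-protected-vanc.conf /etc/wireguard/vanc.conf "$cali_protected"
upload_conf tmp/wg_configs/vanc-protected-cali.conf /etc/wireguard/cali.conf "$vanc_protected"
upload_conf tmp/wg_configs/vanc-protected-vanc.conf /etc/wireguard/vanc.conf "$vanc_protected"

echo STARTING WIREGUARD
# Servers first, then the bastion-to-bastion and protected-node tunnels.
ssh_to "$cali_bastion" wg-quick up server
ssh_to "$vanc_bastion" wg-quick up server
ssh_to "$vanc_bastion" wg-quick up cali
ssh_to "$cali_protected" wg-quick up cali
ssh_to "$vanc_protected" wg-quick up cali
ssh_to "$cali_bastion" wg-quick up vanc
ssh_to "$cali_protected" wg-quick up vanc
ssh_to "$vanc_protected" wg-quick up vanc

# SETTING UP LOCAL CLIENT
# install -m 600 instead of cp: the local configs also contain a private key.
as_root install -m 600 tmp/wg_configs/local-cali.conf tmp/wg_configs/local-vanc.conf /etc/wireguard/
as_root wg-quick up local-cali
as_root wg-quick up local-vanc

printf '%s\n' \
  'To check if VPN works to the protected nodes, try to access a protected service:' \
  'curl http://10.200.20.101' \
  'curl http://10.100.10.101' \
  'curl http://10.100.10.201' \
  'curl http://10.200.20.201'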