examples/overlay-network/setup_wg_mesh.sh

#!/bin/bash

# SPDX-License-Identifier: Apache-2.0

script_dir=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
cd $script_dir
set -e
export FORMAT=YAML
mkdir -p tmp/wg
mkdir -p tmp/logs
rm tmp/vms/*inspect.yaml || true
vms=()

# inspect VMs
for vm_config in $(grep -r uuid: tmp/vms/ | awk '{ print $2}'); do
  vm_id=$(echo $vm_config | cut -d '/' -f2 | cut -d '.' -f1)
  detee-cli vm inspect $vm_id > tmp/vms/${vm_id}_inspect.yaml
  vm_name=$(grep 'hostname: ' tmp/vms/${vm_id}_inspect.yaml |
    awk '{ print $2 }')
  mv tmp/vms/${vm_id}_inspect.yaml tmp/vms/${vm_name}_inspect.yaml
done

# define VM object
vm_count=0
new_vm() {
  (( vm_count++ )) || true
  local vm_name="$1"
  local vm_id="vm$vm_count"

  local vm_install_data="tmp/vms/${vm_name}_install.yaml"
  local vm_inspect_data="tmp/vms/${vm_name}_inspect.yaml"

  vm_node_ip=$(grep 'ip: ' $vm_install_data | awk '{ print $2 }')
  vm_port=$(grep exposed_ports -A 1 $vm_inspect_data | tail -1 | grep -oE "[0-9]*")
  wg_privkey=$(wg genkey)
  wg_pubkey=$(echo $wg_privkey | wg pubkey)

  declare -gA "$vm_id"
  eval "$vm_id[id]=$vm_count"
  eval "$vm_id[name]=$vm_name"
  eval "$vm_id[port]=$vm_port"
  eval "$vm_id[node_ip]=$vm_node_ip"
  eval "$vm_id[private_ip]=10.254.254.$vm_count"
  eval "$vm_id[wg_priv]=$wg_privkey"
  eval "$vm_id[wg_pub]=$wg_pubkey"

  vms+=("$vm_id")
}

# loops over all VMs
for vm_install_file in tmp/vms/*_install.yaml; do
  vm_name=$(echo $vm_install_file | cut -d '/' -f3 | cut -d '_' -f1)
  new_vm $vm_name
done

# loops over all VMs in array
for main_vm_loop in "${vms[@]}"; do
  declare -n main_vm_ref="$main_vm_loop"
  wg_file="tmp/wg/${main_vm_ref[name]}.ini"
  {
    echo "[Interface]"
    echo "Address = "${main_vm_ref[private_ip]}" "
    echo "PrivateKey = "${main_vm_ref[wg_priv]}" "
    echo "ListenPort = 22"
  } > ${wg_file}
  
  ssh="ssh -p ${main_vm_ref[port]} root@${main_vm_ref[node_ip]}"
  $ssh sed -i '/10.254.254./d' /etc/hosts
  echo ${main_vm_ref[private_ip]} ${main_vm_ref[name]} | $ssh tee -a /etc/hosts > /dev/null

  for inner_vm_loop in "${vms[@]}"; do
    declare -n inner_vm_ref="$inner_vm_loop"
    [[ "${inner_vm_ref[id]}" == "${main_vm_ref[id]}" ]] && continue
    echo ${inner_vm_ref[private_ip]} ${inner_vm_ref[name]} | $ssh tee -a /etc/hosts > /dev/null
    {
      echo
      echo "[Peer]"
      echo "PublicKey = ${inner_vm_ref[wg_pub]}"
      echo "Endpoint = ${inner_vm_ref[node_ip]}:${inner_vm_ref[port]}"
      echo "AllowedIPs = ${inner_vm_ref[private_ip]}"
      echo "PersistentKeepalive = 25"
    } >> ${wg_file}
  done
  echo WireGuard config written to ${wg_file}

  $ssh pacman -Syu --noconfirm > tmp/logs/${main_vm_ref[name]}.log 2>&1
  $ssh pacman -S wireguard-tools --needed --noconfirm >> tmp/logs/${main_vm_ref[name]}.log 2>&1
  echo Packages installed for ${main_vm_ref[name]}

  # TODO: enable this if needed, or delete from code
  # $ssh sysctl -w net.ipv4.conf.all.forwarding=1 > /dev/null
  cat ${wg_file} | $ssh tee /etc/wireguard/brain.conf > /dev/null
  {
    $ssh wg-quick down brain || true
    $ssh wg-quick up brain || true
    $ssh wg-quick up brain || true
    $ssh systemctl enable wg-quick@brain || true
  } >> tmp/logs/${main_vm_ref[name]}.log 2>&1

  echo WireGuard started on ${main_vm_ref[name]}
done