qusal/salt/sys-wireguard/files/admin/bin/qvm-wireguard

#!/bin/sh

# SPDX-FileCopyrightText: 2022 unman <unman@thirdeyesecurity.org>
# SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

set -eu

uid="$(id -u)"
test "${uid}" = "0" || exec sudo "$0" "${@}"

usage(){
  printf '%s\n' "Usage: ${0##*/} [QUBE]"
  exit "${1:-1}"
}

case "${1-}" in
  -h|--help) usage 0;;
  -*) usage 1;;
  "") qube="sys-wireguard";;
  *) qube="${1}";;
esac

if ! qvm-check -q -- "${qube}" >/dev/null 2>&1; then
  printf '%s\n' "Qube '${qube}' doesn't exist" >&2
  usage 1
fi

user_conf="/home/user/wireguard.conf"
system_conf="/etc/wireguard/wireguard.conf"

qvm-run --no-gui -- "${qube}" test -f "${user_conf}" || {
  printf '%s\n' "File '${user_conf}' was not found" >&2
  if qvm-check -q --running -- "${qube}" >/dev/null 2>&1; then
    qvm-pause --verbose -- "${qube}"
  fi
  printf '%s\n' "Firewalling ${qube} to drop all connections"
  qvm-firewall --verbose -- "${qube}" reset
  qvm-firewall --verbose -- "${qube}" del --rule-no 0
  qvm-firewall --verbose -- "${qube}" add drop
  if qvm-check -q --paused -- "${qube}" >/dev/null 2>&1; then
    qvm-unpause --verbose -- "${qube}"
  fi
  exit 1
}

qvm-run --no-gui -u root -- "${qube}" cp -- "${user_conf}" "${system_conf}"

## TOFU
# shellcheck disable=SC2016
endpoint="$(qvm-run --no-gui -p -u root -- "${qube}" \
  awk -- '/Endpoint/{print $3}' "${system_conf}")"
if printf '%s\n' "${endpoint}" | grep -qF -e "["; then
  ip="${ip##[\[]}"
  ip="${ip%%\]*}"
  port="${endpoint##*:}"
else
  ip="${endpoint%%:*}"
  port="${endpoint##*:}"
fi

if test -z "${ip}" || test -z "${port}";then
  printf '%s\n' "Endpoint (IP:Port) not found: ${system_conf}" >&2
  exit 1
fi

if qvm-check -q --running -- "${qube}" >/dev/null 2>&1; then
  qvm-pause --verbose -- "${qube}"
fi

printf '%s\n' "Firewalling ${qube} to reach only '${ip}:${port}'"
qvm-firewall --verbose -- "${qube}" reset
qvm-firewall --verbose -- "${qube}" del --rule-no 0
qvm-firewall --verbose -- "${qube}" add accept dsthost="${ip}" \
  dstports="${port}" proto=udp
qvm-firewall --verbose -- "${qube}" add accept dsthost="${ip}" \
  dstports="${port}" proto=tcp
qvm-firewall --verbose -- "${qube}" add drop

if qvm-check -q --paused -- "${qube}" >/dev/null 2>&1; then
  qvm-unpause --verbose -- "${qube}"
fi

qvm-run --no-gui -u root -- "${qube}" \
  "systemctl restart wg-quick@wireguard
  /rw/config/network-hooks.d/50-sys-wireguard"