From: Matt Birkholz Date: Fri, 21 Nov 2025 00:04:39 +0000 (-0700) Subject: Re-generate WireGuard™ configs in ./inst old as well as client. X-Git-Url: https://birchwood-abbey.net/git?a=commitdiff_plain;h=d71e501c3de51317214628da900d5f0d785d7396;p=Institute Re-generate WireGuard™ configs in ./inst old as well as client. Added a write_wireguard subroutine to be called by the old as well as client subcommands. Re-compute the list of clients again from the YAML that was saved to disk, but ignoring the clients of former members. --- diff --git a/README.org b/README.org index 1d507e4..c5c596f 100644 --- a/README.org +++ b/README.org @@ -6420,6 +6420,7 @@ the administrator to update =private/members.yml= before running #+BEGIN_SRC perl :tangle inst use MIME::Base64; +sub write_wireguard ($); if (defined $ARGV[0] && $ARGV[0] eq "pass") { my $I = new IO::File; @@ -6572,7 +6573,9 @@ if (defined $ARGV[0] && $ARGV[0] eq "old") { "playbooks/nextcloud-old.yml -e user=$user", ">/dev/null"); $member->{"status"} = "former"; + umask 077; write_members_yaml $yaml; + write_wireguard $yaml; mysystem ("ansible-playbook -e \@Secret/become.yml", "-t accounts playbooks/site.yml", ">/dev/null"); 
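Review bot: In the `old` branch the regenerated private/front-wg0.conf and private/gate-wg0.conf drop the former member's peers, but the playbook run that follows (`-t accounts playbooks/site.yml`) is not limited to gate,front the way the `client` branch's run is, and whether the `accounts` tag covers the tasks that install the wg0 configs is not visible from this hunk; if it does not, the revoked peers stay live on the hosts until the next untagged run. Worth confirming and worth a comment at the call site: `# write_wireguard drops the former member's peers; the play below must push the new wg0 configs to gate and front`. The `umask 077` added here is good, since both server configs are written under it. The `old` branch begins before this hunk.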
@@ -6699,14 +6702,47 @@ if (defined $ARGV[0] && $ARGV[0] eq "client") { umask 077; write_members_yaml $yaml; + write_wireguard $yaml; - if ($type eq "campus") { - push @all_peers, [ $name, $hostnum, $type, $pubkey, "" ]; - } else { - push @member_peers, [ $name, $hostnum, $type, $pubkey, $user ]; - push @all_peers, [ $name, $hostnum, $type, $pubkey, $user ]; + umask 033; + write_wg_client ("public.conf", + hostnum_to_ipaddr ($hostnum, $public_wg_net_cidr), + $type, + $front_wg_pubkey, + "$front_addr:$public_wg_port", + hostnum_to_ipaddr (1, $public_wg_net_cidr)) + if $type ne "campus"; + write_wg_client ("campus.conf", + hostnum_to_ipaddr ($hostnum, $campus_wg_net_cidr), + $type, + $gate_wg_pubkey, + "$gate_wild_addr:$campus_wg_port", + hostnum_to_ipaddr (1, $campus_wg_net_cidr)); + + mysystem ("ansible-playbook -e \@Secret/become.yml", + "-l gate,front", + "-t accounts playbooks/site.yml", + ">/dev/null"); + exit; +} + +sub write_wireguard ($) { + my ($yaml) = @_; + + my @campus_peers # [ name, hostnum, type, pubkey, user|"" ] + = map { [ (split / /), "" ] } @{$yaml->{"clients"}}; + + my $members = $yaml->{"members"}; + my @member_peers = (); + for my $u (sort keys %$members) { + next if $members->{$u}->{"status"} ne "current"; + push @member_peers, + map { [ (split / /), $u ] } @{$members->{$u}->{"clients"}}; } + my @all_peers = sort { $a->[1] <=> $b->[1] } + (@campus_peers, @member_peers); + my $core_wg_addr = hostnum_to_ipaddr (2, $public_wg_net_cidr); my $extra_front_config = " PostUp = resolvectl dns %i $core_addr 
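Review bot: `write_wireguard` dereferences `$yaml->{"clients"}` and each member's `{"clients"}` directly, so a YAML with no campus clients yet, or a current member with no devices yet, dies with "Can't use an undefined value as an ARRAY reference" if strict refs are on (not visible here); `@{ $yaml->{"clients"} || [] }` and `@{ $members->{$u}->{"clients"} || [] }` keep the rebuild going and yield configs with no peers for that side, which appears to be the intent. A member whose `status` key is missing is skipped by the `ne "current"` test (undef compares as "", with an uninitialized-value warning if warnings are on), which is the safe default for a peer list but deserves a comment: `# no status means no access: only explicitly current members get peers`. The `umask 033` before `write_wg_client` creates public.conf and campus.conf mode 0644; if those files carry the client's PrivateKey (write_wg_client's body is outside this hunk) they should be written under `umask 077` like the server configs and handed to the member over a private channel. The `client` branch begins before this hunk.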
@@ -6722,28 +6758,10 @@ AllowedIPs = $campus_wg_net_cidr\n"; write_wg_server ("private/front-wg0.conf", \@member_peers, hostnum_to_ipaddr_cidr (1, $public_wg_net_cidr), - $public_wg_port, $extra_front_config) - if $type ne "campus"; + $public_wg_port, $extra_front_config); write_wg_server ("private/gate-wg0.conf", \@all_peers, hostnum_to_ipaddr_cidr (1, $campus_wg_net_cidr), $campus_wg_port, "\n"); - - umask 033; - write_wg_client ("public.conf", - hostnum_to_ipaddr ($hostnum, $public_wg_net_cidr), - $type, - $front_wg_pubkey, - "$front_addr:$public_wg_port", - hostnum_to_ipaddr (1, $public_wg_net_cidr)) - if $type ne "campus"; - write_wg_client ("campus.conf", - hostnum_to_ipaddr ($hostnum, $campus_wg_net_cidr), - $type, - $gate_wg_pubkey, - "$gate_wild_addr:$campus_wg_port", - hostnum_to_ipaddr (1, $campus_wg_net_cidr)); - - exit; } sub write_wg_server ($$$$$) { diff --git a/inst b/inst index b407c13..d6e8ebd 100755 --- a/inst +++ b/inst @@ -291,6 +291,7 @@ sub strip_vault ($) { } use MIME::Base64; +sub write_wireguard ($); if (defined $ARGV[0] && $ARGV[0] eq "pass") { my $I = new IO::File; @@ -353,7 +354,9 @@ if (defined $ARGV[0] && $ARGV[0] eq "old") { "playbooks/nextcloud-old.yml -e user=$user", ">/dev/null"); $member->{"status"} = "former"; + umask 077; write_members_yaml $yaml; + write_wireguard $yaml; mysystem ("ansible-playbook -e \@Secret/become.yml", "-t accounts playbooks/site.yml", ">/dev/null"); 
@@ -418,14 +421,47 @@ if (defined $ARGV[0] && $ARGV[0] eq "client") { umask 077; write_members_yaml $yaml; + write_wireguard $yaml; - if ($type eq "campus") { - push @all_peers, [ $name, $hostnum, $type, $pubkey, "" ]; - } else { - push @member_peers, [ $name, $hostnum, $type, $pubkey, $user ]; - push @all_peers, [ $name, $hostnum, $type, $pubkey, $user ]; + umask 033; + write_wg_client ("public.conf", + hostnum_to_ipaddr ($hostnum, $public_wg_net_cidr), + $type, + $front_wg_pubkey, + "$front_addr:$public_wg_port", + hostnum_to_ipaddr (1, $public_wg_net_cidr)) + if $type ne "campus"; + write_wg_client ("campus.conf", + hostnum_to_ipaddr ($hostnum, $campus_wg_net_cidr), + $type, + $gate_wg_pubkey, + "$gate_wild_addr:$campus_wg_port", + hostnum_to_ipaddr (1, $campus_wg_net_cidr)); + + mysystem ("ansible-playbook -e \@Secret/become.yml", + "-l gate,front", + "-t accounts playbooks/site.yml", + ">/dev/null"); + exit; +} + +sub write_wireguard ($) { + my ($yaml) = @_; + + my @campus_peers # [ name, hostnum, type, pubkey, user|"" ] + = map { [ (split / /), "" ] } @{$yaml->{"clients"}}; + + my $members = $yaml->{"members"}; + my @member_peers = (); + for my $u (sort keys %$members) { + next if $members->{$u}->{"status"} ne "current"; + push @member_peers, + map { [ (split / /), $u ] } @{$members->{$u}->{"clients"}}; } + my @all_peers = sort { $a->[1] <=> $b->[1] } + (@campus_peers, @member_peers); + my $core_wg_addr = hostnum_to_ipaddr (2, $public_wg_net_cidr); my $extra_front_config = " PostUp = resolvectl dns %i $core_addr 
@@ -441,28 +477,10 @@ AllowedIPs = $campus_wg_net_cidr\n"; write_wg_server ("private/front-wg0.conf", \@member_peers, hostnum_to_ipaddr_cidr (1, $public_wg_net_cidr), - $public_wg_port, $extra_front_config) - if $type ne "campus"; + $public_wg_port, $extra_front_config); write_wg_server ("private/gate-wg0.conf", \@all_peers, hostnum_to_ipaddr_cidr (1, $campus_wg_net_cidr), $campus_wg_port, "\n"); - - umask 033; - write_wg_client ("public.conf", - hostnum_to_ipaddr ($hostnum, $public_wg_net_cidr), - $type, - $front_wg_pubkey, - "$front_addr:$public_wg_port", - hostnum_to_ipaddr (1, $public_wg_net_cidr)) - if $type ne "campus"; - write_wg_client ("campus.conf", - hostnum_to_ipaddr ($hostnum, $campus_wg_net_cidr), - $type, - $gate_wg_pubkey, - "$gate_wild_addr:$campus_wg_port", - hostnum_to_ipaddr (1, $campus_wg_net_cidr)); - - exit; } sub write_wg_server ($$$$$) {