implement wireguard tunnel

.gitignore

@@ -1,6 +1,7 @@
 /cache
 /workdir
 /aes-key
+/wireguardkeys.json
 /config.yaml
 __pycache__
 .*.swp

README.md

@@ -63,6 +63,8 @@ v | discovery message |
  | kexec to received kernel
  | and network-root compatible initramfs
  serve root block device |
+ | connect wireguard |
+ |<---------------------<---------------------+
  | map/mount root fs |
  |<---------------------<---------------------+
  | |

config-example.yaml

@@ -6,6 +6,8 @@ modules:
  # never disable those core components:
  - base
  - nbd
+ # disabling this forces force plain text communication (DON'T DO IT)
+ - wireguard
  ###########################################################################
  # select one of the following systems:
  # support for arch linux payload systems (mkinitcpio)

config.py

@@ -108,7 +108,6 @@ def __init__(self, raw):
  self.macs = []
 
 
-
 class ServerSetupConfig:
  """
  server system setup information
@@ -171,6 +170,7 @@ def register_module(module_class):
  return module_class
  return register_module
 
+
 # see module_config().
 MODULE_CONFIG_CLASSES = {}
 
@@ -205,5 +205,6 @@ def __init__(self, raw):
  def apply(self, cfg):
  pass
 
+
 # load the config on module initialization
 CONFIG = Config('config.yaml')

create-initrd

@@ -1,5 +1,6 @@
 #!/usr/bin/env python3
 import argparse
+import json
 import os
 
 from config import CONFIG as cfg
@@ -65,6 +66,7 @@ if not args.skip_setup:
  'python3-aiohttp',
  'systemd-container', # to allow launching inside nspawn during this script
  'systemd-sysv', # to provide symlinks in /sbin: init, poweroff, ...
+ 'wireguard-tools',
  ]
 
  if 'nbd' in cfg.modules:
@@ -93,7 +95,6 @@ if not args.skip_setup:
  '--components=main,contrib,non-free',
  '--merged-usr',
  '--verbose',
- '--merged-usr',
  'stable',
  cfg.path.initrd,
  args.debian_mirror
@@ -109,6 +110,25 @@ if not os.path.exists('aes-key'):
  fileobj.write(os.urandom(16))
 command('cp', 'aes-key', cfg.path.initrd)
 
+# generate the wireguard keys
+if 'wireguard' in cfg.modules and not os.path.exists('wireguardkeys.json'):
+ print('generating wireguard keys')
+ server_privkey = command('wg', 'genkey', capture_stdout=True).decode('utf-8')[:-1]
+ server_pubkey = command('wg', 'pubkey', stdin=server_privkey, capture_stdout=True).decode('utf-8')[:-1]
+ client_privkey = command('wg', 'genkey', capture_stdout=True).decode('utf-8')[:-1]
+ client_pubkey = command('wg', 'pubkey', stdin=client_privkey, capture_stdout=True).decode('utf-8')[:-1]
+
+ with open("wireguardkeys.json", "w") as f:
+ f.write(json.dumps(
+ {
+ "wg_client": client_pubkey,
+ "wg_clientkey": client_privkey,
+ "wg_server": server_pubkey,
+ "wg_serverkey": server_privkey,
+ }
+ ))
+
+
 if not args.skip_setup:
  # set root password
  command(
@@ -206,6 +226,7 @@ if not args.skip_setup:
  'git',
  'linux-headers-amd64',
  'kmod',
+ 'wireguard-tools',
  nspawn=cfg.path.initrd_devel
  )
 
@@ -296,6 +317,7 @@ os.chdir(cfg.path.initrd)
 
 target_files = []
 
+
 def scan_path(path):
  for name in os.listdir(path):
  full = os.path.normpath(os.path.join(path, name))
@@ -310,6 +332,7 @@ def scan_path(path):
  if os.path.isdir(full) and not os.path.islink(full):
  yield from scan_path(full)
 
+
 print(f'packing {cfg.path.initrd}')
 
 archive = command(

doc/arch.md

@@ -3,7 +3,7 @@
 ## Dependencies
 
 ```
-pacman -S debootstrap kexec-tools dosfstools nbd pigz pv python-pyudev python-yaml syslinux wireless_tools mtools gdisk
+pacman -S debootstrap kexec-tools dosfstools nbd pigz pv python-pyudev python-yaml syslinux wireless_tools mtools gdisk wireguard-tools
 ```
 
 Only required for debugging with `test-qemu`:

overlays/initrd/usr/local/bin/stiefel-client

@@ -7,9 +7,7 @@ import io
 import json
 import os
 import socket
-import struct
 import subprocess
-import sys
 import tarfile
 import time
 import urllib.request
@@ -180,6 +178,7 @@ stiefelmodules = []
 # these are supplied by stiefel-server.
 inner_cmdline = ''
 
+serverkey = clientprivkey = None
 with io.BytesIO(tar_blob) as tarfileobj:
  with tarfile.open(fileobj=tarfileobj, mode='r') as tar:
  # validate challenge response
@@ -203,6 +202,10 @@ with io.BytesIO(tar_blob) as tarfileobj:
  elif member.name == 'stiefelmodules':
  # cmdline for the kexec'd real kernel
  stiefelmodules = data.decode().split(" ")
+ elif member.name == 'wg_server':
+ serverkey = data.decode('utf-8')
+ elif member.name == 'wg_clientkey':
+ clientprivkey = data.decode('utf-8')
  else:
  with open(f'/{member.name}', 'wb') as fileobj:
  fileobj.write(data)
@@ -213,25 +216,29 @@ print('server cmdline: %s' % "\n".join(inner_cmdline.split()))
 # additional inner cmdline arguments given to the stiefel-client-kernel-cmdline
 inner_cmdline += ' ' + base64.b64decode(cmdlineargs.get("stiefel_innercmdline", "")).decode()
 
+if serverkey:
+ inner_cmdline += f' wg.privkey={clientprivkey} wg.pubkey={serverkey} wg.endpoint=[{SERVER.replace(SERVER_INTERFACE, "stiefellink")}]:51820 '
 
-if any(mod in stiefelmodules for mod in ('system-debian', 'system-arch')):
- CMDLINE = (
- inner_cmdline +
- " stiefel_nbdhost=" + SERVER.replace(SERVER_INTERFACE, "stiefellink") +
- " stiefel_nbdname=stiefelblock" + # name is hardcoded in stiefel-server
- " stiefel_link=" + CLIENT_INTERFACE_MAC
- )
-
-elif any(mod in stiefelmodules for mod in ('system-gentoo', 'system-arch-dracut')):
+if any(mod in stiefelmodules for mod in (
+ 'system-gentoo',
+ 'system-arch-dracut',
+ 'system-arch',
+ 'system-debian',
+)):
  # dracut nbd & network invocation from man dracut.cmdline:
  # netroot=nbd:srv:export[:fstype[:rootflags(fsflags)[:nbdopts]]]
  # pls sync with test-qemu
  CMDLINE = (
  inner_cmdline +
+ " stiefel" +
  " ifname=stiefellink:" + CLIENT_INTERFACE_MAC +
- " ip=stiefellink:link6" +
- " netroot=nbd:[" + SERVER.replace(SERVER_INTERFACE, "stiefellink") + "]:stiefelblock:::-persist"
+ " ip=stiefellink:link6"
  )
+ if serverkey:
+ CMDLINE += " netroot=nbd:[fe80::1%wgstiefel]:stiefelblock:::-persist"
+ else:
+ CMDLINE += f" netroot=nbd:[{SERVER.replace(SERVER_INTERFACE, 'stiefellink')}]:stiefelblock:::-persist"
+
 else:
  raise Exception("with the given stiefelsystem modules, "
  "couldn't construct kexec cmdline")