lfg2025/archy
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases 33 Wiki Activity
Files
84c2c2880ac9796712c9ae87a9306364bbae1bb3
archy/scripts/archipelago-wg
Dorian 7741dc8652
Some checks failed
Build Archipelago ISO (dev) / build-iso (push) Failing after 12m6s
Details
feat: ISO networking stack — relay + nvpn v0.3.7 + WireGuard 
Add nostr-rs-relay as native system service (port 7777) for VPN
signaling. Every node runs its own private relay from first boot.
Update nvpn binary from v0.3.4 to v0.3.7 (fixes mesh event
processing). Add WireGuard helper and address service for peer VPN.
First-boot script configures relay, nvpn identity, relay URLs
(direct + Tor onion), and syncs daemon config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-08 15:06:27 +02:00

59 lines
2.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# archipelago-wg — Privileged WireGuard helper for the Archipelago backend.
# Installed to /usr/local/bin/archipelago-wg with a sudoers rule so the
# unprivileged archipelago/debian service user can manage wg0 without
# full root or disabling NoNewPrivileges.
#
# Usage:
# archipelago-wg setup <privkey-file> — Create wg0 interface
# archipelago-wg add-peer <pubkey> <ip> — Add peer to wg0
# archipelago-wg remove-peer <pubkey> — Remove peer from wg0
set -euo pipefail
case "${1:-}" in
setup)
KEY_FILE="${2:?Usage: archipelago-wg setup <privkey-file>}"
[ -f "$KEY_FILE" ] || { echo "Key file not found: $KEY_FILE" >&2; exit 1; }
# Ensure kernel module is loaded
modprobe wireguard 2>/dev/null || true
# Create interface
ip link add dev wg0 type wireguard 2>/dev/null || true
wg set wg0 listen-port 51820 private-key "$KEY_FILE"
# Assign server address if not already set
ip address show dev wg0 | grep -q "10.44.0.1" || ip address add 10.44.0.1/16 dev wg0
ip link set up dev wg0
# NAT masquerade for VPN clients
iptables -t nat -C POSTROUTING -s 10.44.0.0/16 ! -o wg0 -j MASQUERADE 2>/dev/null ||
iptables -t nat -A POSTROUTING -s 10.44.0.0/16 ! -o wg0 -j MASQUERADE
# Open firewall port
if command -v ufw >/dev/null 2>&1 && ufw status | grep -q "Status: active"; then
ufw allow 51820/udp >/dev/null 2>&1 || true
fi
echo "wg0 configured"
;;
add-peer)
PUBKEY="${2:?Usage: archipelago-wg add-peer <pubkey> <allowed-ip>}"
ALLOWED_IP="${3:?Usage: archipelago-wg add-peer <pubkey> <allowed-ip>}"
wg set wg0 peer "$PUBKEY" allowed-ips "$ALLOWED_IP"
echo "peer added"
;;
remove-peer)
PUBKEY="${2:?Usage: archipelago-wg remove-peer <pubkey>}"
wg set wg0 peer "$PUBKEY" remove
echo "peer removed"
;;
*)
echo "Usage: archipelago-wg {setup|add-peer|remove-peer}" >&2
exit 1
;;
esac
Reference in New Issue View Git Blame Copy Permalink