authorEgor Tensin <Egor.Tensin@gmail.com>2021-08-07 21:21:15 +0300
committerEgor Tensin <Egor.Tensin@gmail.com>2021-08-07 22:39:08 +0300
commit6d8ae087cf2317a696f8d5685de7dd68c389313e (patch)
tree1e4971ddc51eba176684cfb5a5d93de794250e8b /action.yml
parentinitial commit (diff)
add the actual action code
Diffstat (limited to 'action.yml')
-rw-r--r--action.yml160
1 files changed, 160 insertions, 0 deletions
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..77e4827
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,160 @@
+name: Set up WireGuard
+description: Set up WireGuard connection
+
+inputs:
+ endpoint:
+ description: Endpoint in the HOST:PORT format
+ required: true
+ endpoint_public_key:
+ description: Public key of the endpoint
+ required: true
+ ips:
+ description: Comma-separated list of IP addresses
+ required: true
+ private_key:
+ description: Private key
+ required: true
+ preshared_key:
+ description: Preshared key
+ required: false
+ allowed_ips:
+ description: Comma-separated list of netmasks
+ required: true
+
+runs:
+ using: composite
+ steps:
+ - run: |
+ set -o errexit -o pipefail -o nounset
+
+ readonly endpoint='${{ inputs.endpoint }}'
+ readonly endpoint_public_key='${{ inputs.endpoint_public_key }}'
+ readonly ips='${{ inputs.ips }}'
+ readonly private_key='${{ inputs.private_key }}'
+ readonly preshared_key='${{ inputs.preshared_key }}'
+ readonly allowed_ips='${{ inputs.allowed_ips }}'
+
+ readonly minport=51000
+ readonly maxport=51999
+
+ ifname="wg$( openssl rand -hex 4 )"
+ readonly ifname
+ port="$( shuf "--input-range=$minport-$maxport" --head-count=1 )"
+ readonly port
+
+ via_systemd() {
+ local netdev_path
+ netdev_path="/etc/systemd/network/$ifname.netdev"
+ local network_path
+ network_path="/etc/systemd/network/$ifname.network"
+
+ local netdev_contents
+ netdev_contents="
+ [NetDev]
+ Name=$ifname
+ Kind=wireguard
+ Description=WireGuard tunnel $ifname
+
+ [WireGuard]
+ ListenPort=$port
+ PrivateKey=$private_key
+
+ [WireGuardPeer]
+ Endpoint=$endpoint
+ PublicKey=$endpoint_public_key
+ AllowedIPs = $allowed_ips"
+
+ if [ -n "$preshared_key" ]; then
+ netdev_contents="$netdev_contents
+ PresharedKey=$preshared_key"
+ fi
+
+ local network_contents
+ network_contents="
+ [Match]
+ Name=$ifname
+
+ [Network]"
+
+ local delim=,
+ local ip
+ while IFS= read -d "$delim" -r ip; do
+ network_contents="$network_contents
+ Address=$ip"
+ done < <( printf -- "%s$delim\\0" "$ips" )
+
+ sudo touch -- "$netdev_path"
+ sudo chown -- root:systemd-network "$netdev_path"
+ sudo chmod -- 0640 "$netdev_path"
+ sudo touch -- "$network_path"
+ echo "$netdev_contents" | sudo tee -- "$netdev_path" > /dev/null
+ echo "$network_contents" | sudo tee -- "$network_path" > /dev/null
+
+ sudo systemctl restart systemd-networkd
+ sudo systemctl status systemd-networkd
+ }
+
+ install_wg_tools() {
+ sudo apt-get update
+ sudo DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends wireguard-tools
+ }
+
+ readonly private_key_path=/tmp/private.key
+ readonly preshared_key_path=/tmp/preshared.key
+
+ wg_tools_cleanup() {
+ rm -f -- "$private_key_path"
+ rm -f -- "$preshared_key_path"
+ }
+
+ via_wg_tools() {
+ install_wg_tools
+ trap wg_tools_cleanup EXIT
+
+ (
+ set -o errexit -o nounset -o pipefail
+ umask 0077
+ echo "$private_key" > "$private_key_path"
+ if [ -n "$preshared_key" ]; then
+ echo "$preshared_key" > "$preshared_key_path"
+ fi
+ )
+
+ sudo ip link add dev "$ifname" type wireguard
+
+ local delim=,
+ local ip
+ while IFS= read -d "$delim" -r ip; do
+ sudo ip addr add "$ip" dev "$ifname"
+ done < <( printf -- "%s$delim\\0" "$ips" )
+
+ sudo wg set "$ifname" \
+ listen-port "$port" \
+ private-key "$private_key_path"
+
+ if [ -z "$preshared_key" ]; then
+ sudo wg set "$ifname" \
+ peer "$endpoint_public_key" \
+ endpoint "$endpoint" \
+ allowed-ips "$allowed_ips"
+ else
+ sudo wg set "$ifname" \
+ peer "$endpoint_public_key" \
+ preshared-key "$preshared_key_path" \
+ endpoint "$endpoint" \
+ allowed-ips "$allowed_ips"
+ fi
+
+ sudo ip link set "$ifname" up
+ }
+
+ # systemd-networkd greets me with 'Temporary failure in name
+ # resolution' on Bionic when using a hostname instead of an IP address
+ # for endpoint. God knows why!
+ #via_systemd
+ via_wg_tools
+ shell: bash
+
+branding:
+ icon: star
+ color: green
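Review bot: The six `readonly endpoint='${{ inputs.endpoint }}'` … `readonly allowed_ips='${{ inputs.allowed_ips }}'` assignments at the top of the run script splice action inputs into the shell source before bash parses it, so the single quotes give no protection: an input containing `'` closes the literal and whatever follows is executed as shell by the runner. The safe pattern is to hand the inputs to the step through an `env:` block and read them as `"$INPUT_…"` variables, which makes the values ordinary data rather than code and also keeps `private_key` and `preshared_key` out of the rendered script text. The rest of the script (`via_systemd`, `via_wg_tools`, the port and interface-name selection) reads the shell variables and needs no change.
```yaml
    - run: |
        set -o errexit -o pipefail -o nounset

        readonly endpoint="$INPUT_ENDPOINT"
        readonly endpoint_public_key="$INPUT_ENDPOINT_PUBLIC_KEY"
        readonly ips="$INPUT_IPS"
        readonly private_key="$INPUT_PRIVATE_KEY"
        readonly preshared_key="$INPUT_PRESHARED_KEY"
        readonly allowed_ips="$INPUT_ALLOWED_IPS"

        # … unchanged: port selection, via_systemd, install_wg_tools, via_wg_tools …
      shell: bash
      env:
        INPUT_ENDPOINT: ${{ inputs.endpoint }}
        INPUT_ENDPOINT_PUBLIC_KEY: ${{ inputs.endpoint_public_key }}
        INPUT_IPS: ${{ inputs.ips }}
        INPUT_PRIVATE_KEY: ${{ inputs.private_key }}
        INPUT_PRESHARED_KEY: ${{ inputs.preshared_key }}
        INPUT_ALLOWED_IPS: ${{ inputs.allowed_ips }}
```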