Bring the remaining deferred subsystems under the scoped sudoers, and drop
the one that's redundant.
Backup engines + app configs -> root-owned helpers (same pattern as
ownership/dns/ssh/socket/svc):
- scripts/system/libreportal-bininstall: install <restic|kopia> — does the
whole pkg-manager/signed-download install itself for a fixed, validated
engine name (no blanket sudo apt-get/install). restic_install/kopia_install
call it.
- scripts/system/libreportal-appcfg: {adguard-auth <user> <bcrypt>|
crowdsec-priority|owncloud-config <public> <host> <ip> <public_ip>} —
faithful ports of the AdGuard yaml / CrowdSec bouncer / ownCloud config.php
rewrites, fixed paths + validated args. adguard_auth/crowdsec_fix_priority/
owncloud_setup_config call it.
- run_privileged: runBinInstall / runAppCfg; init.sh installs + allowlists both.
Retire standalone (host-level) WireGuard — it's a duplicate of the
containerized containers/wireguard app (+ headscale mesh), its slirp4netns
speed rationale is largely moot with a better rootless net backend / typical
WAN-bound throughput, and it was the heaviest host-root subsystem (apt +
sysctl + iptables + /etc/wireguard), the worst fit for the rootless/
least-privilege direction:
- moved scripts/wireguard/ + manage_wireguard.sh + check_wireguard.sh to
scripts/unused/; dropped the install-path call, the Tools menu 'w' entry,
and the requirement check; removed the half-built libreportal-wg helper.
- generate_arrays.sh now also skips system/ (root-owned helpers, never
sourced); arrays regenerated (files_wireguard.sh pruned).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
# Secure WireGuard server installer
# Adapted from : https://github.com/angristan/wireguard-install
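installStandaloneWireGuard()
{
    # Install the host-level (standalone) WireGuard server when the
    # CFG_REQUIREMENT_WIREGUARD setting is enabled and no server params exist
    # yet. The privileged steps are delegated to the root-owned helper via
    # runWg; this function only checks the environment, reports progress and
    # wires up DNS, port bookkeeping and the first client.
    # Globals (read):    CFG_REQUIREMENT_WIREGUARD, OS_TYPE, server_nic,
    #                    public_ip_v4, CFG_WG_SERVER_NIC, CFG_WG_SERVER_PORT
    # Globals (written): WIREGUARD_RUNNING
    # Returns: status of the last reporting helper; 0 when there is nothing to do
    if [[ "$CFG_REQUIREMENT_WIREGUARD" != "true" ]]; then
        return 0
    fi

    # /etc/wireguard/params is written by the installer; when it exists an
    # earlier run already completed and there is nothing to do.
    if [[ -e /etc/wireguard/params ]]; then
        #isNotice "Wireguard is already installed, no need to install."
        return 0
    fi

    isHeader "Wireguard Installer"
    echo "Based on : https://github.com/angristan/wireguard-install"
    echo ""

    local wg_can_install="true"
    local wg_virt
    # Only the detected virtualisation name matters here; systemd-detect-virt
    # exits non-zero on bare metal, so its status is deliberately ignored (the
    # original masked it through 'local x=$(...)').
    wg_virt=$(systemd-detect-virt) || true

    case "$wg_virt" in
        openvz)
            echo "OpenVZ is not supported"
            wg_can_install="false"
            ;;
        lxc)
            echo "LXC is not supported (yet)."
            echo "WireGuard can technically run in an LXC container,"
            echo "but the kernel module has to be installed on the host,"
            echo "the container has to be run with some specific parameters"
            echo "and only the tools need to be installed in the container."
            wg_can_install="false"
            ;;
    esac

    if [[ "$wg_can_install" != "true" ]]; then
        return 0
    fi

    # Install WireGuard tools and module (Debian-family hosts only; anything
    # else is left alone, as before).
    if [[ "$OS_TYPE" != "Ubuntu" && "$OS_TYPE" != "Debian" ]]; then
        return 0
    fi

    # All the privileged work (apt, /etc/wireguard keys + server config,
    # sysctl ip_forward, wg-quick service) runs in the root-owned
    # libreportal-wg helper, which reads + validates the CFG_WG_* settings
    # itself.
    # NOTE(review): the commit that moved this script says the libreportal-wg
    # helper was removed, so runWg may no longer resolve — confirm before
    # re-enabling this installer.
    runWg install "$server_nic" "$public_ip_v4" >/dev/null
    checkSuccess "Installed standalone WireGuard server (/etc/wireguard/${CFG_WG_SERVER_NIC}.conf)"

    # Update DNS after the helper apt-installed resolvconf
    updateDNS "" standalonewireguard

    portUse wireguardstandalone "$CFG_WG_SERVER_PORT" install
    # Fix: the original called 'portOpenwireguardstandalone' (missing space
    # between helper and service name), which is not a command, so the UDP
    # listener was never opened in the firewall. This mirrors the
    # 'portClose wireguardstandalone ...' call in wireguardUninstall.
    # NOTE(review): 'portOpen' is inferred as the counterpart of portClose —
    # confirm the helper name.
    portOpen wireguardstandalone "${CFG_WG_SERVER_PORT}/udp" install

    wireguardNewClient install

    # Check if WireGuard is running
    systemctl is-active --quiet "wg-quick@${CFG_WG_SERVER_NIC}"
    WIREGUARD_RUNNING=$?

    # WireGuard might not work if we updated the kernel. Tell the user to reboot
    if (( WIREGUARD_RUNNING != 0 )); then
        isNotice "***WARNING*** WireGuard does not seem to be running."
        isNotice "You can check if WireGuard is running with: systemctl status wg-quick@${CFG_WG_SERVER_NIC}${NC}"
        isNotice "If you get something like 'Cannot find device ${CFG_WG_SERVER_NIC}', please reboot!"
    else # WireGuard is running
        isSuccessful "WireGuard is running."
        isSuccessful "You can check the status of WireGuard with: systemctl status wg-quick@${CFG_WG_SERVER_NIC}"
        isNotice "If you don't have internet connectivity from your client, try to reboot the server."
    fi
}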
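wireguardNewClient()
{
    # Create a new WireGuard client: pick a unique name and a free tunnel
    # address, generate the key pair + preshared key, write the client config
    # into CFG_WG_HOME_DIR and append the matching [Peer] block to the server
    # config.
    # Arguments: $1 - "install" to take the name from CFG_WG_DEFAULT_CLIENT
    #                 non-interactively; anything else prompts for it
    # Globals (read): CFG_WG_DEFAULT_CLIENT, CFG_WG_SERVER_NIC,
    #                 CFG_WG_SERVER_IPV4, CFG_WG_SERVER_PORT, CFG_WG_HOME_DIR,
    #                 CFG_WG_ALLOWED_IPS, CFG_DNS_SERVER_1, CFG_DNS_SERVER_2,
    #                 public_ip_v4, SERVER_PUB_KEY, sudo_user_name
    # Returns: 0 on success; 1 when no valid name / free address is available
    local type="$1"
    local server_conf="/etc/wireguard/${CFG_WG_SERVER_NIC}.conf"
    local client_name="" client_exists

    isHeader "Wireguard Client Creation"
    isNotice "The client name must consist of alphanumeric character(s)."
    isNotice "It may also include underscores or dashes and can't exceed 15 chars."
    echo ""

    # Validate the name *before* it is interpolated into the privileged grep
    # pattern below; the original ran the grep first and checked the regex
    # afterwards, so unvalidated input reached a root-run regex.
    while true; do
        if [[ "$type" == "install" ]]; then
            client_name="$CFG_WG_DEFAULT_CLIENT"
        else
            read -rp "Client name: " -e client_name
        fi

        if [[ ! "$client_name" =~ ^[a-zA-Z0-9_-]+$ || ${#client_name} -ge 16 ]]; then
            if [[ "$type" == "install" ]]; then
                # Nothing to re-prompt for: an invalid default would loop forever.
                isError "Invalid default client name '${client_name}' (CFG_WG_DEFAULT_CLIENT)."
                return 1
            fi
            echo ""
            isNotice "Invalid client name, please choose another name."
            echo ""
            continue
        fi

        # grep -c exits 1 on zero matches, so only the printed count matters;
        # an empty count means grep could not read the server config.
        client_exists=$(runSystem grep -c -E "^### Client ${client_name}\$" "$server_conf") || true
        if [[ -z "$client_exists" ]]; then
            isError "Cannot read ${server_conf}; is WireGuard installed?"
            return 1
        fi
        if [[ "$client_exists" == "0" ]]; then
            break
        fi
        if [[ "$type" == "install" ]]; then
            isError "A client named '${client_name}' already exists."
            return 1
        fi
        echo ""
        isNotice "A client with the specified name was already created, please choose another name."
        echo ""
    done

    # Find the first free host number in the server's range (.2 ... .254).
    # ${CFG_WG_SERVER_IPV4::-1} drops the last character of the server address;
    # NOTE(review): this assumes the server address ends in ".1" as in the
    # upstream installer — confirm against the CFG_WG_SERVER_IPV4 default.
    local dot_ip candidate dot_exists client_ipv4=""
    for dot_ip in {2..254}; do
        candidate="${CFG_WG_SERVER_IPV4::-1}${dot_ip}"
        # Match the full "<ip>/32" as a fixed string so ".2" cannot be
        # mistaken for ".20"-".29" and the dots are not regex metacharacters.
        dot_exists=$(runSystem grep -c -F -- "${candidate}/32" "$server_conf") || true
        if [[ "$dot_exists" == "0" ]]; then
            client_ipv4="$candidate"
            break
        fi
    done

    if [[ -z "$client_ipv4" ]]; then
        echo ""
        isNotice "The subnet configured supports only 253 clients."
        echo ""
        # The original printed the notice and carried on; with no address to
        # hand out there is no usable client to write, so stop here.
        return 1
    fi

    # Generate key pair and preshared key for the client. The private key is
    # fed to 'wg pubkey' over a pipe, not as an argument, so it does not show
    # up in the process list.
    local client_priv_key client_pub_key client_psk
    client_priv_key=$(runSystem wg genkey)
    client_pub_key=$(printf '%s\n' "$client_priv_key" | runSystem wg pubkey)
    client_psk=$(runSystem wg genpsk)
    local endpoint="${public_ip_v4}:${CFG_WG_SERVER_PORT}"
    local client_conf="${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${client_name}.conf"

    # Create client file
    createTouch "$client_conf" "$sudo_user_name"

    # Create client file and add the server as a peer.
    # Fix: the original wrote the *server* address (CFG_WG_SERVER_IPV4) as the
    # client's Address, so every client collided with the server and with each
    # other; the free host number found above is the client's own address.
    runSystem tee "$client_conf" >/dev/null <<EOF
[Interface]
PrivateKey = ${client_priv_key}
Address = ${client_ipv4}/32
DNS = ${CFG_DNS_SERVER_1},${CFG_DNS_SERVER_2}

[Peer]
PublicKey = ${SERVER_PUB_KEY}
PresharedKey = ${client_psk}
Endpoint = ${endpoint}
AllowedIPs = ${CFG_WG_ALLOWED_IPS}
EOF

    # Add the client as a peer to the server. On the server side AllowedIPs is
    # the set of source addresses accepted from (and routed to) this peer, i.e.
    # the client's own /32. The original reused CFG_WG_ALLOWED_IPS here, which
    # is the client-side routing list; with several peers that cannot work.
    runSystem tee -a "$server_conf" >/dev/null <<EOF

### Client ${client_name}
[Peer]
PublicKey = ${client_pub_key}
PresharedKey = ${client_psk}
AllowedIPs = ${client_ipv4}/32
EOF

    # The running interface is not re-synced here (the original kept the
    # 'wg syncconf' / service restart commented out); wireguardRevokeClient
    # shows the syncconf form if that is wanted.

    # Generate QR code if qrencode is installed
    if command -v qrencode &>/dev/null; then
        isNotice "Here is your client config file as a QR Code:"
        runSystem qrencode -t ansiutf8 -l L <"$client_conf"
        echo ""
    fi

    isSuccessful "Your client config file is in ${client_conf}"
}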
wireguardListClients()
{
    # Print a numbered list of the client names recorded in the server config
    # (the "### Client <name>" marker lines). wireguardCheckClients runs first
    # and diverts to the manage menu when there are none.
    # Globals (read): CFG_WG_SERVER_NIC
    local server_conf="/etc/wireguard/${CFG_WG_SERVER_NIC}.conf"

    isHeader "Wireguard Client List"

    wireguardCheckClients

    runSystem grep -E "^### Client" "$server_conf" \
        | cut -d ' ' -f 3 \
        | nl -s ') '
}
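wireguardRevokeClient()
{
    # Interactively pick one of the existing clients, drop its [Peer] block
    # from the server config, delete the generated client file and re-sync the
    # running interface.
    # Globals (read):    CFG_WG_SERVER_NIC, CFG_WG_HOME_DIR
    # Globals (written): result (consumed by checkSuccess)
    local server_conf="/etc/wireguard/${CFG_WG_SERVER_NIC}.conf"
    local number_of_clients client_number="" client_name

    isHeader "Wireguard Client Removal"

    wireguardCheckClients

    # wireguardCheckClients declares its count 'local', so it is not visible
    # here; the original compared against the unset variable and the prompt
    # loop below could never be satisfied. Count again in this scope.
    number_of_clients=$(runSystem grep -c -E "^### Client" "$server_conf") || true
    number_of_clients=${number_of_clients:-0}

    echo ""
    echo "Select the existing client you want to revoke"
    runSystem grep -E "^### Client" "$server_conf" | cut -d ' ' -f 3 | nl -s ') '

    # Accept only a plain decimal in range. The -ge/-le tests evaluate their
    # operands as arithmetic expressions, so arbitrary input must be rejected
    # before it is compared rather than handed to the evaluator.
    while true; do
        # The "[1]" prompt is for the single-client case; the original
        # compared the (still empty) selection instead of the client count.
        if [[ "$number_of_clients" == "1" ]]; then
            read -rp "Select one client [1]: " client_number
        else
            read -rp "Select one client [1-${number_of_clients}]: " client_number
        fi
        if [[ "$client_number" =~ ^[0-9]+$ ]]; then
            client_number=$((10#$client_number))   # force decimal ("08" etc.)
            if (( client_number >= 1 && client_number <= number_of_clients )); then
                break
            fi
        fi
    done

    # match the selected number to a client name
    client_name=$(runSystem grep -E "^### Client" "$server_conf" | cut -d ' ' -f 3 | sed -n "${client_number}p")

    # The name comes from the config's own marker line (validated against
    # ^[a-zA-Z0-9_-]+$ when it was created), so it is safe inside the sed
    # address; the range deletes through the next blank line.
    result=$(runSystem sed -i "/^### Client ${client_name}\$/,/^$/d" "$server_conf")
    checkSuccess "Removed [Peer] block matching $client_name"

    result=$(runSystem rm -f "${CFG_WG_HOME_DIR}/${CFG_WG_SERVER_NIC}-client-${client_name}.conf")
    checkSuccess "Removed generated client file for $client_name"

    # Apply the stripped config to the live interface without a restart.
    result=$(runSystem wg syncconf "${CFG_WG_SERVER_NIC}" <(runSystem wg-quick strip "${CFG_WG_SERVER_NIC}"))
    checkSuccess "Restart wireguard to apply changes"
}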
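wireguardCheckClients()
{
    # Count the "### Client" marker lines in the server config and, when
    # there are none, tell the user and go back to the manage menu.
    # Globals (read):    CFG_WG_SERVER_NIC
    # Globals (written): WIREGUARD_NUMBER_OF_CLIENTS — intentionally not
    #   'local': wireguardRevokeClient reads it after calling this function,
    #   which the original's 'local' declaration hid from it.
    local server_conf="/etc/wireguard/${CFG_WG_SERVER_NIC}.conf"

    # The other client helpers in this file read the same file through
    # runSystem; an unprivileged grep fails wherever they need root, and its
    # empty output made the "no clients" check below pass silently.
    WIREGUARD_NUMBER_OF_CLIENTS=$(runSystem grep -c -E "^### Client" "$server_conf") || true
    # grep -c exits 1 when the count is 0 and prints nothing on a read error;
    # treat both as "no clients".
    WIREGUARD_NUMBER_OF_CLIENTS=${WIREGUARD_NUMBER_OF_CLIENTS:-0}

    if [[ "$WIREGUARD_NUMBER_OF_CLIENTS" == "0" ]]; then
        echo ""
        isError "You have no existing clients!"
        echo ""
        wireguardManageMenu
    fi
}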
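wireguardUninstall()
{
    # Ask for confirmation, then stop/disable wg-quick, remove the packages,
    # delete /etc/wireguard and the ip_forward sysctl drop-in, release the
    # port bookkeeping and report whether the service is really gone.
    # Globals (read):    OS_TYPE, CFG_WG_SERVER_NIC, CFG_WG_SERVER_PORT
    # Globals (written): result (consumed by checkSuccess), WIREGUARD_RUNNING
    local wg_remove=""

    isHeader "Wireguard Uninstaller"
    isNotice "***WARNING*** This will uninstall WireGuard and remove all the configuration files!"
    isNotice "Please backup the /etc/wireguard directory if you want to keep your configuration files."
    echo ""
    isQuestion "Do you really want to remove WireGuard? (y/n): "
    # -r so a backslash in the answer is taken literally (the original omitted it)
    read -r -p "" wg_remove

    if [[ "$wg_remove" != [yY] ]]; then
        echo ""
        isNotice "Removal aborted!"
        return
    fi

    # Only Debian-family hosts are handled; anything else is left alone, as
    # before. The original repeated this same test inside the branch.
    if [[ "$OS_TYPE" != "Ubuntu" && "$OS_TYPE" != "Debian" ]]; then
        return 0
    fi

    result=$(runSystem systemctl stop "wg-quick@${CFG_WG_SERVER_NIC}")
    checkSuccess "Stopped wg-quick@${CFG_WG_SERVER_NIC} service."

    result=$(runSystem systemctl disable "wg-quick@${CFG_WG_SERVER_NIC}")
    checkSuccess "Disabled wg-quick@${CFG_WG_SERVER_NIC} service."

    result=$(runSystem apt-get remove -y wireguard wireguard-tools qrencode)
    checkSuccess "Removed wireguard wireguard-tools qrencode"

    # Fixed literal paths: nothing user-controlled reaches these rm calls.
    result=$(runSystem rm -rf /etc/wireguard)
    checkSuccess "Deleted /etc/wireguard folder."
    result=$(runSystem rm -f /etc/sysctl.d/wg.conf)
    checkSuccess "Delete /etc/sysctl.d/wg.conf file."

    result=$(runSystem sysctl --system)
    checkSuccess "Reloaded sysctl"

    portUnuse wireguardstandalone "$CFG_WG_SERVER_PORT" install
    portClose wireguardstandalone "${CFG_WG_SERVER_PORT}/udp" install

    # Check if WireGuard is running
    systemctl is-active --quiet "wg-quick@${CFG_WG_SERVER_NIC}"
    WIREGUARD_RUNNING=$?

    if (( WIREGUARD_RUNNING == 0 )); then
        isError "WireGuard failed to uninstall properly."
    else
        isSuccessful "WireGuard uninstalled successfully."
    fi
    wireguardManageMenu
}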