From 93e5d39c7b4efe5480f58295868c390a3dd0de40 Mon Sep 17 00:00:00 2001 From: Nico Schottelius Date: Sat, 26 Dec 2020 14:42:53 +0100 Subject: [PATCH] moving vpn to direct configuration --- doc/uncloud-manual-2020-08-01.org | 22 ++++++++++++++++++++-- uncloud/models.py | 8 ++++++++ uncloud_net/models.py | 3 +++ uncloud_net/services.py | 8 ++++++-- uncloud_net/tasks.py | 28 ++++++++++++++++++++++++++-- uncloud_pay/tasks.py | 2 +- 6 files changed, 64 insertions(+), 7 deletions(-) diff --git a/doc/uncloud-manual-2020-08-01.org b/doc/uncloud-manual-2020-08-01.org index 2fefca6..21126bd 100644 --- a/doc/uncloud-manual-2020-08-01.org +++ b/doc/uncloud-manual-2020-08-01.org @@ -120,8 +120,7 @@ ALTER ROLE #+BEGIN_SRC sh psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode =require - #+END_SRC - +g #+END_SRC ** Bootstrap - Login via a user so that the user object gets created @@ -145,6 +144,25 @@ psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/unc python manage.py import-vat-rates #+END_SRC +** Worker nodes + Nodes that realise services (VMHosts, VPNHosts, etc.) need to be + accessible from the main node and also need access to the database. + + Workers usually should have an "uncloud" user account, even though + strictly speaking the username can be any. + +*** WireGuardVPN Server + - Allow write access to /etc/wireguard for uncloud user + - Allow sudo access to "ip" and "wg" + + #+BEGIN_SRC sh + chown uncloud /etc/wireguard/ + [14:30] vpn-2a0ae5c1200:/etc/sudoers.d# cat uncloud + app ALL=(ALL) NOPASSWD:/sbin/ip + app ALL=(ALL) NOPASSWD:/usr/bin/wg + #+END_SRC + + * Testing / CLI Access Access via the commandline (CLI) can be done using curl or httpie. In our examples we will use httpie. diff --git a/uncloud/models.py b/uncloud/models.py index 5545303..535d920 100644 --- a/uncloud/models.py +++ b/uncloud/models.py 
@@ -170,3 +170,11 @@ class UncloudTask(models.Model): """ task_id = models.UUIDField(primary_key=True) + +# class UncloudRequestLog(models.Model): +# """ +# Class to store requests and logs +# """ + + +# log = models.CharField(max_length=256) diff --git a/uncloud_net/models.py b/uncloud_net/models.py index 0c8b02a..c768c17 100644 --- a/uncloud_net/models.py +++ b/uncloud_net/models.py @@ -48,6 +48,9 @@ class WireGuardVPNPool(models.Model): @property def ip_network(self): + """ + Return the IP network based on our address and mask + """ return ipaddress.ip_network(f"{self.network}/{self.network_mask}") def __str__(self): diff --git a/uncloud_net/services.py b/uncloud_net/services.py index 4f80c44..437601d 100644 --- a/uncloud_net/services.py +++ b/uncloud_net/services.py @@ -22,7 +22,6 @@ def create_wireguard_vpn(owner, public_key, network_mask): free_lease.delete() except WireGuardVPNFreeLeases.DoesNotExist: - # First object if count == 0: vpn = WireGuardVPN.objects.create(owner=owner, @@ -42,6 +41,11 @@ def create_wireguard_vpn(owner, public_key, network_mask): wireguard_public_key=public_key) + config = pool.wireguard_config + server = pool.vpn_server_hostname + wg_name = pool.wg_name + + configure_wireguard_server_on_host.apply_async((wg_name, config), + queue=server) - configure_wireguard_server(pool) return vpn diff --git a/uncloud_net/tasks.py b/uncloud_net/tasks.py index 78ae80c..f6b8038 100644 --- a/uncloud_net/tasks.py +++ b/uncloud_net/tasks.py @@ -8,6 +8,7 @@ import subprocess import logging import uuid + log = logging.getLogger(__name__) @shared_task 
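Review bot: The `UncloudRequestLog` model is added to `uncloud/models.py` entirely commented out, which leaves a dead class body with no signal whether it is planned or abandoned. If the idea should survive, shrink it to a single marker such as `# TODO: UncloudRequestLog - model for storing requests/logs, not yet designed` and drop the commented field definitions. If it is meant to land soon, a real model plus its migration is what should be reviewed, not a sketch.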
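Review bot: `configure_wireguard_server_on_host` is called by name in `create_wireguard_vpn`, but the hunk does not show the import at the top of `uncloud_net/services.py` being changed from `configure_wireguard_server`; if that line was left as is, the first VPN creation fails with `NameError`. The call also ships `pool.wireguard_config` through the Celery broker as a plain task argument, and since the worker feeds it to `wg setconf` it presumably carries the interface PrivateKey, so broker transport security and the task serializer (json, never pickle) become part of the trust boundary; a comment here would help, e.g. `# config carries the WG private key: broker must be authenticated and encrypted`. Finally `apply_async` returns immediately and nothing inspects the result, so `vpn` is handed back as created even if the worker never applied the config; keeping the returned AsyncResult (or at least logging its id) would make failures traceable. The enclosing function begins outside the hunk.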
@@ -15,7 +16,30 @@ def whereami(): print(os.uname()) return os.uname() -def configure_wireguard_server(wireguardvpnpool): +@shared_task +def configure_wireguard_server_on_host(wg_name, config): + """ + - Create wireguard config (DB query -> string) + - Submit config to cdist worker + - Change config locally on worker / commit / shared + """ + + # Write config + fname = f"/etc/wireguard/{{wg_name}}.conf" + with open(fname, "w") as fd: + fd.write(config) + + # Ensure the device exists + subprocess.run(f"ip link show {{wg_name}} || sudo ip link add {{wg_name}} type wireguard", + shell=True, check=True) + + # Ensure the config is correct + subprocess.run(f"sudo wg setconf {{wg_name}} {{fname}}", + shell=True, check=True) + + + +def configure_wireguard_server_via_cdist(wireguardvpnpool): """ - Create wireguard config (DB query -> string) - Submit config to cdist worker @@ -37,7 +61,7 @@ def cdist_configure_wireguard_server(config, server): """ Create config and configure server. - To be executed on the cdist workers. + To be executed on the cdist worker. """ dirname= "/home/app/.cdist/type/__ungleich_wireguard/files/" diff --git a/uncloud_pay/tasks.py b/uncloud_pay/tasks.py index b88f494..c372366 100644 --- a/uncloud_pay/tasks.py +++ b/uncloud_pay/tasks.py @@ -6,6 +6,6 @@ from uncloud.models import UncloudTask @shared_task(bind=True) def check_balance(self): - UncloudTask.objects.create(task_id=self.id) + UncloudTask.objects.create(task_id=self.request.id) print("for each user res is 50") return 50
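Review bot: Both subprocess calls in `configure_wireguard_server_on_host` interpolate `wg_name` (a value read from the database) into a `shell=True` command string that is then run under sudo, so any shell metacharacter or `../` in a pool's `wg_name` executes as root or escapes `/etc/wireguard`; the commands should be argv lists and the name validated against the kernel's interface-name rules before use. As visible in the hunk the f-strings use doubled braces (`f"/etc/wireguard/{{wg_name}}.conf"`), which an f-string renders as the literal text `{wg_name}`, so unless this is a paste artifact the file and the `ip`/`wg` commands never see the real interface name. The config written with `open(fname, "w")` contains the interface private key but is created with the umask default (typically 0644); it should be created 0600. The docstring was copied from the cdist variant and still describes "Submit config to cdist worker", which this task no longer does. The rewrite below needs `import re` added to the module imports, which lie outside the hunk.
```python
@shared_task
def configure_wireguard_server_on_host(wg_name, config):
    """Write the WireGuard config for wg_name on this host and apply it with wg setconf."""
    # Kernel interface names are at most 15 chars; this check also keeps wg_name
    # free of path separators and shell metacharacters before it reaches sudo.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", wg_name):
        raise ValueError(f"invalid wireguard interface name: {wg_name!r}")

    fname = f"/etc/wireguard/{wg_name}.conf"
    # The config carries the interface private key: create it 0600, not with the umask default.
    fd = os.open(fname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(config)

    # argv lists instead of shell=True: nothing from the database is parsed by a shell.
    exists = subprocess.run(["ip", "link", "show", wg_name],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if exists.returncode != 0:
        subprocess.run(["sudo", "ip", "link", "add", wg_name, "type", "wireguard"], check=True)
    subprocess.run(["sudo", "wg", "setconf", wg_name, fname], check=True)
```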