2026-06-16 02:27:29 +01:00
---
apiVersion : v1
kind : ConfigMap
metadata :
name : amneziawg-scripts
data :
firewall-up.sh : |
#!/usr/bin/env bash
set -euo pipefail
PORT="${1:-5847}"
2026-06-16 03:48:41 +01:00
VPN_CIDR="${2:-10.8.0.0/16}"
2026-06-16 02:27:29 +01:00
external_interface() {
ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
}
ensure_insert_rule() {
local table_args=()
if [ "${1:-}" = "-t" ]; then
table_args=("$1" "$2")
shift 2
fi
local chain="$1"
shift
if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
iptables "${table_args[@]}" -I "${chain}" 1 "$@"
fi
}
2026-06-18 00:06:14 +01:00
delete_rule() {
local table_args=()
if [ "${1:-}" = "-t" ]; then
table_args=("$1" "$2")
shift 2
fi
local chain="$1"
shift
while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
true
done
}
2026-06-16 02:27:29 +01:00
ensure_append_rule() {
local table_args=()
if [ "${1:-}" = "-t" ]; then
table_args=("$1" "$2")
shift 2
fi
local chain="$1"
shift
if ! iptables "${table_args[@]}" -C "${chain}" "$@" >/dev/null 2>&1; then
iptables "${table_args[@]}" -A "${chain}" "$@"
fi
}
EXT_IF="$(external_interface || true)"
if [ -z "${EXT_IF}" ]; then
EXT_IF="$(ip route show default | awk '{print $5; exit}')"
fi
if [ -z "${EXT_IF}" ]; then
echo "Unable to detect external interface"
exit 1
fi
sysctl -w net.ipv4.ip_forward=1
2026-06-18 00:06:14 +01:00
delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
2026-06-16 02:27:29 +01:00
ensure_insert_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
ensure_insert_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
ensure_append_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
ensure_append_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
ensure_append_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
ensure_append_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE
firewall-down.sh : |
#!/usr/bin/env bash
set -euo pipefail
PORT="${1:-5847}"
2026-06-16 03:48:41 +01:00
VPN_CIDR="${2:-10.8.0.0/16}"
2026-06-16 02:27:29 +01:00
external_interface() {
ip route get 1.1.1.1 | awk '{for (i=1;i<=NF;i++) if ($i=="dev") {print $(i+1); exit}}'
}
delete_rule() {
local table_args=()
if [ "${1:-}" = "-t" ]; then
table_args=("$1" "$2")
shift 2
fi
local chain="$1"
shift
while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
true
done
}
EXT_IF="$(external_interface || true)"
if [ -z "${EXT_IF}" ]; then
EXT_IF="$(ip route show default | awk '{print $5; exit}')"
fi
if [ -n "${EXT_IF}" ]; then
delete_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
delete_rule -t nat POSTROUTING -s "${VPN_CIDR}" -o "${EXT_IF}" -m comment --comment amneziawg-masquerade -j MASQUERADE
fi
delete_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
2026-06-18 00:06:14 +01:00
delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
2026-06-16 02:27:29 +01:00
delete_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
delete_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
delete_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
run.sh : |
#!/usr/bin/env bash
set -euo pipefail
SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
2026-06-29 21:00:55 +03:00
CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
2026-06-16 02:27:29 +01:00
RUNTIME_CONFIG="/run/amnezia/awg0.conf"
2026-06-29 20:46:07 +03:00
SYNC_CONFIG="/run/amnezia/awg0.sync.conf"
STATUS_FILE="/run/amnezia/reload-status"
RELOAD_INTERVAL="${AMNEZIAWG_RELOAD_INTERVAL:-10}"
2026-06-16 02:27:29 +01:00
cleanup() {
if awg show awg0 >/dev/null 2>&1; then
awg-quick down "${RUNTIME_CONFIG}" || ip link delete awg0 || true
fi
}
render_config() {
mkdir -p "$(dirname "${RUNTIME_CONFIG}")"
2026-06-29 20:46:07 +03:00
local tmp_config="${RUNTIME_CONFIG}.tmp"
cp "${SERVER_CONFIG}" "${tmp_config}"
chmod 0600 "${tmp_config}"
2026-06-16 02:27:29 +01:00
local clients_found=0
for client_config in "${CLIENTS_DIR}"/*; do
[ -f "${client_config}" ] || continue
[ -s "${client_config}" ] || continue
2026-06-29 20:46:07 +03:00
printf '\n' >> "${tmp_config}"
cat "${client_config}" >> "${tmp_config}"
2026-06-16 02:27:29 +01:00
clients_found=1
done
if [ "${clients_found}" = "0" ]; then
echo "No client peer configs found in ${CLIENTS_DIR}; starting without peers"
fi
2026-06-29 20:46:07 +03:00
mv "${tmp_config}" "${RUNTIME_CONFIG}"
chmod 0600 "${RUNTIME_CONFIG}"
}
client_config_hash() {
{
for client_config in "${CLIENTS_DIR}"/*; do
[ -f "${client_config}" ] || continue
sha256sum "${client_config}"
done
} | sha256sum | awk '{print $1}'
}
write_reload_status() {
local state="${1}"
local hash="${2:-}"
local applied_at_ms=""
if [ "${state}" = "applied" ]; then
applied_at_ms="$(($(date +%s) * 1000))"
fi
mkdir -p "$(dirname "${STATUS_FILE}")"
{
printf 'state=%s\n' "${state}"
printf 'hash=%s\n' "${hash}"
printf 'applied_at_ms=%s\n' "${applied_at_ms}"
} > "${STATUS_FILE}.tmp"
mv "${STATUS_FILE}.tmp" "${STATUS_FILE}"
}
apply_live_config() {
render_config
awg-quick strip "${RUNTIME_CONFIG}" > "${SYNC_CONFIG}"
chmod 0600 "${SYNC_CONFIG}"
awg syncconf awg0 "${SYNC_CONFIG}"
}
watch_client_config() {
local last_hash="${1}"
while true; do
sleep "${RELOAD_INTERVAL}" &
wait "$!" || return 0
local current_hash
current_hash="$(client_config_hash)"
if [ "${current_hash}" = "${last_hash}" ]; then
continue
fi
echo "Detected AmneziaWG client peer config change; applying with awg syncconf"
if apply_live_config; then
last_hash="${current_hash}"
write_reload_status applied "${current_hash}"
awg show awg0 || true
else
echo "ERROR: failed to hot-reload AmneziaWG client peer config" >&2
write_reload_status error "${current_hash}"
fi
done
2026-06-16 02:27:29 +01:00
}
trap cleanup EXIT
trap 'exit 0' TERM INT
2026-06-29 20:46:07 +03:00
initial_hash="$(client_config_hash)"
2026-06-16 02:27:29 +01:00
render_config
cleanup
awg-quick up "${RUNTIME_CONFIG}"
awg show awg0 || true
2026-06-29 20:46:07 +03:00
write_reload_status applied "${initial_hash}"
watch_client_config "${initial_hash}"
2026-06-29 21:00:55 +03:00
client-secret-sync.sh : |
#!/usr/bin/env bash
set -euo pipefail
CLIENT_SECRET="${AMNEZIAWG_CLIENT_SECRET:-amneziawg-clients}"
CLIENT_SECRET_KEY="${AMNEZIAWG_CLIENT_SECRET_KEY:-peers.conf}"
CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
PEERS_FILE="${CLIENTS_DIR}/peers.conf"
SYNC_INTERVAL="${AMNEZIAWG_CLIENT_SECRET_SYNC_INTERVAL:-5}"
NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
write_empty_once() {
mkdir -p "${CLIENTS_DIR}"
if [ ! -f "${PEERS_FILE}" ]; then
: > "${PEERS_FILE}"
chmod 0600 "${PEERS_FILE}"
fi
}
sync_once() {
mkdir -p "${CLIENTS_DIR}"
local tmp_file="${PEERS_FILE}.tmp"
local encoded=""
if ! encoded="$(kubectl get secret "${CLIENT_SECRET}" -n "${NAMESPACE}" -o "go-template={{ index .data \"${CLIENT_SECRET_KEY}\" }}" 2>/dev/null)"; then
echo "WARN: failed to read Secret ${NAMESPACE}/${CLIENT_SECRET}; keeping current peers" >&2
write_empty_once
return 0
fi
if [ -n "${encoded}" ]; then
printf '%s' "${encoded}" | base64 -d > "${tmp_file}"
else
: > "${tmp_file}"
fi
chmod 0600 "${tmp_file}"
if [ -f "${PEERS_FILE}" ] && cmp -s "${tmp_file}" "${PEERS_FILE}"; then
rm -f "${tmp_file}"
return 0
fi
mv "${tmp_file}" "${PEERS_FILE}"
echo "Synced AmneziaWG client peers from Secret ${NAMESPACE}/${CLIENT_SECRET}:${CLIENT_SECRET_KEY}"
}
if [ "${1:-}" = "once" ]; then
sync_once
exit 0
fi
while true; do
sync_once || true
sleep "${SYNC_INTERVAL}"
done
2026-06-29 20:46:07 +03:00
status-patch.sh : |
#!/usr/bin/env bash
set -euo pipefail
STATUS_FILE="/run/amnezia/reload-status"
PATCH_INTERVAL="${AMNEZIAWG_STATUS_PATCH_INTERVAL:-5}"
NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
: "${POD_NAME:?POD_NAME is required}"
last_file_hash=""
patch_status() {
local state="unknown"
local hash=""
local applied_at_ms=""
# The file is generated by run.sh and contains only shell assignments.
# shellcheck disable=SC1090
source "${STATUS_FILE}"
kubectl patch pod "${POD_NAME}" -n "${NAMESPACE}" --type merge -p "{\"metadata\":{\"annotations\":{\"amnezia-fellow.hexor.cy/client-secret-reload-status\":\"${state}\",\"amnezia-fellow.hexor.cy/client-secret-applied-at-ms\":\"${applied_at_ms}\",\"amnezia-fellow.hexor.cy/client-secret-applied-hash\":\"${hash}\"}}}"
}
2026-06-16 02:27:29 +01:00
while true; do
2026-06-29 20:46:07 +03:00
if [ -f "${STATUS_FILE}" ]; then
file_hash="$(sha256sum "${STATUS_FILE}" | awk '{print $1}')"
if [ "${file_hash}" != "${last_file_hash}" ]; then
patch_status || true
last_file_hash="${file_hash}"
fi
fi
sleep "${PATCH_INTERVAL}"
2026-06-16 02:27:29 +01:00
done
