path: root/scripts/import-wireguard-configs.sh
authorCraig Jennings <c@cjennings.net>2026-07-02 21:57:39 -0400
committerCraig Jennings <c@cjennings.net>2026-07-02 21:57:39 -0400
commit2e40781ebf91fa0f9dc67f4381a8d3784cda8872 (patch)
treed84d14c48100de722b0da204305054a103d1c5f3 /scripts/import-wireguard-configs.sh
parent03897904c3270c07f2a5e8d3cf0457895dbe0e4f (diff)
downloadarchsetup-2e40781ebf91fa0f9dc67f4381a8d3784cda8872.tar.gz
archsetup-2e40781ebf91fa0f9dc67f4381a8d3784cda8872.zip
feat(vpn): wireguard config import for the NM migration
scripts/import-wireguard-configs.sh imports the seven Proton configs into NetworkManager with autoconnect forced off. Each config stages through a wgpvpn.conf temp copy (NM's import name must be a valid interface name; several config names exceed the 15-char limit) and is renamed by the UUID parsed from the import output, so a stray same-named connection can't be hit. A leftover wgpvpn connection — a run that died between import and rename, autoconnect still armed — makes the script refuse to run. 10 tests over a fake nmcli; velox migration verified (all seven wireguard, autoconnect no). The tunnels spec is implemented: all six phases shipped.
Diffstat (limited to 'scripts/import-wireguard-configs.sh')
-rwxr-xr-xscripts/import-wireguard-configs.sh59
1 files changed, 59 insertions, 0 deletions
diff --git a/scripts/import-wireguard-configs.sh b/scripts/import-wireguard-configs.sh
new file mode 100755
index 0000000..ae6ca7e
--- /dev/null
+++ b/scripts/import-wireguard-configs.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Import the assets/wireguard-config Proton configs into NetworkManager as
+# wireguard connections with autoconnect off. Two NM quirks handled here:
+#
+# - The import filename must be a valid interface name (<= 15 chars), and
+# several config names are longer — so every file imports through a temp
+# copy named wgpvpn.conf and the connection is renamed to the real config
+# name right after (by the UUID parsed from the import output, so a stray
+# same-named connection can't be hit). All profiles share the wgpvpn
+# interface, which is fine (they're mutually exclusive full-tunnel
+# configs), and the wg prefix keeps the net doctor's tunnel-down repair
+# on the NM path.
+# - Imports default to autoconnect yes, and these are full-tunnel
+# (AllowedIPs 0.0.0.0/0) — a VPN that arms itself on boot is not a default
+# anyone chose, so the modify runs immediately after each import.
+#
+# A connection still literally named wgpvpn means an earlier run died
+# between import and rename — and it still has autoconnect on. The script
+# refuses to run until that's cleaned up rather than guessing.
+#
+# Idempotent: already-imported names skip.
+#
+# Usage: import-wireguard-configs.sh [config-dir]
+set -euo pipefail
+
+dir="${1:-$(cd "$(dirname "$0")/.." && pwd)/assets/wireguard-config}"
+[ -d "$dir" ] || { echo "no such config dir: $dir" >&2; exit 1; }
+
+if nmcli -t -f NAME connection show | grep -Fxq "wgpvpn"; then
+ echo "stale 'wgpvpn' connection found (an earlier run died mid-import; it has autoconnect ON)" >&2
+ echo "inspect and remove it first: nmcli connection delete wgpvpn" >&2
+ exit 1
+fi
+
+tmp="$(mktemp -d)"
+trap 'rm -rf "$tmp"' EXIT
+
+shopt -s nullglob
+found=0
+for conf in "$dir"/*.conf; do
+ found=1
+ name="$(basename "$conf" .conf)"
+ if nmcli -t -f NAME connection show | grep -Fxq "$name"; then
+ echo "skip: $name (already imported)"
+ continue
+ fi
+ cp "$conf" "$tmp/wgpvpn.conf"
+ out="$(nmcli connection import type wireguard file "$tmp/wgpvpn.conf")"
+ uuid="$(grep -oE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' <<<"$out" | head -1 || true)"
+ if [ -z "$uuid" ]; then
+ echo "could not parse a UUID from the import output for $name:" >&2
+ echo " $out" >&2
+ exit 1
+ fi
+ nmcli connection modify "$uuid" connection.id "$name" \
+ connection.autoconnect no
+ echo "imported: $name (autoconnect off, iface wgpvpn)"
+done
+[ "$found" = 1 ] || { echo "no .conf files in $dir" >&2; exit 1; }
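Review bot: The temp copy made at `cp "$conf" "$tmp/wgpvpn.conf"` carries the tunnel's private key, and its mode is whatever the source file's mode filtered by the caller's umask yields; the 0700 directory from `mktemp -d` is what actually shields it. Making the key file's mode explicit removes that dependency: `install -m 600 -- "$conf" "$tmp/wgpvpn.conf"`, or a `umask 077` right after `set -euo pipefail` as the broader alternative. Separately, the stale-connection guard `if nmcli -t -f NAME connection show | grep -Fxq "wgpvpn"` runs inside an `if`, where `-e`/`pipefail` do not fire, so an nmcli failure silently reads as "no stale connection" and the refusal message is lost (the later import would presumably fail on its own, but without the explanation); `existing="$(nmcli -t -f NAME connection show)"` followed by `grep -Fxq wgpvpn <<<"$existing"` keeps the nmcli failure fatal, and the same applies to the per-name check inside the loop. A config file literally named wgpvpn.conf would also trip that guard on every run after its first import, which deserves a one-line comment if such a name is ever possible.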