kedge/scripts/generate-wireguard-keys.sh

#!/usr/bin/env bash
set -euo pipefail

# Generate WireGuard keypair for a new site.
# Usage: ./generate-wireguard-keys.sh [output-dir]

OUTPUT_DIR="${1:-/etc/kedge}"

echo "Generating WireGuard keypair in ${OUTPUT_DIR}..."

mkdir -p "${OUTPUT_DIR}"

wg genkey | tee "${OUTPUT_DIR}/wg-private.key" | wg pubkey > "${OUTPUT_DIR}/wg-public.key"

chmod 600 "${OUTPUT_DIR}/wg-private.key"
chmod 644 "${OUTPUT_DIR}/wg-public.key"

echo "Private key: ${OUTPUT_DIR}/wg-private.key"
echo "Public key:  $(cat "${OUTPUT_DIR}/wg-public.key")"