wireguard: T2743: move key migration from config script to migration script

Migration files on the storage should be done one time by a migration script
instead of every time the configuration changes. Moving this to an older
migration script is fine as this is around for a long time and all rolling
releases are already up2date. It only affects updates from VyOS 1.2 series.

1 files changed, 17 insertions, 0 deletions

diff --git a/src/migration-scripts/interfaces/7-to-8 b/src/migration-scripts/interfaces/7-to-8
index 8830ffdc7..a4051301f 100755
--- a/src/migration-scripts/interfaces/7-to-8
+++ b/src/migration-scripts/interfaces/7-to-8
@@ -17,8 +17,23 @@
 # Split WireGuard endpoint into address / port nodes to make use of common
 # validators
 
+import os
+
 from sys import exit, argv
 from vyos.configtree import ConfigTree
+from vyos.util import chown, chmod_750
+
+def migrate_default_keys():
+    kdir = r'/config/auth/wireguard'
+    if os.path.exists(f'{kdir}/private.key') and not os.path.exists(f'{kdir}/default/private.key'):
+        location = f'{kdir}/default'
+        if not os.path.exists(location):
+            os.makedirs(location)
+
+        chown(location, 'root', 'vyattacfg')
+        chmod_750(location)
+        os.rename(f'{kdir}/private.key', f'{location}/private.key')
+        os.rename(f'{kdir}/public.key', f'{location}/public.key')
 
 if __name__ == '__main__':
     if (len(argv) < 1):
@@ -32,6 +47,8 @@ if __name__ == '__main__':
     config = ConfigTree(config_file)
     base = ['interfaces', 'wireguard']
 
+    migrate_default_keys()
+
     if not config.exists(base):
         # Nothing to do
         exit(0)