fix: setup accepts WG_PRIVATE_KEY/WG_PUBLIC_KEY env vars

Allows running make setup on hosts without wg binary or Python cryptography
library by passing pre-generated keys from another machine.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

scripts/setup_cell.py

@@ -115,13 +115,22 @@ def generate_wg_keys():
         return open(priv_path).read().strip(), open(pub_path).read().strip()
     print('[INFO]    Generating WireGuard server keys...')
     os.makedirs(keys_dir, exist_ok=True)
-    # Try wg binary first; fall back to Python cryptography library
-    try:
-        priv = subprocess.check_output(['wg', 'genkey']).decode().strip()
-        pub = subprocess.check_output(['wg', 'pubkey'], input=priv.encode()).decode().strip()
-    except FileNotFoundError:
-        print('[INFO]    wg not found — using Python cryptography library')
-        priv, pub = _gen_keys_python()
+
+    # Allow caller to inject pre-generated keys (useful when wg and cryptography are absent)
+    env_priv = os.environ.get('WG_PRIVATE_KEY', '').strip()
+    env_pub = os.environ.get('WG_PUBLIC_KEY', '').strip()
+    if env_priv and env_pub:
+        print('[INFO]    Using WG_PRIVATE_KEY / WG_PUBLIC_KEY from environment')
+        priv, pub = env_priv, env_pub
+    else:
+        # Try wg binary, then Python cryptography library
+        try:
+            priv = subprocess.check_output(['wg', 'genkey']).decode().strip()
+            pub = subprocess.check_output(['wg', 'pubkey'], input=priv.encode()).decode().strip()
+        except FileNotFoundError:
+            print('[INFO]    wg not found — using Python cryptography library')
+            priv, pub = _gen_keys_python()
+
     with open(priv_path, 'w') as f:
         f.write(priv + '\n')
     os.chmod(priv_path, 0o600)