fix: setup accepts WG_PRIVATE_KEY/WG_PUBLIC_KEY env vars

Allows running make setup on hosts without wg binary or Python cryptography
library by passing pre-generated keys from another machine.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Makefile

@@ -44,6 +44,8 @@ setup:
 	CELL_DOMAIN=$(or $(CELL_DOMAIN),cell) \
 	VPN_ADDRESS=$(or $(VPN_ADDRESS),10.0.0.1/24) \
 	WG_PORT=$(or $(WG_PORT),51820) \
+	WG_PRIVATE_KEY="$(WG_PRIVATE_KEY)" \
+	WG_PUBLIC_KEY="$(WG_PUBLIC_KEY)" \
 	python3 scripts/setup_cell.py
 
 init-peers:

scripts/setup_cell.py

@@ -115,13 +115,22 @@ def generate_wg_keys():
         return open(priv_path).read().strip(), open(pub_path).read().strip()
     print('[INFO]    Generating WireGuard server keys...')
     os.makedirs(keys_dir, exist_ok=True)
-    # Try wg binary first; fall back to Python cryptography library
+
+    # Allow caller to inject pre-generated keys (useful when wg and cryptography are absent)
+    env_priv = os.environ.get('WG_PRIVATE_KEY', '').strip()
+    env_pub = os.environ.get('WG_PUBLIC_KEY', '').strip()
+    if env_priv and env_pub:
+        print('[INFO]    Using WG_PRIVATE_KEY / WG_PUBLIC_KEY from environment')
+        priv, pub = env_priv, env_pub
+    else:
+        # Try wg binary, then Python cryptography library
         try:
             priv = subprocess.check_output(['wg', 'genkey']).decode().strip()
             pub = subprocess.check_output(['wg', 'pubkey'], input=priv.encode()).decode().strip()
         except FileNotFoundError:
             print('[INFO]    wg not found — using Python cryptography library')
             priv, pub = _gen_keys_python()
+
     with open(priv_path, 'w') as f:
         f.write(priv + '\n')
     os.chmod(priv_path, 0o600)