authorHugo Hörnquist <hugo@lysator.liu.se>2023-09-27 05:04:20 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-09-27 05:04:20 +0200
commit534db28fdc4ceb449c338d707e55fe384dfaff52 (patch)
treefb59bd8d4877bf68aa7ed042e43fdd6a7c868733
parentfix (diff)
downloadprofiles-534db28fdc4ceb449c338d707e55fe384dfaff52.tar.gz
profiles-534db28fdc4ceb449c338d707e55fe384dfaff52.tar.xz
New wireguard rewrite.
-rw-r--r--manifests/wg_exit_node.pp51
-rw-r--r--manifests/wireguard.pp16
-rw-r--r--manifests/wireguard_peer.pp36
-rw-r--r--manifests/wireguard_server.pp68
4 files changed, 51 insertions, 120 deletions
diff --git a/manifests/wg_exit_node.pp b/manifests/wg_exit_node.pp
new file mode 100644
index 0000000..c3dca74
--- /dev/null
+++ b/manifests/wg_exit_node.pp
@@ -0,0 +1,51 @@
+class profiles::wg_exit_node (
+ String $iface_name = 'wg0',
+ Array[Hash] $peers = [],
+) {
+ $base = "/etc/systemd/network/20-${iface_name}"
+
+ file { "${base}.netdev":
+ content => @("EOF")
+ # File managed by Puppet
+ [NetDev]
+ Name=${iface_name}
+ Kind=wireguard
+ Description=Wireguard tunnel ${iface_name}
+
+ [WireGuard]
+ PrivateKeyFile=/etc/wireguard/gandalf.adrift.space.key
+ | EOF
+ }
+
+ file { "${base}.network":
+ content => @("EOF")
+ # File managed by Puppet
+ [Match]
+ Name=${iface_name}
+ | EOF
+ }
+
+ file { [
+ "${base}.netdev.d",
+ "${base}.network.d",
+ ]:
+ ensure => directory,
+ }
+
+ $peers.each |$peer| {
+ file { "${base}.netdev.d/${peer['name']}.conf":
+ content => @("EOF")
+ [Route]
+ Destination=${peer['peer_address']}
+ | EOF
+ }
+
+ file { "${base}.network.d/${peer['name']}.conf":
+ content => @("EOF")
+ [WireGuardPeer]
+ PublicKey=${peer['public_key']}
+ AllowedIPs=${peer['peer_address']}
+ | EOF
+ }
+ }
+}
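Review bot: The two per-peer drop-ins inside the `$peers.each` loop are written to the wrong directories: `[Route]` is a `.network` section and `[WireGuardPeer]` is a `.netdev` section, so systemd-networkd will skip both files and no peer or route ever gets configured; swapping the two resource titles fixes it, `file { "${base}.network.d/${peer['name']}.conf":` for the `[Route]` drop-in and `file { "${base}.netdev.d/${peer['name']}.conf":` for the `[WireGuardPeer]` one. The `.netdev` file hard-codes `PrivateKeyFile=/etc/wireguard/gandalf.adrift.space.key`, tying the class to one host, and the key file itself is not managed here (no `ensure`, owner or mode), whereas the deleted `wireguard_server.pp` at least set `mode => '0600'` on its netdev; a `String $private_key_file` parameter with a `file` resource that pins the key's owner/mode to what networkd's service user can read would restore that. `$peer['name']` is interpolated straight into a path, so a stricter parameter type such as `Array[Struct[{ name => Pattern[/\A[\w.-]+\z/], ... }]]` would keep a malformed peer name from escaping the drop-in directory. If this host is the endpoint peers dial into, note that neither `ListenPort=` nor the forwarding/MASQUERADE rules from the deleted `wireguard_server.pp` are carried over.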
diff --git a/manifests/wireguard.pp b/manifests/wireguard.pp
deleted file mode 100644
index 3baa5ec..0000000
--- a/manifests/wireguard.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-# qrencode -t ansiutf8 < tunnel.conf
-class profiles::wireguard (
- $port = 51871,
-) {
- ensure_packages ([
- 'wireguard-tools', # userspace utilities
- ])
-
- # TODO Where are these currently set in puppet?
- # sysctl -w net.ipv4.ip_forward=1
- # sysctl -w net.ipv6.conf.all.forwarding=1
-
-
-
-
-}
diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp
deleted file mode 100644
index 63272bf..0000000
--- a/manifests/wireguard_peer.pp
+++ /dev/null
@@ -1,36 +0,0 @@
-class profiles::wireguard_peer (
- Variant[String,Sensitive[String]] $private_key,
- Array[Hash] $peers,
- Stdlib::IP::Address $network_address,
- String $ifname = 'wg0',
-) {
- include ::profiles::wireguard
-
- networking::networkd_instance { $ifname:
- type => 'netdev',
- mode => '0600',
- content => {
- 'NetDev' => {
- 'Name' => $ifname,
- 'Kind' => 'wireguard',
- 'Description' => "WireGuard tunnel ${ifname}"
- },
- 'WireGuard' => {
- 'PrivateKey' => $private_key,
- },
- 'WireGuardPeer' => $peers,
- }
- }
-
- networking::networkd_instance { "${ifname}-network":
- type => 'network',
- content => {
- 'Match' => {
- 'Name' => $ifname,
- },
- 'Network' => {
- 'Address' => $network_address,
- },
- }
- }
-}
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
deleted file mode 100644
index 8eb3e25..0000000
--- a/manifests/wireguard_server.pp
+++ /dev/null
@@ -1,68 +0,0 @@
-class profiles::wireguard_server (
- Variant[String,Sensitive[String]] $private_key,
- Array[Hash] $peers,
-
- String $ifname = 'wg0',
-) {
- include ::profiles::wireguard
-
- networking::networkd_instance { $ifname:
- type => 'netdev',
- mode => '0600',
- content => {
- 'NetDev' => {
- 'Name' => $ifname,
- 'Kind' => 'wireguard',
- 'Description' => "Wireguard tunnel ${ifname}",
- },
- 'WireGuard' => {
- 'ListenPort' => $profiles::wireguard::port,
- 'PrivateKey' => $private_key,
- },
- 'WireGuardPeer' => $peers,
- }
- }
-
- networking::networkd_instance { "${ifname}-network":
- type => 'network',
- content => {
- 'Match' => {
- 'Name' => $ifname,
- },
- 'Route' => {
- 'Destination' => $peers.map |$p| { $p['AllowedIPs'] }.flatten,
- }
- }
- }
-
- ['ip', 'ip6'].each |$provider| {
- firewall { "100 Forward ${provider} wireguard to network":
- table => 'nat',
- chain => 'POSTROUTING',
- jump => 'MASQUERADE',
- outiface => 'br0',
- proto => 'all',
- provider => "${provider}tables",
- }
- }
-
- # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
- @@firewall { '100 Allow IPv6 traffic to wiregaurd':
- provider => 'ip6tables',
- proto => 'udp',
- dport => $profiles::wireguard::port,
- destination => $facts['ipaddress6'],
- tag => [ 'router', ],
- }
-
- # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
- @@firewall { '100 PortForward to wiregaurd server':
- provider => 'iptables',
- proto => 'udp',
- chain => 'VSERVER',
- dport => $profiles::wireguard::port,
- goto => 'DNAT',
- destination => $facts['ipaddress'],
- tag => [ 'router', ],
- }
-}