authorHugo Hörnquist <hugo@lysator.liu.se>2023-09-27 05:04:20 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2023-09-27 05:04:20 +0200
commit534db28fdc4ceb449c338d707e55fe384dfaff52 (patch)
treefb59bd8d4877bf68aa7ed042e43fdd6a7c868733 /manifests/wireguard_server.pp
parentfix (diff)
New wireguard rewrite.
Diffstat (limited to '')
-rw-r--r--manifests/wireguard_server.pp68
1 files changed, 0 insertions, 68 deletions
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
deleted file mode 100644
index 8eb3e25..0000000
--- a/manifests/wireguard_server.pp
+++ /dev/null
@@ -1,68 +0,0 @@
-class profiles::wireguard_server (
- Variant[String,Sensitive[String]] $private_key,
- Array[Hash] $peers,
-
- String $ifname = 'wg0',
-) {
- include ::profiles::wireguard
-
- networking::networkd_instance { $ifname:
- type => 'netdev',
- mode => '0600',
- content => {
- 'NetDev' => {
- 'Name' => $ifname,
- 'Kind' => 'wireguard',
- 'Description' => "Wireguard tunnel ${ifname}",
- },
- 'WireGuard' => {
- 'ListenPort' => $profiles::wireguard::port,
- 'PrivateKey' => $private_key,
- },
- 'WireGuardPeer' => $peers,
- }
- }
-
- networking::networkd_instance { "${ifname}-network":
- type => 'network',
- content => {
- 'Match' => {
- 'Name' => $ifname,
- },
- 'Route' => {
- 'Destination' => $peers.map |$p| { $p['AllowedIPs'] }.flatten,
- }
- }
- }
-
- ['ip', 'ip6'].each |$provider| {
- firewall { "100 Forward ${provider} wireguard to network":
- table => 'nat',
- chain => 'POSTROUTING',
- jump => 'MASQUERADE',
- outiface => 'br0',
- proto => 'all',
- provider => "${provider}tables",
- }
- }
-
- # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
- @@firewall { '100 Allow IPv6 traffic to wiregaurd':
- provider => 'ip6tables',
- proto => 'udp',
- dport => $profiles::wireguard::port,
- destination => $facts['ipaddress6'],
- tag => [ 'router', ],
- }
-
- # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
- @@firewall { '100 PortForward to wiregaurd server':
- provider => 'iptables',
- proto => 'udp',
- chain => 'VSERVER',
- dport => $profiles::wireguard::port,
- goto => 'DNAT',
- destination => $facts['ipaddress'],
- tag => [ 'router', ],
- }
-}