author | Hugo Hörnquist <hugo@lysator.liu.se> | 2022-11-06 16:28:05 +0100 |
---|---|---|
committer | Hugo Hörnquist <hugo@lysator.liu.se> | 2022-11-06 16:28:05 +0100 |
commit | ce58be29befe0697cbae824c12f09064670c4560 (patch) | |
tree | a3ec579c7de7580f710160e0e21821f4ac879afe /manifests | |
parent | Add initial wireguard profiles. (diff) | |
Move more wireguard config to hiera.
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/wireguard_peer.pp | 14 | ||||
-rw-r--r-- | manifests/wireguard_server.pp | 15 |
2 files changed, 10 insertions, 19 deletions
diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp
index 0f02e39..6eaeef1 100644
--- a/manifests/wireguard_peer.pp
+++ b/manifests/wireguard_peer.pp
@@ -32,19 +32,7 @@ class profiles::wireguard_peer (
 'ListenPort' => $profiles::wireguard::port,
 'PrivateKey' => $private_key,
 },
- 'WireGuardPeer' => {
- 'PublicKey' => $peer_key,
- # IP addresses which the kernel will accept sending over this
- # interface. Set it to 0.0.0.0/0 to allow anything to traverse
- # the tunnel
- 'AllowedIPs' => [
- '10.0.0.0/23', # adrift.space localnet
- '10.0.10.2/32', # Wireguard return
- ],
- # TODO is IP addresses allowed here?
- # Where the peer we want to connect to resides
- 'Endpoint' => "gandalf.adrift.space:${profiles::wireguard::port}",
- }
+ 'WireGuardPeer' => $peers,
 }
 }
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
index 03c4cda..9eee2d2 100644
--- a/manifests/wireguard_server.pp
+++ b/manifests/wireguard_server.pp
@@ -1,6 +1,13 @@
+# TODO
+# - Allow access over IPv4
+# - Allow forwarding IPv6 addresses
+#
+# - Possibly merge this and wireguard_peer
+# - manage keys
+# - allow accesss for phones
 class profiles::wireguard_server (
 Sensitive[String] $private_key,
- String $peer_key,
+ Array[Hash] $peers,
 ) {
 include ::profiles::wireguard
@@ -30,11 +37,7 @@ class profiles::wireguard_server (
 'ListenPort' => $profiles::wireguard::port,
 'PrivateKey' => $private_key,
 },
- # TODO multiple public peers
- 'WireGuardPeer' => {
- 'PublicKey' => $peer_key,
- 'AllowedIPs' => '10.0.10.2/32',
- }
+ 'WireGuardPeer' => $peers,
 }
 } |
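Review bot: The new `'WireGuardPeer' => $peers,` line in manifests/wireguard_peer.pp reads `$peers`, but the diffstat for that file (14 lines: 13 deletions, 1 insertion, all inside this hunk) shows no change to the class parameter list, which sits above line 32 outside the hunk; unless `$peers` was already declared there, it is an unknown variable, and `String $peer_key`, if still declared, becomes an unused parameter that hiera may keep supplying. The server manifest in this same commit changes its header to `Array[Hash] $peers,`, and the peer class presumably needs the same change. The deleted lines were also the only place that documented the entry shape, including that AllowedIPs is the set of addresses the kernel will accept over the tunnel and that `0.0.0.0/0` lets anything through, so a short comment should survive the move, e.g. `# One hash per [WireGuardPeer] section (PublicKey, AllowedIPs, Endpoint), supplied via hiera; AllowedIPs is the address filter for the tunnel, so keep it as narrow as the peer needs.` The same comment belongs on the `'WireGuardPeer' => $peers,` line in the second manifests/wireguard_server.pp hunk.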
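Review bot: `Array[Hash] $peers,` in the manifests/wireguard_server.pp header accepts any hash, so a hiera entry that misspells `AllowedIPs` or omits `PublicKey` only surfaces when the generated netdev is loaded, not at catalog compile; a Struct type pins the keys, e.g. `Array[Struct[{ 'PublicKey' => String, 'AllowedIPs' => Variant[String, Array[String]], Optional['Endpoint'] => String }]] $peers,`. Because AllowedIPs doubles as the list of addresses accepted from that peer (the comment deleted from wireguard_peer.pp in this commit says as much), a silently wrong entry widens what the tunnel admits, which makes the compile-time check worth the longer signature. The added TODO block also carries a typo, `accesss`, in its last line.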