Diffstat (limited to '')
4 files changed, 51 insertions, 120 deletions
diff --git a/manifests/wg_exit_node.pp b/manifests/wg_exit_node.pp
new file mode 100644
index 0000000..c3dca74
--- /dev/null
+++ b/manifests/wg_exit_node.pp
@@ -0,0 +1,51 @@
+class profiles::wg_exit_node (
+ String $iface_name = 'wg0',
+ Array[Hash] $peers = [],
+) {
+ $base = "/etc/systemd/network/20-${iface_name}"
+ file { "${base}.netdev":
+ content => @("EOF")
+ # File managed by Puppet
+ [NetDev]
+ Name=${iface_name}
+ Kind=wireguard
+ Description=Wireguard tunnel ${iface_name}
+ [WireGuard]
+ PrivateKeyFile=/etc/wireguard/
+ | EOF
+ }
+ file { "${base}.network":
+ content => @("EOF")
+ # File managed by Puppet
+ [Match]
+ Name=${iface_name}
+ | EOF
+ }
+ file { [
+ "${base}.netdev.d",
+ "${base}.network.d",
+ ]:
+ ensure => directory,
+ }
+ $peers.each |$peer| {
+ file { "${base}.netdev.d/${peer['name']}.conf":
+ content => @("EOF")
+ [Route]
+ Destination=${peer['peer_address']}
+ | EOF
+ }
+ file { "${base}.network.d/${peer['name']}.conf":
+ content => @("EOF")
+ [WireGuardPeer]
+ PublicKey=${peer['public_key']}
+ AllowedIPs=${peer['peer_address']}
+ | EOF
+ }
+ }
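Review bot: The per-peer drop-ins look swapped: the `[Route]` section is written into `${base}.netdev.d/` (title at L40) and `[WireGuardPeer]` into `${base}.network.d/` (title at L46), but systemd-networkd reads `[WireGuardPeer]` from the .netdev unit and `[Route]` from the .network unit, so as written neither the peers nor their routes would be applied; exchanging the two resource titles, `file { "${base}.netdev.d/${peer['name']}.conf":` for the `[WireGuardPeer]` body and `file { "${base}.network.d/${peer['name']}.conf":` for the `[Route]` body, fixes it. `PrivateKeyFile=/etc/wireguard/` ends at the directory with no filename, so no key can be loaded; it needs the actual key path (for example `PrivateKeyFile=/etc/wireguard/${iface_name}.key`, a constructed placeholder), and that file must be readable by the systemd-networkd service user, which this manifest does not manage. Unlike the deleted wireguard_server.pp, the `[WireGuard]` section has no `ListenPort`, so the exit node would presumably bind a random port on each start; if remote peers initiate the connection a fixed port is required. `$peers` is an unconstrained `Array[Hash]` and `$peer['name']` becomes a path component, so a `Struct` with a `Pattern` type for `name` would reject values containing `/` or `..` at catalog compile time. The class's closing brace is not shown in this hunk.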
diff --git a/manifests/wireguard.pp b/manifests/wireguard.pp
deleted file mode 100644
index 3baa5ec..0000000
--- a/manifests/wireguard.pp
+++ /dev/null
@@ -1,16 +0,0 @@
-# qrencode -t ansiutf8 < tunnel.conf
-class profiles::wireguard (
- $port = 51871,
-) {
- ensure_packages ([
- 'wireguard-tools', # userspace utilities
- ])
- # TODO Where are these currently set in puppet?
- # sysctl -w net.ipv4.ip_forward=1
- # sysctl -w net.ipv6.conf.all.forwarding=1
diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp
deleted file mode 100644
index 63272bf..0000000
--- a/manifests/wireguard_peer.pp
+++ /dev/null
@@ -1,36 +0,0 @@
-class profiles::wireguard_peer (
- Variant[String,Sensitive[String]] $private_key,
- Array[Hash] $peers,
- Stdlib::IP::Address $network_address,
- String $ifname = 'wg0',
-) {
- include ::profiles::wireguard
- networking::networkd_instance { $ifname:
- type => 'netdev',
- mode => '0600',
- content => {
- 'NetDev' => {
- 'Name' => $ifname,
- 'Kind' => 'wireguard',
- 'Description' => "WireGuard tunnel ${ifname}"
- },
- 'WireGuard' => {
- 'PrivateKey' => $private_key,
- },
- 'WireGuardPeer' => $peers,
- }
- }
- networking::networkd_instance { "${ifname}-network":
- type => 'network',
- content => {
- 'Match' => {
- 'Name' => $ifname,
- },
- 'Network' => {
- 'Address' => $network_address,
- },
- }
- }
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
deleted file mode 100644
index 8eb3e25..0000000
--- a/manifests/wireguard_server.pp
+++ /dev/null
@@ -1,68 +0,0 @@
-class profiles::wireguard_server (
- Variant[String,Sensitive[String]] $private_key,
- Array[Hash] $peers,
- String $ifname = 'wg0',
-) {
- include ::profiles::wireguard
- networking::networkd_instance { $ifname:
- type => 'netdev',
- mode => '0600',
- content => {
- 'NetDev' => {
- 'Name' => $ifname,
- 'Kind' => 'wireguard',
- 'Description' => "Wireguard tunnel ${ifname}",
- },
- 'WireGuard' => {
- 'ListenPort' => $profiles::wireguard::port,
- 'PrivateKey' => $private_key,
- },
- 'WireGuardPeer' => $peers,
- }
- }
- networking::networkd_instance { "${ifname}-network":
- type => 'network',
- content => {
- 'Match' => {
- 'Name' => $ifname,
- },
- 'Route' => {
- 'Destination' => $ |$p| { $p['AllowedIPs'] }.flatten,
- }
- }
- }
- ['ip', 'ip6'].each |$provider| {
- firewall { "100 Forward ${provider} wireguard to network":
- table => 'nat',
- chain => 'POSTROUTING',
- jump => 'MASQUERADE',
- outiface => 'br0',
- proto => 'all',
- provider => "${provider}tables",
- }
- }
- # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short AAAA)
- @@firewall { '100 Allow IPv6 traffic to wiregaurd':
- provider => 'ip6tables',
- proto => 'udp',
- dport => $profiles::wireguard::port,
- destination => $facts['ipaddress6'],
- tag => [ 'router', ],
- }
- # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination
- @@firewall { '100 PortForward to wiregaurd server':
- provider => 'iptables',
- proto => 'udp',
- chain => 'VSERVER',
- dport => $profiles::wireguard::port,
- goto => 'DNAT',
- destination => $facts['ipaddress'],
- tag => [ 'router', ],
- }