-rw-r--r--manifests/wireguard.pp16
-rw-r--r--manifests/wireguard_peer.pp67
-rw-r--r--manifests/wireguard_server.pp81
3 files changed, 164 insertions, 0 deletions
diff --git a/manifests/wireguard.pp b/manifests/wireguard.pp
new file mode 100644
index 0000000..3baa5ec
--- /dev/null
+++ b/manifests/wireguard.pp
@@ -0,0 +1,16 @@
+# qrencode -t ansiutf8 < tunnel.conf
+class profiles::wireguard (
+ $port = 51871,
+) {
+ ensure_packages ([
+ 'wireguard-tools', # userspace utilities
+ ])
+
+ # TODO Where are these currently set in puppet?
+ # sysctl -w net.ipv4.ip_forward=1
+ # sysctl -w net.ipv6.conf.all.forwarding=1
+
+
+
+
+}
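Review bot: `$port` on line 18 is untyped while the peer and server classes type every parameter; declaring it `Integer $port = 51871,` makes a bad Hiera value fail at catalog compile time instead of being interpolated into the netdev file. The forwarding sysctls in the TODO block on lines 24-26 are what makes the server's MASQUERADE rule useful, so as written this class documents the requirement without enforcing it; until it is managed here, a header comment stating that `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` must be enabled elsewhere would help the next reader. The class also has no doc comment; a one-line `# Installs wireguard-tools and holds the listen port shared by the peer and server profiles.` would do.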
diff --git a/manifests/wireguard_peer.pp b/manifests/wireguard_peer.pp
new file mode 100644
index 0000000..0f02e39
--- /dev/null
+++ b/manifests/wireguard_peer.pp
@@ -0,0 +1,67 @@
+class profiles::wireguard_peer (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+
+ # ithryn $
+ # [root@ithryn hugo]# ip link add dev wg0 type wireguard
+ # [root@ithryn hugo]# ip addr add 10.0.10.2/24 dev wg0
+ # [root@ithryn hugo]# ip addr add fdc9:281f:04d7:9ee9::2/64 dev wg0
+ # [root@ithryn hugo]# wg set wg0 listen-port 51902 private-key peer_B.key
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ=
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= allowed-ips 10.0.10.0/24,[THAT IPV6 ADDRESS]/64
+ # [root@ithryn hugo]# wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= endpoint gandalf.adrift.space:51781
+ # [root@ithryn hugo]# ip link set wg0 up
+ #
+
+ # ip addr add 10.0.0.45/23 dev wg0
+ # ip addr add 10.0.0.0/23 via 10.0.0.45 dev wg0
+ # [root@gandalf manifests]# iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o br0 -j MASQUERADE
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'WireGuard tunnal wg0'
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ # IP addresses which the kernel will accept sending over this
+ # interface. Set it to 0.0.0.0/0 to allow anything to traverse
+ # the tunnel
+ 'AllowedIPs' => [
+ '10.0.0.0/23', # adrift.space localnet
+ '10.0.10.2/32', # Wireguard return
+ ],
+ # TODO is IP addresses allowed here?
+ # Where the peer we want to connect to resides
+ 'Endpoint' => "gandalf.adrift.space:${profiles::wireguard::port}",
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.2/24',
+ },
+ 'Route' => {
+ 'Destination' => '10.0.0.0/23',
+ 'Source' => '10.0.10.2',
+ 'Gateway' => '10.0.10.1',
+ }
+ }
+ }
+}
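Review bot: The `AllowedIPs` entry `'10.0.10.2/32'` on line 79 is this host's own tunnel address (see `Address` on line 95), so it cannot be the server's "return" address; WireGuard's cryptokey routing only passes packets whose peer-side address is inside `AllowedIPs`, so traffic to or from `10.0.10.1` — which is also the `Gateway` the Route on line 100 relies on — would presumably be dropped, and the intended value looks like `'10.0.10.1/32'`. The `Sensitive[String]` private key is passed straight into the rendered netdev content on line 70; whether `networking::networkd_instance` unwraps it and restricts the file mode is not visible here, and systemd's `PrivateKeyFile=` option would keep the key out of the rendered config altogether, so confirm one or the other before rolling out. The `Description` on line 66 reads `'WireGuard tunnal wg0'` where the server class spells it `tunnel`.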
diff --git a/manifests/wireguard_server.pp b/manifests/wireguard_server.pp
new file mode 100644
index 0000000..03c4cda
--- /dev/null
+++ b/manifests/wireguard_server.pp
@@ -0,0 +1,81 @@
+class profiles::wireguard_server (
+ Sensitive[String] $private_key,
+ String $peer_key,
+) {
+ include ::profiles::wireguard
+
+ # gandalf $
+ # ip link add dev wg0 type wireguard
+ # ip addr add 10.0.10.1/24 dev wg0
+ # [root@gandalf profiles]# ip addr add fdc9:281f:04df:9ee9::1/64 dev wg0
+ # wg set wg0 listen-port 51871 private-key ~/peer_A.key
+ # ## wg set wg0 peer CONTENTS_OF<peer_B.pub>
+ # ip link set wg0 up
+ # wg set wg0 peer 87Erkb8rXeSd162eBEXuuKUft/frF2iqdPdrMTStNVM= \
+ # allowed-ips 10.0.10.0/24,fdc9:281f:4d7:9ee9::/64
+
+ # på B
+ # wg set wg0 peer <> endpoint gandalf.adrift.space:51871
+
+
+ networking::networkd_instance { 'wg0':
+ type => 'netdev',
+ content => {
+ 'NetDev' => {
+ 'Name' => 'wg0',
+ 'Kind' => 'wireguard',
+ 'Description' => 'Wireguard tunnel wg0',
+ },
+ 'WireGuard' => {
+ 'ListenPort' => $profiles::wireguard::port,
+ 'PrivateKey' => $private_key,
+ },
+ # TODO multiple public peers
+ 'WireGuardPeer' => {
+ 'PublicKey' => $peer_key,
+ 'AllowedIPs' => '10.0.10.2/32',
+ }
+ }
+ }
+
+ networking::networkd_instance { 'wg0-network':
+ type => 'network',
+ content => {
+ 'Match' => {
+ 'Name' => 'wg0',
+ },
+ 'Network' => {
+ 'Address' => '10.0.10.1/24',
+ }
+ }
+ }
+
+ firewall { '100 Forward wireguard to network':
+ table => 'nat',
+ chain => 'POSTROUTING',
+ jump => 'MASQUERADE',
+ outiface => 'br0',
+ #iniface => 'wg0',
+ #source => '10.0.10.0/24',
+ }
+
+ # -A FORWARD -p udp -m udp --dport 51871 --destination $(dig +short gandalf.adrift.space AAAA)
+ @@firewall { '100 Allow IPv6 traffic to wiregaurd':
+ provider => 'ip6tables',
+ proto => 'udp',
+ dport => $profiles::wireguard::port,
+ destination => $facts['ipaddress6'],
+ tag => [ 'router', ],
+ }
+
+ # -A VSERVER -p udp -m udp --dport 51871 -j DNAT --to-destination 10.0.0.40
+ @@firewall { '100 PortForward to wiregaurd server':
+ provider => 'iptables',
+ proto => 'udp',
+ chain => 'VSERVER',
+ dport => $profiles::wireguard::port,
+ goto => 'DNAT',
+ destination => $facts['ipaddress'],
+ tag => [ 'router', ],
+ }
+}
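Review bot: The MASQUERADE rule on lines 163-170 has its `source` and `iniface` commented out, so it rewrites the source address of every packet leaving `br0`, not just tunnel traffic from `10.0.10.0/24`; restoring `source => '10.0.10.0/24'` scopes the NAT to the tunnel subnet. The exported DNAT rule on lines 182-190 does not match the iptables line quoted above it: `-j DNAT --to-destination` corresponds to `jump => 'DNAT'` plus `todest => $facts['ipaddress']`, whereas `goto => 'DNAT'` with `destination =>` turns `destination` into a `-d` match and gives DNAT no target address. The IPv6 exported rule on lines 173-179 likewise omits the `chain => 'FORWARD'` and `action => 'accept'` that its comment on line 172 implies, so as written it is an accounting rule with no target. The two exported titles spell `wiregaurd`.
```puppet
  firewall { '100 Forward wireguard to network':
    # … unchanged: table/chain/jump/outiface …
    source   => '10.0.10.0/24',
  }

  @@firewall { '100 Allow IPv6 traffic to wiregaurd':
    # … unchanged: provider/proto/dport/destination/tag …
    chain    => 'FORWARD',
    action   => 'accept',
  }

  @@firewall { '100 PortForward to wiregaurd server':
    # … unchanged: provider/proto/chain/dport/tag …
    jump     => 'DNAT',
    todest   => $facts['ipaddress'],
  }
```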