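# Configures this host as a WireGuard peer managed by systemd-networkd.
#
# Two networkd units are rendered through networking::networkd_instance:
#   - wg0 (netdev)  : the WireGuard interface, its listen port and private
#                     key, plus the [WireGuardPeer] data taken from $peers
#   - wg0-network   : the tunnel address and one static route
#
# profiles::wireguard is included first so that $profiles::wireguard::port
# resolves when the netdev content is built.
#
# @param private_key
#   WireGuard private key of this host. Sensitive[] keeps it out of
#   reports and logs, but the rendered .netdev file still holds it in
#   clear text.
#   NOTE(review): systemd-networkd documents that a .netdev carrying
#   PrivateKey should be owned root:systemd-network with mode 0640 --
#   confirm networking::networkd_instance installs it that way, and that
#   it unwraps the Sensitive value rather than rendering its placeholder.
# @param peers
#   One hash per remote peer (PublicKey, AllowedIPs, Endpoint, ...).
#   NOTE(review): assumes networking::networkd_instance turns an array
#   value into repeated [WireGuardPeer] sections -- verify against the
#   defined type before adding a second peer.
# @param address
#   CIDR address assigned to wg0.
# @param route_destination
#   Network reached through the tunnel.
# @param route_source
#   Source address stamped on the static route; keep it in sync with the
#   host part of $address when overriding either.
# @param route_gateway
#   Next hop inside the tunnel for $route_destination.
class profiles::wireguard_peer (
  Sensitive[String] $private_key,
  Array[Hash]       $peers,
  String            $address           = '10.0.10.2/24',
  String            $route_destination = '10.0.0.0/23',
  String            $route_source      = '10.0.10.2',
  String            $route_gateway     = '10.0.10.1',
) {
  include ::profiles::wireguard

  # Manual equivalent of the generated units, kept from the author's
  # notes (host ithryn acting as "peer B"; key and endpoint are the
  # author's examples). Note the IPv6 address from these notes is NOT
  # reproduced by this class -- only $address is configured below.
  #   ip link add dev wg0 type wireguard
  #   ip addr add 10.0.10.2/24 dev wg0
  #   ip addr add fdc9:281f:04d7:9ee9::2/64 dev wg0
  #   wg set wg0 listen-port 51902 private-key peer_B.key
  #   wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ=
  #   wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= allowed-ips 10.0.10.0/24,[THAT IPV6 ADDRESS]/64
  #   wg set wg0 peer MSplIgjOqQoODOOWkkJd3x/FWuxTirTrsVwqJOJzAEQ= endpoint gandalf.adrift.space:51781
  #   ip link set wg0 up
  #
  # Remaining notes as written. The first two carry no host prompt; the
  # second reads like a route and was presumably meant as `ip route add`.
  # The MASQUERADE rule was run on gandalf (the far end of the tunnel).
  #   ip addr add 10.0.0.45/23 dev wg0
  #   ip addr add 10.0.0.0/23 via 10.0.0.45 dev wg0
  #   iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o br0 -j MASQUERADE

  # Interface definition: carries the private key, so see the NOTE on
  # file permissions in the class header.
  networking::networkd_instance { 'wg0':
    type    => 'netdev',
    content => {
      'NetDev'        => {
        'Name'        => 'wg0',
        'Kind'        => 'wireguard',
        'Description' => 'WireGuard tunnel wg0',
      },
      'WireGuard'     => {
        'ListenPort' => $profiles::wireguard::port,
        'PrivateKey' => $private_key,
      },
      'WireGuardPeer' => $peers,
    },
  }

  # Addressing and the single static route through the tunnel.
  networking::networkd_instance { 'wg0-network':
    type    => 'network',
    content => {
      'Match'   => {
        'Name' => 'wg0',
      },
      'Network' => {
        'Address' => $address,
      },
      'Route'   => {
        'Destination' => $route_destination,
        'Source'      => $route_source,
        'Gateway'     => $route_gateway,
      },
    },
  }
}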