Create private_key from parameter if wanted
sebastianrakel committed Mar 9, 2022
1 parent dad2c2b commit 13e1cd7
Showing 2 changed files with 74 additions and 15 deletions.
46 changes: 36 additions & 10 deletions manifests/interface.pp
Expand Up @@ -15,6 +15,7 @@
# @param mtu configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints
# @param peers is an array of struct (Wireguard::Peers) for multiple peers
# @param routes different routes for the systemd-networkd configuration
# @param private_key Define private key which should be used for this interface, if not provided a private key will be generated
#
# @author Tim Meusel <[email protected]>
# @author Sebastian Rakel <[email protected]>
Expand Down Expand Up @@ -89,6 +90,7 @@
Optional[Integer[1280, 9000]] $mtu = undef,
Optional[String[1]] $public_key = undef,
Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
Optional[String[1]] $private_key = undef,
) {
require wireguard
Expand All @@ -112,25 +114,49 @@
notify => Service['systemd-networkd'],
}
}
exec { "generate ${interface} keys":
command => "wg genkey | tee ${interface} | wg pubkey > ${interface}.pub",
$private_key_path = "${wireguard::config_directory}/${interface}"
if $private_key {
file { $private_key_path:
ensure => 'file',
content => $private_key,
owner => 'root',
group => 'systemd-network',
mode => '0640',
notify => Exec["generate public key ${interface}"],
}
} else {
exec { "generate private key ${interface}":
command => "wg genkey > ${interface}",
cwd => $wireguard::config_directory,
creates => $private_key_path,
path => '/usr/bin',
before => File[$private_key_path],
notify => Exec["generate public key ${interface}"],
}
file { $private_key_path:
ensure => 'file',
owner => 'root',
group => 'systemd-network',
mode => '0640',
}
}
exec { "generate public key ${interface}":
command => "wg pubkey < ${interface} > ${interface}.pub",
cwd => $wireguard::config_directory,
creates => "${wireguard::config_directory}/${interface}.pub",
path => '/usr/bin',
}
file { "${wireguard::config_directory}/${interface}":
ensure => 'file',
owner => 'root',
group => 'systemd-network',
mode => '0640',
require => Exec["generate ${interface} keys"],
}
file { "${wireguard::config_directory}/${interface}.pub":
ensure => 'file',
owner => 'root',
group => 'root',
mode => '0600',
require => Exec["generate ${interface} keys"],
require => Exec["generate public key ${interface}"],
}
if $public_key {
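Review bot: The `file { $private_key_path:` resource in the `if $private_key` branch writes the supplied key through `content` without `show_diff => false`, so whenever the key changes Puppet prints the old and new private key into the agent log and the run report; add `show_diff => false,` directly under `content => $private_key,`. Because `$private_key` is declared as `Optional[String[1]]` the value also sits in the catalog in plain form, so accepting `Sensitive[String[1]]` (or a `Variant` of both) would keep it out of catalog diffs too. The `notify => Exec["generate public key ${interface}"]` in that branch may not achieve key rotation: that exec carries `creates => "${wireguard::config_directory}/${interface}.pub"`, and as far as I can tell the `creates` check is still evaluated on refresh, so once the `.pub` file exists a changed private key would leave a stale public key behind. The define's body starts before this hunk and continues after `if $public_key {`.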
43 changes: 38 additions & 5 deletions spec/defines/interface_spec.rb
Expand Up @@ -29,7 +29,8 @@

it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wireguard') }
it { is_expected.to contain_exec("generate #{title} keys") }
it { is_expected.to contain_exec("generate private key #{title}") }
it { is_expected.to contain_exec("generate public key #{title}") }
it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
it { is_expected.to contain_file("/etc/wireguard/#{title}") }
it { is_expected.to contain_systemd__network("#{title}.netdev") }
Expand Down Expand Up @@ -76,7 +77,8 @@

it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wireguard') }
it { is_expected.to contain_exec("generate #{title} keys") }
it { is_expected.to contain_exec("generate private key #{title}") }
it { is_expected.to contain_exec("generate public key #{title}") }
it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
it { is_expected.to contain_file("/etc/wireguard/#{title}") }
it { is_expected.to contain_systemd__network("#{title}.netdev") }
Expand Down Expand Up @@ -110,7 +112,8 @@ class {"systemd":

it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wireguard') }
it { is_expected.to contain_exec("generate #{title} keys") }
it { is_expected.to contain_exec("generate private key #{title}") }
it { is_expected.to contain_exec("generate public key #{title}") }
it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
it { is_expected.to contain_file("/etc/wireguard/#{title}") }
it { is_expected.to contain_systemd__network("#{title}.netdev") }
Expand All @@ -134,7 +137,8 @@ class {"systemd":

it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wireguard') }
it { is_expected.to contain_exec("generate #{title} keys") }
it { is_expected.to contain_exec("generate private key #{title}") }
it { is_expected.to contain_exec("generate public key #{title}") }
it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
it { is_expected.to contain_file("/etc/wireguard/#{title}") }
it { is_expected.to contain_systemd__network("#{title}.netdev") }
Expand Down Expand Up @@ -268,7 +272,8 @@ class {"systemd":

it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wireguard') }
it { is_expected.to contain_exec("generate #{title} keys") }
it { is_expected.to contain_exec("generate private key #{title}") }
it { is_expected.to contain_exec("generate public key #{title}") }
it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
it { is_expected.to contain_file("/etc/wireguard/#{title}") }
it { is_expected.to contain_systemd__network("#{title}.netdev") }
Expand All @@ -277,6 +282,34 @@ class {"systemd":
it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(expected_network_content) }
it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
end

context 'with required params and defined private key and without firewall rules and with configured addresses' do
let :params do
{
public_key: 'blabla==',
private_key: 'gFYpkdIuGG3EhXKdGmuMJs/3rp/88wkFv2Go+shtu08=',
endpoint: 'wireguard.example.com:1234',
manage_firewall: false,
# we need to set destination_addresses to overwrite the default
# that would configure IPv4+IPv6, but GHA doesn't provide IPv6 for us
destination_addresses: [facts[:networking]['ip'],],
addresses: [{ 'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32' }, { 'Address' => 'fe80::ade1/64', },],
}
end

it { is_expected.to compile.with_all_deps }
it { is_expected.to contain_class('wireguard') }
it { is_expected.to contain_file("/etc/wireguard/#{title}").with_content('gFYpkdIuGG3EhXKdGmuMJs/3rp/88wkFv2Go+shtu08=') }
it { is_expected.to contain_exec("generate public key #{title}") }
it { is_expected.to contain_file("/etc/wireguard/#{title}.pub").with_content('+9tf+vUKDE94hnrwfG9y42xaZR81uFnWKJ+8rOw+KTo=') }
it { is_expected.to contain_systemd__network("#{title}.netdev") }
it { is_expected.to contain_systemd__network("#{title}.network") }
it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{[Address]}) } # rubocop:disable Lint/DuplicateRegexpCharacterClassElement
it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=192.168.218.87/32}) }
it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Peer=172.20.53.97/32}) }
it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=fe80::ade1/64}) }
it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
end
end
end
end
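Review bot: The new expectation `with_content(%r{[Address]})` in the added `'with required params and defined private key ...'` context is a character class, so it matches any single letter from `Address` anywhere in the file rather than the literal `[Address]` section header; the `# rubocop:disable Lint/DuplicateRegexpCharacterClassElement` is silencing the warning about exactly that, and the pattern should be `%r{\[Address\]}`. The expectation `contain_file("/etc/wireguard/#{title}.pub").with_content('+9tf+vUKDE94hnrwfG9y42xaZR81uFnWKJ+8rOw+KTo=')` also looks unlikely to hold under rspec-puppet, since the `.pub` file resource in manifests/interface.pp sets no `content` — the public key is derived by the exec at apply time, so a catalog test can only assert the exec and the file's ownership and mode. If that assertion passes today it would be worth a comment explaining how the content is produced at compile time.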
