

Add different providers for wireguard
sebastianrakel committed Aug 7, 2022
1 parent 9191b76 commit 52eeb0c
Showing 5 changed files with 147 additions and 28 deletions.
55 changes: 27 additions & 28 deletions manifests/interface.pp
Expand Up @@ -17,6 +17,7 @@
# @param routes different routes for the systemd-networkd configuration
# @param private_key Define private key which should be used for this interface, if not provided a private key will be generated
# @param preshared_key Define preshared key which should be used for this interface
# @param provider Set provider for interface config. Allowed values: systemd, wgquick (default: systemd)
#
# @author Tim Meusel <[email protected]>
# @author Sebastian Rakel <[email protected]>
Expand Down Expand Up @@ -94,6 +95,7 @@
Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
Optional[String[1]] $private_key = undef,
Optional[String[1]] $preshared_key = undef,
Enum['systemd', 'wgquick'] $provider = 'systemd',
) {
require wireguard
Expand Down Expand Up @@ -171,33 +173,30 @@
$peer = []
}
systemd::network { "${interface}.netdev":
content => epp("${module_name}/netdev.epp", {
'interface' => $interface,
'dport' => $dport,
'description' => $description,
'preshared_key' => $preshared_key,
'mtu' => $mtu,
'peers' => $peers + $peer,
}),
restart_service => true,
owner => 'root',
group => 'systemd-network',
mode => '0440',
require => File["/etc/wireguard/${interface}"],
}
$network_epp_params = {
'interface' => $interface,
'addresses' => $addresses,
'routes' => $routes,
}
systemd::network { "${interface}.network":
content => epp("${module_name}/network.epp", $network_epp_params),
restart_service => true,
owner => 'root',
group => 'systemd-network',
mode => '0440',
case $provider {
'systemd': {
class { 'wireguard::provider::systemd':
interface => $interface,
peers => $peers + $peer,
dport => $dport,
addresses => $addresses,
description => $description,
mtu => $mtu,
routes => $routes,
preshared_key => $preshared_key,
}
}
'wgquick': {
class { 'wireguard::provider::wgquick':
interface => $interface,
peers => $peers + $peer,
dport => $dport,
addresses => $addresses,
preshared_key => $preshared_key,
}
}
default: {
fail("provider ${provider} not supported")
}
}
}
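Review bot: Declaring the providers with `class { 'wireguard::provider::systemd': … }` from inside what `spec/acceptance/init_spec.rb` shows to be a defined type (`wireguard::interface { 'tun0': … }`) means a second `wireguard::interface` on the same node re-declares the class and the catalog fails with a duplicate declaration, so multi-interface hosts break with this change; making both providers defined types (`define wireguard::provider::systemd (` …) declared as `wireguard::provider::systemd { $interface: … }` avoids that and also gives the `$title`-based `$dport` default in those files a title it can actually parse. The `'wgquick'` branch also drops `$description`, `$mtu` and `$routes` silently — either pass them through (`mtu => $mtu,`, `routes => $routes,`) or state in the `@param provider` doc in the first hunk that they only apply to the systemd provider. The `default:` arm is unreachable given `Enum['systemd', 'wgquick']`; harmless, but a one-line comment saying it is a belt-and-braces guard would stop the next reader from looking for a third provider. The enclosing `wireguard::interface` body starts outside the hunk.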
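--- a/manifests/provider/systemd.pp
+++ b/manifests/provider/systemd.pp
@@ -0,0 +1,43 @@
+#
+# @summary manages a systemd wireguard file
+#
+class wireguard::provider::systemd (
+String[1] $interface,
+Wireguard::Peers $peers = [],
+Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')),
+Array[Hash[String,Variant[Stdlib::IP::Address::V4::CIDR,Stdlib::IP::Address::V6::CIDR]]] $addresses = [],
+Optional[String[1]] $description = undef,
+Optional[Integer[1280, 9000]] $mtu = undef,
+Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
+Optional[String[1]] $preshared_key = undef,
+){
+systemd::network { "${interface}.netdev":
+content => epp("${module_name}/netdev.epp", {
+'interface' => $interface,
+'dport' => $dport,
+'description' => $description,
+'mtu' => $mtu,
+'peers' => $peers,
+'preshared_key' => $preshared_key,
+}),
+restart_service => true,
+owner => 'root',
+group => 'systemd-network',
+mode => '0440',
+require => File["/etc/wireguard/${interface}"],
+}
+
+$network_epp_params = {
+'interface' => $interface,
+'addresses' => $addresses,
+'routes' => $routes,
+}
+
+systemd::network { "${interface}.network":
+content => epp("${module_name}/network.epp", $network_epp_params),
+restart_service => true,
+owner => 'root',
+group => 'systemd-network',
+mode => '0440',
+}
+}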
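Review bot: The `$dport` default `Integer(regsubst($title, '^\D+(\d+)$', '\1'))` cannot work in a class: `$title` of a class is its own name (`wireguard::provider::systemd`), the pattern does not match, `regsubst` returns the string unchanged and `Integer()` then raises, so the default is an error waiting for the first caller that omits `dport`. Either make the parameter mandatory (`Integer[1024, 65000] $dport,`) or, if the provider becomes a defined type titled by the interface name, keep the derivation and document it; the same default sits in `manifests/provider/wgquick.pp`. The class header also lacks puppet-strings `@param` entries for its eight parameters; the one most worth adding is `# @param preshared_key Optional preshared key; it is written into the netdev unit, which is rendered root:systemd-network with mode 0440`, because that line tells a reader where secret material lands on disk.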
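--- a/manifests/provider/wgquick.pp
+++ b/manifests/provider/wgquick.pp
@@ -0,0 +1,26 @@
+#
+# @summary manages a wireguard config file for wg-quick
+#
+class wireguard::provider::wgquick (
+String[1] $interface,
+Wireguard::Peers $peers = [],
+Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')),
+Array[Hash[String,Variant[Stdlib::IP::Address::V4::CIDR,Stdlib::IP::Address::V6::CIDR]]] $addresses = [],
+Optional[String[1]] $description = undef,
+Optional[Integer[1280, 9000]] $mtu = undef,
+Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
+){
+$params = {
+'interface' => $interface,
+'dport' => $dport,
+'peers' => $peers,
+'addresses' => $addresses,
+'preshared_key' => $preshared_key,
+}
+
+file { "/etc/wireguard/${interface}.conf":
+content => epp("${module_name}/wireguard_conf.epp", $params),
+owner => 'root',
+mode => '0600',
+}
+}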
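Review bot: `$preshared_key` is read in `$params` at `'preshared_key' => $preshared_key,` but is not a parameter of this class, while `manifests/interface.pp` passes `preshared_key => $preshared_key` to it, so the declaration fails with an unknown-parameter error (and with strict variables the reference itself is rejected); add `Optional[String[1]] $preshared_key = undef,` to the parameter list. Conversely `$description`, `$mtu` and `$routes` are accepted but never reach `$params` or the template, so a user's MTU or routes are lost without warning for this provider — either feed them into `$params` (wg-quick accepts `MTU =` under `[Interface]`) or remove the parameters so the contract is honest. The `file` resource has no `require => File["/etc/wireguard/${interface}"]` on the private-key file the rendered `PostUp` line points at, and nothing manages or reloads a `wg-quick@${interface}` service, unlike the systemd provider's `restart_service => true`; if that is deliberate for a first cut it deserves a comment. Owner `root` with mode `0600` for a file that carries the preshared key is the right choice.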
24 changes: 24 additions & 0 deletions spec/acceptance/init_spec.rb
Expand Up @@ -10,4 +10,28 @@
end
end
end

context 'with wg-quick' do
it 'work with no errors' do
pp = <<-EOS
include wireguard
wireguard::interface { 'tun0':
manage_firewall => false,
dport => 51820,
addresses => [{'Address' => '192.0.2.1/24'}],
provider => 'wgquick',
peers => [
{
public_key => 'hZC2VwCilfF9k9nQC6a86xOBFKaqdAgy123dkA6Z008=',
allowed_ips => ['192.0.2.3'],
}
]
}
EOS

apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end
end
end
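Review bot: The new context only checks that the manifest applies twice without changes; it never inspects `/etc/wireguard/tun0.conf`, the artefact this provider produces and the file that carries the preshared key when one is set, so a permission regression on the `mode => '0600'` the provider writes would pass unnoticed. Add a `describe file('/etc/wireguard/tun0.conf')` block next to the two `apply_manifest` calls with `it { is_expected.to be_file }` and `it { is_expected.to be_mode 600 }`, assuming the serverspec matchers beaker-rspec provides are available in this suite. The example name `'work with no errors'` reads better as `'works with no errors'`. The enclosing `describe` block starts outside the hunk.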
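--- a/templates/wireguard_conf.epp
+++ b/templates/wireguard_conf.epp
@@ -0,0 +1,27 @@
+<%- |
+String[1] $interface,
+Stdlib::Port $dport,
+Wireguard::Peers $peers,
+Array[Hash] $addresses,
+| -%>
+[Interface]
+<% $addresses.each |$address| { -%>
+Address = <%= $address['Address'] %>
+<% } -%>
+ListenPort = <%= $dport %>
+PostUp = wg set %i private-key /etc/wireguard/<%= $interface %>
+<% $peers.each |$peer| { -%>
+
+[Peer]
+PublicKey=<%= $peer['public_key'] %>
+<% if $peer['endpoint'] { -%>
+Endpoint=<%= $peer['endpoint'] %>
+<% } -%>
+<% if $preshared_key { -%>
+PresharedKey=<%= $preshared_key %>
+<% } -%>
+PersistentKeepalive=<%= pick($peer['persistent_keepalive'], 0) %>
+<% pick($peer['allowed_ips'], ['fe80::/64', 'fd00::/8', '0.0.0.0/0']).each |$allowed_ip| { -%>
+AllowedIPs=<%= $allowed_ip %>
+<% } -%>
+<% } -%>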
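Review bot: The parameter block declares only `$interface`, `$dport`, `$peers` and `$addresses`, yet the body reads `$preshared_key` in `<% if $preshared_key { -%>`; because `manifests/provider/wgquick.pp` passes `'preshared_key'` in its `$params` hash, `epp()` rejects it as an unknown template parameter, so add `Optional[String[1]] $preshared_key = undef,` to the `<%- | … | -%>` block. The `AllowedIPs` fallback `['fe80::/64', 'fd00::/8', '0.0.0.0/0']` sends all IPv4 traffic to any peer that omits `allowed_ips`, and wg-quick additionally installs routes for every AllowedIPs entry, so that peer becomes the host's default route; presumably this mirrors `netdev.epp` (not in this commit), but it deserves a comment above that line such as `<%# without allowed_ips a peer receives all IPv4 plus ULA/link-local IPv6 traffic; set allowed_ips per peer to narrow it %>`. `Stdlib::Port $dport` here is looser than the `Integer[1024, 65000]` the calling classes enforce; harmless but inconsistent.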
