From 9600c746ffe1ef86870929c2fd1721ae2c1878d1 Mon Sep 17 00:00:00 2001 From: Sebastian Rakel Date: Mon, 6 Dec 2021 22:33:00 +0100 Subject: [PATCH] Add possibility to define routes --- manifests/interface.pp | 10 ++++- spec/defines/interface_spec.rb | 42 +++++++++++++++++++ spec/fixtures/test_files/peers_routes.network | 21 ++++++++++ templates/network.epp | 8 ++++ 4 files changed, 80 insertions(+), 1 deletion(-) create mode 100644 spec/fixtures/test_files/peers_routes.network diff --git a/manifests/interface.pp b/manifests/interface.pp index c161566..8f13ed6 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -14,6 +14,7 @@ # @param description an optional string that will be added to the wireguard network interface # @param mtu configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints # @param peers is an array of struct (Wireguard::Peers) for multiple peers +# @param routes different routes for the systemd-networkd configuration # # @author Tim Meusel # @author Sebastian Rakel @@ -87,6 +88,7 @@ Optional[String[1]] $description = undef, Optional[Integer[1280, 9000]] $mtu = undef, Optional[String[1]] $public_key = undef, + Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [], ) { require wireguard @@ -155,8 +157,14 @@ require => File["/etc/wireguard/${interface}"], } + $network_epp_params = { + 'interface' => $interface, + 'addresses' => $addresses, + 'routes' => $routes, + } + systemd::network { "${interface}.network": - content => epp("${module_name}/network.epp", { 'interface' => $interface, 'addresses' => $addresses }), + content => epp("${module_name}/network.epp", $network_epp_params), restart_service => true, owner => 'root', group => 'systemd-network', diff --git a/spec/defines/interface_spec.rb b/spec/defines/interface_spec.rb index 79fe81a..cab4d07 100644 --- a/spec/defines/interface_spec.rb +++ b/spec/defines/interface_spec.rb @@ -233,6 +233,48 @@ class {"systemd": it { is_expected.not_to compile.with_all_deps } end + + context 'with required params (peers), routes and without firewall rules' do + let :params do + { + peers: [ + { + public_key: 'blabla==', + endpoint: 'wireguard.example.com:1234', + }, + { + public_key: 'foo==', + allowed_ips: ['192.0.2.3'], + } + ], + manage_firewall: false, + # we need to set destination_addresses to overwrite the default + # that would configure IPv4+IPv6, but GHA doesn't provide IPv6 for us + destination_addresses: [facts[:networking]['ip'],], + addresses: [{ 'Address' => '192.0.2.1/24' }], + routes: [{ 'Gateway' => '192.0.2.2', 'GatewayOnLink' => true, 'Destination' => '192.0.3.0/24' }], + } + end + + let(:expected_netdev_content) do + File.read('spec/fixtures/test_files/peers.netdev') + end + + let(:expected_network_content) do + File.read('spec/fixtures/test_files/peers_routes.network') + end + + it { is_expected.to compile.with_all_deps } + it { is_expected.to contain_class('wireguard') } + it { is_expected.to contain_exec("generate #{title} keys") } + it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") } + it { is_expected.to contain_file("/etc/wireguard/#{title}") } + it { is_expected.to contain_systemd__network("#{title}.netdev") } + it { is_expected.to contain_systemd__network("#{title}.network") } + it { is_expected.to contain_file("/etc/systemd/network/#{title}.netdev").with_content(expected_netdev_content) } + it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(expected_network_content) } + it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") } + end end end end diff --git a/spec/fixtures/test_files/peers_routes.network b/spec/fixtures/test_files/peers_routes.network new file mode 100644 index 0000000..e1a5486 --- /dev/null +++ b/spec/fixtures/test_files/peers_routes.network @@ -0,0 +1,21 @@ +# THIS FILE IS MANAGED BY PUPPET +# based on https://dn42.dev/howto/wireguard +[Match] +Name=as1234 + +[Network] +DHCP=no +IPv6AcceptRA=false +IPForward=yes + +# for networkd >= 244 KeepConfiguration stops networkd from +# removing routes on this interface when restarting +KeepConfiguration=yes + +[Address] +Address=192.0.2.1/24 + +[Routes] +Gateway=192.0.2.2 +GatewayOnLink=true +Destination=192.0.3.0/24 \ No newline at end of file diff --git a/templates/network.epp b/templates/network.epp index d6d7b29..8b89d28 100644 --- a/templates/network.epp +++ b/templates/network.epp @@ -1,6 +1,7 @@ <%- | Array[Hash] $addresses, String[1] $interface, + Array[Hash[String[1], Variant[String[1], Boolean]]] $routes, | -%> # THIS FILE IS MANAGED BY PUPPET # based on https://dn42.dev/howto/wireguard @@ -22,4 +23,11 @@ KeepConfiguration=yes <%= $key %>=<%= $value %> <% } -%> <% } -%> +<% $routes.each |$route| { -%> + +[Route] +<% $route.each |$key, $value| { -%> +<%= $key %>=<%= $value %> +<% } -%> +<% } -%>