From e374ceee53e6e601be3b5b6c8abcc3181eab3d70 Mon Sep 17 00:00:00 2001
From: Sebastian Rakel
Date: Wed, 9 Mar 2022 09:24:19 +0100
Subject: [PATCH] Create private_key from parameter if wanted
---
 manifests/interface.pp | 46 ++++++++++++++++++++++++++--------
 spec/defines/interface_spec.rb | 43 +++++++++++++++++++++++++++----
 2 files changed, 74 insertions(+), 15 deletions(-)
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 8f13ed6..67de772 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -15,6 +15,7 @@
 # @param mtu configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints
 # @param peers is an array of struct (Wireguard::Peers) for multiple peers
 # @param routes different routes for the systemd-networkd configuration
+# @param private_key Define private key which should be used for this interface, if not provided a private key will be generated
 #
 # @author Tim Meusel
 # @author Sebastian Rakel
@@ -89,6 +90,7 @@
 Optional[Integer[1280, 9000]] $mtu = undef,
 Optional[String[1]] $public_key = undef,
 Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
+ Optional[String[1]] $private_key = undef,
 ) {
 require wireguard
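Review bot: `Optional[String[1]] $private_key = undef,` in the parameter hunk accepts the key only as a plain String, so whatever a caller passes is carried unredacted in the compiled catalog, in reports and in any log line that prints the resource; declaring it as `Optional[Variant[String[1], Sensitive[String[1]]]] $private_key = undef,` stays compatible with existing callers while letting them hand over a `Sensitive` value, which Puppet redacts in logs and reports. The `@param private_key` line in the first hunk should also state where the key is written (`${wireguard::config_directory}/${interface}`) and that a `Sensitive` value is accepted, since that is the line a reader checks before putting a key into Hiera. The parameter list and the define's body continue outside these hunks.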
@@ -112,25 +114,49 @@
 notify => Service['systemd-networkd'],
 }
 }
- exec { "generate ${interface} keys":
- command => "wg genkey | tee ${interface} | wg pubkey > ${interface}.pub",
+
+ $private_key_path = "${wireguard::config_directory}/${interface}"
+
+ if $private_key {
+ file { $private_key_path:
+ ensure => 'file',
+ content => $private_key,
+ owner => 'root',
+ group => 'systemd-network',
+ mode => '0640',
+ notify => Exec["generate public key ${interface}"],
+ }
+ } else {
+ exec { "generate private key ${interface}":
+ command => "wg genkey > ${interface}",
+ cwd => $wireguard::config_directory,
+ creates => $private_key_path,
+ path => '/usr/bin',
+ before => File[$private_key_path],
+ notify => Exec["generate public key ${interface}"],
+ }
+
+ file { $private_key_path:
+ ensure => 'file',
+ owner => 'root',
+ group => 'systemd-network',
+ mode => '0640',
+ }
+ }
+
+ exec { "generate public key ${interface}":
+ command => "wg pubkey < ${interface} > ${interface}.pub",
 cwd => $wireguard::config_directory,
 creates => "${wireguard::config_directory}/${interface}.pub",
 path => '/usr/bin',
 }
- file { "${wireguard::config_directory}/${interface}":
- ensure => 'file',
- owner => 'root',
- group => 'systemd-network',
- mode => '0640',
- require => Exec["generate ${interface} keys"],
- }
+
 file { "${wireguard::config_directory}/${interface}.pub":
 ensure => 'file',
 owner => 'root',
 group => 'root',
 mode => '0600',
- require => Exec["generate ${interface} keys"],
+ require => Exec["generate public key ${interface}"],
 }
 if $public_key {
diff --git a/spec/defines/interface_spec.rb b/spec/defines/interface_spec.rb
index 5c8b9b9..8da1eb4 100644
--- a/spec/defines/interface_spec.rb
+++ b/spec/defines/interface_spec.rb
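Review bot: The `notify => Exec["generate public key ${interface}"]` on the supplied-key `file` resource will not refresh `${interface}.pub` once that file exists, because the exec keeps `creates => "${wireguard::config_directory}/${interface}.pub"` and, as far as I recall the exec type, the `creates` guard is evaluated on refresh as well; a later change of `private_key` therefore leaves a stale public key next to the new private key. Replacing the `creates` line with `refreshonly => true` makes the exec run exactly when one of the two branches notifies it, which covers both first creation and key replacement. Independently, `content => $private_key` ships the key in clear text through the catalog and the agent's change output; `show_diff => false` on that file resource (or a `Sensitive` value) keeps it out of reports and logs. The `wg genkey > ${interface}` redirect creates the key file under the agent's umask before the `file` resource tightens it to `0640`, a window the old `tee` pipeline had as well; `umask => '077'` on that exec closes it. The define continues past the hunk at `if $public_key {`.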
@@ -29,7 +29,8 @@
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to contain_class('wireguard') }
- it { is_expected.to contain_exec("generate #{title} keys") }
+ it { is_expected.to contain_exec("generate private key #{title}") }
+ it { is_expected.to contain_exec("generate public key #{title}") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}") }
 it { is_expected.to contain_systemd__network("#{title}.netdev") }
@@ -76,7 +77,8 @@
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to contain_class('wireguard') }
- it { is_expected.to contain_exec("generate #{title} keys") }
+ it { is_expected.to contain_exec("generate private key #{title}") }
+ it { is_expected.to contain_exec("generate public key #{title}") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}") }
 it { is_expected.to contain_systemd__network("#{title}.netdev") }
@@ -110,7 +112,8 @@ class {"systemd":
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to contain_class('wireguard') }
- it { is_expected.to contain_exec("generate #{title} keys") }
+ it { is_expected.to contain_exec("generate private key #{title}") }
+ it { is_expected.to contain_exec("generate public key #{title}") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}") }
 it { is_expected.to contain_systemd__network("#{title}.netdev") }
@@ -134,7 +137,8 @@ class {"systemd":
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to contain_class('wireguard') }
- it { is_expected.to contain_exec("generate #{title} keys") }
+ it { is_expected.to contain_exec("generate private key #{title}") }
+ it { is_expected.to contain_exec("generate public key #{title}") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}") }
 it { is_expected.to contain_systemd__network("#{title}.netdev") }
@@ -268,7 +272,8 @@ class {"systemd":
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to contain_class('wireguard') }
- it { is_expected.to contain_exec("generate #{title} keys") }
+ it { is_expected.to contain_exec("generate private key #{title}") }
+ it { is_expected.to contain_exec("generate public key #{title}") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
 it { is_expected.to contain_file("/etc/wireguard/#{title}") }
 it { is_expected.to contain_systemd__network("#{title}.netdev") }
@@ -277,6 +282,34 @@ class {"systemd":
 it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(expected_network_content) }
 it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
 end
+
+ context 'with required params and defined private key and without firewall rules and with configured addresses' do
+ let :params do
+ {
+ public_key: 'blabla==',
+ private_key: 'gFYpkdIuGG3EhXKdGmuMJs/3rp/88wkFv2Go+shtu08=',
+ endpoint: 'wireguard.example.com:1234',
+ manage_firewall: false,
+ # we need to set destination_addresses to overwrite the default
+ # that would configure IPv4+IPv6, but GHA doesn't provide IPv6 for us
+ destination_addresses: [facts[:networking]['ip'],],
+ addresses: [{ 'Address' => '192.168.218.87/32', 'Peer' => '172.20.53.97/32' }, { 'Address' => 'fe80::ade1/64', },],
+ }
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('wireguard') }
+ it { is_expected.to contain_file("/etc/wireguard/#{title}").with_content('gFYpkdIuGG3EhXKdGmuMJs/3rp/88wkFv2Go+shtu08=') }
+ it { is_expected.to contain_exec("generate public key #{title}") }
+ it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
+ it { is_expected.to contain_systemd__network("#{title}.netdev") }
+ it { is_expected.to contain_systemd__network("#{title}.network") }
+ it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{[Address]}) } # rubocop:disable Lint/DuplicateRegexpCharacterClassElement
+ it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=192.168.218.87/32}) }
+ it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Peer=172.20.53.97/32}) }
+ it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(%r{Address=fe80::ade1/64}) }
+ it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
+ end
 end
 end
 end
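Review bot: The new context checks that the supplied key is written to `/etc/wireguard/#{title}` but never asserts that the generation branch is skipped, so a regression that declares both the `file` and the `generate private key` exec would still pass; `it { is_expected.not_to contain_exec("generate private key #{title}") }` pins that, and `.with_mode('0640')` on the key-file expectation pins the permission the manifest sets. The `private_key` fixture has the exact shape of a real WireGuard key, so secret scanners will flag it on every run; a one-line comment such as `# throwaway test fixture, not a real key` next to it saves the repeated triage, assuming the value was never used anywhere. The enclosing example groups begin before the hunk.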