voxpupuli · bastelfreak · Aug 19, 2024 · Jul 12, 2024 · Jul 22, 2024 · Jul 22, 2024
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -187,6 +187,26 @@ wireguard::interface { 'wg0':
 }
 ```
 
+##### Peer with one node, setup dualstack firewall rules and RoutingPolicyRule
+
+```puppet
+wireguard::interface {'as2273':
+  source_addresses        => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+  public_key              => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+  endpoint                => 'wg.example.com:53668',
+  addresses               => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
+  extra_networkd_sections => {
+    'RoutingPolicyRule' => [
+      {
+        'From'              => '10.0.0.0/24',
+        'Table'             => '1010',
+        'IncomingInterface' => 'as2273',
+      },
+    ],
+  },
+}
+```
+
 #### Parameters
 
 The following parameters are available in the `wireguard::interface` defined type:
@@ -208,6 +228,7 @@ The following parameters are available in the `wireguard::interface` defined typ
 * [`mtu`](#-wireguard--interface--mtu)
 * [`peers`](#-wireguard--interface--peers)
 * [`routes`](#-wireguard--interface--routes)
+* [`extra_networkd_sections`](#-wireguard--interface--extra_networkd_sections)
 * [`private_key`](#-wireguard--interface--private_key)
 * [`preshared_key`](#-wireguard--interface--preshared_key)
 * [`provider`](#-wireguard--interface--provider)
@@ -353,6 +374,14 @@ different routes for the systemd-networkd configuration
 
 Default value: `[]`
 
+##### <a name="-wireguard--interface--extra_networkd_sections"></a>`extra_networkd_sections`
+
+Data type: `Hash[String, Array[Hash[String, Any]]]`
+
+additional sections for the systemd-networkd configuration
+
+Default value: `{}`
+
 ##### <a name="-wireguard--interface--private_key"></a>`private_key`
 
 Data type: `Optional[String[1]]`

diff --git a/manifests/interface.pp b/manifests/interface.pp
@@ -18,6 +18,7 @@
 # @param mtu configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints
 # @param peers is an array of struct (Wireguard::Peers) for multiple peers
 # @param routes different routes for the systemd-networkd configuration
+# @param extra_networkd_sections additional sections for the systemd-networkd configuration
 # @param private_key Define private key which should be used for this interface, if not provided a private key will be generated
 # @param preshared_key Define preshared key for the remote peer
 # @param provider The specific backend to use for this `wireguard::interface` resource
@@ -94,6 +95,23 @@
 #    addresses        => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
 #  }
 #
+# @example Peer with one node, setup dualstack firewall rules and RoutingPolicyRule
+#  wireguard::interface {'as2273':
+#    source_addresses        => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+#    public_key              => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+#    endpoint                => 'wg.example.com:53668',
+#    addresses               => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
+#    extra_networkd_sections => {
+#      'RoutingPolicyRule' => [
+#        {
+#          'From'              => '10.0.0.0/24',
+#          'Table'             => '1010',
+#          'IncomingInterface' => 'as2273',
+#        },
+#      ],
+#    },
+#  }
+#
 define wireguard::interface (
   Enum['present', 'absent'] $ensure = 'present',
   Wireguard::Peers $peers = [],
@@ -112,6 +130,7 @@
   Optional[Integer[1200, 9000]] $mtu = undef,
   Optional[String[1]] $public_key = undef,
   Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
+  Hash[String, Array[Hash[String, Any]]] $extra_networkd_sections = {},
   Optional[String[1]] $private_key = undef,
   Optional[String[1]] $preshared_key = undef,
   Enum['systemd', 'wgquick'] $provider = 'systemd',
@@ -318,19 +337,24 @@
       }
 
       wireguard::provider::systemd { $interface :
-        ensure            => $ensure,
-        interface         => $interface,
-        peers             => $peers + $peer,
-        dport             => $dport,
-        firewall_mark     => $firewall_mark,
-        addresses         => $addresses,
-        description       => $description,
-        mtu               => $mtu,
-        routes            => $routes,
-        default_allowlist => $wireguard::default_allowlist,
+        ensure                  => $ensure,
+        interface               => $interface,
+        peers                   => $peers + $peer,
+        dport                   => $dport,
+        firewall_mark           => $firewall_mark,
+        addresses               => $addresses,
+        description             => $description,
+        mtu                     => $mtu,
+        routes                  => $routes,
+        extra_networkd_sections => $extra_networkd_sections,
+        default_allowlist       => $wireguard::default_allowlist,
       }
     }
     'wgquick': {
+      if !empty($extra_networkd_sections) {
+        warning('Systemd sections are not supported by wgquick')
+      }
+
       wireguard::provider::wgquick { $interface :
         ensure            => $ensure,
         interface         => $interface,

diff --git a/manifests/provider/systemd.pp b/manifests/provider/systemd.pp
@@ -12,6 +12,7 @@
   Optional[String[1]] $description = undef,
   Optional[Integer[1200, 9000]] $mtu = undef,
   Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
+  Hash[String, Array[Hash[String, Any]]] $extra_networkd_sections = {},
   Array[Stdlib::IP::Address] $default_allowlist = [],
 ) {
   assert_private()
@@ -41,9 +42,10 @@
   }
 
   $network_epp_params = {
-    'interface'       => $interface,
-    'addresses'       => $addresses,
-    'routes'          => $routes,
+    'interface'               => $interface,
+    'addresses'               => $addresses,
+    'routes'                  => $routes,
+    'extra_networkd_sections' => $extra_networkd_sections,
   }
 
   systemd::network { "${interface}.network":

diff --git a/spec/defines/interface_spec.rb b/spec/defines/interface_spec.rb
@@ -255,7 +255,7 @@
         it { is_expected.not_to compile.with_all_deps }
       end
 
-      context 'with required params (peers), routes and without firewall rules' do
+      context 'with required params (peers), routes, extra network sections and without firewall rules' do
         let :params do
           {
             peers: [
@@ -276,6 +276,7 @@
             destination_addresses: [facts[:networking]['ip'],],
             addresses: [{ 'Address' => '192.0.2.1/24' }],
             routes: [{ 'Gateway' => '192.0.2.2', 'GatewayOnLink' => true, 'Destination' => '192.0.3.0/24' }],
+            extra_networkd_sections: { 'RoutingPolicyRule' => [{ 'From' => '10.0.0.0/24', 'Table' => '1010', 'IncomingInterface' => 'as1234' }] },
           }
         end
 

diff --git a/spec/fixtures/test_files/peers_routes.network b/spec/fixtures/test_files/peers_routes.network
@@ -20,3 +20,8 @@ Gateway=192.0.2.2
 GatewayOnLink=true
 Destination=192.0.3.0/24
 
+[RoutingPolicyRule]
+From=10.0.0.0/24
+Table=1010
+IncomingInterface=as1234
+
diff --git a/templates/network.epp b/templates/network.epp
@@ -2,6 +2,7 @@
     Array[Hash] $addresses,
     String[1] $interface,
     Array[Hash[String[1], Variant[String[1], Boolean]]] $routes,
+    Hash[String, Array[Hash[String, Any]]] $extra_networkd_sections,
 | -%>
 # THIS FILE IS MANAGED BY PUPPET
 # based on https://dn42.dev/howto/wireguard
@@ -31,3 +32,12 @@ KeepConfiguration=yes
 <% } -%>
 <% } -%>
 
+<% $extra_networkd_sections.each |$section_key, $section_value| { -%>
+<% $section_value.each |$section| { -%>
+[<%= $section_key %>]
+<% $section.each |$key, $value| { -%>
+<%= $key %>=<%= $value %>
+<% } -%>
+<% } -%>
+
+<% } -%>