Add support for peers using exported ressources

Declaring everything in hiera is not always convenient.
This commit gives the choice to use exported resources
so that peers declare themselves on each other.

Author: brunoleon

manifests/interface.pp

@@ -105,6 +105,7 @@
   Boolean $manage_firewall = true,
   Array[Stdlib::IP::Address] $source_addresses = [],
   Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $addresses = [],
+  Optional[Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $allowed_ips = [],
   Optional[String[1]] $description = undef,
   Optional[Integer[1200, 9000]] $mtu = undef,
   Optional[String[1]] $public_key = undef,
@@ -243,4 +244,20 @@
       fail("provider ${provider} not supported")
     }
   }
+  if $facts['wireguard_pubkeys'][$interface] {
+    $peer_params = {
+      'description'          => $description,
+      'public_key'           => $facts['wireguard_pubkeys'][$interface],
+      'endpoint'             => "${facts['fqdn']}:${dport}",
+      'allowed_ips'          => $allowed_ips,
+      'preshared_key'        => $preshared_key,
+      'persistent_keepalive' => $persistent_keepalive,
+      'interface'            => $interface,
+      'tag'                  => "wireguard-${interface}"
+    }
+    @@wireguard::peer { "${facts['fqdn']}-${interface}-peer":
+      * => $peer_params,
+    }
+  }
+  Wireguard::Peer <<| tag == "wireguard-${interface}" |>>
 }

manifests/peer.pp

@@ -0,0 +1,24 @@
+define wireguard::peer (
+  String $interface,
+  Optional[String] $description = undef,
+  String $public_key,
+  String $endpoint,
+  Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips,
+  Optional[String] $preshared_key = undef,
+  Integer[0,65535] $persistent_keepalive = 0,
+) {
+  $peer_params = {
+    'description'          => $description,
+    'public_key'           => $public_key,
+    'endpoint'             => $endpoint,
+    'allowed_ips'          => $allowed_ips,
+    'preshared_key'        => $preshared_key,
+    'persistent_keepalive' => $persistent_keepalive,
+  }
+
+  concat::fragment { $name:
+      order   => 20,
+      target  => "/etc/wireguard/${interface}.conf",
+      content => epp("${module_name}/wireguard_peer.epp", $peer_params),
+  }
+}

manifests/provider/wgquick.pp

@@ -20,18 +20,30 @@
     'dport'         => $dport,
     'firewall_mark' => $firewall_mark,
     'mtu'           => $mtu,
-    'peers'         => $peers,
     'addresses'     => $addresses,
     'preup_cmds'    => $preup_cmds,
     'postup_cmds'   => $postup_cmds,
     'predown_cmds'  => $predown_cmds,
     'postdown_cmds' => $postdown_cmds,
   }
 
-  file { "/etc/wireguard/${interface}.conf":
-    ensure  => $ensure,
-    content => epp("${module_name}/wireguard_conf.epp", $params),
-    owner   => 'root',
-    mode    => '0600',
+  if ! empty($peers) {
+    file { "/etc/wireguard/${interface}.conf":
+      ensure  => $ensure,
+      content => epp("${module_name}/wireguard_conf.epp", $params + { 'peers' => $peers }),
+      owner   => 'root',
+      mode    => '0600',
+    }
+  } else {
+    concat { "/etc/wireguard/${interface}.conf":
+      ensure  => $ensure,
+      owner   => 'root',
+      mode    => '0600',
+    }
+    concat::fragment { "${interface}_head":
+      order   => 10,
+      target  => "/etc/wireguard/${interface}.conf",
+      content => epp("${module_name}/wireguard_head.epp", $params),
+    }
   }
 }

templates/wireguard_head.epp

@@ -0,0 +1,39 @@
+<%- |
+    String[1] $interface,
+    Stdlib::Port $dport,
+    Optional[Integer] $firewall_mark,
+    Array[Hash] $addresses,
+    Array[String[1]] $preup_cmds,
+    Array[String[1]] $postup_cmds,
+    Array[String[1]] $predown_cmds,
+    Array[String[1]] $postdown_cmds,
+    Optional[Integer[1280, 9000]] $mtu = undef,
+| -%>
+# THIS FILE IS MANAGED BY PUPPET
+<% $addresses.each |$address| { -%>
+
+[Interface]
+<% $address.each |$key, $value| { -%>
+<%= $key %>=<%= $value %>
+<% } -%>
+<% } -%>
+ListenPort=<%= $dport %>
+<% if $firewall_mark { -%>
+FwMark=<%= $firewall_mark %>
+<% } -%>
+<% $preup_cmds.each |$cmd| { -%>
+PreUp=<%= $cmd %>
+<% } -%>
+PostUp=wg set %i private-key /etc/wireguard/<%= $interface %>
+<% $postup_cmds.each |$cmd| { -%>
+PostUp=<%= $cmd %>
+<% } -%>
+<% $predown_cmds.each |$cmd| { -%>
+PreDown=<%= $cmd %>
+<% } -%>
+<% $postdown_cmds.each |$cmd| { -%>
+PostDown=<%= $cmd %>
+<% } -%>
+<% if $mtu { -%>
+MTU=<%= $mtu %>
+<% } -%>

templates/wireguard_peer.epp

@@ -0,0 +1,22 @@
+<%- |
+    Optional[String] $description,
+    String $public_key,
+    String $endpoint,
+    Optional[String] $preshared_key,
+    Optional[Integer[0,65535]] $persistent_keepalive,
+    Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips,
+| -%>
+
+<% if $description { -%>
+# <%= $description %>
+<% } -%>
+[Peer]
+PublicKey=<%= $public_key %>
+Endpoint=<%= $endpoint %>
+<% if $preshared_key { -%>
+PresharedKey=<%= $preshared_key %>
+<% } -%>
+PersistentKeepalive=<%= pick($persistent_keepalive, 0) %>
+<% pick($allowed_ips, ['fe80::/64', 'fd00::/8', '0.0.0.0/0']).each |$allowed_ip| { -%>
+AllowedIPs=<%= $allowed_ip %>
+<% } -%>