
Commit 5c65ea4

committed
Add support for peers using exported ressources
Declaring everything in hiera is not always convenient. This commit gives the choice to use exported resources so that peers declare themselves on each other.
1 parent 14bd7fd commit 5c65ea4


5 files changed

+120
-6
lines changed


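--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -105,6 +105,7 @@
 Boolean $manage_firewall = true,
 Array[Stdlib::IP::Address] $source_addresses = [],
 Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $addresses = [],
+Optional[Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $allowed_ips = [],
 Optional[String[1]] $description = undef,
 Optional[Integer[1200, 9000]] $mtu = undef,
 Optional[String[1]] $public_key = undef,
@@ -243,4 +244,20 @@
 fail("provider ${provider} not supported")
 }
 }
+if $facts['wireguard_pubkeys'][$interface] {
+$peer_params = {
+'description' => $description,
+'public_key' => $facts['wireguard_pubkeys'][$interface],
+'endpoint' => "${facts['fqdn']}:${dport}",
+'allowed_ips' => $allowed_ips,
+'preshared_key' => $preshared_key,
+'persistent_keepalive' => $persistent_keepalive,
+'interface' => $interface,
+'tag' => "wireguard-${interface}"
+}
+@@wireguard::peer { "${facts['fqdn']}-${interface}-peer":
+* => $peer_params,
+}
+}
+Wireguard::Peer <<| tag == "wireguard-${interface}" |>>
 }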
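Review bot: The collector on the last added line, `Wireguard::Peer <<| tag == "wireguard-${interface}" |>>`, also realizes the peer this same node just exported, because a node's own exported resources match its own collectors, so each host ends up with a [Peer] block carrying its own public key. Excluding the local title avoids that: `Wireguard::Peer <<| tag == "wireguard-${interface}" and title != "${facts['fqdn']}-${interface}-peer" |>>`. Everything in `$peer_params` is either node-supplied or stored in PuppetDB — `public_key` and `endpoint` come from facts the exporting agent reports, and `preshared_key` is exported as-is, which means one PSK is shared by every peer pair and readable by anything that can query PuppetDB; if `$preshared_key` (declared before this hunk) is meant as a per-pair secret, it should not be part of the export. `$facts['wireguard_pubkeys'][$interface]` indexes a fact that does not exist until the key has been generated, and as far as I can tell indexing an undef fails the catalog rather than skipping the export on that first run, so guard it with `if $facts['wireguard_pubkeys'] and $facts['wireguard_pubkeys'][$interface] {`. The enclosing class starts before this hunk.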

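--- /dev/null
+++ b/manifests/peer.pp
@@ -0,0 +1,24 @@
+define wireguard::peer (
+String $interface,
+Optional[String] $description = undef,
+String $public_key,
+String $endpoint,
+Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips,
+Optional[String] $preshared_key = undef,
+Integer[0,65535] $persistent_keepalive = 0,
+) {
+$peer_params = {
+'description' => $description,
+'public_key' => $public_key,
+'endpoint' => $endpoint,
+'allowed_ips' => $allowed_ips,
+'preshared_key' => $preshared_key,
+'persistent_keepalive' => $persistent_keepalive,
+}
+
+concat::fragment { $name:
+order => 20,
+target => "/etc/wireguard/${interface}.conf",
+content => epp("${module_name}/wireguard_peer.epp", $peer_params),
+}
+}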
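Review bot: Every parameter except `$allowed_ips` and `$persistent_keepalive` is a bare `String` that `wireguard_peer.epp` writes verbatim into an INI-style file, so a value containing a newline (most plausibly `$description`, but `$endpoint` as well) would add arbitrary extra config lines. Because these values arrive through exported resources, i.e. from other nodes, I'd tighten the types: `String[1]` for the required ones, a no-newline constraint such as `Optional[Pattern[/\A[^\r\n]*\z/]]` for `$description`, and a length check on `$public_key` and `$preshared_key`, which are fixed-length base64 (44 characters). The define also has no puppet-strings header; a `# @param` block stating that `$allowed_ips` is this host's cryptokey-routing entry for the peer (what it will route to and accept from that peer) would help callers. Finally, `$allowed_ips` is required here while `wireguard::interface` declares it `Optional[...] = []`, so an explicit `undef` from hiera fails inside the define rather than at the class; giving both the same type is cleaner.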

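--- a/manifests/provider/wgquick.pp
+++ b/manifests/provider/wgquick.pp
@@ -20,18 +20,30 @@
 'dport' => $dport,
 'firewall_mark' => $firewall_mark,
 'mtu' => $mtu,
-'peers' => $peers,
 'addresses' => $addresses,
 'preup_cmds' => $preup_cmds,
 'postup_cmds' => $postup_cmds,
 'predown_cmds' => $predown_cmds,
 'postdown_cmds' => $postdown_cmds,
 }
 
-file { "/etc/wireguard/${interface}.conf":
-ensure => $ensure,
-content => epp("${module_name}/wireguard_conf.epp", $params),
-owner => 'root',
-mode => '0600',
+if ! empty($peers) {
+file { "/etc/wireguard/${interface}.conf":
+ensure => $ensure,
+content => epp("${module_name}/wireguard_conf.epp", $params + { 'peers' => $peers }),
+owner => 'root',
+mode => '0600',
+}
+} else {
+concat { "/etc/wireguard/${interface}.conf":
+ensure => $ensure,
+owner => 'root',
+mode => '0600',
+}
+concat::fragment { "${interface}_head":
+order => 10,
+target => "/etc/wireguard/${interface}.conf",
+content => epp("${module_name}/wireguard_head.epp", $params),
+}
 }
 }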
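Review bot: Neither the `file` nor the new `concat` resource sets `show_diff => false`, and the assembled content now includes peer fragments with `PresharedKey=` lines, so every change to the file is echoed into the agent log and the Puppet report in clear; add `show_diff => false,` to both resources. The `if ! empty($peers)` split also interacts badly with the collector in `wireguard::interface`, which runs regardless of `$peers`: a node that sets `$peers` and also receives exported peers gets `concat::fragment`s whose target is managed by `file`, not `concat`, which I'd expect to fail at compile time rather than merge — either collect only when `$peers` is empty, or drop the `file` path and render hiera peers as fragments as well. `concat` is handed `ensure => $ensure` unchanged from the `file` resource, but `concat` only accepts `present`/`absent`, so if `$ensure` (declared before this hunk) can be `file`, the new branch breaks. The enclosing class and the `$params` hash both start before this hunk.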

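--- /dev/null
+++ b/templates/wireguard_head.epp
@@ -0,0 +1,39 @@
+<%- |
+String[1] $interface,
+Stdlib::Port $dport,
+Optional[Integer] $firewall_mark,
+Array[Hash] $addresses,
+Array[String[1]] $preup_cmds,
+Array[String[1]] $postup_cmds,
+Array[String[1]] $predown_cmds,
+Array[String[1]] $postdown_cmds,
+Optional[Integer[1280, 9000]] $mtu = undef,
+| -%>
+# THIS FILE IS MANAGED BY PUPPET
+<% $addresses.each |$address| { -%>
+
+[Interface]
+<% $address.each |$key, $value| { -%>
+<%= $key %>=<%= $value %>
+<% } -%>
+<% } -%>
+ListenPort=<%= $dport %>
+<% if $firewall_mark { -%>
+FwMark=<%= $firewall_mark %>
+<% } -%>
+<% $preup_cmds.each |$cmd| { -%>
+PreUp=<%= $cmd %>
+<% } -%>
+PostUp=wg set %i private-key /etc/wireguard/<%= $interface %>
+<% $postup_cmds.each |$cmd| { -%>
+PostUp=<%= $cmd %>
+<% } -%>
+<% $predown_cmds.each |$cmd| { -%>
+PreDown=<%= $cmd %>
+<% } -%>
+<% $postdown_cmds.each |$cmd| { -%>
+PostDown=<%= $cmd %>
+<% } -%>
+<% if $mtu { -%>
+MTU=<%= $mtu %>
+<% } -%>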
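Review bot: `[Interface]` is emitted inside the `$addresses.each` loop, so with `$addresses` empty (the class default is `[]`) `ListenPort` and the `PostUp` private-key line land outside any section and wg-quick rejects the file, while several entries produce several `[Interface]` headers. Emit `[Interface]` once before the loop and keep only the per-address key/value lines inside it; the original `wireguard_conf.epp` may share this layout, but this file is a fresh copy and can fix it. The `$mtu` type here is `Optional[Integer[1280, 9000]]` whereas `wireguard::interface` accepts `Integer[1200, 9000]`, so an MTU between 1200 and 1279 passes the class and fails in the template — pick one range. `Array[Hash] $addresses` is also looser than the class's `Array[Hash[String,Variant[...]]]`; harmless, but worth aligning since every `$key=$value` pair is written unchecked.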

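--- /dev/null
+++ b/templates/wireguard_peer.epp
@@ -0,0 +1,22 @@
+<%- |
+Optional[String] $description,
+String $public_key,
+String $endpoint,
+Optional[String] $preshared_key,
+Optional[Integer[0,65535]] $persistent_keepalive,
+Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips,
+| -%>
+
+<% if $description { -%>
+# <%= $description %>
+<% } -%>
+[Peer]
+PublicKey=<%= $public_key %>
+Endpoint=<%= $endpoint %>
+<% if $preshared_key { -%>
+PresharedKey=<%= $preshared_key %>
+<% } -%>
+PersistentKeepalive=<%= pick($persistent_keepalive, 0) %>
+<% pick($allowed_ips, ['fe80::/64', 'fd00::/8', '0.0.0.0/0']).each |$allowed_ip| { -%>
+AllowedIPs=<%= $allowed_ip %>
+<% } -%>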
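Review bot: The fallback on line 20, `pick($allowed_ips, ['fe80::/64', 'fd00::/8', '0.0.0.0/0'])`, turns any peer declared without `allowed_ips` into a catch-all: `0.0.0.0/0` makes this host accept any IPv4 source address from that peer and, under wg-quick, route all IPv4 traffic through it, and when several collected peers hit the default only one of them can hold the /0 since cryptokey routing is exclusive, as I understand it. For peers that arrive via exported resources a silent default this broad is the wrong failure mode; I'd have the template emit no `AllowedIPs` (or fail) when the list is empty and leave a /0 to an explicit declaration. Note too that stdlib's `pick`, as far as I recall, treats an empty array as a real value, so with the class default of `[]` the fallback is never reached and the peer simply gets no `AllowedIPs` — the two defaults contradict each other and the behaviour should be decided in one place. `PersistentKeepalive=<%= pick($persistent_keepalive, 0) %>` is redundant given the define already defaults it to 0, but harmless.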
