Final release of the WireGuard puppet module.
1 parent
21fb129
commit d3d969e
Showing
4 changed files
with
116 additions
and
51 deletions.
@@ -1,16 +1,48 @@ | ||
# Copyright 2024 dhtech | ||
# | ||
# Use of this source code is governed by a BSD-style | ||
# license that can be found in the LICENSE file | ||
|
||
import lib | ||
import sqlite3 | ||
import os | ||
import ipcalc | ||
|
||
DB_FILE = '/etc/ipplan.db' | ||
|
||
def generate(host, *args): | ||
|
||
# Get current event, used to get up-to-date switch conf | ||
netmask, gatewayip = None, None | ||
info = {} | ||
|
||
# Get current event | ||
current_event = lib.get_current_event() | ||
|
||
if os.path.isfile(DB_FILE): | ||
try: | ||
conn = sqlite3.connect(DB_FILE) | ||
db = conn.cursor() | ||
except sqlite3.Error: | ||
info['current_event'] = current_event | ||
info['tunnelip'] = tunnelip | ||
return {'wireguard': info} | ||
else: | ||
info['current_event'] = current_event | ||
info['tunnelip'] = tunnelip | ||
return {'wireguard': info} | ||
|
||
db.execute('SELECT ipv4_netmask_dec, ipv4_gateway_txt FROM network WHERE short_name = "TECH-WIREGUARD-VPN";') | ||
res = db.fetchone() | ||
conn.close() | ||
|
||
if res: | ||
netmask, gatewayip = res | ||
tunnelip = ipcalc.IP(gatewayip) + 4 | ||
tunnelip = str(tunnelip) + '/' + str(netmask) | ||
else: | ||
netmask, gatewayip = None, None | ||
|
||
info = {} | ||
info['current_event'] = current_event | ||
info['tunnelip'] = tunnelip | ||
return {'wireguard': info} | ||
|
||
# vim: ts=4: sts=4: sw=4: expandtab | ||
# vim: ts=4: sts=4: sw=4: expandtab |
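Review bot: `tunnelip` is read before it is assigned on three of the four paths through `generate` — the `except sqlite3.Error` branch, the `else` branch taken when `DB_FILE` does not exist, and the `else` branch after `fetchone()` returns no row — so those paths raise `UnboundLocalError` instead of returning `tunnelip: None`; the old/new side of some lines in this rendered hunk is not marked, but all three branches belong to the new sqlite code. Initialising it with the other defaults at the top, `netmask, gatewayip, tunnelip = None, None, None`, makes the `info['tunnelip'] = tunnelip` lines in those branches well-defined and also lets the three copies of the `info` dict collapse into the single return at the bottom. `conn.close()` is also only reached when `db.execute` succeeds; an exception from the query (which is not caught by the `except` around `connect`) leaks the handle, so put the query and `fetchone()` in a `try:` with `finally: conn.close()`.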
@@ -1,68 +1,98 @@ | ||
class wireguard($current_event) { | ||
class wireguard($current_event, $tunnelip) { | ||
#Pull down FW rules from SVN | ||
if ($current_event =~ String[1]) { | ||
file { '/etc/iptables/rules.v4': | ||
ensure => file, | ||
source => "puppet:///svn/${current_event}/services/wireguard/rules.v4", | ||
} | ||
} | ||
|
||
#Apply FW rules | ||
exec { 'fw-rules': | ||
command => '/usr/sbin/iptables-restore /etc/iptables/rules.v4', | ||
require => File['/etc/iptables/rules.v4'], | ||
} | ||
|
||
# Execute 'apt-get update' | ||
exec { 'apt-update': # exec resource named 'apt-update' | ||
command => '/usr/bin/apt-get update' # command this resource will run | ||
exec { 'apt-update': | ||
command => '/usr/bin/apt-get update', | ||
} | ||
|
||
# Install wireguard package | ||
package { 'wireguard': | ||
ensure => installed, | ||
require => Exec['apt-update'], # require 'apt-update' before installing | ||
require => Exec['apt-update'], | ||
} | ||
|
||
# Create wireguard interface | ||
exec { 'create': | ||
#Create wireguard dir | ||
file{ '/etc/wireguard': | ||
ensure => directory, | ||
mode => '0600', | ||
require => Package['wireguard'], | ||
command => '/usr/bin/ip link add dev wg0 type wireguard', | ||
unless => '/usr/bin/ip link show wg0' | ||
} | ||
|
||
# Enable IPv4 Forwardning | ||
exec { 'enable-forward': | ||
command => '/usr/sbin/sysctl -w net.ipv4.ip_forward=1', | ||
unless => '/usr/sbin/sysctl net.ipv4.ip_forward | grep 0', | ||
require => File['/etc/wireguard'], | ||
} | ||
|
||
# Create wireguard privkey | ||
exec { 'create-privkey': | ||
command => '/usr/bin/wg pubkey < /etc/wireguard/privkey > /etc/wireguard/pubkey', | ||
unless => '/usr/bin/ls /etc/wireguard/privkey' | ||
require => Exec['create'], | ||
command => '/usr/bin/wg genkey > /etc/wireguard/privkey', | ||
creates => '/etc/wireguard/privkey', | ||
require => Exec['enable-forward'], | ||
} | ||
|
||
# Create wireguard pubkey | ||
exec { 'create-pubkey': | ||
command => '/usr/bin/wg genkey > /etc/wireguard/privkey', | ||
unless => '/usr/bin/ls /etc/wireguard/privkey' | ||
command => '/usr/bin/wg pubkey < /etc/wireguard/privkey > /etc/wireguard/pubkey', | ||
creates => '/etc/wireguard/pubkey', | ||
require => Exec['create-privkey'], | ||
} | ||
|
||
|
||
exec { 'add-key': | ||
command => '/usr/bin/wg set wg0 listen-port 51820 private-key /etc/wireguard/privkey', | ||
# Create wireguard interface | ||
exec { 'create-interface': | ||
require => Exec['create-pubkey'], | ||
command => '/usr/bin/ip link add dev wg0 type wireguard', | ||
unless => '/usr/bin/ip link show wg0' | ||
} | ||
|
||
#Pull the tunnel up | ||
exec { 'link-up': | ||
require => Exec['create-interface'], | ||
command => '/usr/bin/ip link set up dev wg0', | ||
unless => '/usr/bin/ip link show wg0 | grep UP' | ||
} | ||
|
||
# Set wireguard interface IP | ||
exec { 'set-IP': | ||
require => Exec['add-key'], | ||
command => '/usr/bin/ip address add dev wg0 77.80.229.133/25', | ||
unless => '/usr/bin/ip addr show wg0 | grep 77.80.229.133/25' | ||
if ($tunnelip =~ String[1]) { | ||
#Set tunnel IP | ||
exec { 'set-IP': | ||
require => Exec['link-up'], | ||
command => "/usr/bin/ip address add dev wg0 ${tunnelip}", | ||
unless => "/usr/bin/ip addr show wg0 | grep ${tunnelip}" | ||
} | ||
} | ||
|
||
file { '/etc/wireguard/yaml': | ||
ensure => directory, | ||
#Set port and privkey | ||
exec { 'add-key': | ||
command => '/usr/bin/wg set wg0 listen-port 51820 private-key /etc/wireguard/privkey', | ||
require => Exec['set-IP'], | ||
recurse => remote, | ||
source => 'puppet:///svn/$::{current_event}/services/wireguard', | ||
} | ||
|
||
unless => '/usr/bin/wg | grep 51820' | ||
} | ||
|
||
# Build the wg0 config file will all clients from previous step | ||
file { 'setConf': | ||
#Pull down clients | ||
file { '/etc/wireguard/wg0.conf': | ||
ensure => file, | ||
path => '/etc/wireguard/wg0.conf', | ||
notify => Exec[syncConf], | ||
content => template('wireguard/wg0.conf.erb'), | ||
require => file['/etc/wireguard/yaml'], # require that yaml file exists before trying to use it.... | ||
require => Exec['set-IP'], | ||
recurse => remote, | ||
source => "puppet:///svn/${current_event}/services/wireguard/clients.txt", | ||
} | ||
|
||
# Sync changes towards the wg0 interface | ||
#Append config file to tunnel config | ||
exec { 'syncConf': | ||
require => file['setConf'], | ||
command => '/usr/bin/wg syncconf wg0 /etc/wireguard/wg0.conf', | ||
require => File['/etc/wireguard/wg0.conf'], | ||
command => '/usr/bin/wg addconf wg0 /etc/wireguard/wg0.conf', | ||
} | ||
} | ||
} |
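Review bot: Changing the `syncConf` exec at the end of the hunk from `wg syncconf` to `wg addconf` means a peer dropped from `clients.txt` — a revoked client — is never removed from the running `wg0`, because `addconf` only appends peers; `syncconf` treats the file as the complete desired peer set, so `command => '/usr/bin/wg syncconf wg0 /etc/wireguard/wg0.conf',` keeps the exec idempotent across runs and makes revocations take effect on the next agent run. Separately, `Exec['add-key']` and `File['/etc/wireguard/wg0.conf']` both `require => Exec['set-IP']`, but `set-IP` is only declared inside `if ($tunnelip =~ String[1])`, so a node for which the generator returns no tunnel IP fails with an unresolved dependency at catalog application time; `require => Exec['link-up']` (or moving those dependencies inside the conditional) avoids that. `$tunnelip` is also interpolated unvalidated into two shell commands in `set-IP`; since `puppetlabs/stdlib` is already a declared dependency, typing the parameter, e.g. `Optional[Stdlib::IP::Address::V4::CIDR] $tunnelip = undef`, rejects malformed values before they reach `ip`. Finally, `wg genkey > /etc/wireguard/privkey` creates the key file with whatever umask the agent runs under, so its own mode is not managed; `umask => '077'` on the `create-privkey` exec (or a `file` resource giving the key `mode => '0600'`) avoids relying solely on the directory mode set on `/etc/wireguard` above.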
@@ -0,0 +1,13 @@ | ||
{ | ||
"name": "dhtech-WireGuard", | ||
"version": "0.1.0", | ||
"author": "dhtech", | ||
"summary": "WireGuard serever setup", | ||
"license": "Apache 2.0", | ||
"source": "", | ||
"project_page": null, | ||
"issues_url": null, | ||
"dependencies": [ | ||
{"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"} | ||
] | ||
} |
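Review bot: `"license": "Apache 2.0"` disagrees with the source header added in this same commit, which states the code is governed by a BSD-style license found in the LICENSE file; one of the two should change so the module's declared license matches the code it ships. The Forge metadata format also expects an SPDX identifier here, so if Apache is really intended the value should be `"Apache-2.0"`. The `"summary"` has a typo, `serever` → `server`, and `"source"` is left empty, which the Forge will flag on publish.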
This file was deleted.