

Wireguard (#409)
Final release of the WireGuard puppet module.
AlexanderMalmstrom authored Nov 21, 2024
1 parent 21fb129 commit d3d969e
Showing 4 changed files with 116 additions and 51 deletions.
40 changes: 36 additions & 4 deletions modules/wireguard.py
@@ -1,16 +1,48 @@
# Copyright 2024 dhtech
#
# Use of this source code is governed by a BSD-style
# license that can be found in the LICENSE file

import lib
import sqlite3
import os
import ipcalc

DB_FILE = '/etc/ipplan.db'

def generate(host, *args):

# Get current event, used to get up-to-date switch conf
netmask, gatewayip = None, None
info = {}

# Get current event
current_event = lib.get_current_event()

if os.path.isfile(DB_FILE):
try:
conn = sqlite3.connect(DB_FILE)
db = conn.cursor()
except sqlite3.Error:
info['current_event'] = current_event
info['tunnelip'] = tunnelip
return {'wireguard': info}
else:
info['current_event'] = current_event
info['tunnelip'] = tunnelip
return {'wireguard': info}

db.execute('SELECT ipv4_netmask_dec, ipv4_gateway_txt FROM network WHERE short_name = "TECH-WIREGUARD-VPN";')
res = db.fetchone()
conn.close()

if res:
netmask, gatewayip = res
tunnelip = ipcalc.IP(gatewayip) + 4
tunnelip = str(tunnelip) + '/' + str(netmask)
else:
netmask, gatewayip = None, None

info = {}
info['current_event'] = current_event
info['tunnelip'] = tunnelip
return {'wireguard': info}

# vim: ts=4: sts=4: sw=4: expandtab
# vim: ts=4: sts=4: sw=4: expandtab
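Review bot: `tunnelip` is read before it is ever assigned on three paths of generate(): the `info['tunnelip'] = tunnelip` lines in the `except sqlite3.Error:` branch and in the `else:` branch of the `os.path.isfile(DB_FILE)` check, and the final `info['tunnelip'] = tunnelip` when `res` is falsy (that branch only resets `netmask, gatewayip`), so each of those paths raises UnboundLocalError instead of returning the partial dict. Initialise it with the other locals at the top of the function, `netmask, gatewayip, tunnelip = None, None, None`, and the `else:` on `res` then becomes redundant. Which of the duplicated lines are old versus new is not recoverable from this rendering, but the sqlite branches are new (the old file did not import sqlite3), so the defect is in the new code. The `SELECT` is a fixed string with no interpolated input, so it does not need parameterisation; closing the connection in a `try/finally` (or `contextlib.closing`) would still keep the handle from leaking when `execute` raises.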
104 changes: 67 additions & 37 deletions modules/wireguard/manifests/init.pp
@@ -1,68 +1,98 @@
class wireguard($current_event) {
class wireguard($current_event, $tunnelip) {
#Pull down FW rules from SVN
if ($current_event =~ String[1]) {
file { '/etc/iptables/rules.v4':
ensure => file,
source => "puppet:///svn/${current_event}/services/wireguard/rules.v4",
}
}

#Apply FW rules
exec { 'fw-rules':
command => '/usr/sbin/iptables-restore /etc/iptables/rules.v4',
require => File['/etc/iptables/rules.v4'],
}

# Execute 'apt-get update'
exec { 'apt-update': # exec resource named 'apt-update'
command => '/usr/bin/apt-get update' # command this resource will run
exec { 'apt-update':
command => '/usr/bin/apt-get update',
}

# Install wireguard package
package { 'wireguard':
ensure => installed,
require => Exec['apt-update'], # require 'apt-update' before installing
require => Exec['apt-update'],
}

# Create wireguard interface
exec { 'create':
#Create wireguard dir
file{ '/etc/wireguard':
ensure => directory,
mode => '0600',
require => Package['wireguard'],
command => '/usr/bin/ip link add dev wg0 type wireguard',
unless => '/usr/bin/ip link show wg0'
}

# Enable IPv4 Forwardning
exec { 'enable-forward':
command => '/usr/sbin/sysctl -w net.ipv4.ip_forward=1',
unless => '/usr/sbin/sysctl net.ipv4.ip_forward | grep 0',
require => File['/etc/wireguard'],
}

# Create wireguard privkey
exec { 'create-privkey':
command => '/usr/bin/wg pubkey < /etc/wireguard/privkey > /etc/wireguard/pubkey',
unless => '/usr/bin/ls /etc/wireguard/privkey'
require => Exec['create'],
command => '/usr/bin/wg genkey > /etc/wireguard/privkey',
creates => '/etc/wireguard/privkey',
require => Exec['enable-forward'],
}

# Create wireguard pubkey
exec { 'create-pubkey':
command => '/usr/bin/wg genkey > /etc/wireguard/privkey',
unless => '/usr/bin/ls /etc/wireguard/privkey'
command => '/usr/bin/wg pubkey < /etc/wireguard/privkey > /etc/wireguard/pubkey',
creates => '/etc/wireguard/pubkey',
require => Exec['create-privkey'],
}


exec { 'add-key':
command => '/usr/bin/wg set wg0 listen-port 51820 private-key /etc/wireguard/privkey',
# Create wireguard interface
exec { 'create-interface':
require => Exec['create-pubkey'],
command => '/usr/bin/ip link add dev wg0 type wireguard',
unless => '/usr/bin/ip link show wg0'
}

#Pull the tunnel up
exec { 'link-up':
require => Exec['create-interface'],
command => '/usr/bin/ip link set up dev wg0',
unless => '/usr/bin/ip link show wg0 | grep UP'
}

# Set wireguard interface IP
exec { 'set-IP':
require => Exec['add-key'],
command => '/usr/bin/ip address add dev wg0 77.80.229.133/25',
unless => '/usr/bin/ip addr show wg0 | grep 77.80.229.133/25'
if ($tunnelip =~ String[1]) {
#Set tunnel IP
exec { 'set-IP':
require => Exec['link-up'],
command => "/usr/bin/ip address add dev wg0 ${tunnelip}",
unless => "/usr/bin/ip addr show wg0 | grep ${tunnelip}"
}
}

file { '/etc/wireguard/yaml':
ensure => directory,
#Set port and privkey
exec { 'add-key':
command => '/usr/bin/wg set wg0 listen-port 51820 private-key /etc/wireguard/privkey',
require => Exec['set-IP'],
recurse => remote,
source => 'puppet:///svn/$::{current_event}/services/wireguard',
}

unless => '/usr/bin/wg | grep 51820'
}

# Build the wg0 config file will all clients from previous step
file { 'setConf':
#Pull down clients
file { '/etc/wireguard/wg0.conf':
ensure => file,
path => '/etc/wireguard/wg0.conf',
notify => Exec[syncConf],
content => template('wireguard/wg0.conf.erb'),
require => file['/etc/wireguard/yaml'], # require that yaml file exists before trying to use it....
require => Exec['set-IP'],
recurse => remote,
source => "puppet:///svn/${current_event}/services/wireguard/clients.txt",
}

# Sync changes towards the wg0 interface
#Append config file to tunnel config
exec { 'syncConf':
require => file['setConf'],
command => '/usr/bin/wg syncconf wg0 /etc/wireguard/wg0.conf',
require => File['/etc/wireguard/wg0.conf'],
command => '/usr/bin/wg addconf wg0 /etc/wireguard/wg0.conf',
}
}
}
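Review bot: `Exec['add-key']` and `File['/etc/wireguard/wg0.conf']` both `require => Exec['set-IP']`, but `set-IP` is only declared inside `if ($tunnelip =~ String[1])`, so a host whose `tunnelip` is empty fails catalog compilation with an unresolved dependency rather than simply skipping the address step. Pointing both at `Exec['link-up']` and adding `Exec['set-IP'] -> Exec['add-key']` inside the `if` block keeps the ordering when the IP is present and lets the catalog compile when it is not. `file { '/etc/wireguard': mode => '0600' }` gives a directory no execute bit; `mode => '0700'` is the permission a key directory needs. `/usr/bin/wg genkey > /etc/wireguard/privkey` creates the key file under whatever umask the agent runs with, so unless that umask is restrictive the private key can end up group- or world-readable; a `file { '/etc/wireguard/privkey': mode => '0600', require => Exec['create-privkey'] }` resource would pin the permissions regardless. The `unless` on `set-IP` passes `${tunnelip}` to `grep` as a regex, so its dots match any character; `grep -F` makes the check literal.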
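--- a/modules/wireguard/metadata.json
+++ b/modules/wireguard/metadata.json
@@ -0,0 +1,13 @@
+{
+"name": "dhtech-WireGuard",
+"version": "0.1.0",
+"author": "dhtech",
+"summary": "WireGuard serever setup",
+"license": "Apache 2.0",
+"source": "",
+"project_page": null,
+"issues_url": null,
+"dependencies": [
+{"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"}
+]
+}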
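Review bot: `"license": "Apache 2.0"` disagrees with the BSD-style license header that `modules/wireguard.py` carries in this same commit, so one of the two should be corrected before the module is published. `"summary"` has a typo: `"WireGuard serever setup"` should read `"WireGuard server setup"`. `"source"` is an empty string while `project_page` and `issues_url` are `null`; the Puppet module metadata format lists `source` among the required keys, so it should carry the repository URL rather than `""`.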
10 changes: 0 additions & 10 deletions modules/wireguard/templates/wg0.conf.erb

This file was deleted.
