diff --git a/modules/wireguard.py b/modules/wireguard.py index 81a06a82..8572e15f 100644 --- a/modules/wireguard.py +++ b/modules/wireguard.py @@ -1,16 +1,48 @@ # Copyright 2024 dhtech -# # Use of this source code is governed by a BSD-style # license that can be found in the LICENSE file + import lib +import sqlite3 +import os +import ipcalc + +DB_FILE = '/etc/ipplan.db' def generate(host, *args): - - # Get current event, used to get up-to-date switch conf + netmask, gatewayip = None, None + info = {} + + # Get current event current_event = lib.get_current_event() + if os.path.isfile(DB_FILE): + try: + conn = sqlite3.connect(DB_FILE) + db = conn.cursor() + except sqlite3.Error: + info['current_event'] = current_event + info['tunnelip'] = tunnelip + return {'wireguard': info} + else: + info['current_event'] = current_event + info['tunnelip'] = tunnelip + return {'wireguard': info} + + db.execute('SELECT ipv4_netmask_dec, ipv4_gateway_txt FROM network WHERE short_name = "TECH-WIREGUARD-VPN";') + res = db.fetchone() + conn.close() + + if res: + netmask, gatewayip = res + tunnelip = ipcalc.IP(gatewayip) + 4 + tunnelip = str(tunnelip) + '/' + str(netmask) + else: + netmask, gatewayip = None, None + info = {} info['current_event'] = current_event + info['tunnelip'] = tunnelip return {'wireguard': info} -# vim: ts=4: sts=4: sw=4: expandtab +# vim: ts=4: sts=4: sw=4: expandtab \ No newline at end of file diff --git a/modules/wireguard/manifests/init.pp b/modules/wireguard/manifests/init.pp index 7a7b6304..97536411 100644 --- a/modules/wireguard/manifests/init.pp +++ b/modules/wireguard/manifests/init.pp 
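Review bot: `tunnelip` is read before it is assigned on three of the paths in generate(): the `except sqlite3.Error` branch, the `else` of the `os.path.isfile` check, and the `else` of `if res:` all reach `info['tunnelip'] = tunnelip`, but the only assignment is inside `if res:`, so a missing or unreadable `/etc/ipplan.db` (or no TECH-WIREGUARD-VPN row) raises UnboundLocalError instead of returning a result without a tunnel address. Initialise it with the other locals, `netmask, gatewayip, tunnelip = None, None, None`, after which the two duplicated early-return blocks can collapse into the single final return. `conn.close()` is also skipped whenever `db.execute` or `fetchone` raises, since only `connect`/`cursor` sit inside the try; wrapping the query in `try`/`finally` keeps the connection from leaking. The silent fallback returns `tunnelip` as None, which the manifest in this commit treats as "do not configure the address", so a log line at that point would make the failure visible rather than quietly producing a tunnel with no IP.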
@@ -1,68 +1,98 @@ -class wireguard($current_event) { +class wireguard($current_event, $tunnelip) { + #Pull down FW rules from SVN + if ($current_event =~ String[1]) { + file { '/etc/iptables/rules.v4': + ensure => file, + source => "puppet:///svn/${current_event}/services/wireguard/rules.v4", + } + } + + #Apply FW rules + exec { 'fw-rules': + command => '/usr/sbin/iptables-restore /etc/iptables/rules.v4', + require => File['/etc/iptables/rules.v4'], + } + # Execute 'apt-get update' - exec { 'apt-update': # exec resource named 'apt-update' - command => '/usr/bin/apt-get update' # command this resource will run + exec { 'apt-update': + command => '/usr/bin/apt-get update', } # Install wireguard package package { 'wireguard': ensure => installed, - require => Exec['apt-update'], # require 'apt-update' before installing + require => Exec['apt-update'], } - # Create wireguard interface - exec { 'create': + #Create wireguard dir + file{ '/etc/wireguard': + ensure => directory, + mode => '0600', require => Package['wireguard'], - command => '/usr/bin/ip link add dev wg0 type wireguard', - unless => '/usr/bin/ip link show wg0' } + # Enable IPv4 Forwardning + exec { 'enable-forward': + command => '/usr/sbin/sysctl -w net.ipv4.ip_forward=1', + unless => '/usr/sbin/sysctl net.ipv4.ip_forward | grep 0', + require => File['/etc/wireguard'], + } + + # Create wireguard privkey exec { 'create-privkey': - command => '/usr/bin/wg pubkey < /etc/wireguard/privkey > /etc/wireguard/pubkey', - unless => '/usr/bin/ls /etc/wireguard/privkey' - require => Exec['create'], + command => '/usr/bin/wg genkey > /etc/wireguard/privkey', + creates => '/etc/wireguard/privkey', + require => Exec['enable-forward'], } + # Create wireguard pubkey exec { 'create-pubkey': - command => '/usr/bin/wg genkey > /etc/wireguard/privkey', - unless => '/usr/bin/ls /etc/wireguard/privkey' + command => '/usr/bin/wg pubkey < /etc/wireguard/privkey > /etc/wireguard/pubkey', + creates => '/etc/wireguard/pubkey', 
require => Exec['create-privkey'], } - - exec { 'add-key': - command => '/usr/bin/wg set wg0 listen-port 51820 private-key /etc/wireguard/privkey', + # Create wireguard interface + exec { 'create-interface': require => Exec['create-pubkey'], + command => '/usr/bin/ip link add dev wg0 type wireguard', + unless => '/usr/bin/ip link show wg0' } + #Pull the tunnel up + exec { 'link-up': + require => Exec['create-interface'], + command => '/usr/bin/ip link set up dev wg0', + unless => '/usr/bin/ip link show wg0 | grep UP' + } -# Set wireguard interface IP - exec { 'set-IP': - require => Exec['add-key'], - command => '/usr/bin/ip address add dev wg0 77.80.229.133/25', - unless => '/usr/bin/ip addr show wg0 | grep 77.80.229.133/25' + if ($tunnelip =~ String[1]) { + #Set tunnel IP + exec { 'set-IP': + require => Exec['link-up'], + command => "/usr/bin/ip address add dev wg0 ${tunnelip}", + unless => "/usr/bin/ip addr show wg0 | grep ${tunnelip}" + } } - file { '/etc/wireguard/yaml': - ensure => directory, + #Set port and privkey + exec { 'add-key': + command => '/usr/bin/wg set wg0 listen-port 51820 private-key /etc/wireguard/privkey', require => Exec['set-IP'], - recurse => remote, - source => 'puppet:///svn/$::{current_event}/services/wireguard', -} - + unless => '/usr/bin/wg | grep 51820' + } -# Build the wg0 config file will all clients from previous step - file { 'setConf': + #Pull down clients + file { '/etc/wireguard/wg0.conf': ensure => file, - path => '/etc/wireguard/wg0.conf', - notify => Exec[syncConf], - content => template('wireguard/wg0.conf.erb'), - require => file['/etc/wireguard/yaml'], # require that yaml file exists before trying to use it.... 
+ require => Exec['set-IP'], + recurse => remote, + source => "puppet:///svn/${current_event}/services/wireguard/clients.txt", } -# Sync changes towards the wg0 interface + #Append config file to tunnel config exec { 'syncConf': - require => file['setConf'], - command => '/usr/bin/wg syncconf wg0 /etc/wireguard/wg0.conf', + require => File['/etc/wireguard/wg0.conf'], + command => '/usr/bin/wg addconf wg0 /etc/wireguard/wg0.conf', } -} +} \ No newline at end of file diff --git a/modules/wireguard/metadata.json b/modules/wireguard/metadata.json new file mode 100644 index 00000000..507e8e6a --- /dev/null +++ b/modules/wireguard/metadata.json @@ -0,0 +1,13 @@ +{ + "name": "dhtech-WireGuard", + "version": "0.1.0", + "author": "dhtech", + "summary": "WireGuard serever setup", + "license": "Apache 2.0", + "source": "", + "project_page": null, + "issues_url": null, + "dependencies": [ + {"name":"puppetlabs/stdlib","version_requirement":">= 1.0.0"} + ] + } \ No newline at end of file diff --git a/modules/wireguard/templates/wg0.conf.erb b/modules/wireguard/templates/wg0.conf.erb deleted file mode 100644 index c18d6fad..00000000 --- a/modules/wireguard/templates/wg0.conf.erb +++ /dev/null @@ -1,10 +0,0 @@ -<% require 'yaml' %> -<% clients = YAML.load_file('/etc/wireguard/yaml/wireguard-clients.yaml')['clients'] %> - -<% clients.each do |nick, client| -%> -# <%= nick %> -[Peer] -PublicKey = <%= client['publickey'] %> -AllowedIPs = <%= client['ip'] %> - -<% end -%> \ No newline at end of file
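Review bot: `Exec['set-IP']` is declared only inside `if ($tunnelip =~ String[1])`, yet `exec { 'add-key' }` and `file { '/etc/wireguard/wg0.conf' }` unconditionally `require => Exec['set-IP']`, so when `$tunnelip` is undef or empty (the exact value wireguard.py produces on a DB failure) catalog compilation fails on the dangling reference instead of merely skipping the address step. Point both requires at the unconditional predecessor, `require => Exec['link-up'],`, and keep the ordering when an address is present by adding `before => Exec['add-key'],` inside the conditional `set-IP` resource. Separately, `wg genkey > /etc/wireguard/privkey` creates the private key with whatever mode the process umask yields, so it can end up readable by other local users; add a `file { '/etc/wireguard/privkey': mode => '0600', require => Exec['create-privkey'] }` resource so the key's permissions are managed explicitly rather than inherited. The class spans the whole hunk, so no definition continues outside it.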