From 5c65ea479bfa8302ddcdd841ed4fb1273d93f8a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Tue, 16 May 2023 08:53:17 +0200 Subject: [PATCH 01/12] Add support for peers using exported ressources Declaring everything in hiera is not always convenient. This commit gives the choice to use exported resources so that peers declare themselves on each other. --- manifests/interface.pp | 17 +++++++++++++++ manifests/peer.pp | 24 +++++++++++++++++++++ manifests/provider/wgquick.pp | 24 +++++++++++++++------ templates/wireguard_head.epp | 39 +++++++++++++++++++++++++++++++++++ templates/wireguard_peer.epp | 22 ++++++++++++++++++++ 5 files changed, 120 insertions(+), 6 deletions(-) create mode 100644 manifests/peer.pp create mode 100644 templates/wireguard_head.epp create mode 100644 templates/wireguard_peer.epp diff --git a/manifests/interface.pp b/manifests/interface.pp index 6b69624..119f9d0 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -105,6 +105,7 @@ Boolean $manage_firewall = true, Array[Stdlib::IP::Address] $source_addresses = [], Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $addresses = [], + Optional[Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $allowed_ips = [], Optional[String[1]] $description = undef, Optional[Integer[1200, 9000]] $mtu = undef, Optional[String[1]] $public_key = undef, 
@@ -243,4 +244,20 @@ fail("provider ${provider} not supported") } } + if $facts['wireguard_pubkeys'][$interface] { + $peer_params = { + 'description' => $description, + 'public_key' => $facts['wireguard_pubkeys'][$interface], + 'endpoint' => "${facts['fqdn']}:${dport}", + 'allowed_ips' => $allowed_ips, + 'preshared_key' => $preshared_key, + 'persistent_keepalive' => $persistent_keepalive, + 'interface' => $interface, + 'tag' => "wireguard-${interface}" + } + @@wireguard::peer { "${facts['fqdn']}-${interface}-peer": + * => $peer_params, + } + } + Wireguard::Peer <<| tag == "wireguard-${interface}" |>> } diff --git a/manifests/peer.pp b/manifests/peer.pp new file mode 100644 index 0000000..48ccb6e --- /dev/null +++ b/manifests/peer.pp @@ -0,0 +1,24 @@ +define wireguard::peer ( + String $interface, + Optional[String] $description = undef, + String $public_key, + String $endpoint, + Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips, + Optional[String] $preshared_key = undef, + Integer[0,65535] $persistent_keepalive = 0, +) { + $peer_params = { + 'description' => $description, + 'public_key' => $public_key, + 'endpoint' => $endpoint, + 'allowed_ips' => $allowed_ips, + 'preshared_key' => $preshared_key, + 'persistent_keepalive' => $persistent_keepalive, + } + + concat::fragment { $name: + order => 20, + target => "/etc/wireguard/${interface}.conf", + content => epp("${module_name}/wireguard_peer.epp", $peer_params), + } +} diff --git a/manifests/provider/wgquick.pp b/manifests/provider/wgquick.pp index 67121f8..b49f705 100644 --- a/manifests/provider/wgquick.pp +++ b/manifests/provider/wgquick.pp @@ -20,7 +20,6 @@ 'dport' => $dport, 'firewall_mark' => $firewall_mark, 'mtu' => $mtu, - 'peers' => $peers, 'addresses' => $addresses, 'preup_cmds' => $preup_cmds, 'postup_cmds' => $postup_cmds, 
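Review bot: The collector `Wireguard::Peer <<| tag == "wireguard-${interface}" |>>` also realizes the `@@wireguard::peer` this very node exports a few lines above, since, as far as I know, exported-resource collection does not exclude the exporting node, so each host ends up with its own public key as a `[Peer]` in its own config. Excluding the local export in the collector avoids that: `Wireguard::Peer <<| tag == "wireguard-${interface}" and title != "${facts['fqdn']}-${interface}-peer" |>>`. The export builds its title and endpoint from the legacy top-level `$facts['fqdn']` while the rest of the define reads the structured `$facts['networking']` hash, and the same applies to the rewritten block in patch 06. Note also that `'preshared_key' => $preshared_key` stores the PSK as an exported-resource parameter in PuppetDB, readable by anything with catalog or query access there, which deserves a comment on the line so operators know where the secret travels. The enclosing `wireguard::interface` define starts outside the hunk.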
@@ -28,10 +27,23 @@ 'postdown_cmds' => $postdown_cmds, } - file { "/etc/wireguard/${interface}.conf": - ensure => $ensure, - content => epp("${module_name}/wireguard_conf.epp", $params), - owner => 'root', - mode => '0600', + if ! empty($peers) { + file { "/etc/wireguard/${interface}.conf": + ensure => $ensure, + content => epp("${module_name}/wireguard_conf.epp", $params + { 'peers' => $peers }), + owner => 'root', + mode => '0600', + } + } else { + concat { "/etc/wireguard/${interface}.conf": + ensure => $ensure, + owner => 'root', + mode => '0600', + } + concat::fragment { "${interface}_head": + order => 10, + target => "/etc/wireguard/${interface}.conf", + content => epp("${module_name}/wireguard_head.epp", $params), + } } } diff --git a/templates/wireguard_head.epp b/templates/wireguard_head.epp new file mode 100644 index 0000000..2c2ea0b --- /dev/null +++ b/templates/wireguard_head.epp @@ -0,0 +1,39 @@ +<%- | + String[1] $interface, + Stdlib::Port $dport, + Optional[Integer] $firewall_mark, + Array[Hash] $addresses, + Array[String[1]] $preup_cmds, + Array[String[1]] $postup_cmds, + Array[String[1]] $predown_cmds, + Array[String[1]] $postdown_cmds, + Optional[Integer[1280, 9000]] $mtu = undef, +| -%> +# THIS FILE IS MANAGED BY PUPPET +<% $addresses.each |$address| { -%> + +[Interface] +<% $address.each |$key, $value| { -%> +<%= $key %>=<%= $value %> +<% } -%> +<% } -%> +ListenPort=<%= $dport %> +<% if $firewall_mark { -%> +FwMark=<%= $firewall_mark %> +<% } -%> +<% $preup_cmds.each |$cmd| { -%> +PreUp=<%= $cmd %> +<% } -%> +PostUp=wg set %i private-key /etc/wireguard/<%= $interface %> +<% $postup_cmds.each |$cmd| { -%> +PostUp=<%= $cmd %> +<% } -%> +<% $predown_cmds.each |$cmd| { -%> +PreDown=<%= $cmd %> +<% } -%> +<% $postdown_cmds.each |$cmd| { -%> +PostDown=<%= $cmd %> +<% } -%> +<% if $mtu { -%> +MTU=<%= $mtu %> +<% } -%> diff --git a/templates/wireguard_peer.epp b/templates/wireguard_peer.epp new file mode 100644 index 0000000..29c24ff --- /dev/null 
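Review bot: The `concat` target that collected `wireguard::peer` fragments write to is only declared in the `else` branch, i.e. when `$peers` is empty and the provider is wgquick, yet `wireguard::interface` collects `Wireguard::Peer` unconditionally, so a host with hiera-declared `$peers` (or with the systemd provider) whose neighbours export peers gets a `concat::fragment` with no target, which puppetlabs-concat, as far as I recall, rejects at catalog validation. Either gate the collector on the same condition, or always declare the `concat` and render hiera-declared peers as a fragment too, so both sources share one code path; the second option also removes the `$params + { 'peers' => $peers }` special case. The enclosing `wireguard::provider::wgquick` define starts outside the hunk.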
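Review bot: The template declares `Optional[Integer[1280, 9000]] $mtu` while `wireguard::interface` accepts `Optional[Integer[1200, 9000]] $mtu`, so an MTU between 1200 and 1279 that passes the define's type check fails with an EPP parameter type mismatch at render time. Align the template with the define, `Optional[Integer[1280, 9000]] $mtu = undef,` → `Optional[Integer[1200, 9000]] $mtu = undef,`, or tighten the define and document why 1280 (the IPv6 minimum) is the floor. The `[Interface]` header is emitted inside the `$addresses.each` loop, so a multi-address interface gets repeated `[Interface]` sections; if that is carried over from the existing `wireguard_conf.epp` it is at least consistent, but a one-line comment recording that wg-quick accepts repeated sections would spare the next reader the check.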
+++ b/templates/wireguard_peer.epp @@ -0,0 +1,22 @@ +<%- | + Optional[String] $description, + String $public_key, + String $endpoint, + Optional[String] $preshared_key, + Optional[Integer[0,65535]] $persistent_keepalive, + Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips, +| -%> + +<% if $description { -%> +# <%= $description %> +<% } -%> +[Peer] +PublicKey=<%= $public_key %> +Endpoint=<%= $endpoint %> +<% if $preshared_key { -%> +PresharedKey=<%= $preshared_key %> +<% } -%> +PersistentKeepalive=<%= pick($persistent_keepalive, 0) %> +<% pick($allowed_ips, ['fe80::/64', 'fd00::/8', '0.0.0.0/0']).each |$allowed_ip| { -%> +AllowedIPs=<%= $allowed_ip %> +<% } -%> From bbb00c307c4d9c1de5e2b64425fc1e64316dc369 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Tue, 16 May 2023 09:33:20 +0200 Subject: [PATCH 02/12] Add service management for wg-quick --- manifests/provider/wgquick.pp | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/manifests/provider/wgquick.pp b/manifests/provider/wgquick.pp index b49f705..d4e9a3b 100644 --- a/manifests/provider/wgquick.pp +++ b/manifests/provider/wgquick.pp @@ -4,6 +4,7 @@ define wireguard::provider::wgquick ( String[1] $interface = $title, Enum['present', 'absent'] $ensure = 'present', + Boolean $enable = true, Wireguard::Peers $peers = [], Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')), Optional[Integer[0,4294967295]] $firewall_mark = undef, @@ -36,9 +37,10 @@ } } else { concat { "/etc/wireguard/${interface}.conf": - ensure => $ensure, - owner => 'root', - mode => '0600', + ensure => $ensure, + owner => 'root', + mode => '0600', + notify => Service["wg-quick@${interface}"], } concat::fragment { "${interface}_head": order => 10, 
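Review bot: The fallback `pick($allowed_ips, ['fe80::/64', 'fd00::/8', '0.0.0.0/0'])` gives a peer whose exporter set no `allowed_ips` a `0.0.0.0/0` route, which sends all IPv4 traffic of the collecting host into that tunnel, and with several such peers the last one rendered takes the route from the others. A default that broad should not be applied silently by a template; fail or skip the peer when the list is empty and let the operator spell out a default route explicitly. I also doubt the fallback is ever reached from the define: stdlib's `pick` drops only `undef` and empty strings, so the `[]` default coming from `wireguard::interface` is returned as-is and no `AllowedIPs` line is written at all — worth a quick check. `$persistent_keepalive` is `Optional` here but non-optional with default `0` in `wireguard::peer`, so once the types match `pick($persistent_keepalive, 0)` can simply be `<%= $persistent_keepalive %>`.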
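Review bot: `notify => Service["wg-quick@${interface}"]` is added only to the `concat` resource in the `else` branch; the `file` resource in the `if ! empty($peers)` branch introduced by the first patch gets no notify, so hosts with hiera-declared peers never have the interface reloaded when their config changes. Add the same `notify => Service["wg-quick@${interface}"],` to the `file` resource so both paths behave alike. The enclosing `wireguard::provider::wgquick` define starts outside the hunk.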
@@ -46,4 +48,13 @@ content => epp("${module_name}/wireguard_head.epp", $params), } } + + $svc_ensure = $ensure ? { + present => 'running', + absent => 'stopped', + } + service { "wg-quick@${interface}": + ensure => $svc_ensure, + enable => $enable, + } } From baaaf402891dc1b3e3652f55bdf2bf1941295ae5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Tue, 16 May 2023 09:39:38 +0200 Subject: [PATCH 03/12] Add dependency to concat --- metadata.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/metadata.json b/metadata.json index 1070f59..7f68c61 100644 --- a/metadata.json +++ b/metadata.json @@ -22,6 +22,10 @@ { "name": "puppetlabs/stdlib", "version_requirement": ">= 7.1.0 < 9.0.0" + }, + { + "name": "puppetlabs/concat", + "version_requirement": ">= 7.1.0 < 9.0.0" } ], "operatingsystem_support": [ From a49e9d2e9ff59984681d3822dd5b065651a5ffcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Wed, 17 May 2023 08:57:14 +0200 Subject: [PATCH 04/12] Add docstrings --- manifests/interface.pp | 1 + manifests/peer.pp | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/manifests/interface.pp b/manifests/interface.pp index 119f9d0..3afe43e 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -24,6 +24,7 @@ # @param postup_cmds is an array of commands which should run as preup command (only supported by wgquick) # @param predown_cmds is an array of commands which should run as preup command (only supported by wgquick) # @param postdown_cmds is an array of commands which should run as preup command (only supported by wgquick) +# @param allowed_ips different addresses that should be routed to this peer # # @author Tim Meusel # @author Sebastian Rakel diff --git a/manifests/peer.pp b/manifests/peer.pp index 48ccb6e..8c51142 100644 --- a/manifests/peer.pp +++ b/manifests/peer.pp 
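Review bot: With `ensure => absent` the service is set to `stopped` but nothing orders the stop before `/etc/wireguard/${interface}.conf` is removed, and `wg-quick down` reads that file, so the interface can be left up after the config is already gone. Add an explicit ordering for the absent case, e.g. `if $ensure == 'absent' { Service["wg-quick@${interface}"] -> Concat["/etc/wireguard/${interface}.conf"] }`, with the matching `File[...]` relation on the hiera-peers branch. `enable => $enable` also leaves the unit enabled at boot when `ensure` is absent unless the caller flips both; `enable => $ensure ? { 'present' => $enable, 'absent' => false }` keeps them consistent. A notify-triggered restart tears the tunnel down and up on every config change; if the packaged `wg-quick@.service` ships an `ExecReload`, a `restart => "systemctl reload wg-quick@${interface}"` attribute would apply peer changes without dropping existing sessions.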
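Review bot: The new `# @param allowed_ips different addresses that should be routed to this peer` line is misleading in `wireguard::interface`, where the value is exported as this node's own `allowed_ips` and consumed by the other peers, i.e. it is the set of prefixes other hosts should route towards this host, not addresses this host routes elsewhere. Suggest `# @param allowed_ips prefixes reachable via this host; exported so collecting peers route them into the tunnel (only used with exported wireguard::peer resources)`. The same wording is reused for `wireguard::peer` in the next hunk, where it does carry its usual meaning.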
@@ -1,3 +1,13 @@ +# @summary define a wireguard peer +# +# @param interface the title of the defined resource, will be used for the targetted wg interface +# @param description provide some identification details about the peer +# @param public_key base64 encoded pubkey from the remote peer +# @param endpoint fqdn:port or ip:port where we connect to +# @param allowed_ips different addresses that should be routed to this peer +# @param preshared_key Define preshared key for the remote peer +# @param persistent_keepalive is set to 1 or greater, that's the interval in seconds wireguard sends a keepalive to the other peer(s). Useful if the sender is behind a NAT gateway or has a dynamic ip address +# define wireguard::peer ( String $interface, Optional[String] $description = undef, From dc0ba16bc7cdb678bd5725ca65db16c469dfd1d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Wed, 17 May 2023 09:21:20 +0200 Subject: [PATCH 05/12] Update REFERENCE.md --- REFERENCE.md | 220 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 147 insertions(+), 73 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 017b65f..1bcdfb9 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -12,7 +12,8 @@ #### Public Defined types -* [`wireguard::interface`](#wireguard--interface): manages a wireguard setup +* [`wireguard::interface`](#wireguardinterface): manages a wireguard setup +* [`wireguard::peer`](#wireguardpeer): define a wireguard peer #### Private Defined types @@ -21,7 +22,7 @@ ### Data types -* [`Wireguard::Peers`](#Wireguard--Peers): custom data type for an array with wireguard peers +* [`Wireguard::Peers`](#wireguardpeers): custom data type for an array with wireguard peers ## Classes 
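Review bot: `# @param interface the title of the defined resource, will be used for the targetted wg interface` is wrong for `wireguard::peer`: here `$interface` is a required parameter distinct from `$title`, and the title is the fragment name (`"${facts['fqdn']}-${interface}-peer"` when exported from `wireguard::interface`). Suggest `# @param interface name of the local wg interface whose /etc/wireguard/<interface>.conf receives this peer fragment`, which also fixes the "targetted" typo. The `@param persistent_keepalive` text, copied from the interface docs, reads better as `# @param persistent_keepalive if set to 1 or greater, the interval in seconds at which wireguard sends a keepalive to this peer; useful behind NAT or with a dynamic address`. The define's parameter list continues outside the hunk.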
@@ -33,22 +34,22 @@ manages the wireguard package The following parameters are available in the `wireguard` class: -* [`manage_package`](#-wireguard--manage_package) -* [`package_name`](#-wireguard--package_name) -* [`package_ensure`](#-wireguard--package_ensure) -* [`config_directory`](#-wireguard--config_directory) -* [`purge_unknown_keys`](#-wireguard--purge_unknown_keys) -* [`interfaces`](#-wireguard--interfaces) +* [`manage_package`](#manage_package) +* [`package_name`](#package_name) +* [`package_ensure`](#package_ensure) +* [`config_directory`](#config_directory) +* [`purge_unknown_keys`](#purge_unknown_keys) +* [`interfaces`](#interfaces) -##### `manage_package` +##### `manage_package` Data type: `Boolean` if the package should be managed or not -Default value: `true` +Default value: ``true`` -##### `package_name` +##### `package_name` Data type: `String[1]` @@ -56,7 +57,7 @@ the name of the package Default value: `'wireguard-tools'` -##### `package_ensure` +##### `package_ensure` Data type: `Enum['installed', 'latest', 'absent']` @@ -64,7 +65,7 @@ the ensure state of the package Default value: `'installed'` -##### `config_directory` +##### `config_directory` Data type: `Stdlib::Absolutepath` @@ -72,15 +73,15 @@ the path to the wireguard directory Default value: `'/etc/wireguard'` -##### `purge_unknown_keys` +##### `purge_unknown_keys` Data type: `Boolean` by default Puppet will purge unknown wireguard keys from `$config_directory` -Default value: `true` +Default value: ``true`` -##### `interfaces` +##### `interfaces` Data type: `Hash[String[1], Any]` @@ -90,7 +91,7 @@ Default value: `{}` ## Defined types -### `wireguard::interface` +### `wireguard::interface` } 
@@ -182,31 +183,32 @@ wireguard::interface { 'wg0': The following parameters are available in the `wireguard::interface` defined type: -* [`interface`](#-wireguard--interface--interface) -* [`ensure`](#-wireguard--interface--ensure) -* [`input_interface`](#-wireguard--interface--input_interface) -* [`manage_firewall`](#-wireguard--interface--manage_firewall) -* [`dport`](#-wireguard--interface--dport) -* [`firewall_mark`](#-wireguard--interface--firewall_mark) -* [`source_addresses`](#-wireguard--interface--source_addresses) -* [`destination_addresses`](#-wireguard--interface--destination_addresses) -* [`public_key`](#-wireguard--interface--public_key) -* [`endpoint`](#-wireguard--interface--endpoint) -* [`addresses`](#-wireguard--interface--addresses) -* [`persistent_keepalive`](#-wireguard--interface--persistent_keepalive) -* [`description`](#-wireguard--interface--description) -* [`mtu`](#-wireguard--interface--mtu) -* [`peers`](#-wireguard--interface--peers) -* [`routes`](#-wireguard--interface--routes) -* [`private_key`](#-wireguard--interface--private_key) -* [`preshared_key`](#-wireguard--interface--preshared_key) -* [`provider`](#-wireguard--interface--provider) -* [`preup_cmds`](#-wireguard--interface--preup_cmds) -* [`postup_cmds`](#-wireguard--interface--postup_cmds) -* [`predown_cmds`](#-wireguard--interface--predown_cmds) -* [`postdown_cmds`](#-wireguard--interface--postdown_cmds) - -##### `interface` +* [`interface`](#interface) +* [`ensure`](#ensure) +* [`input_interface`](#input_interface) +* [`manage_firewall`](#manage_firewall) +* [`dport`](#dport) +* [`firewall_mark`](#firewall_mark) +* [`source_addresses`](#source_addresses) +* [`destination_addresses`](#destination_addresses) +* [`public_key`](#public_key) +* [`endpoint`](#endpoint) +* [`addresses`](#addresses) +* [`persistent_keepalive`](#persistent_keepalive) +* [`description`](#description) +* [`mtu`](#mtu) +* [`peers`](#peers) +* [`routes`](#routes) +* [`private_key`](#private_key) +* 
[`preshared_key`](#preshared_key) +* [`provider`](#provider) +* [`preup_cmds`](#preup_cmds) +* [`postup_cmds`](#postup_cmds) +* [`predown_cmds`](#predown_cmds) +* [`postdown_cmds`](#postdown_cmds) +* [`allowed_ips`](#allowed_ips) + +##### `interface` Data type: `String[1]` @@ -214,7 +216,7 @@ the title of the defined resource, will be used for the wg interface Default value: `$title` -##### `ensure` +##### `ensure` Data type: `Enum['present', 'absent']` @@ -222,7 +224,7 @@ will ensure that the files for the provider will be present or absent Default value: `'present'` -##### `input_interface` +##### `input_interface` Data type: `String[1]` @@ -230,15 +232,15 @@ ethernet interface where the wireguard packages will enter the system, used for Default value: `$facts['networking']['primary']` -##### `manage_firewall` +##### `manage_firewall` Data type: `Boolean` if true, a ferm rule will be created -Default value: `true` +Default value: ``true`` -##### `dport` +##### `dport` Data type: `Integer[1024, 65000]` @@ -246,15 +248,15 @@ destination for firewall rules / where our wg instance will listen on. defaults Default value: `Integer(regsubst($title, '^\D+(\d+)$', '\1'))` -##### `firewall_mark` +##### `firewall_mark` Data type: `Optional[Integer[0, 4294967295]]` netfilter firewall mark to set on outgoing packages from this wireguard interface -Default value: `undef` +Default value: ``undef`` -##### `source_addresses` +##### `source_addresses` Data type: `Array[Stdlib::IP::Address]` @@ -262,7 +264,7 @@ an array of ip addresses from where we receive wireguard connections Default value: `[]` -##### `destination_addresses` +##### `destination_addresses` Data type: `Array[Stdlib::IP::Address]` 
@@ -270,23 +272,23 @@ array of addresses where the remote peer connects to (our local ips), used for f Default value: `delete_undef_values([$facts['networking']['ip'], $facts['networking']['ip6'],])` -##### `public_key` +##### `public_key` Data type: `Optional[String[1]]` base64 encoded pubkey from the remote peer -Default value: `undef` +Default value: ``undef`` -##### `endpoint` +##### `endpoint` Data type: `Optional[String[1]]` fqdn:port or ip:port where we connect to -Default value: `undef` +Default value: ``undef`` -##### `addresses` +##### `addresses` Data type: `Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]]` @@ -294,7 +296,7 @@ different addresses for the systemd-networkd configuration Default value: `[]` -##### `persistent_keepalive` +##### `persistent_keepalive` Data type: `Integer[0, 65535]` @@ -302,23 +304,23 @@ is set to 1 or greater, that's the interval in seconds wireguard sends a keepali Default value: `0` -##### `description` +##### `description` Data type: `Optional[String[1]]` an optional string that will be added to the wireguard network interface -Default value: `undef` +Default value: ``undef`` -##### `mtu` +##### `mtu` Data type: `Optional[Integer[1200, 9000]]` configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints -Default value: `undef` +Default value: ``undef`` -##### `peers` +##### `peers` Data type: `Wireguard::Peers` @@ -326,7 +328,7 @@ is an array of struct (Wireguard::Peers) for multiple peers Default value: `[]` -##### `routes` +##### `routes` Data type: `Array[Hash[String[1], Variant[String[1], Boolean]]]` 
@@ -334,23 +336,23 @@ different routes for the systemd-networkd configuration Default value: `[]` -##### `private_key` +##### `private_key` Data type: `Optional[String[1]]` Define private key which should be used for this interface, if not provided a private key will be generated -Default value: `undef` +Default value: ``undef`` -##### `preshared_key` +##### `preshared_key` Data type: `Optional[String[1]]` Define preshared key for the remote peer -Default value: `undef` +Default value: ``undef`` -##### `provider` +##### `provider` Data type: `Enum['systemd', 'wgquick']` @@ -358,7 +360,7 @@ The specific backend to use for this `wireguard::interface` resource Default value: `'systemd'` -##### `preup_cmds` +##### `preup_cmds` Data type: `Array[String[1]]` @@ -366,7 +368,7 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` -##### `postup_cmds` +##### `postup_cmds` Data type: `Array[String[1]]` @@ -374,7 +376,7 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` -##### `predown_cmds` +##### `predown_cmds` Data type: `Array[String[1]]` @@ -382,7 +384,7 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` -##### `postdown_cmds` +##### `postdown_cmds` Data type: `Array[String[1]]` 
@@ -390,9 +392,81 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` +##### `allowed_ips` + +Data type: `Optional[Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]]` + +different addresses that should be routed to this peer + +Default value: `[]` + +### `wireguard::peer` + +define a wireguard peer + +#### Parameters + +The following parameters are available in the `wireguard::peer` defined type: + +* [`interface`](#interface) +* [`description`](#description) +* [`public_key`](#public_key) +* [`endpoint`](#endpoint) +* [`allowed_ips`](#allowed_ips) +* [`preshared_key`](#preshared_key) +* [`persistent_keepalive`](#persistent_keepalive) + +##### `interface` + +Data type: `String` + +the title of the defined resource, will be used for the targetted wg interface + +##### `description` + +Data type: `Optional[String]` + +provide some identification details about the peer + +Default value: ``undef`` + +##### `public_key` + +Data type: `String` + +base64 encoded pubkey from the remote peer + +##### `endpoint` + +Data type: `String` + +fqdn:port or ip:port where we connect to + +##### `allowed_ips` + +Data type: `Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]` + +different addresses that should be routed to this peer + +##### `preshared_key` + +Data type: `Optional[String]` + +Define preshared key for the remote peer + +Default value: ``undef`` + +##### `persistent_keepalive` + +Data type: `Integer[0,65535]` + +is set to 1 or greater, that's the interval in seconds wireguard sends a keepalive to the other peer(s). Useful if the sender is behind a NAT gateway or has a dynamic ip address + +Default value: `0` + ## Data types -### `Wireguard::Peers` +### `Wireguard::Peers` custom data type for an array with wireguard peers From a5bd8b70f03e456e9c0d53b10133e6fee4acf8b2 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Wed, 17 May 2023 14:50:01 +0200 Subject: [PATCH 06/12] Check if wireguard_pubkeys fact is present Before relying on it we need to check for its presence. The facts is actually available only after a Puppet pass which will deploy the keys on the target host --- manifests/interface.pp | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/manifests/interface.pp b/manifests/interface.pp index 3afe43e..530dcbe 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -245,19 +245,21 @@ fail("provider ${provider} not supported") } } - if $facts['wireguard_pubkeys'][$interface] { - $peer_params = { - 'description' => $description, - 'public_key' => $facts['wireguard_pubkeys'][$interface], - 'endpoint' => "${facts['fqdn']}:${dport}", - 'allowed_ips' => $allowed_ips, - 'preshared_key' => $preshared_key, - 'persistent_keepalive' => $persistent_keepalive, - 'interface' => $interface, - 'tag' => "wireguard-${interface}" - } - @@wireguard::peer { "${facts['fqdn']}-${interface}-peer": - * => $peer_params, + if 'wireguard_pubkeys' in $facts { + if $interface in $facts['wireguard_pubkeys'] { + $peer_params = { + 'description' => $description, + 'public_key' => $facts['wireguard_pubkeys'][$interface], + 'endpoint' => "${facts['fqdn']}:${dport}", + 'allowed_ips' => $allowed_ips, + 'preshared_key' => $preshared_key, + 'persistent_keepalive' => $persistent_keepalive, + 'interface' => $interface, + 'tag' => "wireguard-${interface}" + } + @@wireguard::peer { "${facts['fqdn']}-${interface}-peer": + * => $peer_params, + } } } Wireguard::Peer <<| tag == "wireguard-${interface}" |>> From c705d2a11c00a27370dd6e4b74600c3037502dc4 Mon Sep 17 00:00:00 2001 
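Review bot: The two nested `if` statements in the rewritten block can be a single guard, `if 'wireguard_pubkeys' in $facts and $interface in $facts['wireguard_pubkeys'] {`, which removes one indentation level from the whole export and reads as the one precondition it is. A short comment above it would carry the rationale from the commit message into the code, e.g. `# the wireguard_pubkeys fact only exists once a previous run has written the keys, so the export lags one agent run behind`. The enclosing `wireguard::interface` define starts outside the hunk.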
From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Thu, 15 Jun 2023 15:15:02 +0200 Subject: [PATCH 07/12] Set String minimal length to [1] --- manifests/peer.pp | 10 +++++----- templates/wireguard_peer.epp | 8 ++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/manifests/peer.pp b/manifests/peer.pp index 8c51142..b56d399 100644 --- a/manifests/peer.pp +++ b/manifests/peer.pp @@ -9,12 +9,12 @@ # @param persistent_keepalive is set to 1 or greater, that's the interval in seconds wireguard sends a keepalive to the other peer(s). Useful if the sender is behind a NAT gateway or has a dynamic ip address # define wireguard::peer ( - String $interface, - Optional[String] $description = undef, - String $public_key, - String $endpoint, + String[1] $interface, + Optional[String[1]] $description = undef, + String[1] $public_key, + String[1] $endpoint, Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips, - Optional[String] $preshared_key = undef, + Optional[String[1]] $preshared_key = undef, Integer[0,65535] $persistent_keepalive = 0, ) { $peer_params = { diff --git a/templates/wireguard_peer.epp b/templates/wireguard_peer.epp index 29c24ff..f4ff3d0 100644 --- a/templates/wireguard_peer.epp +++ b/templates/wireguard_peer.epp @@ -1,8 +1,8 @@ <%- | - Optional[String] $description, - String $public_key, - String $endpoint, - Optional[String] $preshared_key, + Optional[String[1]] $description, + String[1] $public_key, + String[1] $endpoint, + Optional[String[1]] $preshared_key, Optional[Integer[0,65535]] $persistent_keepalive, Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips, | -%> From 17d5d612261c0eadf623d06cad58bd7b2b989660 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Thu, 15 Jun 2023 15:20:10 +0200 Subject: [PATCH 08/12] Do not use Optional on Array type --- manifests/interface.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/manifests/interface.pp b/manifests/interface.pp index 530dcbe..5ec1248 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -106,7 +106,7 @@ Boolean $manage_firewall = true, Array[Stdlib::IP::Address] $source_addresses = [], Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $addresses = [], - Optional[Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $allowed_ips = [], + Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $allowed_ips = [], Optional[String[1]] $description = undef, Optional[Integer[1200, 9000]] $mtu = undef, Optional[String[1]] $public_key = undef, From 3d941f16ce8cc905ea378473bdae321c168ce627 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Sat, 1 Jul 2023 10:50:11 +0200 Subject: [PATCH 09/12] fix typo --- manifests/interface.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/interface.pp b/manifests/interface.pp index 5ec1248..1a28ef5 100644 --- a/manifests/interface.pp +++ b/manifests/interface.pp @@ -106,7 +106,7 @@ Boolean $manage_firewall = true, Array[Stdlib::IP::Address] $source_addresses = [], Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $addresses = [], - Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $allowed_ips = [], + Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]] $allowed_ips = [], Optional[String[1]] $description = undef, Optional[Integer[1200, 9000]] $mtu = undef, Optional[String[1]] $public_key = undef, From 73b03e1455cf784fd115e4c0a1b3428fe207fbe5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Wed, 27 Sep 2023 15:25:51 +0200 Subject: [PATCH 10/12] fix indentation --- manifests/peer.pp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/manifests/peer.pp b/manifests/peer.pp index b56d399..7157de4 100644 --- a/manifests/peer.pp +++ b/manifests/peer.pp 
@@ -27,8 +27,8 @@ } concat::fragment { $name: - order => 20, - target => "/etc/wireguard/${interface}.conf", - content => epp("${module_name}/wireguard_peer.epp", $peer_params), + order => 20, + target => "/etc/wireguard/${interface}.conf", + content => epp("${module_name}/wireguard_peer.epp", $peer_params), } } From d86a24bd962d33ce17fc9af268e974fc6bb8acda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bruno=20L=C3=A9on?= Date: Wed, 27 Sep 2023 15:34:32 +0200 Subject: [PATCH 11/12] Update REFERENCE.md --- REFERENCE.md | 198 +++++++++++++++++++++++++-------------------------- 1 file changed, 99 insertions(+), 99 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 1bcdfb9..84ec2c3 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -12,8 +12,8 @@ #### Public Defined types -* [`wireguard::interface`](#wireguardinterface): manages a wireguard setup -* [`wireguard::peer`](#wireguardpeer): define a wireguard peer +* [`wireguard::interface`](#wireguard--interface): manages a wireguard setup +* [`wireguard::peer`](#wireguard--peer): define a wireguard peer #### Private Defined types @@ -22,7 +22,7 @@ ### Data types -* [`Wireguard::Peers`](#wireguardpeers): custom data type for an array with wireguard peers +* [`Wireguard::Peers`](#Wireguard--Peers): custom data type for an array with wireguard peers ## Classes 
@@ -34,22 +34,22 @@ manages the wireguard package The following parameters are available in the `wireguard` class: -* [`manage_package`](#manage_package) -* [`package_name`](#package_name) -* [`package_ensure`](#package_ensure) -* [`config_directory`](#config_directory) -* [`purge_unknown_keys`](#purge_unknown_keys) -* [`interfaces`](#interfaces) +* [`manage_package`](#-wireguard--manage_package) +* [`package_name`](#-wireguard--package_name) +* [`package_ensure`](#-wireguard--package_ensure) +* [`config_directory`](#-wireguard--config_directory) +* [`purge_unknown_keys`](#-wireguard--purge_unknown_keys) +* [`interfaces`](#-wireguard--interfaces) -##### `manage_package` +##### `manage_package` Data type: `Boolean` if the package should be managed or not -Default value: ``true`` +Default value: `true` -##### `package_name` +##### `package_name` Data type: `String[1]` @@ -57,7 +57,7 @@ the name of the package Default value: `'wireguard-tools'` -##### `package_ensure` +##### `package_ensure` Data type: `Enum['installed', 'latest', 'absent']` @@ -65,7 +65,7 @@ the ensure state of the package Default value: `'installed'` -##### `config_directory` +##### `config_directory` Data type: `Stdlib::Absolutepath` @@ -73,15 +73,15 @@ the path to the wireguard directory Default value: `'/etc/wireguard'` -##### `purge_unknown_keys` +##### `purge_unknown_keys` Data type: `Boolean` by default Puppet will purge unknown wireguard keys from `$config_directory` -Default value: ``true`` +Default value: `true` -##### `interfaces` +##### `interfaces` Data type: `Hash[String[1], Any]` @@ -91,7 +91,7 @@ Default value: `{}` ## Defined types -### `wireguard::interface` +### `wireguard::interface` } 
@@ -183,32 +183,32 @@ wireguard::interface { 'wg0': The following parameters are available in the `wireguard::interface` defined type: -* [`interface`](#interface) -* [`ensure`](#ensure) -* [`input_interface`](#input_interface) -* [`manage_firewall`](#manage_firewall) -* [`dport`](#dport) -* [`firewall_mark`](#firewall_mark) -* [`source_addresses`](#source_addresses) -* [`destination_addresses`](#destination_addresses) -* [`public_key`](#public_key) -* [`endpoint`](#endpoint) -* [`addresses`](#addresses) -* [`persistent_keepalive`](#persistent_keepalive) -* [`description`](#description) -* [`mtu`](#mtu) -* [`peers`](#peers) -* [`routes`](#routes) -* [`private_key`](#private_key) -* [`preshared_key`](#preshared_key) -* [`provider`](#provider) -* [`preup_cmds`](#preup_cmds) -* [`postup_cmds`](#postup_cmds) -* [`predown_cmds`](#predown_cmds) -* [`postdown_cmds`](#postdown_cmds) -* [`allowed_ips`](#allowed_ips) - -##### `interface` +* [`interface`](#-wireguard--interface--interface) +* [`ensure`](#-wireguard--interface--ensure) +* [`input_interface`](#-wireguard--interface--input_interface) +* [`manage_firewall`](#-wireguard--interface--manage_firewall) +* [`dport`](#-wireguard--interface--dport) +* [`firewall_mark`](#-wireguard--interface--firewall_mark) +* [`source_addresses`](#-wireguard--interface--source_addresses) +* [`destination_addresses`](#-wireguard--interface--destination_addresses) +* [`public_key`](#-wireguard--interface--public_key) +* [`endpoint`](#-wireguard--interface--endpoint) +* [`addresses`](#-wireguard--interface--addresses) +* [`persistent_keepalive`](#-wireguard--interface--persistent_keepalive) +* [`description`](#-wireguard--interface--description) +* [`mtu`](#-wireguard--interface--mtu) +* [`peers`](#-wireguard--interface--peers) +* [`routes`](#-wireguard--interface--routes) +* [`private_key`](#-wireguard--interface--private_key) +* [`preshared_key`](#-wireguard--interface--preshared_key) +* [`provider`](#-wireguard--interface--provider) +* 
[`preup_cmds`](#-wireguard--interface--preup_cmds) +* [`postup_cmds`](#-wireguard--interface--postup_cmds) +* [`predown_cmds`](#-wireguard--interface--predown_cmds) +* [`postdown_cmds`](#-wireguard--interface--postdown_cmds) +* [`allowed_ips`](#-wireguard--interface--allowed_ips) + +##### `interface` Data type: `String[1]` @@ -216,7 +216,7 @@ the title of the defined resource, will be used for the wg interface Default value: `$title` -##### `ensure` +##### `ensure` Data type: `Enum['present', 'absent']` @@ -224,7 +224,7 @@ will ensure that the files for the provider will be present or absent Default value: `'present'` -##### `input_interface` +##### `input_interface` Data type: `String[1]` @@ -232,15 +232,15 @@ ethernet interface where the wireguard packages will enter the system, used for Default value: `$facts['networking']['primary']` -##### `manage_firewall` +##### `manage_firewall` Data type: `Boolean` if true, a ferm rule will be created -Default value: ``true`` +Default value: `true` -##### `dport` +##### `dport` Data type: `Integer[1024, 65000]` @@ -248,15 +248,15 @@ destination for firewall rules / where our wg instance will listen on. defaults Default value: `Integer(regsubst($title, '^\D+(\d+)$', '\1'))` -##### `firewall_mark` +##### `firewall_mark` Data type: `Optional[Integer[0, 4294967295]]` netfilter firewall mark to set on outgoing packages from this wireguard interface -Default value: ``undef`` +Default value: `undef` -##### `source_addresses` +##### `source_addresses` Data type: `Array[Stdlib::IP::Address]` @@ -264,7 +264,7 @@ an array of ip addresses from where we receive wireguard connections Default value: `[]` -##### `destination_addresses` +##### `destination_addresses` Data type: `Array[Stdlib::IP::Address]` 
@@ -272,23 +272,23 @@ array of addresses where the remote peer connects to (our local ips), used for f Default value: `delete_undef_values([$facts['networking']['ip'], $facts['networking']['ip6'],])` -##### `public_key` +##### `public_key` Data type: `Optional[String[1]]` base64 encoded pubkey from the remote peer -Default value: ``undef`` +Default value: `undef` -##### `endpoint` +##### `endpoint` Data type: `Optional[String[1]]` fqdn:port or ip:port where we connect to -Default value: ``undef`` +Default value: `undef` -##### `addresses` +##### `addresses` Data type: `Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]]` @@ -296,7 +296,7 @@ different addresses for the systemd-networkd configuration Default value: `[]` -##### `persistent_keepalive` +##### `persistent_keepalive` Data type: `Integer[0, 65535]` @@ -304,23 +304,23 @@ is set to 1 or greater, that's the interval in seconds wireguard sends a keepali Default value: `0` -##### `description` +##### `description` Data type: `Optional[String[1]]` an optional string that will be added to the wireguard network interface -Default value: ``undef`` +Default value: `undef` -##### `mtu` +##### `mtu` Data type: `Optional[Integer[1200, 9000]]` configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints -Default value: ``undef`` +Default value: `undef` -##### `peers` +##### `peers` Data type: `Wireguard::Peers` @@ -328,7 +328,7 @@ is an array of struct (Wireguard::Peers) for multiple peers Default value: `[]` -##### `routes` +##### `routes` Data type: `Array[Hash[String[1], Variant[String[1], Boolean]]]` 
@@ -336,23 +336,23 @@ different routes for the systemd-networkd configuration Default value: `[]` -##### `private_key` +##### `private_key` Data type: `Optional[String[1]]` Define private key which should be used for this interface, if not provided a private key will be generated -Default value: ``undef`` +Default value: `undef` -##### `preshared_key` +##### `preshared_key` Data type: `Optional[String[1]]` Define preshared key for the remote peer -Default value: ``undef`` +Default value: `undef` -##### `provider` +##### `provider` Data type: `Enum['systemd', 'wgquick']` @@ -360,7 +360,7 @@ The specific backend to use for this `wireguard::interface` resource Default value: `'systemd'` -##### `preup_cmds` +##### `preup_cmds` Data type: `Array[String[1]]` @@ -368,7 +368,7 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` -##### `postup_cmds` +##### `postup_cmds` Data type: `Array[String[1]]` @@ -376,7 +376,7 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` -##### `predown_cmds` +##### `predown_cmds` Data type: `Array[String[1]]` @@ -384,7 +384,7 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` -##### `postdown_cmds` +##### `postdown_cmds` Data type: `Array[String[1]]` @@ -392,15 +392,15 @@ is an array of commands which should run as preup command (only supported by wgq Default value: `[]` -##### `allowed_ips` +##### `allowed_ips` -Data type: `Optional[Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]]` +Data type: `Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]` different addresses that should be routed to this peer Default value: `[]` -### `wireguard::peer` +### `wireguard::peer` define a wireguard peer 
@@ -408,55 +408,55 @@ define a wireguard peer The following parameters are available in the `wireguard::peer` defined type: -* [`interface`](#interface) -* [`description`](#description) -* [`public_key`](#public_key) -* [`endpoint`](#endpoint) -* [`allowed_ips`](#allowed_ips) -* [`preshared_key`](#preshared_key) -* [`persistent_keepalive`](#persistent_keepalive) +* [`interface`](#-wireguard--peer--interface) +* [`description`](#-wireguard--peer--description) +* [`public_key`](#-wireguard--peer--public_key) +* [`endpoint`](#-wireguard--peer--endpoint) +* [`allowed_ips`](#-wireguard--peer--allowed_ips) +* [`preshared_key`](#-wireguard--peer--preshared_key) +* [`persistent_keepalive`](#-wireguard--peer--persistent_keepalive) -##### `interface` +##### `interface` -Data type: `String` +Data type: `String[1]` the title of the defined resource, will be used for the targetted wg interface -##### `description` +##### `description` -Data type: `Optional[String]` +Data type: `Optional[String[1]]` provide some identification details about the peer -Default value: ``undef`` +Default value: `undef` -##### `public_key` +##### `public_key` -Data type: `String` +Data type: `String[1]` base64 encoded pubkey from the remote peer -##### `endpoint` +##### `endpoint` -Data type: `String` +Data type: `String[1]` fqdn:port or ip:port where we connect to -##### `allowed_ips` +##### `allowed_ips` Data type: `Array[Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]` different addresses that should be routed to this peer -##### `preshared_key` +##### `preshared_key` -Data type: `Optional[String]` +Data type: `Optional[String[1]]` Define preshared key for the remote peer -Default value: ``undef`` +Default value: `undef` -##### `persistent_keepalive` +##### `persistent_keepalive` Data type: `Integer[0,65535]` @@ -466,7 +466,7 @@ Default value: `0` ## Data types -### `Wireguard::Peers` +### `Wireguard::Peers` custom data type for an array with wireguard peers 
From 32e8dd0b5c96293c5e4e9aca17263e0b2aacf023 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bruno=20L=C3=A9on?=
Date: Wed, 27 Sep 2023 15:35:54 +0200
Subject: [PATCH 12/12] Update $fqdn fact syntax
---
 manifests/interface.pp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/interface.pp b/manifests/interface.pp
index 1a28ef5..3acf919 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -250,14 +250,14 @@
 $peer_params = {
 'description' => $description,
 'public_key' => $facts['wireguard_pubkeys'][$interface],
- 'endpoint' => "${facts['fqdn']}:${dport}",
+ 'endpoint' => "${facts['networking']['fqdn']}:${dport}",
 'allowed_ips' => $allowed_ips,
 'preshared_key' => $preshared_key,
 'persistent_keepalive' => $persistent_keepalive,
 'interface' => $interface,
- 'tag' => "wireguard-${interface}"
+ 'tag' => "wireguard-${interface}",
 }
- @@wireguard::peer { "${facts['fqdn']}-${interface}-peer":
+ @@wireguard::peer { "${facts['networking']['fqdn']}-${interface}-peer":
 * => $peer_params,
 }
 }
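Review bot: `'preshared_key' => $preshared_key` stays in `$peer_params`, so after this change the interface's PSK is still exported as part of the `@@wireguard::peer` resource, which means it is stored in PuppetDB and handed to every node that collects the `wireguard-${interface}` tag (and is readable by anything with PuppetDB query access). Because the tag selects only on the interface name, every collecting peer appears to receive the same PSK rather than a pairwise one, which is weaker than what a WireGuard preshared key is meant to provide; at minimum add `# preshared_key is exported to PuppetDB and to every peer collecting this interface's tag` above `$peer_params = {`, or better, keep the PSK out of the exported parameters and set it on the collecting side. The exported `public_key` and `endpoint` are built from agent-reported facts (`$facts['wireguard_pubkeys']` and `$facts['networking']['fqdn']`), so the catalog trusts each node's own identity claim; that is inherent to exported resources but deserves a note in the define's documentation. The enclosing `if` and the `wireguard::interface` body start and end outside the hunk.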