wireguard/babel: init

5c60955d · skorpy · 0eab31ab · 5c60955d · 5c60955d · 5c60955d
Commit 5c60955d authored 6 years ago by skorpy
--- a/wireguard/babel.sls
+++ b/wireguard/babel.sls
+{%- for peer in pillar.babel.get('peers', []) if peer.tunnel.type == 'wireguard' %}
+
+{% set iface_prefix = "babel" %}
+
+/etc/wg/{{ iface_prefix }}_{{ peer.name }}.conf:
+  file.managed:
+    - require:
+      - file: /etc/wg
+    - source: salt://wireguard/files/wg.conf.j2
+    - template: jinja
+    - context:
+      peer: {{ peer }}
+{%- endfor %}
+
+/etc/network/interfaces.d/babel-wireguard:
+  file.managed:
+    - template: jinja
+    - require:
+      - pkg: ifupdown2
+      - pkg: wireguard
+    - source: salt://wireguard/files/babel-interfaces-wireguard.j2
+
+ifreload-wg-babel:
+  cmd.run:
+    - name: /sbin/ifreload -af
+    - onchanges:
+      - file: /etc/network/interfaces.d/babel-wireguard
+
+/etc/ferm/conf.d/50-babel-wireguard.conf:
+  file.managed:
+    - source: salt://wireguard/files/babel-ferm.conf.j2
+    - template: jinja
+    - require:
+      - file: /etc/ferm/conf.d
--- a/wireguard/files/babel-ferm.conf.j2
+++ b/wireguard/files/babel-ferm.conf.j2
+domain (ip ip6) {
+  table filter {
+    chain INPUT {
+      proto udp {
+        {%- for peer in pillar.babel.get('peers', []) if peer.tunnel.type == 'wireguard' %}
+        {% if not peer.tunnel.remote.get('float', False) %}saddr ({{ " ".join(salt['ferm.resolve'](peer.tunnel.remote.host)) }}) {% endif %}dport {{ peer.tunnel.local.port }} ACCEPT;
+        {%- endfor %}
+      }
+      {%- for peer in pillar.babel.get('peers', []) if peer.tunnel.type == 'wireguard' %}
+      interface( babel_{{ peer.name }} ) {
+        proto udp dport (6696) ACCEPT;
+        proto udp dport (27275) ACCEPT;
+      }
+      {% endfor %}
+    }
+  }
+}
--- a/wireguard/files/babel-interfaces-wireguard.j2
+++ b/wireguard/files/babel-interfaces-wireguard.j2
+{%- for peer in pillar.babel.get('peers', []) if peer.tunnel.type == 'wireguard' %}
+{%- set iface_prefix = "babel" %}
+
+auto {{ iface_prefix }}_{{ peer.name }}
+iface {{ iface_prefix }}_{{ peer.name }} inet6 static
+    pre-up ip link add dev $IFACE type wireguard
+    pre-up wg setconf $IFACE /etc/wg/$IFACE.conf
+    address fe80::1/64
+    post-down ip link del dev $IFACE
+
+{% endfor %}