wireguard: init

77c86020 · skorpy · db529740 · 77c86020 · 77c86020 · 77c86020
Commit 77c86020 authored 7 years ago by skorpy
--- a/wireguard/dn42.sls
+++ b/wireguard/dn42.sls
+{%- for peer in pillar.dn42.peers if peer.tunnel.type == 'wireguard' %}
+
+{% if peer.name == "intern" %}
+{% set iface_prefix = "tun" %}
+{% else %}
+{% set iface_prefix = "dn42" %}
+{% endif %}
+
+/etc/wg/{{ iface_prefix }}_{{ peer.name }}.conf:
+  file.managed:
+    - require:
+      - file: /etc/wg
+    - source: salt://wireguard/files/wg.conf.j2
+    - template: jinja
+    - context:
+      peer: {{ peer }}
+{%- endfor %}
+
+/etc/network/interfaces.d/dn42-wireguard:
+  file.managed:
+    - template: jinja
+    - require:
+      - pkg: ifupdown2
+      - pkg: wireguard
+    - source: salt://wireguard/files/dn42-interfaces-wireguard.j2
+
+/etc/ferm/conf.d/50-dn42-wireguard.conf:
+  file.managed:
+    - source: salt://wireguard/files/dn42-ferm.conf.j2
+    - template: jinja
+    - require:
+      - file: /etc/ferm/conf.d
--- a/wireguard/files/dn42-ferm.conf.j2
+++ b/wireguard/files/dn42-ferm.conf.j2
+domain (ip ip6) {
+  table filter {
+    chain INPUT {
+      proto udp {
+        {%- for peer in pillar.dn42.get('peers', []) if peer.tunnel.type == 'wireguard' %}
+        {% if not peer.tunnel.remote.get('float', False) %}saddr ({{ " ".join(salt['ferm.resolve'](peer.tunnel.remote.host)) }}) {% endif %}dport {{ peer.tunnel.local.port }} ACCEPT;
+        {%- endfor %}
+      }
+    }
+  }
+}
--- a/wireguard/files/dn42-interfaces-wireguard.j2
+++ b/wireguard/files/dn42-interfaces-wireguard.j2
+{%- for peer in pillar.dn42.peers if peer.tunnel.type == 'wireguard' %}
+
+{% if peer.name == "intern" %}
+{% set iface_prefix = "tun" %}
+{% else %}
+{% set iface_prefix = "dn42" %}
+{% endif %}
+
+auto {{ iface_prefix }}_{{ peer.name }}
+
+{%- if 'ip4' in peer.addr.local %}
+iface {{ iface_prefix }}_{{ peer.name }} inet static
+    pre-up ip link add dev $IFACE type wireguard
+    pre-up wg setconf $IFACE /etc/wg/$IFACE.conf
+    address {{ peer.addr.local.ip4.address }}/31
+    post-down ip link del dev $IFACE
+{%- endif %}
+
+{%- if 'ip6' in peer.addr.local %}
+iface {{ iface_prefix }}_{{ peer.name }} inet6 static
+    address {{ peer.addr.local.ip6.address }}/127
+{%- endif %}
+
+{% endfor %}
--- a/wireguard/files/wg.conf.j2
+++ b/wireguard/files/wg.conf.j2
+[Interface]
+PrivateKey = {{ peer.tunnel.local.privkey }}
+ListenPort = {{ peer.tunnel.local.port }}
+
+[Peer]
+PublicKey = {{ peer.tunnel.remote.pubkey }}
+{%- if 'host' in peer.tunnel.remote %}
+Endpoint = {{ peer.tunnel.remote.host }}:{{ peer.tunnel.remote.port }}
+{%- endif %}
+AllowedIPs = 0.0.0.0/0,::/0
--- a/wireguard/init.sls
+++ b/wireguard/init.sls
+include:
+  - apt.repository.sid
+
+wireguard:
+  pkg.installed:
+    - pkgs:
+      - wireguard-dkms
+      - wireguard-tools
+    - fromrepo: sid
+    - require:
+      - pkgrepo: sid
+      - pkg: wireguard-dependencies
+
+wirequard-apt-pin:
+  file.accumulated:
+    - name: apt.sid.pinning_exceptions
+    - filename: /etc/apt/preferences.d/sid-pinning
+    - text: wirequard*
+    - require_in:
+      - file: /etc/apt/preferences.d/sid-pinning
+
+wireguard-dependencies:
+  pkg.installed:
+    - pkgs:
+      - linux-headers-amd64
+
+wireguard-kmod:
+  kmod.present:
+    - name: wireguard
+    - persist: True
+
+/etc/wg:
+  file.directory