newtype: __wireguard.

2021-06-09 16:37:05 +02:00 · 2021-06-09 16:37:05 +02:00 · 87c43b042d
commit 87c43b042d
parent 2f4c92803b
14 changed files with 325 additions and 0 deletions
--- a/type/__wireguard/files/interface.conf.sh
+++ b/type/__wireguard/files/interface.conf.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+cat <<- EOF
+	auto ${WG_IFACE:?}
+	iface ${WG_IFACE:?} inet6 static
+	address ${WG_ADDRESS:?}
+	pre-up ip link add dev ${WG_IFACE:?} type wireguard
+	pre-up wg setconf ${WG_IFACE:?} /etc/wireguard/${WG_IFACE:?}.conf
+	post-down ip link delete dev ${WG_IFACE:?}
+EOF
--- a/type/__wireguard/files/wireguard.conf.sh
+++ b/type/__wireguard/files/wireguard.conf.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ $# -ne 1 ];
+then
+	echo "The WG private key must be passed to the script as an argument," >&2
+	echo "as we do not consider the environment to be private. Aborting." >&2
+	exit 1;
+fi
+
+cat <<- EOF
+	[Interface]
+	PrivateKey = ${1:?}
+EOF
+
+if [ -n "$WG_PORT" ];
+then
+	echo "ListenPort = ${WG_PORT:?}"
+fi
--- a/type/__wireguard/gencode-remote
+++ b/type/__wireguard/gencode-remote
@ -0,0 +1,8 @@
+#!/bin/sh
+
+if grep -q "^__block/${__object_id:?}" "${__messages_in:?}"; then
+	cat <<- EOF
+	wg syncconf ${__object_id:?} /etc/wireguard/${__object_id:?}.conf
+	EOF
+fi
+
--- a/type/__wireguard/man.rst
+++ b/type/__wireguard/man.rst
@ -0,0 +1,53 @@
+cdist-type__wireguard(7)
+========================
+
+NAME
+----
+cdist-type__wireguard - Configure a wireguard interface
+
+DESCRIPTION
+-----------
+
+This type creates a wireguard interface named using the `${__object_id}`. It
+generates a configuration file for wireguard and a configuration file for
+ifconfig, and then brings the interface up.
+
+Additional peers for the created wireguard interface can be added using
+`cdist-type__wireguard_peers(7)`.
+
+Currently, this type is only implemented for Alpine Linux.
+
+Currently, this type only supports setting an IPv6 address to assign to the
+wireguard interface.
+
+REQUIRED PARAMETERS
+-------------------
+
+privkey
+  The private key for this wireguard instance.
+
+address
+  The IPv6 address to assign to the wireguard interface, optionally with a CIDR
+  mask.
+
+OPTIONAL PARAMETERS
+-------------------
+
+port
+  The port to listen on. If not specified, wireguard will choose one randomly.
+
+SEE ALSO
+--------
+
+`wg(8)`, `wg-quick(8)`, `cdist-type__wireguard(7)`, `cdist-type__block(7)`
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
--- a/type/__wireguard/manifest
+++ b/type/__wireguard/manifest
@ -0,0 +1,56 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case $os in
+	'alpine')
+		:
+		;;
+	*)
+		echo "This type has no implementation for $os. Aborting." >&2
+		exit 1;
+		;;
+esac
+
+__package "wireguard-tools-wg"
+
+# Template configuration
+private_key="$(cat "${__object:?}/parameter/privkey")"
+
+WG_ADDRESS="$(cat "${__object:?}/parameter/address")"
+WG_IFACE="${__object_id:?}"
+
+export WG_IFACE
+export WG_ADDRESS
+
+WG_PORT=
+if [ -f "${__object:?}/parameter/port" ];
+then
+	WG_PORT="$(cat "${__object:?}/parameter/port")"
+fi
+export WG_PORT
+
+mkdir -p "${__object:?}/files/"
+"${__type:?}/files/wireguard.conf.sh" "$private_key" > "${__object:?}/files/wg-${__object_id:?}.conf"
+
+# Wireguard configuration. Configured using a block as it is also edited by
+# cdist-type__wireguard_peer(7).
+__directory "/etc/wireguard/"
+require='__directory/etc/wireguard' \
+	__file "/etc/wireguard/${__object_id:?}.conf" --state exists
+
+require="__file/etc/wireguard/${__object_id:?}.conf" \
+	__block "${__object_id:?}" --file "/etc/wireguard/${__object_id:?}.conf" \
+		--text - <"${__object:?}/files/wg-${__object_id:?}.conf"
+
+# Network configuration
+__directory '/etc/network/interfaces.d'
+__line source-interfaces \
+	--line 'source-directory /etc/network/interfaces.d/' \
+	--file '/etc/network/interfaces'
+
+"${__type:?}/files/interface.conf.sh" > "${__object:?}/files/iif-${__object_id:?}.conf"
+require="__directory/etc/network/interfaces.d __line/source-interfaces __block/${__object_id:?}" \
+	__file "/etc/network/interfaces.d/${__object_id:?}.conf" \
+	--source "${__object:?}/files/iif-${__object_id:?}.conf" \
+	--onchange "ifup -a"
--- a/type/__wireguard/parameter/optional
+++ b/type/__wireguard/parameter/optional
@ -0,0 +1 @@
+port
--- a/type/__wireguard/parameter/required
+++ b/type/__wireguard/parameter/required
@ -0,0 +1,2 @@
+address
+privkey
--- a/type/__wireguard_peer/files/wg-peer.sh
+++ b/type/__wireguard_peer/files/wg-peer.sh
@ -0,0 +1,30 @@
+#!/bin/sh
+# We expect the pre-shared key, if it exists, as an argument because we do not
+# consider the environment to be secure.
+
+cat << EOF
+[Peer]
+PublicKey = ${PKEY:?}
+EOF
+
+if [ -n "$1" ];
+then
+	echo "PresharedKey = ${1:?}"
+fi
+
+for ip in $ALLOWED_IPS;
+do
+	echo "AllowedIPs = ${ip:?}"
+done
+
+if [ -n "$ENDPOINT" ];
+then
+	echo "Endpoint = ${ENDPOINT:?}"
+fi
+
+if [ -n "$PERSISTENT_KA" ];
+then
+	echo "PersistentKeepalive = ${PERSISTENT_KA:?}"
+fi
+
+echo
--- a/type/__wireguard_peer/gencode-remote
+++ b/type/__wireguard_peer/gencode-remote
@ -0,0 +1,10 @@
+#!/bin/sh
+
+iface="$(cat "${__object:?}/parameter/iface")"
+
+if grep -q "^__block/${__object_id:?}" "${__messages_in:?}";
+then
+	cat <<- EOF
+	wg syncconf ${iface:?} /etc/wireguard/${iface:?}.conf
+	EOF
+fi
--- a/type/__wireguard_peer/man.rst
+++ b/type/__wireguard_peer/man.rst
@ -0,0 +1,70 @@
+cdist-type__wiregurad_peer(7)
+=============================
+
+NAME
+----
+cdist-type__wiregurad_peer - Add an authorized peer to a wireguard interface.
+
+DESCRIPTION
+-----------
+
+This type configures a peer to be authorized on a wireguard interface. The
+`${__object_id}` is used to differentiate the `cdist-type__block(7)` where each peer is
+defined. See `wg(8)` for details on the options.
+
+Note that this type **requires** a configuration file named after the `iface`
+parameter to add and remove the peers from. The recommended way to accomplish
+this is to call `cdist-type__wireguard(7)`, and set it as a requirement for
+calls to this type adding peers to that interface.
+
+Currently, this type is only implemented for Alpine Linux.
+
+REQUIRED PARAMETERS
+-------------------
+
+iface
+  The name of the wireguard interface to add the peer to.
+
+public-key
+  The peer's public key.
+
+OPTIONAL PARAMETERS
+-------------------
+
+endpoint
+  The endpoint for this peer.
+
+persistent-keepalive
+  Send a keepalive packet every n seconds, expects an integer.
+
+preshared-key
+  A pre-shared symmetric key. Used for "post-quantum resistance".
+
+state
+  Directly passed on the `cdist-type__block(7)`, to enable removing a user.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+
+allowed-ip
+  A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which
+  incoming traffic for this peer is  allowed  and  to which  outgoing  traffic
+  for this peer is directed. The catch-all 0.0.0.0/0 may be specified for
+  matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6
+  addresses.
+
+SEE ALSO
+--------
+
+`wg(8)`, `wg-quick(8)`, `cdist-type__wireguard(7)`, `cdist-type__block(7)`
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
--- a/type/__wireguard_peer/manifest
+++ b/type/__wireguard_peer/manifest
@ -0,0 +1,60 @@
+#!/bin/sh
+# expected to be run with a required='__wireguard/ifname'
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case "$os" in
+	alpine)
+		:
+		;;
+	*)
+		echo "This type has no implementation for $os. Aborting." >&2;
+		exit 1;
+esac
+
+iface="$(cat "${__object:?}/parameter/iface")"
+
+PKEY="$(cat "${__object:?}/parameter/public-key")"
+export PKEY
+
+ALLOWED_IPS=
+if [ -f "${__object:?}/parameter/allowed-ip" ];
+then
+	ALLOWED_IPS="$(cat "${__object:?}/parameter/allowed-ip")"
+fi
+export ALLOWED_IPS
+
+ENDPOINT=
+if [ -f "${__object:?}/parameter/endpoint" ];
+then
+	ENDPOINT="$(cat "${__object:?}/parameter/endpoint")"
+fi
+export ENDPOINT
+
+PERSISTENT_KA=
+if [ -f "${__object:?}/parameter/persistent-keepalive" ];
+then
+	PERSISTENT_KA="$(cat "${__object:?}/parameter/persistent-keepalive")"
+fi
+export PERSISTENT_KA
+
+state=present
+if [ -f "${__object:?}/parameter/state" ];
+then
+	state="$(cat "${__object:?}/parameter/state")"
+fi
+
+presharedkey=
+if [ -f "${__object:?}/parameter/preshared-key" ];
+then
+	presharedkey="$(cat "${__object:?}/parameter/preshared-key")"
+fi
+
+
+mkdir -p "${__object:?}/files"
+"${__type:?}/files/wg-peer.sh" "$presharedkey" > "${__object:?}/files/wg-peer"
+
+required="__file/etc/wireguard/$iface.conf" \
+	__block "${__object_id:?}" --file "/etc/wireguard/$iface.conf" \
+		--text - <"${__object:?}/files/wg-peer" \
+		--state "$state"
--- a/type/__wireguard_peer/parameter/optional
+++ b/type/__wireguard_peer/parameter/optional
@ -0,0 +1,4 @@
+endpoint
+persistent-keepalive
+preshared-key
+state
--- a/type/__wireguard_peer/parameter/optional_multiple
+++ b/type/__wireguard_peer/parameter/optional_multiple
@ -0,0 +1 @@
+allowed-ip
--- a/type/__wireguard_peer/parameter/required
+++ b/type/__wireguard_peer/parameter/required
@ -0,0 +1,2 @@
+iface
+public-key