newtype: __wireguard.

This commit is contained in:
sparrowhawk 2021-06-09 16:37:05 +02:00
parent 2f4c92803b
commit 87c43b042d
14 changed files with 325 additions and 0 deletions

View file

@ -0,0 +1,10 @@
#!/bin/sh
cat <<- EOF
auto ${WG_IFACE:?}
iface ${WG_IFACE:?} inet6 static
address ${WG_ADDRESS:?}
pre-up ip link add dev ${WG_IFACE:?} type wireguard
pre-up wg setconf ${WG_IFACE:?} /etc/wireguard/${WG_IFACE:?}.conf
post-down ip link delete dev ${WG_IFACE:?}
EOF

View file

@ -0,0 +1,18 @@
#!/bin/sh
if [ $# -ne 1 ];
then
echo "The WG private key must be passed to the script as an argument," >&2
echo "as we do not consider the environment to be private. Aborting." >&2
exit 1;
fi
cat <<- EOF
[Interface]
PrivateKey = ${1:?}
EOF
if [ -n "$WG_PORT" ];
then
echo "ListenPort = ${WG_PORT:?}"
fi

View file

@ -0,0 +1,8 @@
#!/bin/sh
if grep -q "^__block/${__object_id:?}" "${__messages_in:?}"; then
cat <<- EOF
wg syncconf ${__object_id:?} /etc/wireguard/${__object_id:?}.conf
EOF
fi

53
type/__wireguard/man.rst Normal file
View file

@ -0,0 +1,53 @@
cdist-type__wireguard(7)
========================
NAME
----
cdist-type__wireguard - Configure a wireguard interface
DESCRIPTION
-----------
This type creates a wireguard interface named using the `${__object_id}`. It
generates a configuration file for wireguard and a configuration file for
ifconfig, and then brings the interface up.
Additional peers for the created wireguard interface can be added using
`cdist-type__wireguard_peers(7)`.
Currently, this type is only implemented for Alpine Linux.
Currently, this type only supports setting an IPv6 address to assign to the
wireguard interface.
REQUIRED PARAMETERS
-------------------
privkey
The private key for this wireguard instance.
address
The IPv6 address to assign to the wireguard interface, optionally with a CIDR
mask.
OPTIONAL PARAMETERS
-------------------
port
The port to listen on. If not specified, wireguard will choose one randomly.
SEE ALSO
--------
`wg(8)`, `wg-quick(8)`, `cdist-type__wireguard(7)`, `cdist-type__block(7)`
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2020 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

56
type/__wireguard/manifest Normal file
View file

@ -0,0 +1,56 @@
#!/bin/sh
os="$(cat "${__global:?}"/explorer/os)"
case $os in
'alpine')
:
;;
*)
echo "This type has no implementation for $os. Aborting." >&2
exit 1;
;;
esac
__package "wireguard-tools-wg"
# Template configuration
private_key="$(cat "${__object:?}/parameter/privkey")"
WG_ADDRESS="$(cat "${__object:?}/parameter/address")"
WG_IFACE="${__object_id:?}"
export WG_IFACE
export WG_ADDRESS
WG_PORT=
if [ -f "${__object:?}/parameter/port" ];
then
WG_PORT="$(cat "${__object:?}/parameter/port")"
fi
export WG_PORT
mkdir -p "${__object:?}/files/"
"${__type:?}/files/wireguard.conf.sh" "$private_key" > "${__object:?}/files/wg-${__object_id:?}.conf"
# Wireguard configuration. Configured using a block as it is also edited by
# cdist-type__wireguard_peer(7).
__directory "/etc/wireguard/"
require='__directory/etc/wireguard' \
__file "/etc/wireguard/${__object_id:?}.conf" --state exists
require="__file/etc/wireguard/${__object_id:?}.conf" \
__block "${__object_id:?}" --file "/etc/wireguard/${__object_id:?}.conf" \
--text - <"${__object:?}/files/wg-${__object_id:?}.conf"
# Network configuration
__directory '/etc/network/interfaces.d'
__line source-interfaces \
--line 'source-directory /etc/network/interfaces.d/' \
--file '/etc/network/interfaces'
"${__type:?}/files/interface.conf.sh" > "${__object:?}/files/iif-${__object_id:?}.conf"
require="__directory/etc/network/interfaces.d __line/source-interfaces __block/${__object_id:?}" \
__file "/etc/network/interfaces.d/${__object_id:?}.conf" \
--source "${__object:?}/files/iif-${__object_id:?}.conf" \
--onchange "ifup -a"

View file

@ -0,0 +1 @@
port

View file

@ -0,0 +1,2 @@
address
privkey

View file

@ -0,0 +1,30 @@
#!/bin/sh
# We expect the pre-shared key, if it exists, as an argument because we do not
# consider the environment to be secure.
cat << EOF
[Peer]
PublicKey = ${PKEY:?}
EOF
if [ -n "$1" ];
then
echo "PresharedKey = ${1:?}"
fi
for ip in $ALLOWED_IPS;
do
echo "AllowedIPs = ${ip:?}"
done
if [ -n "$ENDPOINT" ];
then
echo "Endpoint = ${ENDPOINT:?}"
fi
if [ -n "$PERSISTENT_KA" ];
then
echo "PersistentKeepalive = ${PERSISTENT_KA:?}"
fi
echo

View file

@ -0,0 +1,10 @@
#!/bin/sh
iface="$(cat "${__object:?}/parameter/iface")"
if grep -q "^__block/${__object_id:?}" "${__messages_in:?}";
then
cat <<- EOF
wg syncconf ${iface:?} /etc/wireguard/${iface:?}.conf
EOF
fi

View file

@ -0,0 +1,70 @@
cdist-type__wiregurad_peer(7)
=============================
NAME
----
cdist-type__wiregurad_peer - Add an authorized peer to a wireguard interface.
DESCRIPTION
-----------
This type configures a peer to be authorized on a wireguard interface. The
`${__object_id}` is used to differentiate the `cdist-type__block(7)` where each peer is
defined. See `wg(8)` for details on the options.
Note that this type **requires** a configuration file named after the `iface`
parameter to add and remove the peers from. The recommended way to accomplish
this is to call `cdist-type__wireguard(7)`, and set it as a requirement for
calls to this type adding peers to that interface.
Currently, this type is only implemented for Alpine Linux.
REQUIRED PARAMETERS
-------------------
iface
The name of the wireguard interface to add the peer to.
public-key
The peer's public key.
OPTIONAL PARAMETERS
-------------------
endpoint
The endpoint for this peer.
persistent-keepalive
Send a keepalive packet every n seconds, expects an integer.
preshared-key
A pre-shared symmetric key. Used for "post-quantum resistance".
state
Directly passed on the `cdist-type__block(7)`, to enable removing a user.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
allowed-ip
A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which
incoming traffic for this peer is allowed and to which outgoing traffic
for this peer is directed. The catch-all 0.0.0.0/0 may be specified for
matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6
addresses.
SEE ALSO
--------
`wg(8)`, `wg-quick(8)`, `cdist-type__wireguard(7)`, `cdist-type__block(7)`
AUTHORS
-------
Joachim Desroches <joachim.desroches@epfl.ch>
COPYING
-------
Copyright \(C) 2020 Joachim Desroches. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,60 @@
#!/bin/sh
# expected to be run with a required='__wireguard/ifname'
os="$(cat "${__global:?}"/explorer/os)"
case "$os" in
alpine)
:
;;
*)
echo "This type has no implementation for $os. Aborting." >&2;
exit 1;
esac
iface="$(cat "${__object:?}/parameter/iface")"
PKEY="$(cat "${__object:?}/parameter/public-key")"
export PKEY
ALLOWED_IPS=
if [ -f "${__object:?}/parameter/allowed-ip" ];
then
ALLOWED_IPS="$(cat "${__object:?}/parameter/allowed-ip")"
fi
export ALLOWED_IPS
ENDPOINT=
if [ -f "${__object:?}/parameter/endpoint" ];
then
ENDPOINT="$(cat "${__object:?}/parameter/endpoint")"
fi
export ENDPOINT
PERSISTENT_KA=
if [ -f "${__object:?}/parameter/persistent-keepalive" ];
then
PERSISTENT_KA="$(cat "${__object:?}/parameter/persistent-keepalive")"
fi
export PERSISTENT_KA
state=present
if [ -f "${__object:?}/parameter/state" ];
then
state="$(cat "${__object:?}/parameter/state")"
fi
presharedkey=
if [ -f "${__object:?}/parameter/preshared-key" ];
then
presharedkey="$(cat "${__object:?}/parameter/preshared-key")"
fi
mkdir -p "${__object:?}/files"
"${__type:?}/files/wg-peer.sh" "$presharedkey" > "${__object:?}/files/wg-peer"
required="__file/etc/wireguard/$iface.conf" \
__block "${__object_id:?}" --file "/etc/wireguard/$iface.conf" \
--text - <"${__object:?}/files/wg-peer" \
--state "$state"

View file

@ -0,0 +1,4 @@
endpoint
persistent-keepalive
preshared-key
state

View file

@ -0,0 +1 @@
allowed-ip

View file

@ -0,0 +1,2 @@
iface
public-key