Merge branch 'newtype/wireguard' into 'master'
Add types to create wireguard VPN. See merge request ungleich-public/cdist-contrib!14
af66c7e753
14 changed files with 325 additions and 0 deletions
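--- a/type/__wireguard/files/interface.conf.sh
+++ b/type/__wireguard/files/interface.conf.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+cat <<- EOF
+auto ${WG_IFACE:?}
+iface ${WG_IFACE:?} inet6 static
+address ${WG_ADDRESS:?}
+pre-up ip link add dev ${WG_IFACE:?} type wireguard
+pre-up wg setconf ${WG_IFACE:?} /etc/wireguard/${WG_IFACE:?}.conf
+post-down ip link delete dev ${WG_IFACE:?}
+EOF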
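Review bot: `pre-up ip link add dev ${WG_IFACE:?} type wireguard` is not idempotent: if the device already exists (for example an earlier ifup created the link but the following `wg setconf` failed, leaving the interface half-configured), `ip link add` returns an error and ifupdown stops bringing the interface up. A guard such as `pre-up ip link show dev ${WG_IFACE:?} >/dev/null 2>&1 || ip link add dev ${WG_IFACE:?} type wireguard` keeps repeated `ifup` runs working. The leading whitespace of the heredoc body is lost in this rendering, so whether `<<-` actually strips it (it removes leading tabs only, not spaces) cannot be confirmed here and is worth checking in the generated stanza.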
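--- a/type/__wireguard/files/wireguard.conf.sh
+++ b/type/__wireguard/files/wireguard.conf.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+if [ $# -ne 1 ];
+then
+echo "The WG private key must be passed to the script as an argument," >&2
+echo "as we do not consider the environment to be private. Aborting." >&2
+exit 1;
+fi
+
+cat <<- EOF
+[Interface]
+PrivateKey = ${1:?}
+EOF
+
+if [ -n "$WG_PORT" ];
+then
+echo "ListenPort = ${WG_PORT:?}"
+fi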
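Review bot: The rationale in the abort message for passing the private key as an argument is the wrong way round: argv is visible to every local user through `ps` and `/proc/*/cmdline` for the lifetime of the process, whereas on Linux a process's environment is readable only by its own uid and root. Reading the key from stdin avoids both exposures: replace the argument check and the heredoc line with `IFS= read -r wg_privkey || { echo "No private key on stdin. Aborting." >&2; exit 1; }` and `PrivateKey = ${wg_privkey:?}`, and have the manifest invoke it as `"${__type:?}/files/wireguard.conf.sh" < "${__object:?}/parameter/privkey"`. The same consideration applies to the pre-shared key argument of type/__wireguard_peer/files/wg-peer.sh.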
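--- a/type/__wireguard/gencode-remote
+++ b/type/__wireguard/gencode-remote
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if grep -q "^__block/${__object_id:?}" "${__messages_in:?}"; then
+cat <<- EOF
+wg syncconf ${__object_id:?} /etc/wireguard/${__object_id:?}.conf
+EOF
+fi
+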
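Review bot: `grep -q "^__block/${__object_id:?}"` is a prefix match with no terminating anchor, so an interface whose object id is a prefix of another `__block` id (say `wg0` and `wg01`) will run `wg syncconf` whenever the other block changes. If cdist writes messages as `type/id:message`, anchoring on the separator, `grep -q "^__block/${__object_id:?}:"`, scopes the check to this object's own block; type/__wireguard_peer/gencode-remote uses the same pattern and should be adjusted alongside. `wg syncconf` fails on a device that has not been created yet, and since the first `ifup` only happens through the interface file's `--onchange`, it is worth confirming that this code always runs after that object.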
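--- a/type/__wireguard/man.rst
+++ b/type/__wireguard/man.rst
@@ -0,0 +1,53 @@
+cdist-type__wireguard(7)
+========================
+
+NAME
+----
+cdist-type__wireguard - Configure a wireguard interface
+
+DESCRIPTION
+-----------
+
+This type creates a wireguard interface named using the `${__object_id}`. It
+generates a configuration file for wireguard and a configuration file for
+ifconfig, and then brings the interface up.
+
+Additional peers for the created wireguard interface can be added using
+`cdist-type__wireguard_peers(7)`.
+
+Currently, this type is only implemented for Alpine Linux.
+
+Currently, this type only supports setting an IPv6 address to assign to the
+wireguard interface.
+
+REQUIRED PARAMETERS
+-------------------
+
+privkey
+The private key for this wireguard instance.
+
+address
+The IPv6 address to assign to the wireguard interface, optionally with a CIDR
+mask.
+
+OPTIONAL PARAMETERS
+-------------------
+
+port
+The port to listen on. If not specified, wireguard will choose one randomly.
+
+SEE ALSO
+--------
+
+`wg(8)`, `wg-quick(8)`, `cdist-type__wireguard(7)`, `cdist-type__block(7)`
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.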
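--- a/type/__wireguard/manifest
+++ b/type/__wireguard/manifest
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case $os in
+'alpine')
+:
+;;
+*)
+echo "This type has no implementation for $os. Aborting." >&2
+exit 1;
+;;
+esac
+
+__package "wireguard-tools-wg"
+
+# Template configuration
+private_key="$(cat "${__object:?}/parameter/privkey")"
+
+WG_ADDRESS="$(cat "${__object:?}/parameter/address")"
+WG_IFACE="${__object_id:?}"
+
+export WG_IFACE
+export WG_ADDRESS
+
+WG_PORT=
+if [ -f "${__object:?}/parameter/port" ];
+then
+WG_PORT="$(cat "${__object:?}/parameter/port")"
+fi
+export WG_PORT
+
+mkdir -p "${__object:?}/files/"
+"${__type:?}/files/wireguard.conf.sh" "$private_key" > "${__object:?}/files/wg-${__object_id:?}.conf"
+
+# Wireguard configuration. Configured using a block as it is also edited by
+# cdist-type__wireguard_peer(7).
+__directory "/etc/wireguard/"
+require='__directory/etc/wireguard' \
+__file "/etc/wireguard/${__object_id:?}.conf" --state exists
+
+require="__file/etc/wireguard/${__object_id:?}.conf" \
+__block "${__object_id:?}" --file "/etc/wireguard/${__object_id:?}.conf" \
+--text - <"${__object:?}/files/wg-${__object_id:?}.conf"
+
+# Network configuration
+__directory '/etc/network/interfaces.d'
+__line source-interfaces \
+--line 'source-directory /etc/network/interfaces.d/' \
+--file '/etc/network/interfaces'
+
+"${__type:?}/files/interface.conf.sh" > "${__object:?}/files/iif-${__object_id:?}.conf"
+require="__directory/etc/network/interfaces.d __line/source-interfaces __block/${__object_id:?}" \
+__file "/etc/network/interfaces.d/${__object_id:?}.conf" \
+--source "${__object:?}/files/iif-${__object_id:?}.conf" \
+--onchange "ifup -a"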
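Review bot: `__file "/etc/wireguard/${__object_id:?}.conf" --state exists` creates the file that will carry `PrivateKey` without `--owner`, `--group` or `--mode`, so it gets the remote's default permissions (normally 0644) and the private key is readable by every local user; `wg` itself warns when its configuration file is world accessible. Create it as `__file "/etc/wireguard/${__object_id:?}.conf" --state exists --owner root --group root --mode 0600`, assuming `--state exists` still applies attributes on creation — worth confirming against the __file man page. Separately, `--onchange "ifup -a"` re-runs ifup for every interface on the host rather than only this one; `--onchange "ifup ${__object_id:?}"` limits the side effect to the interface this object manages.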
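--- a/type/__wireguard/parameter/optional
+++ b/type/__wireguard/parameter/optional
@@ -0,0 +1 @@
+port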
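--- a/type/__wireguard/parameter/required
+++ b/type/__wireguard/parameter/required
@@ -0,0 +1,2 @@
+address
+privkey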
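--- a/type/__wireguard_peer/files/wg-peer.sh
+++ b/type/__wireguard_peer/files/wg-peer.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+# We expect the pre-shared key, if it exists, as an argument because we do not
+# consider the environment to be secure.
+
+cat << EOF
+[Peer]
+PublicKey = ${PKEY:?}
+EOF
+
+if [ -n "$1" ];
+then
+echo "PresharedKey = ${1:?}"
+fi
+
+for ip in $ALLOWED_IPS;
+do
+echo "AllowedIPs = ${ip:?}"
+done
+
+if [ -n "$ENDPOINT" ];
+then
+echo "Endpoint = ${ENDPOINT:?}"
+fi
+
+if [ -n "$PERSISTENT_KA" ];
+then
+echo "PersistentKeepalive = ${PERSISTENT_KA:?}"
+fi
+
+echo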
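Review bot: `for ip in $ALLOWED_IPS` depends on the unquoted expansion word-splitting the raw parameter file (one `--allowed-ip` value per line) and also subjects every entry to glob expansion; the intent is not stated anywhere, so add a comment above the loop such as `# ALLOWED_IPS is the raw multiple-parameter file, one entry per line; rely on IFS splitting (shellcheck SC2086).` and consider `set -f` before the loop to rule out globbing. The man page describes `allowed-ip` as a comma-separated list, while this loop emits one `AllowedIPs =` line per whitespace-separated entry; wg accepts both forms, but the documentation should say which one is expected.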
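--- a/type/__wireguard_peer/gencode-remote
+++ b/type/__wireguard_peer/gencode-remote
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+iface="$(cat "${__object:?}/parameter/iface")"
+
+if grep -q "^__block/${__object_id:?}" "${__messages_in:?}";
+then
+cat <<- EOF
+wg syncconf ${iface:?} /etc/wireguard/${iface:?}.conf
+EOF
+fi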
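--- a/type/__wireguard_peer/man.rst
+++ b/type/__wireguard_peer/man.rst
@@ -0,0 +1,70 @@
+cdist-type__wiregurad_peer(7)
+=============================
+
+NAME
+----
+cdist-type__wiregurad_peer - Add an authorized peer to a wireguard interface.
+
+DESCRIPTION
+-----------
+
+This type configures a peer to be authorized on a wireguard interface. The
+`${__object_id}` is used to differentiate the `cdist-type__block(7)` where each peer is
+defined. See `wg(8)` for details on the options.
+
+Note that this type **requires** a configuration file named after the `iface`
+parameter to add and remove the peers from. The recommended way to accomplish
+this is to call `cdist-type__wireguard(7)`, and set it as a requirement for
+calls to this type adding peers to that interface.
+
+Currently, this type is only implemented for Alpine Linux.
+
+REQUIRED PARAMETERS
+-------------------
+
+iface
+The name of the wireguard interface to add the peer to.
+
+public-key
+The peer's public key.
+
+OPTIONAL PARAMETERS
+-------------------
+
+endpoint
+The endpoint for this peer.
+
+persistent-keepalive
+Send a keepalive packet every n seconds, expects an integer.
+
+preshared-key
+A pre-shared symmetric key. Used for "post-quantum resistance".
+
+state
+Directly passed on the `cdist-type__block(7)`, to enable removing a user.
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+
+allowed-ip
+A comma-separated list of IP (v4 or v6) addresses with CIDR masks from which
+incoming traffic for this peer is allowed and to which outgoing traffic
+for this peer is directed. The catch-all 0.0.0.0/0 may be specified for
+matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6
+addresses.
+
+SEE ALSO
+--------
+
+`wg(8)`, `wg-quick(8)`, `cdist-type__wireguard(7)`, `cdist-type__block(7)`
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.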
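--- a/type/__wireguard_peer/manifest
+++ b/type/__wireguard_peer/manifest
@@ -0,0 +1,60 @@
+#!/bin/sh
+# expected to be run with a required='__wireguard/ifname'
+
+os="$(cat "${__global:?}"/explorer/os)"
+
+case "$os" in
+alpine)
+:
+;;
+*)
+echo "This type has no implementation for $os. Aborting." >&2;
+exit 1;
+esac
+
+iface="$(cat "${__object:?}/parameter/iface")"
+
+PKEY="$(cat "${__object:?}/parameter/public-key")"
+export PKEY
+
+ALLOWED_IPS=
+if [ -f "${__object:?}/parameter/allowed-ip" ];
+then
+ALLOWED_IPS="$(cat "${__object:?}/parameter/allowed-ip")"
+fi
+export ALLOWED_IPS
+
+ENDPOINT=
+if [ -f "${__object:?}/parameter/endpoint" ];
+then
+ENDPOINT="$(cat "${__object:?}/parameter/endpoint")"
+fi
+export ENDPOINT
+
+PERSISTENT_KA=
+if [ -f "${__object:?}/parameter/persistent-keepalive" ];
+then
+PERSISTENT_KA="$(cat "${__object:?}/parameter/persistent-keepalive")"
+fi
+export PERSISTENT_KA
+
+state=present
+if [ -f "${__object:?}/parameter/state" ];
+then
+state="$(cat "${__object:?}/parameter/state")"
+fi
+
+presharedkey=
+if [ -f "${__object:?}/parameter/preshared-key" ];
+then
+presharedkey="$(cat "${__object:?}/parameter/preshared-key")"
+fi
+
+
+mkdir -p "${__object:?}/files"
+"${__type:?}/files/wg-peer.sh" "$presharedkey" > "${__object:?}/files/wg-peer"
+
+required="__file/etc/wireguard/$iface.conf" \
+__block "${__object_id:?}" --file "/etc/wireguard/$iface.conf" \
+--text - <"${__object:?}/files/wg-peer" \
+--state "$state"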
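Review bot: `required="__file/etc/wireguard/$iface.conf" \` at the bottom of the manifest sets a variable named `required`, but cdist reads `require`, so no dependency on the interface's configuration file is declared and `__block` can be scheduled before `/etc/wireguard/$iface.conf` exists; change it to `require="__file/etc/wireguard/$iface.conf" \`. The comment on line 2, `# expected to be run with a required='__wireguard/ifname'`, carries the same typo and should read `require='__wireguard/ifname'`. The `*)` arm of the `case` also ends without `;;` and has a stray `;` after `>&2`, unlike the same block in type/__wireguard/manifest; aligning the two keeps the style consistent.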
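--- a/type/__wireguard_peer/parameter/optional
+++ b/type/__wireguard_peer/parameter/optional
@@ -0,0 +1,4 @@
+endpoint
+persistent-keepalive
+preshared-key
+state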
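--- a/type/__wireguard_peer/parameter/optional_multiple
+++ b/type/__wireguard_peer/parameter/optional_multiple
@@ -0,0 +1 @@
+allowed-ip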
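--- a/type/__wireguard_peer/parameter/required
+++ b/type/__wireguard_peer/parameter/required
@@ -0,0 +1,2 @@
+iface
+public-key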