Add possibility to define routes

voxpupuli · Dec 8, 2021 · 9600c74 · 9600c74
1 parent c1ce989
commit 9600c74
Show file tree

Hide file tree

Showing 4 changed files with 80 additions and 1 deletion.
diff --git a/manifests/interface.pp b/manifests/interface.pp
@@ -14,6 +14,7 @@
 # @param description an optional string that will be added to the wireguard network interface
 # @param mtu configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints
 # @param peers is an array of struct (Wireguard::Peers) for multiple peers
+# @param routes different routes for the systemd-networkd configuration
 #
 # @author Tim Meusel <tim@bastelfreak.de>
 # @author Sebastian Rakel <sebastian@devunit.eu>
@@ -87,6 +88,7 @@
   Optional[String[1]] $description = undef,
   Optional[Integer[1280, 9000]] $mtu = undef,
   Optional[String[1]] $public_key = undef,
+  Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
 ) {
   require wireguard
 
@@ -155,8 +157,14 @@
     require         => File["/etc/wireguard/${interface}"],
   }
 
+  $network_epp_params = {
+    'interface' => $interface,
+    'addresses' => $addresses,
+    'routes'    => $routes,
+  }
+
   systemd::network { "${interface}.network":
-    content         => epp("${module_name}/network.epp", { 'interface' => $interface, 'addresses' => $addresses }),
+    content         => epp("${module_name}/network.epp", $network_epp_params),
     restart_service => true,
     owner           => 'root',
     group           => 'systemd-network',

diff --git a/spec/defines/interface_spec.rb b/spec/defines/interface_spec.rb
@@ -233,6 +233,48 @@ class {"systemd":
 
         it { is_expected.not_to compile.with_all_deps }
       end
+
+      context 'with required params (peers), routes and without firewall rules' do
+        let :params do
+          {
+            peers: [
+              {
+                public_key: 'blabla==',
+                endpoint: 'wireguard.example.com:1234',
+              },
+              {
+                public_key: 'foo==',
+                allowed_ips: ['192.0.2.3'],
+              }
+            ],
+            manage_firewall: false,
+            # we need to set destination_addresses to overwrite the default
+            # that would configure IPv4+IPv6, but GHA doesn't provide IPv6 for us
+            destination_addresses: [facts[:networking]['ip'],],
+            addresses: [{ 'Address' => '192.0.2.1/24' }],
+            routes: [{ 'Gateway' => '192.0.2.2', 'GatewayOnLink' => true, 'Destination' => '192.0.3.0/24' }],
+          }
+        end
+
+        let(:expected_netdev_content) do
+          File.read('spec/fixtures/test_files/peers.netdev')
+        end
+
+        let(:expected_network_content) do
+          File.read('spec/fixtures/test_files/peers_routes.network')
+        end
+
+        it { is_expected.to compile.with_all_deps }
+        it { is_expected.to contain_class('wireguard') }
+        it { is_expected.to contain_exec("generate #{title} keys") }
+        it { is_expected.to contain_file("/etc/wireguard/#{title}.pub") }
+        it { is_expected.to contain_file("/etc/wireguard/#{title}") }
+        it { is_expected.to contain_systemd__network("#{title}.netdev") }
+        it { is_expected.to contain_systemd__network("#{title}.network") }
+        it { is_expected.to contain_file("/etc/systemd/network/#{title}.netdev").with_content(expected_netdev_content) }
+        it { is_expected.to contain_file("/etc/systemd/network/#{title}.network").with_content(expected_network_content) }
+        it { is_expected.not_to contain_ferm__rule("allow_wg_#{title}") }
+      end
     end
   end
 end
diff --git a/spec/fixtures/test_files/peers_routes.network b/spec/fixtures/test_files/peers_routes.network
@@ -0,0 +1,21 @@
+# THIS FILE IS MANAGED BY PUPPET
+# based on https://dn42.dev/howto/wireguard
+[Match]
+Name=as1234
+
+[Network]
+DHCP=no
+IPv6AcceptRA=false
+IPForward=yes
+
+# for networkd >= 244 KeepConfiguration stops networkd from
+# removing routes on this interface when restarting
+KeepConfiguration=yes
+
+[Address]
+Address=192.0.2.1/24
+
+[Routes]
+Gateway=192.0.2.2
+GatewayOnLink=true
+Destination=192.0.3.0/24
diff --git a/templates/network.epp b/templates/network.epp
@@ -1,6 +1,7 @@
 <%- |
     Array[Hash] $addresses,
     String[1] $interface,
+    Array[Hash[String[1], Variant[String[1], Boolean]]] $routes,
 | -%>
 # THIS FILE IS MANAGED BY PUPPET
 # based on https://dn42.dev/howto/wireguard
@@ -22,4 +23,11 @@ KeepConfiguration=yes
 <%= $key %>=<%= $value %>
 <% } -%>
 <% } -%>
+<% $routes.each |$route| { -%>
+
+[Route]
+<% $route.each |$key, $value| { -%>
+<%= $key %>=<%= $value %>
+<% } -%>
+<% } -%>