
Merge pull request #100 from voxpupuli/allow
Make default AllowedIPs= configurable
ekohl committed Dec 31, 2023
2 parents b639398 + fb0d287 commit b5d840a
Showing 9 changed files with 112 additions and 38 deletions.
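--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -39,6 +39,7 @@ The following parameters are available in the `wireguard` class:
 * [`config_directory`](#-wireguard--config_directory)
 * [`purge_unknown_keys`](#-wireguard--purge_unknown_keys)
 * [`interfaces`](#-wireguard--interfaces)
+* [`default_allowlist`](#-wireguard--default_allowlist)
 
 ##### <a name="-wireguard--manage_package"></a>`manage_package`
 
@@ -88,6 +89,14 @@ hash of interfaces to create. Provides hiera integration.
 
 Default value: `{}`
 
+##### <a name="-wireguard--default_allowlist"></a>`default_allowlist`
+
+Data type: `Array[Stdlib::IP::Address]`
+
+array of allowed IP ranges for interfaces. Can be overwritten for individual interfaces
+
+Default value: `['fe80::/64', 'fd00::/8', '0.0.0.0/0']`
+
 ## Defined types
 
 ### <a name="wireguard--interface"></a>`wireguard::interface`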
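--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -7,6 +7,7 @@
 # @param config_directory the path to the wireguard directory
 # @param purge_unknown_keys by default Puppet will purge unknown wireguard keys from `$config_directory`
 # @param interfaces hash of interfaces to create. Provides hiera integration.
+# @param default_allowlist array of allowed IP ranges for interfaces. Can be overwritten for individual interfaces
 #
 # @author Tim Meusel <tim@bastelfreak.de>
 #
@@ -17,6 +18,7 @@
 Stdlib::Absolutepath $config_directory = '/etc/wireguard',
 Boolean $purge_unknown_keys = true,
 Hash[String[1], Any] $interfaces = {},
+Array[Stdlib::IP::Address] $default_allowlist = ['fe80::/64', 'fd00::/8', '0.0.0.0/0'],
 ) {
 if $manage_package {
 package { 'wireguard-tools':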
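Review bot: The `@param default_allowlist` line says the list "can be overwritten for individual interfaces", but nothing in this change adds an interface-level override: the only override visible in the diff is the per-peer `allowed_ips` key (the spec sets it on the second peer, and the templates use `pick($peer['allowed_ips'], $default_allowlist)`), while `wireguard::interface` reads the value straight from the class. The comment should also say what the value does, because `AllowedIPs=` is both the accepted-source filter for inbound packets and the set of routes pointed at a peer, so the default `0.0.0.0/0` sends all IPv4 through any peer that leaves `allowed_ips` unset. I would change the line to `# @param default_allowlist AllowedIPs= entries applied to every peer that does not set its own allowed_ips. WireGuard uses this list both as the accepted-source filter and as the routes for that peer, so the default 0.0.0.0/0 routes all IPv4 via such a peer.` The REFERENCE.md entry is presumably generated from this comment and would pick up the same wording.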
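--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -268,30 +268,32 @@
 }
 
 wireguard::provider::systemd { $interface :
-ensure => $ensure,
-interface => $interface,
-peers => $peers + $peer,
-dport => $dport,
-firewall_mark => $firewall_mark,
-addresses => $addresses,
-description => $description,
-mtu => $mtu,
-routes => $routes,
+ensure => $ensure,
+interface => $interface,
+peers => $peers + $peer,
+dport => $dport,
+firewall_mark => $firewall_mark,
+addresses => $addresses,
+description => $description,
+mtu => $mtu,
+routes => $routes,
+default_allowlist => $wireguard::default_allowlist,
 }
 }
 'wgquick': {
 wireguard::provider::wgquick { $interface :
-ensure => $ensure,
-interface => $interface,
-peers => $peers + $peer,
-dport => $dport,
-firewall_mark => $firewall_mark,
-addresses => $addresses,
-preup_cmds => $preup_cmds,
-postup_cmds => $postup_cmds,
-predown_cmds => $predown_cmds,
-postdown_cmds => $postdown_cmds,
-mtu => $mtu,
+ensure => $ensure,
+interface => $interface,
+peers => $peers + $peer,
+dport => $dport,
+firewall_mark => $firewall_mark,
+addresses => $addresses,
+preup_cmds => $preup_cmds,
+postup_cmds => $postup_cmds,
+predown_cmds => $predown_cmds,
+postdown_cmds => $postdown_cmds,
+mtu => $mtu,
+default_allowlist => $wireguard::default_allowlist,
 }
 }
 default: {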
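Review bot: Both provider calls now read `$wireguard::default_allowlist` directly, which makes `wireguard::interface` depend on the `wireguard` class having been evaluated first; the spec had to add a `pre_condition` declaring the class for exactly that reason. The define's header is outside this hunk, so I cannot see whether it does `include wireguard`; if it does not, a catalog that declares interfaces without the class gets an unknown-variable warning (an error under `strict_variables`), and as far as I can tell the providers then fall back to their `[]` default, which leaves every peer without `allowed_ips` with no `AllowedIPs=` line at all. I would add `include wireguard` at the top of the define if it is missing, and expose the value as a define parameter, `Array[Stdlib::IP::Address] $default_allowlist = $wireguard::default_allowlist,`, passed as `default_allowlist => $default_allowlist,` at both call sites, which also provides the per-interface override the parameter documentation promises.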
14 changes: 8 additions & 6 deletions manifests/provider/systemd.pp
Expand Up @@ -11,6 +11,7 @@
Optional[String[1]] $description = undef,
Optional[Integer[1200, 9000]] $mtu = undef,
Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
Array[Stdlib::IP::Address] $default_allowlist = [],
) {
assert_private()
Expand All @@ -22,12 +23,13 @@
systemd::network { "${interface}.netdev":
ensure => $systemd_ensure,
content => epp("${module_name}/netdev.epp", {
'interface' => $interface,
'dport' => $dport,
'firewall_mark' => $firewall_mark,
'description' => $description,
'mtu' => $mtu,
'peers' => $peers,
'interface' => $interface,
'dport' => $dport,
'firewall_mark' => $firewall_mark,
'description' => $description,
'mtu' => $mtu,
'peers' => $peers,
'default_allowlist' => $default_allowlist,
}),
restart_service => true,
owner => 'root',
22 changes: 12 additions & 10 deletions manifests/provider/wgquick.pp
Expand Up @@ -12,20 +12,22 @@
Array[String[1]] $postup_cmds = [],
Array[String[1]] $predown_cmds = [],
Array[String[1]] $postdown_cmds = [],
Array[Stdlib::IP::Address] $default_allowlist = [],
Optional[Integer[1200, 9000]] $mtu = undef,
) {
assert_private()
$params = {
'interface' => $interface,
'dport' => $dport,
'firewall_mark' => $firewall_mark,
'mtu' => $mtu,
'peers' => $peers,
'addresses' => $addresses,
'preup_cmds' => $preup_cmds,
'postup_cmds' => $postup_cmds,
'predown_cmds' => $predown_cmds,
'postdown_cmds' => $postdown_cmds,
'interface' => $interface,
'dport' => $dport,
'firewall_mark' => $firewall_mark,
'mtu' => $mtu,
'peers' => $peers,
'addresses' => $addresses,
'preup_cmds' => $preup_cmds,
'postup_cmds' => $postup_cmds,
'predown_cmds' => $predown_cmds,
'postdown_cmds' => $postdown_cmds,
'default_allowlist' => $default_allowlist,
}
file { "/etc/wireguard/${interface}.conf":
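--- a/spec/defines/interface_spec.rb
+++ b/spec/defines/interface_spec.rb
@@ -484,6 +484,39 @@
 it { is_expected.to compile.with_all_deps }
 it { is_expected.to contain_file("/etc/systemd/network/#{title}.netdev").with_content(%r{FirewallMark=1234}) }
 end
+
+context 'with modified default_allowlist and systemd provider' do
+let :pre_condition do
+'class { "wireguard": default_allowlist => ["127.0.0.1/32"],}'
+end
+let :params do
+{
+provider: 'systemd',
+peers: [
+{
+public_key: 'blabla==',
+endpoint: 'wireguard.example.com:1234',
+},
+{
+public_key: 'foo==',
+preshared_key: 'bar=',
+description: 'foo',
+allowed_ips: ['192.0.2.3'],
+}
+],
+manage_firewall: false,
+# we need to set destination_addresses to overwrite the default
+# that would configure IPv4+IPv6, but GHA doesn't provide IPv6 for us
+destination_addresses: [facts[:networking]['ip'],],
+addresses: [{ 'Address' => '192.0.2.1/24' }],
+}
+end
+let :expected_netdev_content_allow do
+File.read('spec/fixtures/test_files/peers2.netdev')
+end
+
+it { is_expected.to contain_file("/etc/systemd/network/#{title}.netdev").with_content(expected_netdev_content_allow) }
+end
 end
 end
 end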
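Review bot: The new context only exercises the systemd provider, yet `templates/wireguard_conf.epp` received the identical `pick($peer['allowed_ips'], $default_allowlist)` change and `wireguard::provider::wgquick` the identical parameter plumbing, so as far as this hunk shows the wgquick path stays untested and a regression there (for example dropping `'default_allowlist'` from `$params`) would not be caught. I would add a sibling context with `provider: 'wgquick'` and the same `pre_condition`, asserting `it { is_expected.to contain_file("/etc/wireguard/#{title}.conf").with_content(%r{AllowedIPs=127\.0\.0\.1/32}) }`. For the systemd case a regex on the one line this change affects would also state the intent more directly than comparing against a whole-file fixture, though the fixture does usefully confirm that the second peer keeps its explicit `192.0.2.3`. The enclosing describe blocks start outside the hunk.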
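--- /dev/null
+++ b/spec/fixtures/test_files/peers2.netdev
@@ -0,0 +1,22 @@
+# THIS FILE IS MANAGED BY PUPPET
+# based on https://dn42.dev/howto/wireguard
+[NetDev]
+Name=as1234
+Kind=wireguard
+
+[WireGuard]
+PrivateKeyFile=/etc/wireguard/as1234
+ListenPort=1234
+
+[WireGuardPeer]
+PublicKey=blabla==
+Endpoint=wireguard.example.com:1234
+PersistentKeepalive=0
+AllowedIPs=127.0.0.1/32
+
+[WireGuardPeer]
+Description=foo
+PublicKey=foo==
+PresharedKey=bar=
+PersistentKeepalive=0
+AllowedIPs=192.0.2.3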
3 changes: 2 additions & 1 deletion templates/netdev.epp
Expand Up @@ -4,6 +4,7 @@
Wireguard::Peers $peers,
Optional[String] $description,
Optional[Integer] $mtu,
Array[Stdlib::IP::Address] $default_allowlist,
| -%>
# THIS FILE IS MANAGED BY PUPPET
# based on https://dn42.dev/howto/wireguard
Expand Down Expand Up @@ -37,7 +38,7 @@ PresharedKey=<%= $peer['preshared_key'] %>
Endpoint=<%= $peer['endpoint'] %>
<% } -%>
PersistentKeepalive=<%= pick($peer['persistent_keepalive'], 0) %>
<% pick($peer['allowed_ips'], ['fe80::/64', 'fd00::/8', '0.0.0.0/0']).each |$allowed_ip| { -%>
<% pick($peer['allowed_ips'], $default_allowlist).each |$allowed_ip| { -%>
AllowedIPs=<%= $allowed_ip %>
<% } -%>
<% } -%>
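Review bot: With `$default_allowlist` typed as a plain `Array` and the two providers defaulting it to `[]`, a peer without `allowed_ips` now renders a `[WireGuardPeer]` section with no `AllowedIPs=` line whenever an empty list reaches the template, since as far as I can tell `pick` only skips undef and empty strings; the previous hard-coded list guaranteed at least one entry. A peer with no allowed IPs can neither send nor receive through the tunnel, so this silently disables the peer rather than opening anything, but it is easy to hit by setting `default_allowlist: []` in Hiera. I would either declare the parameter here and in `wireguard::provider::systemd` and the class as `Array[Stdlib::IP::Address, 1] $default_allowlist,` so an empty list is rejected at compile time, or document the empty-list behaviour on the class parameter. The same applies to the matching `pick` line in `templates/wireguard_conf.epp`.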
3 changes: 2 additions & 1 deletion templates/wireguard_conf.epp
Expand Up @@ -8,6 +8,7 @@
Array[String[1]] $postup_cmds,
Array[String[1]] $predown_cmds,
Array[String[1]] $postdown_cmds,
Array[Stdlib::IP::Address] $default_allowlist,
Optional[Integer[1280, 9000]] $mtu = undef,
| -%>
# THIS FILE IS MANAGED BY PUPPET
Expand Down Expand Up @@ -53,7 +54,7 @@ Endpoint=<%= $peer['endpoint'] %>
PresharedKey=<%= $peer['preshared_key'] %>
<% } -%>
PersistentKeepalive=<%= pick($peer['persistent_keepalive'], 0) %>
<% pick($peer['allowed_ips'], ['fe80::/64', 'fd00::/8', '0.0.0.0/0']).each |$allowed_ip| { -%>
<% pick($peer['allowed_ips'], $default_allowlist).each |$allowed_ip| { -%>
AllowedIPs=<%= $allowed_ip %>
<% } -%>
<% } -%>
