
Add state to manage Wireguard tunnel configuration

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm hace 2 años
padre
commit
19aecd6893
Se han modificado 2 ficheros con 55 adiciones y 0 borrados
  1. 39 0
      wireguard/init.sls
  2. 16 0
      wireguard/wireguard.conf.tmpl

+ 39 - 0
wireguard/init.sls

@@ -0,0 +1,39 @@
+#
+# Wireguard VPNs
+#
+{% set tunnels = salt['pillar.get']('nodes:' ~ grains.id ~ ':wireguard', {}) %}
+
+
+include:
+ - sysctl	# Make sure udp_l3mdev_accept is set
+
+# Install wireguard-tools (from backports currently)
+wireguard-tools:
+  pkg.installed
+
+
+Create /etc/wireguard:
+  file.directory:
+    - name: /etc/wireguard
+    - require:
+      - pkg: wireguard-tools
+
+Cleanup /etc/wireguard:
+  file.directory:
+    - name: /etc/wireguard
+    - clean: true
+    # Add cleanup action for active tunnels
+
+{% for iface, tunnel_config in tunnels.items () %}
+/etc/wireguard/{{ iface }}.conf:
+  file.managed:
+    - source: salt://wireguard/wireguard.conf.tmpl
+    - template: jinja
+    - context:
+      config: {{ tunnel_config }}
+    - require:
+      - file: Create /etc/wireguard
+    - require_in:
+      - file: Cleanup /etc/wireguard
+    # start/reload tunnel
+{% endfor %}
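Review bot: The per-tunnel `file.managed` state for `/etc/wireguard/{{ iface }}.conf` sets no `mode`, `user` or `group`, yet the rendered file carries `local_privkey` from pillar; with Salt's defaults the private key ends up in a world-readable file and is echoed in the state diff on every change. Add `- mode: '0600'` and `- show_changes: false` to that state, and give `Create /etc/wireguard` a `- mode: '0700'` so the directory is not listable either. Separately, `config: {{ tunnel_config }}` splices a Python dict repr into YAML, which only parses while no pillar value contains a YAML-significant character; `config: {{ tunnel_config | yaml }}` (or `| json`) serialises it deliberately. The tab before the `# Make sure udp_l3mdev_accept is set` comment on the `- sysctl` line should be spaces, and that list item is indented one space where the rest of the file uses two.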

+ 16 - 0
wireguard/wireguard.conf.tmpl

@@ -0,0 +1,16 @@
+#
+# Wireguard tunnel to {{ config['peer_fqdn'] }} (Salt managed)
+#
+[Interface]
+PrivateKey = {{ config['local_privkey'] }}
+{%- if config['mode'] == 'server' %}
+ListenPort = {{ config['port'] }}
+{%- endif %}
+FwMark = 0x1023
+
+[Peer]
+{%- if config['mode'] == 'client' %}
+Endpoint = {{ config['peer_ip'] }}:{{ config['port'] }}
+{%- endif %}
+PublicKey = {{ config['peer_pubkey'] }}
+AllowedIPs = 0.0.0.0/0, ::/0
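Review bot: The template branches only on `config['mode'] == 'server'` and `== 'client'`, so any other value (or a typo in pillar) renders a `[Peer]` with neither `ListenPort` nor `Endpoint`, which wg-quick accepts but which can never connect; if the Salt version in use provides the Jinja `raise` global, a guard such as `{% if config['mode'] not in ('server', 'client') %}{{ raise('unsupported wireguard mode: ' ~ config['mode']) }}{% endif %}` at the top fails at render time instead of producing a dead tunnel. The hard-coded `FwMark = 0x1023` and the route-all `AllowedIPs = 0.0.0.0/0, ::/0` are the two lines an operator will have to reason about, and neither says why; a comment like `# FwMark: presumably matched by a policy-routing rule set up elsewhere (see the sysctl include) — keep in sync` would capture the coupling. Since the rendered file contains the private key, the header comment could also state that it must stay mode 0600.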