Add basic infrastructure for wireguard tunnels

[chef.git] / cookbooks / networking / recipes / default.rb

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index c195251e6803b7fdf3ff65492ada07020759ace8..c92ffc4bc7ce2bd82c0bee8de145f19d4ee5f0d2 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -23,6 +23,8 @@
 require "ipaddr"
 require "yaml"
 
+keys = data_bag_item("networking", "keys")
+
 package "netplan.io"
 
 netplan = {
@@ -219,6 +221,67 @@ package "cloud-init" do
   action :purge
 end
 
+if node[:networking][:wireguard][:enabled]
+  package "wireguard-tools" do
+    compile_time true
+  end
+
+  directory "/var/lib/systemd/wireguard" do
+    owner "root"
+    group "systemd-network"
+    mode "750"
+    compile_time true
+  end
+
+  file "/var/lib/systemd/wireguard/private.key" do
+    action :create_if_missing
+    owner "root"
+    group "systemd-network"
+    mode "640"
+    content %x{wg genkey}
+    compile_time true
+  end
+
+  node.default[:networking][:wireguard][:public_key] = %x{wg pubkey < /var/lib/systemd/wireguard/private.key}
+
+  file "/var/lib/systemd/wireguard/preshared.key" do
+    action :create_if_missing
+    owner "root"
+    group "systemd-network"
+    mode "640"
+    content keys["wireguard"]
+  end
+
+  template "/etc/systemd/network/wireguard.netdev" do
+    source "wireguard.netdev.erb"
+    owner "root"
+    group "root"
+    mode "644"
+  end
+
+  template "/etc/systemd/network/wireguard.network" do
+    source "wireguard.network.erb"
+    owner "root"
+    group "root"
+    mode "644"
+  end
+
+  execute "ip-link-delete-wg0" do
+    action :nothing
+    command "ip link delete wg0"
+    subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+    only_if { ::File.exist?("/sys/class/net/wg0") }
+  end
+
+  execute "networkctl-reload" do
+    action :nothing
+    command "networkctl reload"
+    subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+    subscribes :run, "template[/etc/systemd/network/wireguard.network]"
+    not_if { ENV.key?("TEST_KITCHEN") }
+  end
+end
+
 ohai "reload-hostname" do
   action :nothing
   plugin "hostname"
@@ -357,10 +420,18 @@ notify_group "shorewall-rules" do
   notifies :create, "template[/etc/shorewall/rules]"
 end
 
-service "shorewall" do
-  action [:enable, :start]
-  supports :restart => true
-  status_command "shorewall status"
+if node[:networking][:firewall][:enabled]
+  service "shorewall" do
+    action [:enable, :start]
+    supports :restart => true
+    status_command "shorewall status"
+  end
+else
+  service "shorewall" do
+    action [:disable, :stop]
+    supports :restart => true
+    status_command "shorewall status"
+  end
 end
 
 template "/etc/logrotate.d/shorewall" do
@@ -392,6 +463,17 @@ end
   end
 end
 
+if node[:networking][:wireguard][:enabled]
+  firewall_rule "accept-wireguard" do
+    action :accept
+    source "osm"
+    dest "fw"
+    proto "udp"
+    dest_ports "51820"
+    source_ports "51820"
+  end
+end
+
 if node[:roles].include?("gateway")
   template "/etc/shorewall/masq" do
     source "shorewall-masq.erb"
@@ -484,10 +566,18 @@ unless node.interfaces(:family => :inet6).empty?
     notifies :create, "template[/etc/shorewall6/rules]"
   end
 
-  service "shorewall6" do
-    action [:enable, :start]
-    supports :restart => true
-    status_command "shorewall6 status"
+  if node[:networking][:firewall][:enabled]
+    service "shorewall6" do
+      action [:enable, :start]
+      supports :restart => true
+      status_command "shorewall6 status"
+    end
+  else
+    service "shorewall6" do
+      action [:disable, :stop]
+      supports :restart => true
+      status_command "shorewall6 status"
+    end
   end
 
   template "/etc/logrotate.d/shorewall6" do