Add basic infrastructure for wireguard tunnels
authorTom Hughes <tom@compton.nu>
Sat, 12 Sep 2020 14:29:52 +0000 (14:29 +0000)
committerTom Hughes <tom@compton.nu>
Sun, 13 Sep 2020 23:04:44 +0000 (23:04 +0000)
cookbooks/networking/attributes/default.rb
cookbooks/networking/recipes/default.rb
cookbooks/networking/templates/default/shorewall-interfaces.erb
cookbooks/networking/templates/default/wireguard.netdev.erb [new file with mode: 0644]
cookbooks/networking/templates/default/wireguard.network.erb [new file with mode: 0644]
test/data_bags/networking/keys.json [new file with mode: 0644]

index 8edc932793fd21efafea2f69cd947707f19353d4..d2ec5957d1a36e9db8dd093ae3de37cba096de46 100644 (file)
@@ -1,3 +1,5 @@
+wireguard_id = %x(systemd-id128 machine-id -a 3f36688c233848dfa84e4b176195622e)
+
 default[:networking][:firewall][:enabled] = true
 default[:networking][:firewall][:inet] = []
 default[:networking][:firewall][:inet6] = []
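Review bot: `wireguard_id` is sliced into the address on line 26 with no check of the command's result, so if `systemd-id128` exits non-zero its empty output still yields `fd43:e709:ea6d:1::::`, an invalid address that only surfaces when networkd parses the generated unit; if the binary is absent the backtick raises Errno::ENOENT, and because this is the attributes file that happens on every node, including those with wireguard disabled. Checking the value where it is captured gives a clearer failure: `wireguard_id = %x(systemd-id128 machine-id -a 3f36688c233848dfa84e4b176195622e).strip` followed by `raise "systemd-id128 did not return a machine id" unless wireguard_id.match?(/\A\h{32}\z/)`. Whether a hard failure is acceptable depends on whether every managed host ships systemd-id128; otherwise the derivation should be made conditional or downgraded to a logged warning.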
@@ -12,3 +14,7 @@ default[:networking][:nameservers] = []
 default[:networking][:search] = []
 default[:networking][:dnssec] = "allow-downgrade"
 default[:networking][:hostname] = node.name
+default[:networking][:wireguard][:enabled] = false
+default[:networking][:wireguard][:address] = "fd43:e709:ea6d:1:#{wireguard_id[0,4]}:#{wireguard_id[4,4]}:#{wireguard_id[8,4]}:#{wireguard_id[12,4]}"
+default[:networking][:wireguard][:keepalive] = false
+default[:networking][:wireguard][:peers] = []
index 20a696ceca4d7bf02d93e7b604d55b664a516175..c92ffc4bc7ce2bd82c0bee8de145f19d4ee5f0d2 100644 (file)
@@ -23,6 +23,8 @@
 require "ipaddr"
 require "yaml"
 
+keys = data_bag_item("networking", "keys")
+
 package "netplan.io"
 
 netplan = {
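Review bot: `keys = data_bag_item("networking", "keys")` runs on every node regardless of `node[:networking][:wireguard][:enabled]`, so the preshared key is fetched into the Chef process on hosts that never use it, and a missing or unreadable data bag now fails the run for nodes with wireguard disabled. Moving the lookup inside the enabled block that starts at line 43, directly above the `preshared.key` file resource that is its only consumer, keeps the secret's reach to the hosts that need it: `keys = data_bag_item("networking", "keys")` as the first line after `if node[:networking][:wireguard][:enabled]`. The test fixture in test/data_bags/networking/keys.json stores the value in plain text; if the production data bag is plain as well, the key sits unencrypted on the Chef server and is readable by any client with data bag read access, which an encrypted data bag or vault item would mitigate, though that cannot be judged from this diff.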
@@ -219,6 +221,67 @@ package "cloud-init" do
   action :purge
 end
 
+if node[:networking][:wireguard][:enabled]
+  package "wireguard-tools" do
+    compile_time true
+  end
+
+  directory "/var/lib/systemd/wireguard" do
+    owner "root"
+    group "systemd-network"
+    mode "750"
+    compile_time true
+  end
+
+  file "/var/lib/systemd/wireguard/private.key" do
+    action :create_if_missing
+    owner "root"
+    group "systemd-network"
+    mode "640"
+    content %x{wg genkey}
+    compile_time true
+  end
+
+  node.default[:networking][:wireguard][:public_key] = %x{wg pubkey < /var/lib/systemd/wireguard/private.key}
+
+  file "/var/lib/systemd/wireguard/preshared.key" do
+    action :create_if_missing
+    owner "root"
+    group "systemd-network"
+    mode "640"
+    content keys["wireguard"]
+  end
+
+  template "/etc/systemd/network/wireguard.netdev" do
+    source "wireguard.netdev.erb"
+    owner "root"
+    group "root"
+    mode "644"
+  end
+
+  template "/etc/systemd/network/wireguard.network" do
+    source "wireguard.network.erb"
+    owner "root"
+    group "root"
+    mode "644"
+  end
+
+  execute "ip-link-delete-wg0" do
+    action :nothing
+    command "ip link delete wg0"
+    subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+    only_if { ::File.exist?("/sys/class/net/wg0") }
+  end
+
+  execute "networkctl-reload" do
+    action :nothing
+    command "networkctl reload"
+    subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+    subscribes :run, "template[/etc/systemd/network/wireguard.network]"
+    not_if { ENV.key?("TEST_KITCHEN") }
+  end
+end
+
 ohai "reload-hostname" do
   action :nothing
   plugin "hostname"
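Review bot: The `file` resources for `/var/lib/systemd/wireguard/private.key` and `/var/lib/systemd/wireguard/preshared.key` write key material without `sensitive true`, so when either file is first created Chef's normal output and reporting include the new content as a diff. Adding `sensitive true` to both resources suppresses that. The `content %x{wg genkey}` value is also unchecked: if `wg genkey` fails, an empty private.key is created and, because of `action :create_if_missing`, never regenerated, and the public key captured on line 64 then derives from an empty file; capturing it first with `private_key = %x{wg genkey}` and `raise "wg genkey failed" unless $?.success? && !private_key.empty?` before `content private_key` would catch that. Separately, `wg pubkey` output ends with a newline, so `node.default[:networking][:wireguard][:public_key]` should be `.strip`ped if that attribute is what other nodes place in their `peers` list, otherwise the `PublicKey=` line in the netdev template carries a stray line break.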
@@ -400,6 +463,17 @@ end
   end
 end
 
+if node[:networking][:wireguard][:enabled]
+  firewall_rule "accept-wireguard" do
+    action :accept
+    source "osm"
+    dest "fw"
+    proto "udp"
+    dest_ports "51820"
+    source_ports "51820"
+  end
+end
+
 if node[:roles].include?("gateway")
   template "/etc/shorewall/masq" do
     source "shorewall-masq.erb"
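Review bot: `source_ports "51820"` on the `accept-wireguard` rule assumes every peer sends from its own ListenPort, which holds for peers rendered by this same netdev template (`ListenPort=51820`) but not for a peer behind NAT or one configured with a different port, whose handshakes would then be silently dropped with nothing in the firewall log pointing at the source-port match. The rule is already restricted to the `osm` zone and to UDP destination port 51820, so dropping the `source_ports` line loses little; if the restriction is deliberate, a comment above the rule should say so: `# Peers are osm nodes using the same fixed ListenPort, so the source port is matched as well`.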
index 4701b9641cc20540a1d90c4c53b316996f9d7737..74d88122f4957f2015b0f56329683389d5dc8a70 100644 (file)
@@ -13,3 +13,4 @@ net   <%= interface[:interface] %>            nosmurfs,tcpflags
 <% end -%>
 <% end -%>
 loc    tun+            nosmurfs,tcpflags
+loc    wg+             nosmurfs,tcpflags
diff --git a/cookbooks/networking/templates/default/wireguard.netdev.erb b/cookbooks/networking/templates/default/wireguard.netdev.erb
new file mode 100644 (file)
index 0000000..7f7ef31
--- /dev/null
@@ -0,0 +1,20 @@
+[NetDev]
+Name=wg0
+Kind=wireguard
+
+[WireGuard]
+PrivateKeyFile=/var/lib/systemd/wireguard/private.key
+ListenPort=51820
+<% node[:networking][:wireguard][:peers].each do |peer| -%>
+
+[WireGuardPeer]
+PublicKey=<%= peer[:public_key] %>
+PresharedKeyFile=/var/lib/systemd/wireguard/preshared.key
+AllowedIPs=<%= Array(peer[:allowed_ips]).sort.join(",") %>
+<% if peer[:endpoint] -%>
+Endpoint=<%= peer[:endpoint] %>
+<% end -%>
+<% if node[:networking][:wireguard][:keepalive] -%>
+PersistentKeepalive=<%= node[:networking][:wireguard][:keepalive] %>
+<% end -%>
+<% end -%>
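Review bot: `PresharedKeyFile=/var/lib/systemd/wireguard/preshared.key` is emitted for every peer, and the recipe fills that file from a single data bag value, so one preshared key is shared across every tunnel in the fleet. WireGuard's PSK is an extra symmetric layer on top of the Noise key exchange and only adds protection while it stays secret; with a fleet-wide value, reading any one node's `/var/lib/systemd/wireguard` directory removes that layer for every pair, whereas per-pair keys would contain the loss to that node's tunnels. That is a design choice rather than a template bug, so recording it in the template would help the next reader: `<%# One fleet-wide preshared key is used for all peers; a per-peer PresharedKeyFile would limit exposure if a single node is compromised -%>`. Also `ListenPort=51820` here and `dest_ports "51820"` in the recipe's firewall rule must stay in sync; an attribute referenced from both (for example a constructed `node[:networking][:wireguard][:port]`, which the cookbook does not define yet) would make that coupling explicit.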
diff --git a/cookbooks/networking/templates/default/wireguard.network.erb b/cookbooks/networking/templates/default/wireguard.network.erb
new file mode 100644 (file)
index 0000000..636f286
--- /dev/null
@@ -0,0 +1,8 @@
+[Match]
+Name=wg0
+
+[Network]
+Address=<%= node[:networking][:wireguard][:address] %>/128
+
+[Route]
+Destination=fd43:e709:ea6d:1::/64
diff --git a/test/data_bags/networking/keys.json b/test/data_bags/networking/keys.json
new file mode 100644 (file)
index 0000000..de1f901
--- /dev/null
@@ -0,0 +1,4 @@
+{
+  "id": "keys",
+  "wireguard": "cQzuTMFj9LwSTdv7YqZhwsnbP2ZYzlSiK/Bgj4A9D/o="
+}