From fcdda55ed94d5f6fc8ff1138d90bd643fd0aaa10 Mon Sep 17 00:00:00 2001 From: Jonas Forsberg Date: Tue, 12 Oct 2021 15:00:09 +0200 Subject: [PATCH] . --- salt/pillars/top.sls | 1 + salt/pillars/wireguard.sls | 9 +++++++ salt/states/firewalld/init.sls | 8 ++++++ salt/states/top.sls | 1 + .../wireguard/files/interface.conf.template | 14 ++++++++++ salt/states/wireguard/init.sls | 26 +++++++++++++++++++ 6 files changed, 59 insertions(+) create mode 100644 salt/pillars/wireguard.sls create mode 100644 salt/states/wireguard/files/interface.conf.template create mode 100644 salt/states/wireguard/init.sls diff --git a/salt/pillars/top.sls b/salt/pillars/top.sls index a641a35..c1deed5 100644 --- a/salt/pillars/top.sls +++ b/salt/pillars/top.sls @@ -7,6 +7,7 @@ base: - docker - remote-desktop - ssh + - wireguard {% if salt['pillar.file_exists']('local.sls') %} - local {% endif %} diff --git a/salt/pillars/wireguard.sls b/salt/pillars/wireguard.sls new file mode 100644 index 0000000..63eab9e --- /dev/null +++ b/salt/pillars/wireguard.sls @@ -0,0 +1,9 @@ +wireguard: + iface: wg-vpn + address: 172.20.1.1/24 + postup: + postdown: + port: 62666 + privatekey: + publickey: + peers: [] diff --git a/salt/states/firewalld/init.sls b/salt/states/firewalld/init.sls index 63367c4..d02d634 100644 --- a/salt/states/firewalld/init.sls +++ b/salt/states/firewalld/init.sls @@ -1,3 +1,9 @@ +Configure wireguard service: + firewalld.service: + - name: wireguard + - ports: + - {{ pillar['wireguard']['port'] }}/udp + Configure firewalld for external interface: firewalld.present: - name: external @@ -10,6 +16,7 @@ Configure firewalld for external interface: - {{ pillar['network']['interface']['external'] }} - services: - ssh + - wireguard Configure firewalld for internal network: firewalld.present: 
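Review bot: The `privatekey:` field in the new salt/pillars/wireguard.sls means the interface's WireGuard private key is expected to be filled in inside a git-tracked pillar file, which would commit a long-lived secret to the repository and replicate it through the master's pillar data. Since top.sls already includes an untracked `local.sls` when it exists, I'd keep the value out of this file and set it only there or through an encrypted pillar renderer, leaving a placeholder comment such as `# privatekey: set in local.sls (or encrypted pillar); never commit it`. The `postup:` and `postdown:` keys declared here are not read anywhere in this commit (the interface template hard-codes its own PostUp/PostDown), so either wire them into the template or drop them to avoid a misleading knob.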
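Review bot: The new `wireguard` firewalld service is added to the `external` zone unconditionally, while the wireguard state in this same commit only renders a config and brings the interface up when `pillar['wireguard']['privatekey']` is set, so a host with no key still gets UDP `{{ pillar['wireguard']['port'] }}` opened on its external interface. Gating the zone entry the same way, e.g. wrapping `- wireguard` in `{% if pillar['wireguard']['privatekey'] %}` … `{% endif %}`, keeps the firewall hole tied to an actual listener. An unbound UDP port is not much of an exposure on its own, but the zone definition should describe what is really listening rather than what might be configured later.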
@@ -20,6 +27,7 @@ Configure firewalld for internal network: - prune_sources: True - interfaces: - {{ pillar['network']['interface']['internal'] }} + - {{ pillar['wireguard']['iface'] }} - sources: - {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }} - services: diff --git a/salt/states/top.sls b/salt/states/top.sls index fe0e3c8..87687ab 100644 --- a/salt/states/top.sls +++ b/salt/states/top.sls @@ -2,6 +2,7 @@ base: '*': - hostname - firewalld + - ssh - chrony - atftp - dnsmasq diff --git a/salt/states/wireguard/files/interface.conf.template b/salt/states/wireguard/files/interface.conf.template new file mode 100644 index 0000000..15d3ece --- /dev/null +++ b/salt/states/wireguard/files/interface.conf.template @@ -0,0 +1,14 @@ +[Interface] +Address = {{ pillar['wireguard']['address'] }} +PrivateKey = {{ pillar['wireguard']['privatekey'] }} +ListenPort = {{ pillar['wireguard']['port'] }} +PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE +PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE + +{% for peer in pillar['wireguard']['peers'] -%} +[peer] +PublicKey = {{ peer['publickey'] }} +PresharedKey = {{ peer['presharedkey'] }} +AllowedIPs = {{ peer['allowedips'] }} +{% endfor %} + diff --git a/salt/states/wireguard/init.sls b/salt/states/wireguard/init.sls new file mode 100644 index 0000000..7d7a642 --- /dev/null +++ b/salt/states/wireguard/init.sls 
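Review bot: Adding `{{ pillar['wireguard']['iface'] }}` to the `internal` zone's interfaces gives every VPN peer the same firewalld exposure as a host on the LAN, and the template's `iptables -A FORWARD -i … -j ACCEPT` in this commit forwards peer traffic to any interface with no `-o` restriction. If peers are not meant to be fully trusted, a dedicated zone listing only the services they need, plus a forward rule scoped with `-o {{ pillar['network']['interface']['internal'] }}`, would be tighter and easier to audit. Also, firewalld manages the FORWARD chain itself, so whether the PostUp iptables rules from the template take effect alongside the zone policy (especially on nftables-backed firewalld) should be verified on the target distribution rather than assumed; firewalld's own `masquerade: True` on the zone may be the cleaner way to express the same intent.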
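Review bot: `PostDOWN` in interface.conf.template does not match the key wg-quick looks for, which as far as I recall is compared case-sensitively as `PostDown`, so the line would most likely be passed through to `wg setconf` as an unrecognized key and `wg-quick up` would fail; it should read `PostDown = iptables -D FORWARD …`. The `[peer]` header is conventionally written `[Peer]` and I'd match that for consistency with `[Interface]`, even if the parser tolerates it. `PresharedKey = {{ peer['presharedkey'] }}` is emitted for every peer although nothing in the pillar shape (`peers: []`) requires that key, so a peer defined without one would either fail rendering or produce an empty `PresharedKey =` line; guard it with `{% if peer.get('presharedkey') %}PresharedKey = {{ peer['presharedkey'] }}{% endif %}`. The `postup`/`postdown` pillar keys introduced in this commit are never consulted here, which is worth either fixing or documenting at the top of the template.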
@@ -0,0 +1,26 @@ +Install wireguard tools: + pkg.installed: + - name: wireguard-tools + +{% if pillar['wireguard']['privatekey'] %} +configure wireguard interface: + file.managed: + - name: /etc/wireguard/{{ pillar['wireguard']['iface'] }}.conf + - source: salt://wireguard/files/interface.conf.template + - template: jinja + - user: root + - group: root + - mode: "0600" + +stop wireguard interface: + cmd.run: + - name: wg-quick down {{ pillar['wireguard']['iface'] }} + - onlyif: wg show {{ pillar['wireguard']['iface'] }} + - onchanges: + - file: configure wireguard interface + +start wireguard interface: + cmd.run: + - name: wg-quick up {{ pillar['wireguard']['iface'] }} + - unless: wg show {{ pillar['wireguard']['iface'] }} +{% endif %}
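Review bot: `start wireguard interface` brings the tunnel up with a one-shot `wg-quick up` and nothing in the hunk enables it at boot, so after a reboot the interface stays down until the next highstate while firewalld still advertises the port. Replacing the two `cmd.run` states with a `service.running` on the `wg-quick@<iface>` unit (shipped by wireguard-tools on the common distributions, worth confirming for the target OS) with `enable: True` and a `watch` on the config file gives persistence and a restart on config change without the `onlyif`/`unless` pairing. Separately, `pillar['wireguard']['iface']` is interpolated unquoted into both the shell commands and the `/etc/wireguard/….conf` path; pillar is operator-controlled, but a comment such as `# iface must be a plain interface name: it is used unquoted in shell commands and as a file name` would make that assumption explicit.

```yaml
# … unchanged: Install wireguard tools, configure wireguard interface …
run wireguard interface:
  service.running:
    - name: wg-quick@{{ pillar['wireguard']['iface'] }}
    - enable: True
    - require:
      - pkg: Install wireguard tools
    - watch:
      - file: configure wireguard interface
```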