.

2021-10-12 15:00:09 +02:00 · 2021-10-12 15:00:09 +02:00 · fcdda55ed9
commit fcdda55ed9
parent 1a6f230702
6 changed files with 59 additions and 0 deletions
--- a/salt/pillars/top.sls
+++ b/salt/pillars/top.sls
@ -7,6 +7,7 @@ base:
    - docker
    - remote-desktop
    - ssh
    - wireguard
 {% if salt['pillar.file_exists']('local.sls') %}
    - local
 {% endif %}
--- a/salt/pillars/wireguard.sls
+++ b/salt/pillars/wireguard.sls
@ -0,0 +1,9 @@
 wireguard:
  iface: wg-vpn
  address: 172.20.1.1/24
  postup:
  postdown:
  port: 62666
  privatekey:
  publickey:
  peers: []
--- a/salt/states/firewalld/init.sls
+++ b/salt/states/firewalld/init.sls
@ -1,3 +1,9 @@
 Configure wireguard service:
  firewalld.service:
    - name: wireguard
    - ports:
      - {{ pillar['wireguard']['port'] }}/udp
 Configure firewalld for external interface:
  firewalld.present:
    - name: external
@ -10,6 +16,7 @@ Configure firewalld for external interface:
      - {{ pillar['network']['interface']['external'] }}
    - services:
      - ssh
      - wireguard
 Configure firewalld for internal network:
  firewalld.present:
@ -20,6 +27,7 @@ Configure firewalld for internal network:
    - prune_sources: True
    - interfaces:
      - {{ pillar['network']['interface']['internal'] }}
      - {{ pillar['wireguard']['iface'] }}
    - sources:
      - {{ pillar['network']['netaddress'] }}/{{ pillar['network']['netmask'] }}
    - services:
--- a/salt/states/top.sls
+++ b/salt/states/top.sls
@ -2,6 +2,7 @@ base:
  '*':
    - hostname
    - firewalld
    - ssh
    - chrony
    - atftp
    - dnsmasq
--- a/salt/states/wireguard/files/interface.conf.template
+++ b/salt/states/wireguard/files/interface.conf.template
@ -0,0 +1,14 @@
 [Interface]
 Address = {{ pillar['wireguard']['address'] }}
 PrivateKey = {{ pillar['wireguard']['privatekey'] }}
 ListenPort = {{ pillar['wireguard']['port'] }}
 PostUp = iptables -A FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE
 PostDOWN = iptables -D FORWARD -i {{ pillar['wireguard']['iface'] }} -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ pillar['network']['interface']['internal'] }} -j MASQUERADE
 {% for peer in pillar['wireguard']['peers'] -%}
 [peer]
 PublicKey = {{ peer['publickey'] }}
 PresharedKey = {{ peer['presharedkey'] }}
 AllowedIPs = {{ peer['allowedips'] }}
 {% endfor %}
--- a/salt/states/wireguard/init.sls
+++ b/salt/states/wireguard/init.sls
@ -0,0 +1,26 @@
 Install wireguard tools:
  pkg.installed:
    - name: wireguard-tools
 {% if pillar['wireguard']['privatekey'] %}
 configure wireguard interface:
  file.managed:
    - name: /etc/wireguard/{{ pillar['wireguard']['iface'] }}.conf
    - source: salt://wireguard/files/interface.conf.template
    - template: jinja
    - user: root
    - group: root
    - mode: "0600"
 stop wireguard interface:
  cmd.run:
    - name: wg-quick down {{ pillar['wireguard']['iface'] }}
    - onlyif: wg show {{ pillar['wireguard']['iface'] }}
    - onchanges:
      - file: configure wireguard interface
 start wireguard interface:
  cmd.run:
    - name: wg-quick up {{ pillar['wireguard']['iface'] }}
    - unless: wg show {{ pillar['wireguard']['iface'] }}
 {% endif %}