3 files changed, 43 insertions, 0 deletions
diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp
new file mode 100644
index 0000000..ad1b081
--- /dev/null
+++ b/modules/profile/manifests/wireguard.pp
@@ -0,0 +1,29 @@
+class profile::wireguard (
+) {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+  ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
+  ensure_packages(["wireguard-tools", "wireguard-dkms"])
+  $host = $facts["ldapvar"]["self"]
+  if has_key($host["vars"], "wireguard_ip") {
+    $ips = $host["vars"]["wireguard_ip"]
+  } else {
+    $ips = []
+  }
+  $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
+  file { "/etc/wireguard/network.conf":
+    ensure  => "file",
+    mode    => "0600",
+    content => template("profile/wireguard/network.conf.erb"),
+    require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
+  }
+  ->
+  service { "wg-quick@network":
+    ensure => "running",
+    enable => true,
+  }
+}
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb
new file mode 100644
index 0000000..0528050
--- /dev/null
+++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -0,0 +1,13 @@
+[Interface]
+<%- @ips.each do |ip| %>
+Address = <%= ip %>
+<% end -%>
+PrivateKey = <%= @private_key %>
+<%- @facts["ldapvar"]["other"].each do |host| -%>
+<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
+[Peer]
+PublicKey = host["vars"]["wireguard_public"][0]
+<% end -%>
+<%- end -%>
diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp
index ec12d75..bf4afe7 100644
--- a/modules/role/manifests/file_store.pp
+++ b/modules/role/manifests/file_store.pp
@@ -8,6 +8,7 @@ class role::file_store (
  include "profile::tools"
  include "profile::monitoring"
  include "profile::kerberos::client"
+  include "profile::wireguard"
  unless empty($mountpoint) {
    class { "::nfs":

diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp new file mode 100644 index 0000000..ad1b081 --- /dev/null +++ b/modules/profile/manifests/wireguard.pp
@@ -0,0 +1,29 @@
		1	class profile::wireguard (
		2	) {
		3	$password_seed = lookup("base_installation::puppet_pass_seed")
		4
		5	ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
		6	ensure_packages(["wireguard-tools", "wireguard-dkms"])
		7
		8	$host = $facts["ldapvar"]["self"]
		9	if has_key($host["vars"], "wireguard_ip") {
		10	$ips = $host["vars"]["wireguard_ip"]
		11	} else {
		12	$ips = []
		13	}
		14
		15	$private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
		16
		17	file { "/etc/wireguard/network.conf":
		18	ensure => "file",
		19	mode => "0600",
		20	content => template("profile/wireguard/network.conf.erb"),
		21	require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
		22	}
		23	->
		24	service { "wg-quick@network":
		25	ensure => "running",
		26	enable => true,
		27	}
		28
		29	}


diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb new file mode 100644 index 0000000..0528050 --- /dev/null +++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -0,0 +1,13 @@
		1	[Interface]
		2	<%- @ips.each do \|ip\| %>
		3	Address = <%= ip %>
		4	<% end -%>
		5	PrivateKey = <%= @private_key %>
		6
		7	<%- @facts["ldapvar"]["other"].each do \|host\| -%>
		8	<%- if (host["vars"]["wireguard_public"] \|\| []).count > 0 %>
		9	[Peer]
		10	PublicKey = host["vars"]["wireguard_public"][0]
		11
		12	<% end -%>
		13	<%- end -%>


diff --git a/modules/role/manifests/file_store.pp b/modules/role/manifests/file_store.pp index ec12d75..bf4afe7 100644 --- a/modules/role/manifests/file_store.pp +++ b/modules/role/manifests/file_store.pp
@@ -8,6 +8,7 @@ class role::file_store (
8	include "profile::tools"	8	include "profile::tools"
9	include "profile::monitoring"	9	include "profile::monitoring"
10	include "profile::kerberos::client"	10	include "profile::kerberos::client"
		11	include "profile::wireguard"
11		12
12	unless empty($mountpoint) {	13	unless empty($mountpoint) {
13	class { "::nfs":	14	class { "::nfs":