4 files changed, 78 insertions, 0 deletions

diff --git a/modules/profile/files/kerberos/krb5_client.conf b/modules/profile/files/kerberos/krb5_client.conf
new file mode 100644
index 0000000..3fce983
--- /dev/null
+++ b/modules/profile/files/kerberos/krb5_client.conf
@@ -0,0 +1,12 @@
+[libdefaults]
+  default_realm = IMMAE.EU
+
+[realms]
+  IMMAE.EU = {
+    kdc = kerberos.immae.eu
+    admin_server = kerberos.immae.eu
+  }
+
+[domain_realm]
+  immae.eu = IMMAE.EU
+  .immae.eu = IMMAE.EU
diff --git a/modules/profile/manifests/kerberos/client.pp b/modules/profile/manifests/kerberos/client.pp
new file mode 100644
index 0000000..1f1f2cd
--- /dev/null
+++ b/modules/profile/manifests/kerberos/client.pp
@@ -0,0 +1,7 @@
+class profile::kerberos::client {
+  ensure_packages(["krb5", "cyrus-sasl-gssapi"])
+
+  file { "/etc/krb5.conf":
+    source => "puppet:///modules/profile/kerberos/krb5_client.conf"
+  }
+}
diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp
new file mode 100644
index 0000000..829f82d
--- /dev/null
+++ b/modules/profile/manifests/wireguard.pp
@@ -0,0 +1,40 @@
+class profile::wireguard (
+) {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
+  ensure_packages(["wireguard-tools", "wireguard-dkms"])
+
+  $host = $facts["ldapvar"]["self"]
+  if has_key($host["vars"], "wireguard_ip") {
+    $ips = $host["vars"]["wireguard_ip"]
+  } else {
+    $ips = []
+  }
+
+  $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
+
+  if file("/usr/bin/wg", "/dev/null") != "" {
+    $puppet_notifies_path = lookup("base_installation::puppet_notifies_path")
+    $public_key = generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")
+    concat::fragment { "host_ldap add wireguard":
+      target  => "$puppet_notifies_path/host_ldap.info",
+      content => "puppetVar: wireguard_public=$public_key",
+      order   => "00-80"
+    }
+  }
+
+  file { "/etc/wireguard/network.conf":
+    ensure  => "file",
+    mode    => "0600",
+    content => template("profile/wireguard/network.conf.erb"),
+    require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
+    notify  => Service["wg-quick@network"],
+  }
+  ->
+  service { "wg-quick@network":
+    ensure => "running",
+    enable => true,
+  }
+
+}
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb
new file mode 100644
index 0000000..5327dfd
--- /dev/null
+++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -0,0 +1,19 @@
+[Interface]
+<%- @ips.each do |ip| -%>
+Address = <%= ip %>
+<%- end -%>
+PrivateKey = <%= @private_key %>
+ListenPort = 51820
+
+<%- @facts["ldapvar"]["other"].each do |host| -%>
+<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
+[Peer]
+# <%= host["vars"]["real_hostname"][0] %>
+PublicKey = <%= host["vars"]["wireguard_public"][0] %>
+<%- if (host["vars"]["wireguard_ip"] || []).count > 0 -%>
+AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %>
+<%- end -%>
+Endpoint = <%= host["vars"]["real_hostname"][0] %>:51820
+
+<% end -%>
+<%- end -%>