From 9fcc3f8faac4a24fb97fff87a4a49bf362967fa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Mon, 13 Aug 2018 01:12:20 +0200
Subject: Add kerberos client profile

---
 modules/profile/files/kerberos/krb5_client.conf | 12 ++++++++++++
 modules/profile/manifests/kerberos/client.pp    |  7 +++++++
 2 files changed, 19 insertions(+)
 create mode 100644 modules/profile/files/kerberos/krb5_client.conf
 create mode 100644 modules/profile/manifests/kerberos/client.pp


diff --git a/modules/profile/files/kerberos/krb5_client.conf b/modules/profile/files/kerberos/krb5_client.conf
new file mode 100644
index 0000000..3fce983
--- /dev/null
+++ b/modules/profile/files/kerberos/krb5_client.conf
@@ -0,0 +1,12 @@
+[libdefaults]
+  default_realm = IMMAE.EU
+
+[realms]
+  IMMAE.EU = {
+    kdc = kerberos.immae.eu
+    admin_server = kerberos.immae.eu
+  }
+
+[domain_realm]
+  immae.eu = IMMAE.EU
+  .immae.eu = IMMAE.EU
diff --git a/modules/profile/manifests/kerberos/client.pp b/modules/profile/manifests/kerberos/client.pp
new file mode 100644
index 0000000..1f1f2cd
--- /dev/null
+++ b/modules/profile/manifests/kerberos/client.pp
@@ -0,0 +1,7 @@
+class profile::kerberos::client {
+  ensure_packages(["krb5", "cyrus-sasl-gssapi"])
+
+  file { "/etc/krb5.conf":
+    source => "puppet:///modules/profile/kerberos/krb5_client.conf"
+  }
+}
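Review bot: The `file { "/etc/krb5.conf": ... }` resource at the end of the hunk declares only `source`, so it has no `ensure`, no explicit `mode`, and no relationship to the `krb5` package installed two lines above it; if that package ships its own `/etc/krb5.conf`, nothing in this class fixes the order in which the two resources apply. Consider `ensure => "file", mode => "0644", require => Package["krb5"],` so the file is managed after the package and is explicitly world-readable, which Kerberos client libraries running as unprivileged users need. A one-line header comment on the class would also help, e.g. `# Kerberos client: installs krb5 + SASL GSSAPI and deploys the IMMAE.EU client config.`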


From 7f8c632757246813c0a9fdbf0c26ef036ff396be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Tue, 14 Aug 2018 19:23:47 +0200
Subject: Add wireguard profile

---
 modules/profile/manifests/wireguard.pp             | 29 ++++++++++++++++++++++
 .../profile/templates/wireguard/network.conf.erb   | 13 ++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 modules/profile/manifests/wireguard.pp
 create mode 100644 modules/profile/templates/wireguard/network.conf.erb


diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp
new file mode 100644
index 0000000..ad1b081
--- /dev/null
+++ b/modules/profile/manifests/wireguard.pp
@@ -0,0 +1,29 @@
+class profile::wireguard (
+) {
+  $password_seed = lookup("base_installation::puppet_pass_seed")
+
+  ensure_packages(["linux-headers"], { before => Package["wireguard-dkms"] })
+  ensure_packages(["wireguard-tools", "wireguard-dkms"])
+
+  $host = $facts["ldapvar"]["self"]
+  if has_key($host["vars"], "wireguard_ip") {
+    $ips = $host["vars"]["wireguard_ip"]
+  } else {
+    $ips = []
+  }
+
+  $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
+
+  file { "/etc/wireguard/network.conf":
+    ensure  => "file",
+    mode    => "0600",
+    content => template("profile/wireguard/network.conf.erb"),
+    require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
+  }
+  ->
+  service { "wg-quick@network":
+    ensure => "running",
+    enable => true,
+  }
+
+}
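Review bot: The interface private key at `$private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)` is derived from `base_installation::puppet_pass_seed`, so — assuming generate_password is deterministic in its inputs, as its use here implies — whoever holds the seed can reproduce every host's WireGuard private key; that should be stated on the line, e.g. `# Derived from the shared puppet_pass_seed: the seed must be protected like a WireGuard private key.` The key is also rendered into the catalog through `content => template(...)`, so a changed key will show up in agent diffs and reports; add `show_diff => false,` to the `/etc/wireguard/network.conf` resource to keep it out of logs. The `$ips = []` fallback silently produces an `[Interface]` section with no `Address`, which is unlikely to be a working configuration; consider `fail()`ing or at least emitting a warning when `wireguard_ip` is absent from the host's LDAP vars rather than applying it.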
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb
new file mode 100644
index 0000000..0528050
--- /dev/null
+++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -0,0 +1,13 @@
+[Interface]
+<%- @ips.each do |ip| %>
+Address = <%= ip %>
+<% end -%>
+PrivateKey = <%= @private_key %>
+
+<%- @facts["ldapvar"]["other"].each do |host| -%>
+<%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
+[Peer]
+PublicKey = host["vars"]["wireguard_public"][0]
+
+<% end -%>
+<%- end -%>
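Review bot: `PublicKey = host["vars"]["wireguard_public"][0]` lacks the `<%= ... %>` output tag, so the rendered file contains the literal Ruby expression instead of the peer's key (the third commit of this series, "Add wireguard to host_ldap", corrects it). Each `[Peer]` emitted here also carries no `AllowedIPs` and no `Endpoint`, so the peer can neither be routed to nor contacted; that commit adds both as well. The loop assumes every entry of `@facts["ldapvar"]["other"]` has a `"vars"` hash — a host without it makes `host["vars"]["wireguard_public"]` raise on nil and aborts the whole render — so a guard such as `<%- next unless host["vars"] -%>` at the top of the loop body would make the template tolerate partially populated LDAP entries.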


From cfad76106ad85e170c08a196e7e365a78293aa7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= <ismael.bouya@normalesup.org>
Date: Fri, 17 Aug 2018 12:51:55 +0200
Subject: Add wireguard to host_ldap

---
 modules/profile/manifests/wireguard.pp               | 11 +++++++++++
 modules/profile/templates/wireguard/network.conf.erb | 12 +++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)


diff --git a/modules/profile/manifests/wireguard.pp b/modules/profile/manifests/wireguard.pp
index ad1b081..829f82d 100644
--- a/modules/profile/manifests/wireguard.pp
+++ b/modules/profile/manifests/wireguard.pp
@@ -14,11 +14,22 @@ class profile::wireguard (
 
   $private_key = generate_password(32, $password_seed, "wireguard", "curve25519", true)
 
+  if file("/usr/bin/wg", "/dev/null") != "" {
+    $puppet_notifies_path = lookup("base_installation::puppet_notifies_path")
+    $public_key = generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")
+    concat::fragment { "host_ldap add wireguard":
+      target  => "$puppet_notifies_path/host_ldap.info",
+      content => "puppetVar: wireguard_public=$public_key",
+      order   => "00-80"
+    }
+  }
+
   file { "/etc/wireguard/network.conf":
     ensure  => "file",
     mode    => "0600",
     content => template("profile/wireguard/network.conf.erb"),
     require => [Package["wireguard-tools"], Package["wireguard-dkms"]],
+    notify  => Service["wg-quick@network"],
   }
   ->
   service { "wg-quick@network":
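Review bot: `generate("/usr/bin/bash", "-c", "echo $private_key | /usr/bin/wg pubkey")` interpolates the private key into a command line, and `generate()` runs on the Puppet master at compile time, so the key is readable in the master's process table by every local user for the lifetime of that bash process. Since `wg pubkey` reads only stdin there is no way to hand it the secret through `generate()` without this exposure; document that with a comment such as `# NOTE: generate() runs on the master and puts the private key in argv — acceptable only on a single-user master.` and consider deriving the public key on the agent instead. `$private_key` is also unquoted inside the `bash -c` string, so `"echo '$private_key' | /usr/bin/wg pubkey"` is safer should the generated string ever contain shell metacharacters. `wg pubkey` prints a trailing newline, which `generate()` presumably returns as part of `$public_key`, so `content => "puppetVar: wireguard_public=$public_key"` would carry an embedded newline into host_ldap.info; wrapping it with stdlib's `chomp()` (the module already relies on stdlib's `ensure_packages`/`has_key`) avoids that. The enclosing class `profile::wireguard` begins before this hunk.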
diff --git a/modules/profile/templates/wireguard/network.conf.erb b/modules/profile/templates/wireguard/network.conf.erb
index 0528050..5327dfd 100644
--- a/modules/profile/templates/wireguard/network.conf.erb
+++ b/modules/profile/templates/wireguard/network.conf.erb
@@ -1,13 +1,19 @@
 [Interface]
-<%- @ips.each do |ip| %>
+<%- @ips.each do |ip| -%>
 Address = <%= ip %>
-<% end -%>
+<%- end -%>
 PrivateKey = <%= @private_key %>
+ListenPort = 51820
 
 <%- @facts["ldapvar"]["other"].each do |host| -%>
 <%- if (host["vars"]["wireguard_public"] || []).count > 0 %>
 [Peer]
-PublicKey = host["vars"]["wireguard_public"][0]
+# <%= host["vars"]["real_hostname"][0] %>
+PublicKey = <%= host["vars"]["wireguard_public"][0] %>
+<%- if (host["vars"]["wireguard_ip"] || []).count > 0 -%>
+AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %>
+<%- end -%>
+Endpoint = <%= host["vars"]["real_hostname"][0] %>:51820
 
 <% end -%>
 <%- end -%>
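Review bot: `AllowedIps = <%= host["vars"]["wireguard_ip"].join(", ").gsub /\/\d+/, "/32" %>` rewrites every prefix length to /32, which is only correct for IPv4; an IPv6 entry in `wireguard_ip` would end up with a /32 that admits a huge range rather than a single host, so either restrict the rewrite to IPv4 entries or map addresses containing `:` to /128 (and write the call as `.gsub(%r{/\d+}, "/32")` to avoid Ruby's ambiguous-argument warning). The key is spelled `AllowedIps` while WireGuard documents it as `AllowedIPs`; the wg config parser appears to match keys case-insensitively, but the canonical spelling avoids depending on that. `AllowedIPs` is WireGuard's cryptokey-routing ACL and is filled here from each peer's own LDAP `wireguard_ip` vars, which the manifest change in this commit apparently lets each host publish for itself, so any host able to write its LDAP entry can claim another host's tunnel address; a comment on this line stating that write access to these LDAP vars equals control over mesh routing would make that trust boundary explicit. `host["vars"]["real_hostname"][0]` is dereferenced twice without the `|| []` guard used for the other vars, so a peer lacking `real_hostname` aborts the entire render.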