Puppet Class: wireguard

Defined in:
manifests/init.pp

Summary

manages the wireguard package

Overview

Parameters:

  • manage_package (Boolean) (defaults to: true)

    if the package should be managed or not

  • package_name (String[1]) (defaults to: 'wireguard-tools')

    the name of the package

  • package_ensure (Enum['installed', 'latest', 'absent']) (defaults to: 'installed')

    the ensure state of the package

  • config_directory (Stdlib::Absolutepath) (defaults to: '/etc/wireguard')

    the path to the wireguard directory

  • purge_unknown_keys (Boolean) (defaults to: true)

    by default Puppet will purge unknown wireguard keys from `$config_directory`

  • interfaces (Hash[String[1], Any]) (defaults to: {})

    hash of interfaces to create. Provides hiera integration.

  • default_allowlist (Array[Stdlib::IP::Address]) (defaults to: ['fe80::/64', 'fd00::/8', '0.0.0.0/0'])

    array of allowed IP ranges for interfaces. Can be overridden for individual interfaces. Note that the default includes '0.0.0.0/0', which matches every IPv4 address.

Author:

  • Tim Meusel <tim@bastelfreak.de>



# File 'manifests/init.pp', line 14

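# @summary manages the wireguard package, its configuration directory and
#   the interfaces declared through the `interfaces` hash
#
# @param manage_package if the package should be managed or not
# @param package_name the name of the package
# @param package_ensure the ensure state of the package
# @param config_directory the path to the wireguard directory
# @param purge_unknown_keys when true, files in `$config_directory` that are
#   not managed by Puppet are purged
# @param interfaces hash of interfaces to create. Provides hiera integration.
# @param default_allowlist array of allowed IP ranges for interfaces. Can be
#   overridden for individual interfaces
class wireguard (
  Boolean $manage_package = true,
  String[1] $package_name = 'wireguard-tools',
  # 'latest' installs whatever version the configured repository offers on
  # each run; keep 'installed' where a reviewed, reproducible version matters.
  Enum['installed', 'latest', 'absent'] $package_ensure = 'installed',
  Stdlib::Absolutepath $config_directory = '/etc/wireguard',
  Boolean $purge_unknown_keys = true,
  # Values are typed `Any`; this class passes them through unchecked.
  # NOTE(review): presumably wireguard::interface validates them -- confirm.
  Hash[String[1], Any] $interfaces = {},
  # The default contains '0.0.0.0/0', which matches every IPv4 address.
  # Not referenced in this class body; presumably read by
  # wireguard::interface -- confirm there and narrow it where possible.
  Array[Stdlib::IP::Address] $default_allowlist = ['fe80::/64', 'fd00::/8', '0.0.0.0/0'],
) {
  if $manage_package {
    # Honour $package_name and $package_ensure. The resource title and the
    # ensure value were hard-coded before, so both parameters were ignored
    # and the Package[$package_name] reference below could not resolve for
    # any non-default package name.
    package { $package_name:
      ensure => $package_ensure,
    }
    Package[$package_name] -> File[$config_directory]
  }

  # Removing the package also requests removal of the directory.
  # NOTE(review): Puppet's file type does not delete a directory on
  # `ensure => absent` unless `force` is set -- confirm the intended result.
  $_file_ensure = $package_ensure ? {
    'absent' => 'absent',
    default  => 'directory',
  }

  # The splat attribute (`* =>`) needs a Hash, so "no extra attributes" is
  # expressed as an empty hash rather than undef.
  $options = $purge_unknown_keys ? {
    true    => { recurse => true, purge => true },
    default => {},
  }

  # created by the package, but with different permissions
  # 0750 root:systemd-network gives other users no access to the directory;
  # members of the systemd-network group can list and traverse it.
  # NOTE(review): private key files need their own restrictive mode where
  # they are created; the mode here applies to the directory itself.
  file { $config_directory:
    ensure => $_file_ensure,
    owner  => 'root',
    mode   => '0750',
    group  => 'systemd-network',
    *      => $options,
  }

  # One wireguard::interface per hash entry; the key becomes the resource
  # title and the value hash is splatted in as its attributes.
  $interfaces.each |$interfacename, $interfaceattributes| {
    wireguard::interface { $interfacename:
      * => $interfaceattributes,
    }
  }
}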