voxpupuli · stuartrobert · Mar 5, 2025 · Mar 5, 2025 · Mar 5, 2025 · May 8, 2025
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -33,6 +33,7 @@ manages the wireguard package
 
 The following parameters are available in the `wireguard` class:
 
+* [`config_directory_group`](#-wireguard--config_directory_group)
 * [`manage_package`](#-wireguard--manage_package)
 * [`package_name`](#-wireguard--package_name)
 * [`package_ensure`](#-wireguard--package_ensure)
@@ -41,6 +42,12 @@ The following parameters are available in the `wireguard` class:
 * [`interfaces`](#-wireguard--interfaces)
 * [`default_allowlist`](#-wireguard--default_allowlist)
 
+##### <a name="-wireguard--config_directory_group"></a>`config_directory_group`
+
+Data type: `String`
+
+specify the group on `$config_directory`
+
 ##### <a name="-wireguard--manage_package"></a>`manage_package`
 
 Data type: `Boolean`

diff --git a/data/common.yaml b/data/common.yaml
@@ -0,0 +1,3 @@
+---
+
+wireguard::config_directory_group: 'systemd-network'
diff --git a/data/os/RedHat.yaml b/data/os/RedHat.yaml
@@ -0,0 +1,3 @@
+---
+
+wireguard::config_directory_group: 'root'
diff --git a/hiera.yaml b/hiera.yaml
@@ -0,0 +1,13 @@
+---
+version: 5
+
+defaults:  # Used for any hierarchy level that omits these keys.
+  datadir: data         # This path is relative to hiera.yaml's directory.
+  data_hash: yaml_data  # Use the built-in YAML backend.
+
+hierarchy:
+  - name: "osfamily"
+    paths:
+      - "os/%{facts.os.family}.yaml"
+  - name: 'common'
+    path: 'common.yaml'
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -1,6 +1,7 @@
 #
 # @summary manages the wireguard package
 #
+# @param config_directory_group specify the group on `$config_directory`
 # @param manage_package if the package should be managed or not
 # @param package_name the name of the package
 # @param package_ensure the ensure state of the package
@@ -12,6 +13,7 @@
 # @author Tim Meusel <tim@bastelfreak.de>
 #
 class wireguard (
+  String $config_directory_group,
   Boolean $manage_package = true,
   String[1] $package_name = 'wireguard-tools',
   Enum['installed', 'latest', 'absent'] $package_ensure = 'installed',
@@ -40,7 +42,7 @@
     ensure => $_file_ensure,
     owner  => 'root',
     mode   => '0750',
-    group  => 'systemd-network',
+    group  => $config_directory_group,
     *      => $options,
   }
 

diff --git a/manifests/interface.pp b/manifests/interface.pp
@@ -270,7 +270,7 @@
       ensure  => 'file',
       content => $private_key,
       owner   => 'root',
-      group   => 'systemd-network',
+      group   => $wireguard::config_directory_group,
       mode    => '0640',
       notify  => Exec["generate public key ${interface}"],
     }
@@ -287,7 +287,7 @@
     file { $private_key_path:
       ensure => 'file',
       owner  => 'root',
-      group  => 'systemd-network',
+      group  => $wireguard::config_directory_group,
       mode   => '0640',
     }
   }
@@ -303,7 +303,7 @@
     ensure  => 'file',
     owner   => 'root',
     group   => 'root',
-    mode    => '0600',
+    mode    => '0644',
     require => Exec["generate public key ${interface}"],
   }
 

diff --git a/manifests/provider/systemd.pp b/manifests/provider/systemd.pp
@@ -38,7 +38,7 @@
     owner           => 'root',
     group           => 'systemd-network',
     mode            => '0440',
-    require         => File["/etc/wireguard/${interface}"],
+    require         => File["${wireguard::config_directory}/${interface}"],
   }
 
   $network_epp_params = {

diff --git a/manifests/provider/wgquick.pp b/manifests/provider/wgquick.pp
@@ -32,10 +32,11 @@
     'default_allowlist' => $default_allowlist,
   }
 
-  file { "/etc/wireguard/${interface}.conf":
+  file { "${wireguard::config_directory}/${interface}.conf":
     ensure  => $ensure,
     content => epp("${module_name}/wireguard_conf.epp", $params),
     owner   => 'root',
-    mode    => '0600',
+    group   => $wireguard::config_directory_group,
+    mode    => '0640',
   }
 }
diff --git a/metadata.json b/metadata.json
@@ -1,4 +1,4 @@
 {
  "name": "puppet-wireguard",
  "version": "4.1.1-rc0",
  "author": "Vox Pupuli",
@@ -44,6 +44,12 @@
         "11",
         "12"
       ]
+    },
+    {
+      "operatingsystem": "RedHat",
+      "operatingsystemrelease": [
+        "9"
+      ]
     }
   ],
   "requirements": [
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		---

		wireguard::config_directory_group: 'systemd-network'
Copy link Member bastelfreak May 8, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. has redhat no equivalent group? Copy link Author stuartrobert May 10, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others. Learn more. Not out of the box. The systemd-network group is only created if you install systemd-networkd. The RHEL 9 docs don't even mention any configuration using networkctl - here is the RHEL 9 networking documentation (free to access): https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/configuring_and_managing_networking/index On RHEL 9 wireguard-tools only requires that systemd-resolved be installed that is "extra" (ie not systemd-networkd). The default ownership on /etc/wireguard is root/root with mode 0700. Looking at some old bugzilla reports, Redhat didn't want to support systemd-networkd for RHEL 8 and perhaps RHEL 9, but I've struggled to find mention of it in RHEL 9 docs.