Add cloud-router configuration templates and scripts

- Introduced debian templates for cloud-router configuration parameters. - Added simple-ca.sh script for managing a minimal Certificate Authority (CA) for IKEv2 PKI. - Created sysctl configuration to enable IP forwarding and adjust rp_filter settings. - Implemented configure script to render configuration files using Jinja2 templates. - Added simple-ca script for generating CA and certificates. - Created Jinja2 templates for various configuration files including netplan, strongSwan, and WireGuard. - Implemented UFW rules setup for IPsec and WireGuard. - Added support for road-warrior and site-to-site VPN configurations.
2026-05-27 00:33:07 +02:00
parent db78066d5c
commit 3c665c2b6c
22 changed files with 1676 additions and 0 deletions
@@ -0,0 +1,5 @@
+cloud-router (1.0.0-1) unstable; urgency=medium
+
+  * Initial release.
+
+ -- Sławomir Koszewski <slawek@koszewscy.waw.pl>  Tue, 26 May 2026 00:00:00 +0200
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+. /usr/share/debconf/confmodule
+
+db_input high cloud-router/local_addrs || true
+db_input high cloud-router/local_fqdn || true
+db_input high cloud-router/local_id_mode || true
+db_input high cloud-router/local_cidrs || true
+db_input high cloud-router/remote_addrs || true
+db_input high cloud-router/remote_id || true
+db_input high cloud-router/psk || true
+db_input high cloud-router/remote_cidrs || true
+db_input high cloud-router/router_int_gateway_ip || true
+db_input high cloud-router/p2s_address_pool || true
+db_input high cloud-router/wg_enabled || true
+db_go || true
+
+db_get cloud-router/wg_enabled
+if [ "$RET" = "true" ]; then
+    db_input high cloud-router/wg_address || true
+    db_input high cloud-router/wg_listen_port || true
+    db_go || true
+fi
@@ -0,0 +1,29 @@
+Source: cloud-router
+Section: net
+Priority: optional
+Maintainer: Sławomir Koszewski <slawek@koszewscy.waw.pl>
+Build-Depends: debhelper-compat (= 14)
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+
+Package: cloud-router
+Architecture: all
+Depends: ${misc:Depends},
+         strongswan-swanctl,
+         charon-systemd,
+         libstrongswan-extra-plugins,
+         libcharon-extra-plugins,
+         wireguard-tools,
+         ufw,
+         debconf,
+         openssl,
+         python3-jinja2
+Description: Linux cloud router with IPSec and optional WireGuard
+ Configures a Linux host as a cloud router providing site-to-site IKEv2
+ IPSec (strongSwan swanctl) and road-warrior P2S VPN (EAP-TLS). WireGuard
+ is optionally enabled. Includes a PKI helper library (simple-ca.sh) for
+ managing the road-warrior certificate authority.
+ .
+ Site-specific values are collected via debconf at install time and written
+ to /etc/default/cloud-router. A one-shot systemd service (cloud-router-setup)
+ applies UFW rules and WireGuard keys on first boot.
@@ -0,0 +1,28 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: cloud-router
+Upstream-Contact: Sławomir Koszewski <slawek@koszewscy.waw.pl>
+
+Files: *
+Copyright: 2026 Sławomir Koszewski
+License: MIT
+
+License: MIT
+ MIT License
+ .
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
@@ -0,0 +1,10 @@
+etc/cloud-router
+etc/cloud-router/pki
+etc/wireguard
+etc/swanctl/conf.d
+etc/swanctl/x509ca
+etc/swanctl/x509
+etc/swanctl/private
+etc/systemd/resolved.conf.d
+usr/lib/cloud-router
+usr/share/cloud-router/templates
@@ -0,0 +1,4 @@
+src/etc/sysctl.d/99-cloud-router.conf             etc/sysctl.d/
+src/usr/local/sbin/simple-ca                      usr/local/sbin/
+src/usr/lib/cloud-router/configure                usr/lib/cloud-router/
+src/usr/share/cloud-router/templates/*            usr/share/cloud-router/templates/
@@ -0,0 +1,53 @@
+#!/bin/sh
+set -e
+. /usr/share/debconf/confmodule
+
+case "$1" in
+    configure)
+        # ── Read debconf answers ──────────────────────────────────────────────
+        db_get cloud-router/local_addrs;           CLOUD_ROUTER_LOCAL_ADDRS="$RET"
+        db_get cloud-router/local_fqdn;            CLOUD_ROUTER_LOCAL_FQDN="$RET"
+        db_get cloud-router/local_id_mode;         CLOUD_ROUTER_LOCAL_ID_MODE="$RET"
+        db_get cloud-router/local_cidrs;           CLOUD_ROUTER_LOCAL_CIDRS="$RET"
+        db_get cloud-router/remote_addrs;          CLOUD_ROUTER_REMOTE_ADDRS="$RET"
+        db_get cloud-router/remote_id;             CLOUD_ROUTER_REMOTE_ID="$RET"
+        db_get cloud-router/psk;                   CLOUD_ROUTER_PSK="$RET"
+        db_get cloud-router/remote_cidrs;          CLOUD_ROUTER_REMOTE_CIDRS="$RET"
+        db_get cloud-router/router_int_gateway_ip; CLOUD_ROUTER_ROUTER_INT_GATEWAY_IP="$RET"
+        db_get cloud-router/p2s_address_pool;      CLOUD_ROUTER_P2S_ADDRESS_POOL="$RET"
+        db_get cloud-router/wg_enabled;            CLOUD_ROUTER_WG_ENABLED="$RET"
+        db_get cloud-router/wg_address;            CLOUD_ROUTER_WG_ADDRESS="$RET"
+        db_get cloud-router/wg_listen_port;        CLOUD_ROUTER_WG_LISTEN_PORT="$RET"
+
+        # ── Render configuration files via Jinja2 templates ─────────────────
+        export CLOUD_ROUTER_LOCAL_ADDRS CLOUD_ROUTER_LOCAL_FQDN \
+               CLOUD_ROUTER_LOCAL_ID_MODE CLOUD_ROUTER_LOCAL_CIDRS \
+               CLOUD_ROUTER_REMOTE_ADDRS CLOUD_ROUTER_REMOTE_ID \
+               CLOUD_ROUTER_PSK CLOUD_ROUTER_REMOTE_CIDRS \
+               CLOUD_ROUTER_ROUTER_INT_GATEWAY_IP CLOUD_ROUTER_P2S_ADDRESS_POOL \
+               CLOUD_ROUTER_WG_ENABLED CLOUD_ROUTER_WG_ADDRESS \
+               CLOUD_ROUTER_WG_LISTEN_PORT
+
+        /usr/lib/cloud-router/configure
+
+        db_set cloud-router/psk ""
+
+        # ── Apply system settings ─────────────────────────────────────────────
+        sysctl --system
+        netplan apply
+        systemctl daemon-reload
+        systemctl restart systemd-resolved
+
+        # ── UFW: ensure SSH is allowed then enable ────────────────────────────
+        ufw allow 22/tcp
+        ufw --force enable
+        ufw reload
+
+        # ── strongSwan ────────────────────────────────────────────────────────
+        systemctl enable --now strongswan
+        ;;
+esac
+
+#DEBHELPER#
+
+db_stop
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+
+case "$1" in
+    remove|deconfigure)
+        systemctl disable --now strongswan || true
+        ;;
+esac
+
+#DEBHELPER#
@@ -0,0 +1,3 @@
+#!/usr/bin/make -f
+%:
+	dh $@
@@ -0,0 +1,80 @@
+Template: cloud-router/local_addrs
+Type: string
+Description: Local WAN IP address(es)
+ Comma-separated list of local WAN IP addresses that strongSwan binds on
+ for the site-to-site and road-warrior tunnels (e.g. 10.1.2.3).
+
+Template: cloud-router/local_fqdn
+Type: string
+Description: Local router FQDN
+ Fully-qualified domain name of this router (e.g. router.example.com).
+ Used as the road-warrior server identity and certificate CN.
+
+Template: cloud-router/local_id_mode
+Type: select
+Choices: fqdn, public_ip, internal_ip
+Default: fqdn
+Description: IKE local identity mode
+ How to derive the IKE identity advertised to the remote site:
+  fqdn        — use the FQDN (default; requires matching on remote side)
+  public_ip   — resolve the public IP from DNS at first boot
+  internal_ip — use the local WAN IP address
+
+Template: cloud-router/local_cidrs
+Type: string
+Description: Local subnet CIDR(s)
+ Comma-separated list of local subnet CIDRs to advertise into the
+ site-to-site tunnel (e.g. 10.0.0.0/24 or 10.0.0.0/24,10.0.1.0/24).
+
+Template: cloud-router/remote_addrs
+Type: string
+Description: Remote site WAN IP address(es)
+ Comma-separated list of remote site WAN IP addresses for the
+ site-to-site IPSec tunnel.
+
+Template: cloud-router/remote_id
+Type: string
+Description: Remote site IKE identity
+ IKE identity of the remote peer (FQDN, without leading @).
+
+Template: cloud-router/psk
+Type: password
+Description: Pre-shared key (PSK)
+ Pre-shared key for the site-to-site IKEv2 tunnel. Must match the
+ value configured on the remote peer.
+
+Template: cloud-router/remote_cidrs
+Type: string
+Description: Remote subnet CIDR(s)
+ Comma-separated list of remote subnet CIDRs for the site-to-site
+ tunnel (e.g. 192.168.0.0/24).
+
+Template: cloud-router/router_int_gateway_ip
+Type: string
+Description: Internal network gateway IP
+ IP address of the next-hop gateway on the internal NIC (eth1).
+ Used in the netplan route for the local subnet.
+
+Template: cloud-router/p2s_address_pool
+Type: string
+Description: Road-warrior address pool
+ CIDR block assigned to road-warrior VPN clients (e.g. 172.16.0.0/24).
+
+Template: cloud-router/wg_enabled
+Type: boolean
+Default: false
+Description: Enable WireGuard VPN?
+ If true, WireGuard is configured on wg0 and its UFW rules are installed.
+
+Template: cloud-router/wg_address
+Type: string
+Default: 10.0.1.1/24
+Description: WireGuard interface address
+ IP address and prefix length for the wg0 interface (e.g. 10.0.1.1/24).
+ Only used when WireGuard is enabled.
+
+Template: cloud-router/wg_listen_port
+Type: string
+Default: 51820
+Description: WireGuard listen port
+ UDP port that WireGuard listens on. Only used when WireGuard is enabled.