Add custom sections to systemd network

REFERENCE.md

@@ -187,6 +187,26 @@ wireguard::interface { 'wg0':
 }
 ```
 
+##### Peer with one node, setup dualstack firewall rules and RoutingPolicyRule
+
+```puppet
+wireguard::interface {'as2273':
+  source_addresses => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+  public_key       => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+  endpoint         => 'wg.example.com:53668',
+  addresses        => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
+  sections         => {
+    'RoutingPolicyRule' => [
+      {
+        'From'              => '10.0.0.0/24',
+        'Table'             => '1010',
+        'IncomingInterface' => 'as2273',
+      },
+    ],
+  },
+}
+```
+
 #### Parameters
 
 The following parameters are available in the `wireguard::interface` defined type:
@@ -208,6 +228,7 @@ The following parameters are available in the `wireguard::interface` defined typ
 * [`mtu`](#-wireguard--interface--mtu)
 * [`peers`](#-wireguard--interface--peers)
 * [`routes`](#-wireguard--interface--routes)
+* [`sections`](#-wireguard--interface--sections)
 * [`private_key`](#-wireguard--interface--private_key)
 * [`preshared_key`](#-wireguard--interface--preshared_key)
 * [`provider`](#-wireguard--interface--provider)
@@ -353,6 +374,14 @@ different routes for the systemd-networkd configuration
 
 Default value: `[]`
 
+##### <a name="-wireguard--interface--sections"></a>`sections`
+
+Data type: `Hash[String, Hash[Any, String]]`
+
+additional sections for the systemd-networkd configuration
+
+Default value: `{}`
+
 ##### <a name="-wireguard--interface--private_key"></a>`private_key`
 
 Data type: `Optional[String[1]]`

manifests/interface.pp

@@ -18,6 +18,7 @@
 # @param mtu configure the MTU (maximum transision unit) for the wireguard tunnel. By default linux will figure this out. You might need to lower it if you're connection through a DSL line. MTU needs to be equal on both tunnel endpoints
 # @param peers is an array of struct (Wireguard::Peers) for multiple peers
 # @param routes different routes for the systemd-networkd configuration
+# @param sections additional sections for the systemd-networkd configuration
 # @param private_key Define private key which should be used for this interface, if not provided a private key will be generated
 # @param preshared_key Define preshared key for the remote peer
 # @param provider The specific backend to use for this `wireguard::interface` resource
@@ -94,6 +95,23 @@
 #    addresses        => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
 #  }
 #
+# @example Peer with one node, setup dualstack firewall rules and RoutingPolicyRule
+#  wireguard::interface {'as2273':
+#    source_addresses => ['2003:4f8:c17:4cf::1', '149.9.255.4'],
+#    public_key       => 'BcxLll1BVxGQ5DeijroesjroiesjrjvX+EBhS4vcDn0R0=',
+#    endpoint         => 'wg.example.com:53668',
+#    addresses        => [{'Address' => '192.168.123.6/30',},{'Address' => 'fe80::beef:1/64'},],
+#    sections         => {
+#      'RoutingPolicyRule' => [
+#        {
+#          'From'              => '10.0.0.0/24',
+#          'Table'             => '1010',
+#          'IncomingInterface' => 'as2273',
+#        },
+#      ],
+#    },
+#  }
+#
 define wireguard::interface (
   Enum['present', 'absent'] $ensure = 'present',
   Wireguard::Peers $peers = [],
@@ -112,6 +130,7 @@
   Optional[Integer[1200, 9000]] $mtu = undef,
   Optional[String[1]] $public_key = undef,
   Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
+  Hash[String, Hash[Any, String]] $sections = {},
   Optional[String[1]] $private_key = undef,
   Optional[String[1]] $preshared_key = undef,
   Enum['systemd', 'wgquick'] $provider = 'systemd',
@@ -327,10 +346,15 @@
         description       => $description,
         mtu               => $mtu,
         routes            => $routes,
+        sections          => $sections,
         default_allowlist => $wireguard::default_allowlist,
       }
     }
     'wgquick': {
+      if !empty($sections) {
+        warning('Systemd sections are not supported by wgquick')
+      }
+
       wireguard::provider::wgquick { $interface :
         ensure            => $ensure,
         interface         => $interface,

manifests/provider/systemd.pp

@@ -12,6 +12,7 @@
   Optional[String[1]] $description = undef,
   Optional[Integer[1200, 9000]] $mtu = undef,
   Array[Hash[String[1], Variant[String[1], Boolean]]] $routes = [],
+  Hash[String, Hash[Any, String]] $sections = {},
   Array[Stdlib::IP::Address] $default_allowlist = [],
 ) {
   assert_private()
@@ -44,6 +45,7 @@
     'interface'       => $interface,
     'addresses'       => $addresses,
     'routes'          => $routes,
+    'sections'        => $sections,
   }
 
   systemd::network { "${interface}.network":

templates/network.epp

@@ -31,3 +31,11 @@ KeepConfiguration=yes
 <% } -%>
 <% } -%>
 
+<% $sections.each |$section_key, $section_value| { -%>
+<% $section_value.each |$section| { -%>
+[<%= $section_key %>]
+<% $section.each |$key, $value| { -%>
+<%= $key %>=<%= $value %>
+<% } -%>
+<% } -%>
+<% } -%>