]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/networking/recipes/default.rb
projects / chef.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Enable wireguard support on all machines that support it
[chef.git] / cookbooks / networking / recipes / default.rb
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 13fd2252bd849e9752cd51f4e36f3931411aa75e..4fc08a61bf8d043fc818b64f0883d4c99c4475dd 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -37,8 +37,6 @@ netplan = {
   }
 }
 
-node.rm_normal(:networking)
-
 node[:networking][:interfaces].each do |name, interface|
   if interface[:interface]
     if interface[:role] && (role = node[:networking][:roles][interface[:role]])
@@ -237,6 +235,12 @@ if node[:networking][:wireguard][:enabled]
         :endpoint => "#{gateway.name}:51820"
       }
     end
+
+    node.default[:networking][:wireguard][:peers] << {
+      :public_key => "7Oj9ufNlgidyH/xDc+aHQKMjJPqTmD/ab13agMh6AxA=",
+      :allowed_ips => "10.0.16.1/32",
+      :endpoint => "gate.compton.nu:51820"
+    }
   end
 
   template "/etc/systemd/network/wireguard.netdev" do
@@ -456,9 +460,15 @@ firewall_rule "limit-icmp-echo" do
 end
 
 if node[:networking][:wireguard][:enabled]
+  wireguard_source = if node[:roles].include?("gateway")
+                       "net"
+                     else
+                       "osm"
+                     end
+
   firewall_rule "accept-wireguard" do
     action :accept
-    source "osm"
+    source wireguard_source
     dest "fw"
     proto "udp"
     dest_ports "51820"
Chef configuration management public repo for configuring & maintaining the OpenStreetMap servers.