Enable wireguard support on all machines that support it

[chef.git] / cookbooks / networking / recipes / default.rb

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 116d90c726d19a769757871734bdcaf1212106f0..4fc08a61bf8d043fc818b64f0883d4c99c4475dd 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -460,9 +460,15 @@ firewall_rule "limit-icmp-echo" do
 end
 
 if node[:networking][:wireguard][:enabled]
+  wireguard_source = if node[:roles].include?("gateway")
+                       "net"
+                     else
+                       "osm"
+                     end
+
   firewall_rule "accept-wireguard" do
     action :accept
-    source "net"
+    source wireguard_source
     dest "fw"
     proto "udp"
     dest_ports "51820"