Enable wireguard support on all machines that support it

[chef.git] / cookbooks / networking / recipes / default.rb

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 0f7b2e49ab804f2258c7c6174ab2fcfc68b70bb0..4fc08a61bf8d043fc818b64f0883d4c99c4475dd 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -235,13 +235,19 @@ if node[:networking][:wireguard][:enabled]
         :endpoint => "#{gateway.name}:51820"
       }
     end
+
+    node.default[:networking][:wireguard][:peers] << {
+      :public_key => "7Oj9ufNlgidyH/xDc+aHQKMjJPqTmD/ab13agMh6AxA=",
+      :allowed_ips => "10.0.16.1/32",
+      :endpoint => "gate.compton.nu:51820"
+    }
   end
 
   template "/etc/systemd/network/wireguard.netdev" do
     source "wireguard.netdev.erb"
     owner "root"
-    group "root"
-    mode "644"
+    group "systemd-network"
+    mode "640"
   end
 
   template "/etc/systemd/network/wireguard.network" do
@@ -454,9 +460,15 @@ firewall_rule "limit-icmp-echo" do
 end
 
 if node[:networking][:wireguard][:enabled]
+  wireguard_source = if node[:roles].include?("gateway")
+                       "net"
+                     else
+                       "osm"
+                     end
+
   firewall_rule "accept-wireguard" do
     action :accept
-    source "osm"
+    source wireguard_source
     dest "fw"
     proto "udp"
     dest_ports "51820"