Fix configuration of wireguard keys on 18.04
index d638d913217f5c1e4e7f7e3c863ed33c494c1abb..34a1a52afba33d0e3e860cf3e6eb6ddcdc975000 100644 (file)
@@ -186,6 +186,10 @@ package "cloud-init" do
 end
 
 if node[:networking][:wireguard][:enabled]
+  wireguard_id = persistent_token("networking", "wireguard")
+
+  node.default[:networking][:wireguard][:address] = "fd43:e709:ea6d:1:#{wireguard_id[0, 4]}:#{wireguard_id[4, 4]}:#{wireguard_id[8, 4]}:#{wireguard_id[12, 4]}"
+
   package "wireguard-tools" do
     compile_time true
   end
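Review bot: The address assembled on the fourth line of the hunk only forms a valid IPv6 literal when `wireguard_id` is at least 16 hexadecimal characters, and nothing here checks that; a shorter or non-hex token from persistent_token (defined outside this file, so its format is inferred) would produce an address that systemd-networkd rejects without pointing back at the cause. Making the assumption explicit at the call site, `raise "unexpected wireguard token format" unless wireguard_id.match?(/\A\h{16}/)`, turns that into a clear converge-time error. The enclosing `if` block continues past the end of the hunk.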
@@ -202,11 +206,11 @@ if node[:networking][:wireguard][:enabled]
     owner "root"
     group "systemd-network"
     mode "640"
-    content %x{wg genkey}
+    content %x(wg genkey)
     compile_time true
   end
 
-  node.default[:networking][:wireguard][:public_key] = %x{wg pubkey < /var/lib/systemd/wireguard/private.key}
+  node.default[:networking][:wireguard][:public_key] = %x(wg pubkey < /var/lib/systemd/wireguard/private.key).chomp
 
   file "/var/lib/systemd/wireguard/preshared.key" do
     action :create_if_missing
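Review bot: The `wg pubkey` call on the new public_key line never checks the command's exit status, so if the private key file is unreadable or the command fails the attribute silently becomes `""` and an empty key reaches whatever consumes it; `.chomp` fixes the trailing newline but not that case. Checking the status right after the backtick, `raise "wg pubkey failed" unless $?.success?`, makes a broken key setup fail the run instead of configuring a peer with no key. The `%x(wg genkey)` line used as the private key content has the same gap, since an empty string there would be written as the key file. The `file` resource that holds the genkey line opens outside the hunk.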
@@ -222,7 +226,7 @@ if node[:networking][:wireguard][:enabled]
       next unless gateway[:networking][:wireguard] && gateway[:networking][:wireguard][:enabled]
 
       allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
-        "#{interface[:network]}/#{interface[:metric]}"
+        "#{interface[:network]}/#{interface[:prefix]}"
       end
 
       node.default[:networking][:wireguard][:peers] << {
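Review bot: Switching to `interface[:prefix]` is the right fix, but the interpolation still yields `"<network>/"` when an internal interface carries no `:prefix`, which would leave a malformed AllowedIPs entry for that peer (the interface schema is not visible here, so whether that can occur is inferred). Because AllowedIPs is also the filter WireGuard applies to a peer's source addresses, a malformed entry is better rejected than written out; `raise "internal interface without prefix" if interface[:prefix].nil?` inside the map keeps that explicit. The `each` over gateways that encloses this map starts and ends outside the hunk.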
@@ -236,8 +240,8 @@ if node[:networking][:wireguard][:enabled]
   template "/etc/systemd/network/wireguard.netdev" do
     source "wireguard.netdev.erb"
     owner "root"
-    group "root"
-    mode "644"
+    group "systemd-network"
+    mode "640"
   end
 
   template "/etc/systemd/network/wireguard.network" do
@@ -247,19 +251,35 @@ if node[:networking][:wireguard][:enabled]
     mode "644"
   end
 
-  execute "ip-link-delete-wg0" do
-    action :nothing
-    command "ip link delete wg0"
-    subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
-    only_if { ::File.exist?("/sys/class/net/wg0") }
-  end
+  if node[:lsb][:release].to_f < 20.04
+    execute "ip-link-delete-wg0" do
+      action :nothing
+      command "ip link delete wg0"
+      subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+      only_if { ::File.exist?("/sys/class/net/wg0") }
+    end
 
-  execute "networkctl-reload" do
-    action :nothing
-    command "networkctl reload"
-    subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
-    subscribes :run, "template[/etc/systemd/network/wireguard.network]"
-    not_if { ENV.key?("TEST_KITCHEN") }
+    service "systemd-networkd" do
+      action :nothing
+      subscribes :restart, "template[/etc/systemd/network/wireguard.netdev]"
+      subscribes :restart, "template[/etc/systemd/network/wireguard.network]"
+      not_if { ENV.key?("TEST_KITCHEN") }
+    end
+  else
+    execute "networkctl-delete-wg0" do
+      action :nothing
+      command "networkctl delete wg0"
+      subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+      only_if { ::File.exist?("/sys/class/net/wg0") }
+    end
+
+    execute "networkctl-reload" do
+      action :nothing
+      command "networkctl reload"
+      subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
+      subscribes :run, "template[/etc/systemd/network/wireguard.network]"
+      not_if { ENV.key?("TEST_KITCHEN") }
+    end
   end
 end
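Review bot: The two `execute` resources that delete wg0 differ only in their `command`, so each branch repeats the same action, subscribes and only_if clauses; hoisting the version-dependent part into a local keeps one resource, `delete_wg0 = node[:lsb][:release].to_f < 20.04 ? "ip link delete wg0" : "networkctl delete wg0"` followed by a single `execute "delete-wg0"` block with `command delete_wg0`. Separately, `node[:lsb][:release].to_f` evaluates to `0.0` when the attribute is absent, so a node without lsb data would silently take the 18.04 path and restart systemd-networkd, which briefly drops every configured interface; if such nodes are not expected here, failing on a missing release value is preferable to defaulting into that branch. The reload versus restart resources genuinely differ between the branches, so those stay as written.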