X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/2b0fa99a5ad90d8b66803deb9be2ba55051dbc5c..4320650b9a9b95fe45992f59255d6f81f3c7e75f:/cookbooks/networking/recipes/default.rb?ds=sidebyside

diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 8569c731c..0ae4a12fb 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -240,7 +240,7 @@ if node[:networking][:wireguard][:enabled]
       }
     end
 
-    search(:node, "roles:mail OR roles:prometheus") do |server|
+    search(:node, "roles:shenron OR roles:prometheus") do |server|
       allowed_ips = server.interfaces(:role => :internal).map do |interface|
         "#{interface[:network]}/#{interface[:prefix]}"
       end
@@ -261,6 +261,32 @@ if node[:networking][:wireguard][:enabled]
       :allowed_ips => "10.0.16.1/32",
       :endpoint => "gate.compton.nu:51820"
     }
+
+    # Grant home
+    node.default[:networking][:wireguard][:peers] << {
+      :public_key => "RofATnvlWxP3mt87+QKRXFE5MVxtoCcTsJ+yftZYEE4=",
+      :allowed_ips => "10.89.122.1/32",
+      :endpoint => "gate.firefishy.com:51820"
+    }
+
+    # Grant roaming
+    node.default[:networking][:wireguard][:peers] << {
+      :public_key => "YbUkREE9TAmomqgL/4Fh2e5u2Hh7drN/2o5qg3ndRxg=",
+      :allowed_ips => "10.89.123.1/32",
+      :endpoint => "roaming.firefishy.com:51820"
+    }
+  elsif node[:roles].include?("shenron")
+    search(:node, "roles:gateway") do |gateway|
+      allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
+        "#{interface[:network]}/#{interface[:prefix]}"
+      end
+
+      node.default[:networking][:wireguard][:peers] << {
+        :public_key => gateway[:networking][:wireguard][:public_key],
+        :allowed_ips => allowed_ips,
+        :endpoint => "#{gateway.name}:51820"
+      }
+    end
   end
 
   template "/etc/systemd/network/wireguard.netdev" do
@@ -289,7 +315,7 @@ if node[:networking][:wireguard][:enabled]
       action :nothing
       subscribes :restart, "template[/etc/systemd/network/wireguard.netdev]"
       subscribes :restart, "template[/etc/systemd/network/wireguard.network]"
-      not_if { ENV.key?("TEST_KITCHEN") }
+      not_if { kitchen? }
     end
   else
     execute "networkctl-delete-wg0" do
@@ -304,7 +330,7 @@ if node[:networking][:wireguard][:enabled]
       command "networkctl reload"
       subscribes :run, "template[/etc/systemd/network/wireguard.netdev]"
       subscribes :run, "template[/etc/systemd/network/wireguard.network]"
-      not_if { ENV.key?("TEST_KITCHEN") }
+      not_if { kitchen? }
     end
   end
 end
@@ -317,7 +343,7 @@ end
 execute "hostnamectl-set-hostname" do
   command "hostnamectl set-hostname #{node[:networking][:hostname]}"
   notifies :reload, "ohai[reload-hostname]"
-  not_if { ENV.key?("TEST_KITCHEN") || node[:hostnamectl][:static_hostname] == node[:networking][:hostname] }
+  not_if { kitchen? || node[:hostnamectl][:static_hostname] == node[:networking][:hostname] }
 end
 
 template "/etc/hosts" do
@@ -506,16 +532,24 @@ if node[:networking][:wireguard][:enabled]
   end
 end
 
+file "/etc/shorewall/masq" do
+  action :delete
+end
+
+file "/etc/shorewall/masq.bak" do
+  action :delete
+end
+
 if node[:roles].include?("gateway")
-  template "/etc/shorewall/masq" do
-    source "shorewall-masq.erb"
+  template "/etc/shorewall/snat" do
+    source "shorewall-snat.erb"
     owner "root"
     group "root"
     mode "644"
     notifies :restart, "service[shorewall]"
   end
 else
-  file "/etc/shorewall/masq" do
+  file "/etc/shorewall/snat" do
     action :delete
     notifies :restart, "service[shorewall]"
   end