Limit wireguard special casing to shenron
authorTom Hughes <tom@compton.nu>
Sat, 24 Sep 2022 11:32:35 +0000 (12:32 +0100)
committerTom Hughes <tom@compton.nu>
Sat, 24 Sep 2022 11:34:32 +0000 (12:34 +0100)
In 7ed52aa26 special support was added to make shenron establish
tunnels to the gateway nodes, but it is keyed off the mail role and so
would apply to all mail servers. This breaks that link and makes it
apply only to shenron.

cookbooks/exim/recipes/default.rb
cookbooks/networking/recipes/default.rb

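index 8a1fd5efb562c22d0b7924ca975d191a3dd7eeaf..f8a50f9c97f118b6912e714c9ba80cbc650f9b14 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -77,18 +77,6 @@ end
 relay_from_hosts = node[:exim][:relay_from_hosts]
 
 if node[:exim][:smarthost_name]
-  search(:node, "roles:gateway") do |gateway|
-    allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
-      "#{interface[:network]}/#{interface[:prefix]}"
-    end
-
-    node.default[:networking][:wireguard][:peers] << {
-      :public_key => gateway[:networking][:wireguard][:public_key],
-      :allowed_ips => allowed_ips,
-      :endpoint => "#{gateway.name}:51820"
-    }
-  end
-
   search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host|
     relay_from_hosts |= host.ipaddresses(:role => :external)
   end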
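index 81437acc0869664f0213ce50759b2ec22465c03e..0ae4a12fba08fe03a132d5d3a0d2f2dc955c9f2c 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -240,7 +240,7 @@ if node[:networking][:wireguard][:enabled]
       }
     end
 
-    search(:node, "roles:mail OR roles:prometheus") do |server|
+    search(:node, "roles:shenron OR roles:prometheus") do |server|
       allowed_ips = server.interfaces(:role => :internal).map do |interface|
         "#{interface[:network]}/#{interface[:prefix]}"
       end
@@ -275,6 +275,18 @@ if node[:networking][:wireguard][:enabled]
       :allowed_ips => "10.89.123.1/32",
       :endpoint => "roaming.firefishy.com:51820"
     }
+  elsif node[:roles].include?("shenron")
+    search(:node, "roles:gateway") do |gateway|
+      allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
+        "#{interface[:network]}/#{interface[:prefix]}"
+      end
+
+      node.default[:networking][:wireguard][:peers] << {
+        :public_key => gateway[:networking][:wireguard][:public_key],
+        :allowed_ips => allowed_ips,
+        :endpoint => "#{gateway.name}:51820"
+      }
+    end
   end
 
   template "/etc/systemd/network/wireguard.netdev" do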
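Review bot: The relocated gateway loop in the second hunk appends a peer for every node matching `roles:gateway`, including one whose `[:networking][:wireguard][:public_key]` attribute is still unset, so the peers list can carry a `nil` public key that the netdev template (rendered after this hunk) would then emit. A guard such as `next unless gateway[:networking][:wireguard][:public_key]` at the top of the block would keep a half-configured gateway from invalidating the whole unit; whether the template already filters such entries cannot be seen from here. The enclosing `if`/`elsif` chain begins before the hunk, so the branch that precedes the new `elsif` is not visible. The port `51820` is also repeated as a literal on the `roaming.firefishy.com` endpoint just above; a single named constant would keep the two in step by construction.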