From 5fae0fc5594d33b38966e604b5cf600144bc1eb9 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 30 Jul 2020 09:39:26 +0100
Subject: [PATCH] Include VPN routes in the netplan config

---
 .rubocop_todo.yml                       |  7 ++-
 cookbooks/networking/recipes/default.rb | 66 ++++++++++++++-----------
 2 files changed, 44 insertions(+), 29 deletions(-)

diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index de96b3d16..2f7e6ded4 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2020-07-29 12:02:45 UTC using RuboCop version 0.88.0.
+# on 2020-07-30 08:39:06 UTC using RuboCop version 0.88.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -19,3 +19,8 @@ ChefModernize/Definitions:
 # SupportedStyles: strings, symbols
 ChefStyle/AttributeKeys:
   EnforcedStyle: symbols
+
+# Offense count: 3
+# Configuration parameters: CountBlocks.
+Metrics/BlockNesting:
+  Max: 4
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index b643296f4..d85f2ebbd 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -130,6 +130,44 @@ node[:networking][:interfaces].each do |name, interface|
           "scope" => "link"
         )
       end
+
+      if interface[:role] == "internal" && interface[:gateway] != interface[:address]
+        search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
+          next unless gateway[:openvpn]
+
+          gateway[:openvpn][:tunnels].each_value do |tunnel|
+            if tunnel[:peer][:address]
+              deviceplan["routes"].push(
+                "to" => "#{tunnel[:peer][:address]}/32",
+                "via" => interface[:gateway]
+              )
+
+              route tunnel[:peer][:address] do
+                netmask "255.255.255.255"
+                gateway interface[:gateway]
+                device interface[:interface]
+              end
+            end
+
+            next unless tunnel[:peer][:networks]
+
+            tunnel[:peer][:networks].each do |network|
+              prefix = IPAddr.new("#{network[:address]}/#{network[:netmask]}").prefix
+
+              deviceplan["routes"].push(
+                "to" => "#{network[:address]}/#{prefix}",
+                "via" => interface[:gateway]
+              )
+
+              route network[:address] do
+                netmask network[:netmask]
+                gateway interface[:gateway]
+                device interface[:interface]
+              end
+            end
+          end
+        end
+      end
     end
 
     if interface[:routes]
@@ -229,34 +267,6 @@ link "/etc/resolv.conf" do
   to "../run/systemd/resolve/stub-resolv.conf"
 end
 
-node.interfaces(:role => :internal) do |interface|
-  if interface[:gateway] && interface[:gateway] != interface[:address]
-    search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
-      next unless gateway[:openvpn]
-
-      gateway[:openvpn][:tunnels].each_value do |tunnel|
-        if tunnel[:peer][:address]
-          route tunnel[:peer][:address] do
-            netmask "255.255.255.255"
-            gateway interface[:gateway]
-            device interface[:interface]
-          end
-        end
-
-        next unless tunnel[:peer][:networks]
-
-        tunnel[:peer][:networks].each do |network|
-          route network[:address] do
-            netmask network[:netmask]
-            gateway interface[:gateway]
-            device interface[:interface]
-          end
-        end
-      end
-    end
-  end
-end
-
 zones = {}
 
 search(:node, "networking:interfaces").collect do |n|
-- 
2.43.2