-search(:node, "networking:interfaces").collect do |n|
- if n[:fqdn] != node[:fqdn]
- n.interfaces.each do |interface|
- if interface[:role] == "external" && interface[:zone]
- zones[interface[:zone]] ||= Hash.new
- zones[interface[:zone]][interface[:family]] ||= Array.new
- zones[interface[:zone]][interface[:family]] << interface[:address]
+service "systemd-networkd" do
+ action [:enable, :start]
+end
+
+if node[:networking][:wireguard][:enabled]
+ wireguard_id = persistent_token("networking", "wireguard")
+
+ node.default[:networking][:wireguard][:address] = "fd43:e709:ea6d:1:#{wireguard_id[0, 4]}:#{wireguard_id[4, 4]}:#{wireguard_id[8, 4]}:#{wireguard_id[12, 4]}"
+
+ package "wireguard-tools" do
+ compile_time true
+ options "--no-install-recommends"
+ end
+
+ directory "/var/lib/systemd/wireguard" do
+ owner "root"
+ group "systemd-network"
+ mode "750"
+ compile_time true
+ end
+
+ file "/var/lib/systemd/wireguard/private.key" do
+ action :create_if_missing
+ owner "root"
+ group "systemd-network"
+ mode "640"
+ content %x(wg genkey)
+ compile_time true
+ end
+
+ node.default[:networking][:wireguard][:public_key] = %x(wg pubkey < /var/lib/systemd/wireguard/private.key).chomp
+
+ file "/var/lib/systemd/wireguard/preshared.key" do
+ action :create_if_missing
+ owner "root"
+ group "systemd-network"
+ mode "640"
+ content keys["wireguard"]
+ end
+
+ if node[:roles].include?("gateway")
+ search(:node, "roles:gateway") do |gateway|
+ next if gateway.name == node.name
+ next unless gateway[:networking][:wireguard] && gateway[:networking][:wireguard][:enabled]
+
+ allowed_ips = gateway.ipaddresses(:role => :internal).map(&:subnet)
+
+ node.default[:networking][:wireguard][:peers] << {
+ :public_key => gateway[:networking][:wireguard][:public_key],
+ :allowed_ips => allowed_ips,
+ :endpoint => "#{gateway.name}:51820"
+ }
+ end
+
+ search(:node, "roles:prometheus") do |server|
+ allowed_ips = server.ipaddresses(:role => :internal).map(&:subnet)
+
+ if server[:networking][:private_address]
+ allowed_ips << "#{server[:networking][:private_address]}/32"