]> git.openstreetmap.org Git - chef.git/blobdiff - cookbooks/networking/recipes/default.rb
Install bundler 2.1.4 for rails
[chef.git] / cookbooks / networking / recipes / default.rb
index a6fcaf80fc4cfd4fb283132fe9a22a32403d7614..c195251e6803b7fdf3ff65492ada07020759ace8 100644 (file)
@@ -39,20 +39,20 @@ node[:networking][:interfaces].each do |name, interface|
   if interface[:interface]
     if interface[:role] && (role = node[:networking][:roles][interface[:role]])
       if role[interface[:family]]
-        node.normal[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
-        node.normal[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
-        node.normal[:networking][:interfaces][name][:routes] = role[interface[:family]][:routes]
+        node.default[:networking][:interfaces][name][:prefix] = role[interface[:family]][:prefix]
+        node.default[:networking][:interfaces][name][:gateway] = role[interface[:family]][:gateway]
+        node.default[:networking][:interfaces][name][:routes] = role[interface[:family]][:routes]
       end
 
-      node.normal[:networking][:interfaces][name][:metric] = role[:metric]
-      node.normal[:networking][:interfaces][name][:zone] = role[:zone]
+      node.default[:networking][:interfaces][name][:metric] = role[:metric]
+      node.default[:networking][:interfaces][name][:zone] = role[:zone]
     end
 
     if interface[:address]
       prefix = node[:networking][:interfaces][name][:prefix]
 
-      node.normal[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
-      node.normal[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
+      node.default[:networking][:interfaces][name][:netmask] = (~IPAddr.new(interface[:address]).mask(0)).mask(prefix)
+      node.default[:networking][:interfaces][name][:network] = IPAddr.new(interface[:address]).mask(prefix)
     end
 
     interface = node[:networking][:interfaces][name]
@@ -130,6 +130,44 @@ node[:networking][:interfaces].each do |name, interface|
           "scope" => "link"
         )
       end
+
+      if interface[:role] == "internal" && interface[:gateway] != interface[:address]
+        search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
+          next unless gateway[:openvpn]
+
+          gateway[:openvpn][:tunnels].each_value do |tunnel|
+            if tunnel[:peer][:address]
+              deviceplan["routes"].push(
+                "to" => "#{tunnel[:peer][:address]}/32",
+                "via" => interface[:gateway]
+              )
+
+              route tunnel[:peer][:address] do
+                netmask "255.255.255.255"
+                gateway interface[:gateway]
+                device interface[:interface]
+              end
+            end
+
+            next unless tunnel[:peer][:networks]
+
+            tunnel[:peer][:networks].each do |network|
+              prefix = IPAddr.new("#{network[:address]}/#{network[:netmask]}").prefix
+
+              deviceplan["routes"].push(
+                "to" => "#{network[:address]}/#{prefix}",
+                "via" => interface[:gateway]
+              )
+
+              route network[:address] do
+                netmask network[:netmask]
+                gateway interface[:gateway]
+                device interface[:interface]
+              end
+            end
+          end
+        end
+      end
     end
 
     if interface[:routes]
@@ -229,45 +267,6 @@ link "/etc/resolv.conf" do
   to "../run/systemd/resolve/stub-resolv.conf"
 end
 
-if node[:networking][:tcp_fastopen_key]
-  fastopen_keys = data_bag_item("networking", "fastopen")
-
-  node.normal[:sysctl][:tcp_fastopen] = {
-    :comment => "Set shared key for TCP fast open",
-    :parameters => {
-      "net.ipv4.tcp_fastopen_key" => fastopen_keys[node[:networking][:tcp_fastopen_key]]
-    }
-  }
-end
-
-node.interfaces(:role => :internal) do |interface|
-  if interface[:gateway] && interface[:gateway] != interface[:address]
-    search(:node, "networking_interfaces*address:#{interface[:gateway]}") do |gateway|
-      next unless gateway[:openvpn]
-
-      gateway[:openvpn][:tunnels].each_value do |tunnel|
-        if tunnel[:peer][:address]
-          route tunnel[:peer][:address] do
-            netmask "255.255.255.255"
-            gateway interface[:gateway]
-            device interface[:interface]
-          end
-        end
-
-        next unless tunnel[:peer][:networks]
-
-        tunnel[:peer][:networks].each do |network|
-          route network[:address] do
-            netmask network[:netmask]
-            gateway interface[:gateway]
-            device interface[:interface]
-          end
-        end
-      end
-    end
-  end
-end
-
 zones = {}
 
 search(:node, "networking:interfaces").collect do |n|
@@ -344,6 +343,7 @@ template "/etc/shorewall/policy" do
 end
 
 template "/etc/shorewall/rules" do
+  action :nothing
   source "shorewall-rules.erb"
   owner "root"
   group "root"
@@ -352,6 +352,11 @@ template "/etc/shorewall/rules" do
   notifies :restart, "service[shorewall]"
 end
 
+notify_group "shorewall-rules" do
+  action :run
+  notifies :create, "template[/etc/shorewall/rules]"
+end
+
 service "shorewall" do
   action [:enable, :start]
   supports :restart => true
@@ -465,6 +470,7 @@ unless node.interfaces(:family => :inet6).empty?
   end
 
   template "/etc/shorewall6/rules" do
+    action :nothing
     source "shorewall-rules.erb"
     owner "root"
     group "root"
@@ -473,6 +479,11 @@ unless node.interfaces(:family => :inet6).empty?
     notifies :restart, "service[shorewall6]"
   end
 
+  notify_group "shorewall6-rules" do
+    action :run
+    notifies :create, "template[/etc/shorewall6/rules]"
+  end
+
   service "shorewall6" do
     action [:enable, :start]
     supports :restart => true