Limit NAT to IPv4 interfaces

[chef.git] / roles / ucl.rb

diff --git a/roles/ucl.rb b/roles/ucl.rb
index eb3dfd1cd10034b74db6d419192cb1aa64f27c09..1bfa54c201c09383158ef85796f8bb7f98f1d5b5 100644 (file)
--- a/roles/ucl.rb
+++ b/roles/ucl.rb
@@ -4,11 +4,17 @@ description "Role applied to all servers at UCL"
 default_attributes(
   :location => "Slough, England",
   :networking => {
+    :firewall => {
+      :engine => "nftables"
+    },
     :roles => {
       :internal => {
         :inet => {
           :prefix => "20",
-          :gateway => "10.0.0.3"
+          :gateway => "10.0.0.3",
+          :routes => {
+            "10.0.0.0/8" => { :via => "10.0.0.3" }
+          }
         }
       },
       :external => {
@@ -18,15 +24,9 @@ default_attributes(
           :gateway => "193.60.236.254"
         }
       }
-    }
-  },
-  :sysctl => {
-    :blackhole => {
-      :comment => "Force TCP level MTU probing because of known ICMP blackhole at UCL",
-      :parameters => {
-        "net.ipv4.tcp_mtu_probing" => "2",
-        "net.ipv4.tcp_base_mss" => "1024"
-      }
+    },
+    :wireguard => {
+      :keepalive => 180
     }
   }
 )