Enable wireguard support on all machines that support it

author Tom Hughes <tom@compton.nu>

Wed, 16 Sep 2020 15:54:26 +0000 (16:54 +0100)

committer Tom Hughes <tom@compton.nu>

Wed, 16 Sep 2020 15:54:26 +0000 (16:54 +0100)
author Tom Hughes <tom@compton.nu>
Wed, 16 Sep 2020 15:54:26 +0000 (16:54 +0100)
committer Tom Hughes <tom@compton.nu>
Wed, 16 Sep 2020 15:54:26 +0000 (16:54 +0100)
diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb

index 8d30dd17cc1f23d6826d37ce433fd6e15f1e9900..3872a516516f0a481a10f96ea6419bddf87525ba 100644 (file)
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -12,6 +12,6 @@ default[:networking][:nameservers] = []
  default[:networking][:search] = []
  default[:networking][:dnssec] = "allow-downgrade"
  default[:networking][:hostname] = node.name
  default[:networking][:search] = []
  default[:networking][:dnssec] = "allow-downgrade"
  default[:networking][:hostname] = node.name
-default[:networking][:wireguard][:enabled] = false
+default[:networking][:wireguard][:enabled] = true
  default[:networking][:wireguard][:keepalive] = false
  default[:networking][:wireguard][:peers] = []
  default[:networking][:wireguard][:keepalive] = false
  default[:networking][:wireguard][:peers] = []
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb

index 116d90c726d19a769757871734bdcaf1212106f0..4fc08a61bf8d043fc818b64f0883d4c99c4475dd 100644 (file)
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -460,9 +460,15 @@ firewall_rule "limit-icmp-echo" do
  end
  
  if node[:networking][:wireguard][:enabled]
  end
  
  if node[:networking][:wireguard][:enabled]
+  wireguard_source = if node[:roles].include?("gateway")
+                       "net"
+                     else
+                       "osm"
+                     end
+
    firewall_rule "accept-wireguard" do
      action :accept
    firewall_rule "accept-wireguard" do
      action :accept
-    source "net"
+    source wireguard_source
      dest "fw"
      proto "udp"
      dest_ports "51820"
      dest "fw"
      proto "udp"
      dest_ports "51820"
diff --git a/roles/gateway.rb b/roles/gateway.rb

index 80ae347a5c414f585e8ca8f643952d774b62e80e..b9007b86ece3163425243dcf5c324e6b4d810659 100644 (file)
--- a/roles/gateway.rb
+++ b/roles/gateway.rb
@@ -2,9 +2,6 @@ name "gateway"
  description "Role applied to all network gateways"
  
  default_attributes(
  description "Role applied to all network gateways"
  
  default_attributes(
-  :networking => {
-    :wireguard => { :enabled => true }
-  },
    :sysctl => {
      :network_forwarding => {
        :comment => "Enable forwarding",
    :sysctl => {
      :network_forwarding => {
        :comment => "Enable forwarding",
diff --git a/roles/glaedr.rb b/roles/glaedr.rb

index 19025b698e388b3f1b6379c343487a6f269f9811..e468331d97eb66df31f962eeb8246a97676af3ac 100644 (file)
--- a/roles/glaedr.rb
+++ b/roles/glaedr.rb
@@ -23,6 +23,9 @@ default_attributes(
          :prefix => "125",
          :gateway => "2800:1e0:a01:a006::69"
        }
          :prefix => "125",
          :gateway => "2800:1e0:a01:a006::69"
        }
+    },
+    :wireguard => {
+      :enabled => false
      }
    },
    :squid => {
      }
    },
    :squid => {
diff --git a/roles/gorwen.rb b/roles/gorwen.rb

index 773e389cefb8c4f4628a44430a559dc6a3849e26..18ca17ae73125e903f953dc512a92f9756c117b5 100644 (file)
--- a/roles/gorwen.rb
+++ b/roles/gorwen.rb
@@ -23,6 +23,9 @@ default_attributes(
          :prefix => "125",
          :gateway => "2800:1e0:a01:a006::69"
        }
          :prefix => "125",
          :gateway => "2800:1e0:a01:a006::69"
        }
+    },
+    :wireguard => {
+      :enabled => false
      }
    },
    :squid => {
      }
    },
    :squid => {
diff --git a/roles/jakelong.rb b/roles/jakelong.rb

index 945bdd52fcb17a55eb64deee7d7898ec524da4aa..b8a7314e08288e618e81d290728041bec99e8f4f 100644 (file)
--- a/roles/jakelong.rb
+++ b/roles/jakelong.rb
@@ -23,6 +23,9 @@ default_attributes(
          :prefix => "64",
          :gateway => "2605:2700:0:17::1"
        }
          :prefix => "64",
          :gateway => "2605:2700:0:17::1"
        }
+    },
+    :wireguard => {
+      :enabled => false
      }
    },
    :squid => {
      }
    },
    :squid => {
diff --git a/roles/kokosnuss.rb b/roles/kokosnuss.rb

index 809601fd741daa16fca79beaab261f4f99bb2651..cebe596df82de9f5f59af0bfd658c70c202c3d13 100644 (file)
--- a/roles/kokosnuss.rb
+++ b/roles/kokosnuss.rb
@@ -15,6 +15,9 @@ default_attributes(
          :prefix => "32",
          :gateway => "85.214.255.86"
        }
          :prefix => "32",
          :gateway => "85.214.255.86"
        }
+    },
+    :wireguard => {
+      :enabled => false
      }
    },
    :squid => {
      }
    },
    :squid => {
diff --git a/roles/konqi.rb b/roles/konqi.rb

index 8b529781dae7c659f3de7c4e7a418398cb679585..6744ee3ceb335a4f80cae41bea98b0957395b418 100644 (file)
--- a/roles/konqi.rb
+++ b/roles/konqi.rb
@@ -23,6 +23,9 @@ default_attributes(
          :prefix => "64",
          :gateway => "2a02:180:1:1::1"
        }
          :prefix => "64",
          :gateway => "2a02:180:1:1::1"
        }
+    },
+    :wireguard => {
+      :enabled => false
      }
    },
    :squid => {
      }
    },
    :squid => {
diff --git a/roles/rimfaxe.rb b/roles/rimfaxe.rb

index 383f754900a059f1d7c8d2b45ba1472a95fd5f6f..f130d03e4d73195bb2baaf39d3d227d0af04eb41 100644 (file)
--- a/roles/rimfaxe.rb
+++ b/roles/rimfaxe.rb
@@ -23,6 +23,9 @@ default_attributes(
          :prefix => "64",
          :gateway => "2001:878:346::97"
        }
          :prefix => "64",
          :gateway => "2001:878:346::97"
        }
+    },
+    :wireguard => {
+      :enabled => false
      }
    },
    :squid => {
      }
    },
    :squid => {
diff --git a/roles/simurgh.rb b/roles/simurgh.rb

index d1a0289da8719cf758992868f7c8f4d89607ab24..011afdce444811aa267f5f5610f3d4296e86733c 100644 (file)
--- a/roles/simurgh.rb
+++ b/roles/simurgh.rb
@@ -15,6 +15,9 @@ default_attributes(
          :prefix => "24",
          :gateway => "94.20.20.1"
        }
          :prefix => "24",
          :gateway => "94.20.20.1"
        }
+    },
+    :wireguard => {
+      :enabled => false
      }
    },
    :squid => {
      }
    },
    :squid => {
author	Tom Hughes <tom@compton.nu>
	Wed, 16 Sep 2020 15:54:26 +0000 (16:54 +0100)
committer	Tom Hughes <tom@compton.nu>
	Wed, 16 Sep 2020 15:54:26 +0000 (16:54 +0100)
cookbooks/networking/attributes/default.rb		patch \| blob \| history
cookbooks/networking/recipes/default.rb		patch \| blob \| history
roles/gateway.rb		patch \| blob \| history
roles/glaedr.rb		patch \| blob \| history
roles/gorwen.rb		patch \| blob \| history
roles/jakelong.rb		patch \| blob \| history
roles/kokosnuss.rb		patch \| blob \| history
roles/konqi.rb		patch \| blob \| history
roles/rimfaxe.rb		patch \| blob \| history
roles/simurgh.rb		patch \| blob \| history