From: Tom Hughes
Date: Sat, 24 Sep 2022 11:32:35 +0000 (+0100)
Subject: Limit wireguard special casing to shenron
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/4320650b9a9b95fe45992f59255d6f81f3c7e75f

Limit wireguard special casing to shenron

In 7ed52aa26 special support was added to make shenron establish tunnels to the gateway nodes but it is keyed off the mail role so would apply to all mail servers. This breaks that link and makes it only apply to shenron.
---
diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 8a1fd5efb..f8a50f9c9 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -77,18 +77,6 @@ end
 relay_from_hosts = node[:exim][:relay_from_hosts]
 
 if node[:exim][:smarthost_name]
-  search(:node, "roles:gateway") do |gateway|
-    allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
-      "#{interface[:network]}/#{interface[:prefix]}"
-    end
-
-    node.default[:networking][:wireguard][:peers] << {
-      :public_key => gateway[:networking][:wireguard][:public_key],
-      :allowed_ips => allowed_ips,
-      :endpoint => "#{gateway.name}:51820"
-    }
-  end
-
   search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host|
     relay_from_hosts |= host.ipaddresses(:role => :external)
   end
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 81437acc0..0ae4a12fb 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -240,7 +240,7 @@ if node[:networking][:wireguard][:enabled]
     }
   end
 
-  search(:node, "roles:mail OR roles:prometheus") do |server|
+  search(:node, "roles:shenron OR roles:prometheus") do |server|
     allowed_ips = server.interfaces(:role => :internal).map do |interface|
       "#{interface[:network]}/#{interface[:prefix]}"
     end
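Review bot: The gateway-side peer selection `search(:node, "roles:shenron OR roles:prometheus")` and the client-side condition `node[:roles].include?("shenron")` in the next hunk now express the same membership in two unrelated places, so a later edit to either one leaves the tunnel configured on only one end and nothing in the recipe flags the mismatch. A comment on the search line would make the coupling explicit, e.g. `# Keep in sync with the per-host branches below that add the matching gateway peers`. The term `roles:shenron` also presumes a role named after the host exists; that cannot be confirmed from this hunk. The enclosing `if node[:networking][:wireguard][:enabled]` block starts and ends outside the hunk.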
@@ -275,6 +275,18 @@ if node[:networking][:wireguard][:enabled]
       :allowed_ips => "10.89.123.1/32",
       :endpoint => "roaming.firefishy.com:51820"
     }
+  elsif node[:roles].include?("shenron")
+    search(:node, "roles:gateway") do |gateway|
+      allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
+        "#{interface[:network]}/#{interface[:prefix]}"
+      end
+
+      node.default[:networking][:wireguard][:peers] << {
+        :public_key => gateway[:networking][:wireguard][:public_key],
+        :allowed_ips => allowed_ips,
+        :endpoint => "#{gateway.name}:51820"
+      }
+    end
   end
 
   template "/etc/systemd/network/wireguard.netdev" do
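Review bot: The relocated block at `elsif node[:roles].include?("shenron")` only runs when none of the preceding branch conditions matched (they begin above the hunk), whereas the removed exim version added the gateway peers for any node with a smarthost regardless of other state; if shenron ever also satisfies an earlier branch, its gateway peers are silently dropped and that end of the tunnel is never configured. If the branches are meant to be independent, closing the chain first with `end` and opening a separate `if node[:roles].include?("shenron")` preserves the old behaviour. Inside the search block a peer is appended even when `gateway[:networking][:wireguard][:public_key]` is unset on a gateway that has not generated a key yet, which presumably feeds an empty key into the netdev template rendered below; a `next unless gateway[:networking][:wireguard][:public_key]` guard at the top of the block avoids that. The enclosing `if node[:networking][:wireguard][:enabled]` starts outside the hunk.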