From: Tom Hughes Date: Fri, 18 Sep 2020 18:20:13 +0000 (+0100) Subject: Estabish tunnels between shenron and gateway machines X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/7ed52aa26?hp=9a419c479230792efda72004042df8dd45151cc3 Estabish tunnels between shenron and gateway machines
---
diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 6234aa964..994e9454b 100644
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -76,6 +76,18 @@ end
 relay_from_hosts = node[:exim][:relay_from_hosts]
 if node[:exim][:smarthost_name]
+ search(:node, "roles:gateway") do |gateway|
+ allowed_ips = gateway.interfaces(:role => :internal).map do |interface|
+ "#{interface[:network]}/#{interface[:prefix]}"
+ end
+
+ node.default[:networking][:wireguard][:peers] << {
+ :public_key => gateway[:networking][:wireguard][:public_key],
+ :allowed_ips => allowed_ips,
+ :endpoint => "#{gateway.name}:51820"
+ }
+ end
+
 search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host|
 relay_from_hosts |= host.ipaddresses(:role => :external)
 end
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 4fc08a61b..0989d8d11 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
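Review bot: The peer appended for each `roles:gateway` node reads `gateway[:networking][:wireguard][:public_key]` without checking that it is set, so a gateway that has not yet been given a WireGuard key would contribute a peer whose public key is nil, and a gateway with no `:internal` interface contributes a peer with an empty AllowedIPs list that can carry no traffic. A guard at the top of the block covers both: `next unless gateway[:networking][:wireguard][:public_key]` followed by `next if allowed_ips.empty?` once `allowed_ips` is built. The same missing check applies to the `roles:mail` search added in cookbooks/networking/recipes/default.rb. The enclosing `if node[:exim][:smarthost_name]` block ends outside the hunk.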
@@ -236,6 +236,22 @@ if node[:networking][:wireguard][:enabled]
 }
 end
+ search(:node, "roles:mail") do |server|
+ allowed_ips = server.interfaces(:role => :internal).map do |interface|
+ "#{interface[:network]}/#{interface[:prefix]}"
+ end
+
+ if server[:networking][:private_address]
+ allowed_ips << "#{server[:networking][:private_address]}/32"
+ end
+
+ node.default[:networking][:wireguard][:peers] << {
+ :public_key => server[:networking][:wireguard][:public_key],
+ :allowed_ips => allowed_ips,
+ :endpoint => "#{server.name}:51820"
+ }
+ end
+
 node.default[:networking][:wireguard][:peers] << {
 :public_key => "7Oj9ufNlgidyH/xDc+aHQKMjJPqTmD/ab13agMh6AxA=",
 :allowed_ips => "10.0.16.1/32",
diff --git a/cookbooks/networking/templates/default/wireguard.network.erb b/cookbooks/networking/templates/default/wireguard.network.erb
index 2d3469cf1..5e215b184 100644
--- a/cookbooks/networking/templates/default/wireguard.network.erb
+++ b/cookbooks/networking/templates/default/wireguard.network.erb
@@ -5,6 +5,9 @@ Name=wg0
 <% if node.internal_ipaddress -%>
 Address=<%= node.internal_ipaddress %>/32
 <% end -%>
+<% if node[:networking][:private_address] -%>
+Address=<%= node[:networking][:private_address] %>/32
+<% end -%>
 Address=<%= node[:networking][:wireguard][:address] %>/128
 [Route]
diff --git a/roles/shenron.rb b/roles/shenron.rb
index 1caa61018..e614a3326 100644
--- a/roles/shenron.rb
+++ b/roles/shenron.rb
@@ -39,7 +39,8 @@ override_attributes(
 :gateway => "fe80::1"
 }
 },
- :nameservers => ["89.16.162.20", "2001:41c9:2:d6::20"]
+ :nameservers => ["89.16.162.20", "2001:41c9:2:d6::20"],
+ :private_address => "10.0.16.100"
 }
 )
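Review bot: The AllowedIPs built for each `roles:mail` peer are the server's whole internal networks (`"#{interface[:network]}/#{interface[:prefix]}"`), so two mail servers on the same internal subnet would list the same prefix under two different peers; WireGuard's cryptokey routing binds each allowed prefix to exactly one peer, so the shared prefix ends up on whichever peer is configured last and traffic for the other host is routed into the wrong tunnel. If the gateway only needs to reach the mail host itself, the per-host `/32` entry this hunk already adds from `private_address` is the safer AllowedIPs value and the subnet entries could be dropped; if the whole subnet is intended, a comment such as `# assumes at most one mail server per internal network: AllowedIPs prefixes must not overlap between peers` would record the constraint. The gateway-side search in cookbooks/exim/recipes/default.rb builds AllowedIPs from the same per-interface prefixes and has the same overlap exposure. The enclosing `if node[:networking][:wireguard][:enabled]` block starts and ends outside the hunk.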