From: Tom Hughes
Date: Wed, 16 Sep 2020 15:54:26 +0000 (+0100)
Subject: Enable wireguard support on all machines that support it
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/c30bf38a3bc31371fd5a9da3ebc383bd6236b4d3?ds=sidebyside

Enable wireguard support on all machines that support it
---

diff --git a/cookbooks/networking/attributes/default.rb b/cookbooks/networking/attributes/default.rb
index 8d30dd17c..3872a5165 100644
--- a/cookbooks/networking/attributes/default.rb
+++ b/cookbooks/networking/attributes/default.rb
@@ -12,6 +12,6 @@ default[:networking][:nameservers] = []
 default[:networking][:search] = []
 default[:networking][:dnssec] = "allow-downgrade"
 default[:networking][:hostname] = node.name
-default[:networking][:wireguard][:enabled] = false
+default[:networking][:wireguard][:enabled] = true
 default[:networking][:wireguard][:keepalive] = false
 default[:networking][:wireguard][:peers] = []
diff --git a/cookbooks/networking/recipes/default.rb b/cookbooks/networking/recipes/default.rb
index 116d90c72..4fc08a61b 100644
--- a/cookbooks/networking/recipes/default.rb
+++ b/cookbooks/networking/recipes/default.rb
@@ -460,9 +460,15 @@ firewall_rule "limit-icmp-echo" do
 end
 
 if node[:networking][:wireguard][:enabled]
+  wireguard_source = if node[:roles].include?("gateway")
+                       "net"
+                     else
+                       "osm"
+                     end
+
   firewall_rule "accept-wireguard" do
     action :accept
-    source "net"
+    source wireguard_source
     dest "fw"
     proto "udp"
     dest_ports "51820"
diff --git a/roles/gateway.rb b/roles/gateway.rb
index 80ae347a5..b9007b86e 100644
--- a/roles/gateway.rb
+++ b/roles/gateway.rb
@@ -2,9 +2,6 @@ name "gateway"
 description "Role applied to all network gateways"
 
 default_attributes(
-  :networking => {
-    :wireguard => { :enabled => true }
-  },
   :sysctl => {
     :network_forwarding => {
       :comment => "Enable forwarding",
diff --git a/roles/glaedr.rb b/roles/glaedr.rb
index 19025b698..e468331d9 100644
--- a/roles/glaedr.rb
+++ b/roles/glaedr.rb
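Review bot: Flipping the default to `true` on the changed line makes wireguard, and the firewall rule keyed on it, opt-out rather than opt-in, but the attributes file does not record when a role is expected to set it back to `false`; the subject line suggests the per-role overrides are for hosts that cannot run wireguard. A comment above the line would keep that intent next to the default: `# Enabled everywhere; roles for hosts that cannot run wireguard override this to false`. Without it, a newly added host without support gets the rule until someone notices the opt-out convention.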
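Review bot: The five-line `if`/`else` assignment added at the top of the `if node[:networking][:wireguard][:enabled]` block is a one-liner in idiomatic Ruby: `wireguard_source = node[:roles].include?("gateway") ? "net" : "osm"`. A short comment on why gateways accept UDP 51820 from the `net` zone while every other host only accepts it from `osm` would also help, since the zone choice is the security-relevant part of this change; presumably gateways peer across the internet and the other hosts only with each other, but the hunk does not say. The `firewall_rule "accept-wireguard"` block continues past the end of the hunk.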
@@ -23,6 +23,9 @@ default_attributes(
       :prefix => "125",
       :gateway => "2800:1e0:a01:a006::69"
     }
+    },
+    :wireguard => {
+      :enabled => false
     }
   },
   :squid => {
diff --git a/roles/gorwen.rb b/roles/gorwen.rb
index 773e389ce..18ca17ae7 100644
--- a/roles/gorwen.rb
+++ b/roles/gorwen.rb
@@ -23,6 +23,9 @@ default_attributes(
       :prefix => "125",
       :gateway => "2800:1e0:a01:a006::69"
     }
+    },
+    :wireguard => {
+      :enabled => false
     }
   },
   :squid => {
diff --git a/roles/jakelong.rb b/roles/jakelong.rb
index 945bdd52f..b8a7314e0 100644
--- a/roles/jakelong.rb
+++ b/roles/jakelong.rb
@@ -23,6 +23,9 @@ default_attributes(
       :prefix => "64",
       :gateway => "2605:2700:0:17::1"
     }
+    },
+    :wireguard => {
+      :enabled => false
     }
   },
   :squid => {
diff --git a/roles/kokosnuss.rb b/roles/kokosnuss.rb
index 809601fd7..cebe596df 100644
--- a/roles/kokosnuss.rb
+++ b/roles/kokosnuss.rb
@@ -15,6 +15,9 @@ default_attributes(
       :prefix => "32",
       :gateway => "85.214.255.86"
     }
+    },
+    :wireguard => {
+      :enabled => false
     }
   },
   :squid => {
diff --git a/roles/konqi.rb b/roles/konqi.rb
index 8b529781d..6744ee3ce 100644
--- a/roles/konqi.rb
+++ b/roles/konqi.rb
@@ -23,6 +23,9 @@ default_attributes(
       :prefix => "64",
       :gateway => "2a02:180:1:1::1"
     }
+    },
+    :wireguard => {
+      :enabled => false
     }
   },
   :squid => {
diff --git a/roles/rimfaxe.rb b/roles/rimfaxe.rb
index 383f75490..f130d03e4 100644
--- a/roles/rimfaxe.rb
+++ b/roles/rimfaxe.rb
@@ -23,6 +23,9 @@ default_attributes(
       :prefix => "64",
       :gateway => "2001:878:346::97"
     }
+    },
+    :wireguard => {
+      :enabled => false
     }
   },
   :squid => {
diff --git a/roles/simurgh.rb b/roles/simurgh.rb
index d1a0289da..011afdce4 100644
--- a/roles/simurgh.rb
+++ b/roles/simurgh.rb
@@ -15,6 +15,9 @@ default_attributes(
       :prefix => "24",
       :gateway => "94.20.20.1"
     }
+    },
+    :wireguard => {
+      :enabled => false
     }
   },
   :squid => {
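Review bot: The added `:wireguard => { :enabled => false }` override in roles/glaedr.rb gives no indication of why this host is excluded now that the cookbook default is `true`; the same unexplained opt-out is repeated in roles/gorwen.rb, roles/jakelong.rb, roles/kokosnuss.rb, roles/konqi.rb, roles/rimfaxe.rb and roles/simurgh.rb. A one-line comment on the added block, such as `# host cannot run wireguard; see commit message` if that is the reason, would tell a later maintainer when the override can be dropped. The `default_attributes(` call starts before the hunk and ends after it.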