bundles/wireguard: move iptables rules to metadata reactor

2021-03-21 15:26:29 +01:00 · 2021-03-21 15:26:29 +01:00 · 6a6198c9b9
parent 559f743ce2
commit 6a6198c9b9
2 changed files with 18 additions and 1 deletions
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
    'apt': {
        'packages': {
@ -15,7 +17,6 @@ defaults = {
    'iptables': {
        'bundle_rules': {
            'wireguard': [
-                'iptables_both -A INPUT -p udp --dport 51820 -j ACCEPT',
                'iptables_both -A FORWARD -i wg0 -j ACCEPT',
                'iptables_both -A FORWARD -o wg0 -j ACCEPT',
            ],
@ -102,3 +103,16 @@ def icinga2(metadata):
            },
        },
    }
+
+
+@metadata_reactor.provides(
+    'iptables/port_rules',
+)
+def iptables(metadata):
+    return {
+        'iptables': {
+            'port_rules': {
+                '51820/udp': atomic(metadata.get('wireguard/restrict-to', set(metadata.get('wireguard/peers', {}).keys()))),
+            },
+        },
+    }
--- a/nodes/ovh/wireguard.py
+++ b/nodes/ovh/wireguard.py
@ -37,6 +37,9 @@ nodes['ovh.wireguard'] = {
                    'exclude_from_monitoring': True,
                },
            },
+            'restrict-to': {
+                '*',
+            },
        },
    },
 }