From 6a6198c9b9ac4930e64774cc4f1037ae40aa9021 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 21 Mar 2021 15:26:29 +0100
Subject: [PATCH] bundles/wireguard: move iptables rules to metadata reactor
---
 bundles/wireguard/metadata.py | 16 +++++++++++++++-
 nodes/ovh/wireguard.py | 3 +++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index d771613..d861865 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
 'apt': {
 'packages': {
@@ -15,7 +17,6 @@ defaults = {
 'iptables': {
 'bundle_rules': {
 'wireguard': [
- 'iptables_both -A INPUT -p udp --dport 51820 -j ACCEPT',
 'iptables_both -A FORWARD -i wg0 -j ACCEPT',
 'iptables_both -A FORWARD -o wg0 -j ACCEPT',
 ],
@@ -102,3 +103,16 @@ def icinga2(metadata):
 },
 },
 }
+
+
+@metadata_reactor.provides( 'iptables/port_rules', ) def iptables(metadata): return { 'iptables': { 'port_rules': { '51820/udp': atomic(metadata.get('wireguard/restrict-to', set(metadata.get('wireguard/peers', {}).keys()))), }, }, }
diff --git a/nodes/ovh/wireguard.py b/nodes/ovh/wireguard.py
index b1c9e12..2d6efba 100644
--- a/nodes/ovh/wireguard.py
+++ b/nodes/ovh/wireguard.py
@@ -37,6 +37,9 @@ nodes['ovh.wireguard'] = {
 'exclude_from_monitoring': True,
 },
 },
+ 'restrict-to': { '*', },
 },
 },
 }
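Review bot: The new `iptables` reactor in bundles/wireguard/metadata.py has no docstring, and its single long return line hides that `wireguard/restrict-to`, when set, replaces rather than extends the peer-derived default — a node with an empty `restrict-to` set closes 51820/udp entirely, while a node without it now gets the port limited to the keys of `wireguard/peers` instead of the unconditional INPUT rule this commit deletes. I would compute the source set in a named local before the return, `restrict_to = metadata.get('wireguard/restrict-to', set(metadata.get('wireguard/peers', {})))`, and add a docstring that states exactly that precedence and the effect of an empty set. Whether the iptables bundle accepts the keys of `wireguard/peers` as source addresses, and `'*'` (used in nodes/ovh/wireguard.py) as "any source", is not visible in this diff; that should be confirmed and written into the docstring rather than left implied by the default.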
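Review bot: `'restrict-to': {'*'}` in nodes/ovh/wireguard.py presumably re-opens 51820/udp to any source for this node, restoring what the deleted INPUT rule did, but nothing in the diff records that `'*'` is a recognised wildcard for `iptables/port_rules` or why this node is exempt from the peer-based default the reactor now applies. A one-line comment above the key, `# '*': accept 51820/udp from any source — [reason this node cannot be limited to its peers]`, would make the exemption reviewable the next time someone audits exposed ports. The enclosing `nodes['ovh.wireguard']` dict starts before the hunk.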