bundles/wireguard: move iptables rules to metadata reactor
This commit is contained in:
parent
559f743ce2
commit
6a6198c9b9
2 changed files with 18 additions and 1 deletions
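--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
 'apt': {
 'packages': {
@@ -15,7 +17,6 @@ defaults = {
 'iptables': {
 'bundle_rules': {
 'wireguard': [
-'iptables_both -A INPUT -p udp --dport 51820 -j ACCEPT',
 'iptables_both -A FORWARD -i wg0 -j ACCEPT',
 'iptables_both -A FORWARD -o wg0 -j ACCEPT',
 ],
@@ -102,3 +103,16 @@ def icinga2(metadata):
 },
 },
 }
+
+
+@metadata_reactor.provides(
+'iptables/port_rules',
+)
+def iptables(metadata):
+return {
+'iptables': {
+'port_rules': {
+'51820/udp': atomic(metadata.get('wireguard/restrict-to', set(metadata.get('wireguard/peers', {}).keys()))),
+},
+},
+}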
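Review bot: The `'51820/udp'` line in the new `iptables` reactor folds the override lookup, the peer lookup and the fallback into one expression, which hides what the rule is meant to express; two named locals and a short comment would make the intent readable. Note that the fallback yields `atomic(set())` for a node that defines neither `wireguard/restrict-to` nor any peers, and whether the iptables bundle then emits no rule or an unrestricted one is not visible here — worth confirming, because the removed `bundle_rules` entry accepted 51820/udp from any source and this reactor is what now replaces it. The rewritten body below keeps the same keys and the same `atomic(...)` wrapping.
```python
def iptables(metadata):
    # Default to the configured peer names so the listener is only reachable
    # from known peers; a node may override via 'wireguard/restrict-to'.
    peers = metadata.get('wireguard/peers', {})
    allowed_sources = metadata.get('wireguard/restrict-to', set(peers.keys()))
    return {
        'iptables': {
            'port_rules': {
                '51820/udp': atomic(allowed_sources),
            },
        },
    }
```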
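--- a/PATH-NOT-SHOWN-2
+++ b/PATH-NOT-SHOWN-2
@@ -37,6 +37,9 @@ nodes['ovh.wireguard'] = {
 'exclude_from_monitoring': True,
 },
 },
+'restrict-to': {
+'*',
+},
 },
 },
 }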
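Review bot: The added `'restrict-to': {'*'}` for `ovh.wireguard` presumably means "any source", which re-opens 51820/udp to the world for this node while the bundle default now limits it to known peers, and nothing in the hunk says why this node is the exception. A one-line comment above the key, e.g. `# roaming peers have no fixed source address, so the listener must stay open here` (adjusted to the real reason), would stop a later cleanup from tightening it without understanding the consequence. The enclosing `nodes['ovh.wireguard']` dict starts outside the hunk, so the wildcard's exact semantics come from the iptables bundle and are not visible on this page.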