cluster: fix wg1.conf generator

Signed-off-by: Nagy Károly Gábriel <k@jpi.io>

pkg/cluster/rings.go

@@ -6,6 +6,7 @@ import (
 	"net/netip"
 	"strconv"
 
+	"darvaza.org/core"
 	"git.jpi.io/amery/jpictl/pkg/rings"
 	"git.jpi.io/amery/jpictl/pkg/wireguard"
 )
@@ -225,17 +226,28 @@ func (r *Ring) setRingZeroAllowedIPs(rp *RingPeer) {
 	rp.AllowCIDR(rp.Address, 32)
 }
 
+// revive:disable:cognitive-complexity
 func (r *Ring) setRingOneGatewayAllowedIPs(rp *RingPeer) {
+	// revive:enable:cognitive-complexity
 	regionID, zoneID, _, _ := r.Decode(rp.Address)
 
 	// peer
 	rp.AllowCIDR(rp.Address, 32)
 
 	// ring1 gateways connect to all other ring1 networks
-	r.ForEachZone(func(z *Zone) bool {
-		if !z.Is(regionID, zoneID) {
-			subnet := z.RingOnePrefix()
-			rp.AllowSubnet(subnet)
+	m, ok := r.ZoneIterator.(RegionIterator)
+	if !ok {
+		panic("Cannot iterate Region from Zone")
+	}
+	m.ForEachRegion(func(r2 *Region) bool {
+		if r2.IsPrimary() {
+			r.ForEachZone(func(z *Zone) bool {
+				if !z.Is(regionID, zoneID) {
+					subnet := z.RingOnePrefix()
+					rp.AllowSubnet(subnet)
+				}
+				return false
+			})
 		}
 		return false
 	})
@@ -316,7 +328,9 @@ func (rp *RingPeer) AllowCIDR(addr netip.Addr, bits int) {
 
 // AllowSubnet allows an IP range via this peer
 func (rp *RingPeer) AllowSubnet(subnet netip.Prefix) {
-	rp.PeerConfig.AllowedIPs = append(rp.PeerConfig.AllowedIPs, subnet)
+	if !core.SliceContains(rp.PeerConfig.AllowedIPs, subnet) {
+		rp.PeerConfig.AllowedIPs = append(rp.PeerConfig.AllowedIPs, subnet)
+	}
 }
 
 // NewRing composes a new Ring for Wireguard setup