ansible-role-wireguard/templates/etc/wireguard/wg.conf.j2

#jinja2: lstrip_blocks:"True",trim_blocks:"True"
{# Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 #}
# {{ ansible_managed }}

[Interface]
# {{ inventory_hostname }}
Address = {{ wireguard_address }}
PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }}
{% if wireguard_dns is defined %}
DNS = {{ wireguard_dns }}
{% endif %}
{% if wireguard_fwmark is defined %}
FwMark = {{ wireguard_fwmark }}
{% endif %}
{% if wireguard_mtu is defined %}
MTU = {{ wireguard_mtu }}
{% endif %}
{% if wireguard_table is defined %}
Table = {{ wireguard_table }}
{% endif %}
{% if wireguard_preup is defined %}
{% for wg_preup in wireguard_preup %}
PreUp = {{ wg_preup }}
{% endfor %}
{% endif %}
{% if wireguard_postup is defined %}
{% for wg_postup in wireguard_postup %}
PostUp = {{ wg_postup }}
{% endfor %}
{% endif %}
{% if wireguard_predown is defined %}
{% for wg_predown in wireguard_predown %}
PreDown = {{ wg_predown }}
{% endfor %}
{% endif %}
{% if wireguard_postdown is defined %}
{% for wg_postdown in wireguard_postdown %}
PostDown = {{ wg_postdown }}
{% endfor %}
{% endif %}
{% if wireguard_save_config is defined %}
SaveConfig = {{ wireguard_save_config }}
{% endif %}
{% for host in ansible_play_hosts %}
{%   if host != inventory_hostname %}

[Peer]
# {{ host }}
PublicKey = {{hostvars[host].wireguard__fact_public_key}}
{%     if hostvars[host].wireguard_allowed_ips is defined %}
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
{%     else %}
AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32
{%     endif %}
{%     if hostvars[host].wireguard_persistent_keepalive is defined %}
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
{%     endif %}
{%     if (
         hostvars[host].wireguard_dc is defined and
         wireguard_dc is defined and
         wireguard_dc['name'] != hostvars[host].wireguard_dc['name']
       )
%}
Endpoint = {{hostvars[host].wireguard_dc['endpoint']}}:{{hostvars[host].wireguard_dc['port']}}
{%     elif hostvars[host].wireguard_port is defined %}
{%       if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
{%       else %}
Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
{%       endif %}
{%     elif hostvars[host].wireguard_endpoint is defined %}
{%       if hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
{%       else %}
# No endpoint defined for this peer
{%       endif %}
{%     else %}
Endpoint = {{host}}:{{wireguard_port}}
{%     endif %}
{%   endif %}
{% endfor %}
{% if wireguard_unmanaged_peers is defined %}

# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
{% for peer in wireguard_unmanaged_peers.keys() %}
[Peer]
# {{ peer }}
PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
{%     if wireguard_unmanaged_peers[peer].preshared_key is defined %}
PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
{%     endif %}
{%     if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
{%     endif %}
{%     if wireguard_unmanaged_peers[peer].endpoint is defined %}
Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
{%     endif %}
{%     if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
{%     endif %}
{%   endfor %}
{% endif %}
Inital implementation (#1) * initial implementation - part 1 * first working version * add handler * separate includes for Debian based and Archlinux OS * refactor * update * add meta tag * added ArchLinux to galaxy meta info * rename file / add more Wiregurad config options * fix typo * update README * update README * fixed typos * update README / variable rename: wireguard_ip -> wireguard_address 2018-08-12 22:21:45 +02:00			`#jinja2: lstrip_blocks:"True",trim_blocks:"True"`
Change restart handling / add very basic unit test (#156) * move register if config/private key handling out of wg subcommands block * allow user to specify WireGuard interface restart behavior * update README * numeric values in meta/main.yml should be strings * update Copyright * fix indentation in tasks/setup-debian.yml * update Copyright * update Copyright * truthy values should be lowercase * add namespace key again to meta/main.yml * add molecule/kvm/verify.yml with a very basic unit test 2022-05-05 00:03:25 +02:00			`{# Copyright (C) 2018-2022 Robert Wimmer`
REUSE Specification v3.0 and other minor stuff (#76) * Add editor fold sections * Remove trailing whitespace * Make the repo compliant with REUSE Specification v3.0 Closes: #71 Email addresses have all been removed from this commit as requested by githubixx. * Use common namespace "wireguard" for role facts * Fix typo * Explicitly state that GPL-3.0-or-later applies Closes: #72 2020-10-11 23:04:28 +02:00			`# SPDX-License-Identifier: GPL-3.0-or-later`
			`#}`
Add ansible_managed header to templates files 2020-09-13 23:02:57 +02:00			`# {{ ansible_managed }}`

Inital implementation (#1) * initial implementation - part 1 * first working version * add handler * separate includes for Debian based and Archlinux OS * refactor * update * add meta tag * added ArchLinux to galaxy meta info * rename file / add more Wiregurad config options * fix typo * update README * update README * fixed typos * update README / variable rename: wireguard_ip -> wireguard_address 2018-08-12 22:21:45 +02:00			`[Interface]`
Add interface options (#30) * add missing options for WG interface definition * fix typo * add host comments to WG config file * remove IP forwarding again * fix README 2019-11-05 22:55:04 +01:00			`# {{ inventory_hostname }}`
Consistent use of spaces in Jinja2 print expressions 2020-09-19 21:37:33 +02:00			`Address = {{ wireguard_address }}`
Add wireguard_private_key variable (#69) * Fix check mode for Debian * Add wireguard_private_key variable * Release 7.6.0 * Fix undefined `wg_syncconf` when using tags 2020-10-12 23:07:02 +02:00			`PrivateKey = {{ wireguard_private_key }}`
Use common namespace "wireguard" for role facts 2020-09-13 23:00:10 +02:00			`ListenPort = {{ wireguard_port }}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_dns is defined %}`
Consistent use of spaces in Jinja2 print expressions 2020-09-19 21:37:33 +02:00			`DNS = {{ wireguard_dns }}`
Inital implementation (#1) * initial implementation - part 1 * first working version * add handler * separate includes for Debian based and Archlinux OS * refactor * update * add meta tag * added ArchLinux to galaxy meta info * rename file / add more Wiregurad config options * fix typo * update README * update README * fixed typos * update README / variable rename: wireguard_ip -> wireguard_address 2018-08-12 22:21:45 +02:00			`{% endif %}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_fwmark is defined %}`
Consistent use of spaces in Jinja2 print expressions 2020-09-19 21:37:33 +02:00			`FwMark = {{ wireguard_fwmark }}`
Add interface options (#30) * add missing options for WG interface definition * fix typo * add host comments to WG config file * remove IP forwarding again * fix README 2019-11-05 22:55:04 +01:00			`{% endif %}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_mtu is defined %}`
Consistent use of spaces in Jinja2 print expressions 2020-09-19 21:37:33 +02:00			`MTU = {{ wireguard_mtu }}`
Add interface options (#30) * add missing options for WG interface definition * fix typo * add host comments to WG config file * remove IP forwarding again * fix README 2019-11-05 22:55:04 +01:00			`{% endif %}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_table is defined %}`
Consistent use of spaces in Jinja2 print expressions 2020-09-19 21:37:33 +02:00			`Table = {{ wireguard_table }}`
Add interface options (#30) * add missing options for WG interface definition * fix typo * add host comments to WG config file * remove IP forwarding again * fix README 2019-11-05 22:55:04 +01:00			`{% endif %}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_preup is defined %}`
			`{% for wg_preup in wireguard_preup %}`
Ability to create multiple postup/postdown/preup/predown commands (#35) * Allow multiple PreUp, PreDown, PostUp and PostDown commands * Added example for multiple postup/postdown commands 2020-01-20 21:07:08 +01:00			`PreUp = {{ wg_preup }}`
			`{% endfor %}`
Add interface options (#30) * add missing options for WG interface definition * fix typo * add host comments to WG config file * remove IP forwarding again * fix README 2019-11-05 22:55:04 +01:00			`{% endif %}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_postup is defined %}`
			`{% for wg_postup in wireguard_postup %}`
Ability to create multiple postup/postdown/preup/predown commands (#35) * Allow multiple PreUp, PreDown, PostUp and PostDown commands * Added example for multiple postup/postdown commands 2020-01-20 21:07:08 +01:00			`PostUp = {{ wg_postup }}`
			`{% endfor %}`
Inital implementation (#1) * initial implementation - part 1 * first working version * add handler * separate includes for Debian based and Archlinux OS * refactor * update * add meta tag * added ArchLinux to galaxy meta info * rename file / add more Wiregurad config options * fix typo * update README * update README * fixed typos * update README / variable rename: wireguard_ip -> wireguard_address 2018-08-12 22:21:45 +02:00			`{% endif %}`
General improvements (#138) * Rearrange hooks to match lifecycle order * Fully qualify module names BREAKING CHANGE: To use FQCNs at least Ansible 2.9 is required [2]. From the commonly presented note in the Ansible documentation, e. g. of Ansible's builtin debug module [1]: [...] we recommend you use the FQCN for easy linking to the module documentation and to avoid conflicting with other collections that may have the same module name. [1]: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/debug_module.html [2]: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#where-did-all-the-modules-go * Update changelog 2022-01-14 23:43:04 +01:00			`{% if wireguard_predown is defined %}`
			`{% for wg_predown in wireguard_predown %}`
			`PreDown = {{ wg_predown }}`
			`{% endfor %}`
			`{% endif %}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_postdown is defined %}`
			`{% for wg_postdown in wireguard_postdown %}`
Ability to create multiple postup/postdown/preup/predown commands (#35) * Allow multiple PreUp, PreDown, PostUp and PostDown commands * Added example for multiple postup/postdown commands 2020-01-20 21:07:08 +01:00			`PostDown = {{ wg_postdown }}`
			`{% endfor %}`
Inital implementation (#1) * initial implementation - part 1 * first working version * add handler * separate includes for Debian based and Archlinux OS * refactor * update * add meta tag * added ArchLinux to galaxy meta info * rename file / add more Wiregurad config options * fix typo * update README * update README * fixed typos * update README / variable rename: wireguard_ip -> wireguard_address 2018-08-12 22:21:45 +02:00			`{% endif %}`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`{% if wireguard_save_config is defined %}`
honor wireguard_save_config value (#149) * honor wireguard_save_config value * update CHANGELOG 2022-02-17 22:55:25 +01:00			`SaveConfig = {{ wireguard_save_config }}`
Inital implementation (#1) * initial implementation - part 1 * first working version * add handler * separate includes for Debian based and Archlinux OS * refactor * update * add meta tag * added ArchLinux to galaxy meta info * rename file / add more Wiregurad config options * fix typo * update README * update README * fixed typos * update README / variable rename: wireguard_ip -> wireguard_address 2018-08-12 22:21:45 +02:00			`{% endif %}`
Merge stateless idea with no local storage of public and private keys, support multiple interface per hosts using several groups (#29) * merge stateless with no storage of local priv key * Delete locally stored private key * add reload module on update config file * privatekey template is not used anymore * remove all local keys priv and public * use ansible_play_hosts instead of hardcoded vpn grp should use the group in the play calling the role. works fine when hosts bellong to several groups * Clean tasks names * add tag, and cleanup * fix private key creation * Support for mutliple wireguard vpn on same host add inventory exemple in readme * fix typo, add some comment on inventory * add wg-config tag to Check config: allow run with -t - wg-config * Update tasks/main.yml Co-Authored-By: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * remove trailing whitespace * Update templates/wg.conf.j2 Co-Authored-By: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Update templates/wg.conf.j2 Co-Authored-By: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * changes after githubixx code review * readd new line to separate peers in config 2019-11-02 20:39:47 +01:00			`{% for host in ansible_play_hosts %}`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`{% if host != inventory_hostname %}`
REUSE Specification v3.0 and other minor stuff (#76) * Add editor fold sections * Remove trailing whitespace * Make the repo compliant with REUSE Specification v3.0 Closes: #71 Email addresses have all been removed from this commit as requested by githubixx. * Use common namespace "wireguard" for role facts * Fix typo * Explicitly state that GPL-3.0-or-later applies Closes: #72 2020-10-11 23:04:28 +02:00
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`[Peer]`
			`# {{ host }}`
Use common namespace "wireguard" for role facts 2020-09-13 23:00:10 +02:00			`PublicKey = {{hostvars[host].wireguard__fact_public_key}}`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`{% if hostvars[host].wireguard_allowed_ips is defined %}`
			`AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}`
			`{% else %}`
Move wireguard_ip template code to template where it belongs Instead of redundant set_fact task. 2020-09-20 00:39:14 +02:00			`AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`{% endif %}`
			`{% if hostvars[host].wireguard_persistent_keepalive is defined %}`
			`PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}`
			`{% endif %}`
			`{% if (`
			`hostvars[host].wireguard_dc is defined and`
Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. 2020-09-19 21:31:11 +02:00			`wireguard_dc is defined and`
			`wireguard_dc['name'] != hostvars[host].wireguard_dc['name']`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`)`
			`%}`
			`Endpoint = {{hostvars[host].wireguard_dc['endpoint']}}:{{hostvars[host].wireguard_dc['port']}}`
Remove unnecessary and buggy check preventing proper port from being set in peers (#112) 2022-01-16 14:53:58 -05:00			`{% elif hostvars[host].wireguard_port is defined %}`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`{% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}`
			`Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}`
			`{% else %}`
			`Endpoint = {{host}}:{{hostvars[host].wireguard_port}}`
			`{% endif %}`
Check if wireguard_endpoint exists before checking if it is empty (#92) 2021-04-08 15:18:05 -06:00			`{% elif hostvars[host].wireguard_endpoint is defined %}`
			`{% if hostvars[host].wireguard_endpoint != "" %}`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}`
Check if wireguard_endpoint exists before checking if it is empty (#92) 2021-04-08 15:18:05 -06:00			`{% else %}`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`# No endpoint defined for this peer`
Check if wireguard_endpoint exists before checking if it is empty (#92) 2021-04-08 15:18:05 -06:00			`{% endif %}`
proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`{% else %}`
			`Endpoint = {{host}}:{{wireguard_port}}`
			`{% endif %}`
			`{% endif %}`
Inital implementation (#1) * initial implementation - part 1 * first working version * add handler * separate includes for Debian based and Archlinux OS * refactor * update * add meta tag * added ArchLinux to galaxy meta info * rename file / add more Wiregurad config options * fix typo * update README * update README * fixed typos * update README / variable rename: wireguard_ip -> wireguard_address 2018-08-12 22:21:45 +02:00			`{% endfor %}`
Add support for unmanaged WireGuard peers (#63) * Add support for unmanaged WireGuard peers Add variable wireguard_extra_peer_config that is raw WireGuard configuration appended to the peers section. Value is a string containing arbitrary wg-quick syntax. This closes #41, and closes #45. * update CHANGELOG (#63) * Change unmanaged peers to dictionary instead of string Based on review comment by @j8r in #63. * README: update preshared_key example Update wireguard_unmanaged_peers example for preshared_key. Make it a comment to highlight it is optional and should probably be handled like other secrets. * Clean up jinja2 syntax Based on review comments. * Remove unneeded if of required public_key The public_key is required for a wireguard peer so remove the if from wireguard_unmanaged_peers public_key. The effect is that it is a syntax error from Ansible rather than failing config validation when the config has already been written and fails to load. 2020-09-15 22:58:04 +03:00			`{% if wireguard_unmanaged_peers is defined %}`

proper formatting of WireGuard config file / add wireguard_dc variable (#74) 2020-09-22 23:37:00 +02:00			`# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable`
			`{% for peer in wireguard_unmanaged_peers.keys() %}`
			`[Peer]`
			`# {{ peer }}`
			`PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}`
			`{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}`
			`PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}`
			`{% endif %}`
			`{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}`
			`AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}`
			`{% endif %}`
			`{% if wireguard_unmanaged_peers[peer].endpoint is defined %}`
			`Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}`
			`{% endif %}`
			`{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}`
			`PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}`
			`{% endif %}`
			`{% endfor %}`
Add support for unmanaged WireGuard peers (#63) * Add support for unmanaged WireGuard peers Add variable wireguard_extra_peer_config that is raw WireGuard configuration appended to the peers section. Value is a string containing arbitrary wg-quick syntax. This closes #41, and closes #45. * update CHANGELOG (#63) * Change unmanaged peers to dictionary instead of string Based on review comment by @j8r in #63. * README: update preshared_key example Update wireguard_unmanaged_peers example for preshared_key. Make it a comment to highlight it is optional and should probably be handled like other secrets. * Clean up jinja2 syntax Based on review comments. * Remove unneeded if of required public_key The public_key is required for a wireguard peer so remove the if from wireguard_unmanaged_peers public_key. The effect is that it is a syntax error from Ansible rather than failing config validation when the config has already been written and fails to load. 2020-09-15 22:58:04 +03:00			`{% endif %}`