infra/roles/wireguard/templates/wg0.conf.j2

{% set wg = wg_clients[inventory_hostname] %}

## NEW

[Interface]
Address = {{ wg.ip }}/24
{% if wg.listen|default(false) %}
ListenPort = {{ wireguard_port }}
{% endif %}
PrivateKey = {{ lookup('file', 'private/wireguard/' + inventory_hostname ) }}
#SaveConfig = true
PostUp = /usr/local/bin/wg-post-up.sh
{% if wireguard_dns and wg.dns|default(true) -%}
DNS = {{ wireguard_dns_server | default(pihole_dns) }}
{% endif %}

{% if not wg.listen|default(false) %}
{% set endpoint = wg.endpoint|default(wg_endpoint) %}
## connect via: {{ endpoint }}

[Peer]
Endpoint = {{ wg.endpoint_addr|default(endpoint) }}:{{ wireguard_port }}
PublicKey = {{ lookup('file', 'private/wireguard/' + endpoint + '.pub' ) }}
{% if 'endpoint_allowed' in wg -%}
AllowedIPs = {{ wg.endpoint_allowed | join(", ") }}
{% else -%}
AllowedIPs = {{ wireguard_cidr }}, {{ s21_cidr }}, {{ ls54_cidr }}
{% endif %}
PersistentKeepalive = 25
{% else %}

## connections to other peers
  {% for peer_name, peer in wg_clients.items() %}
    {% if peer.listen|default(false) and peer_name != inventory_hostname %}

# {{ peer_name }}
[Peer]
{% if not peer.wg_is_primary_dns|default(false) -%}
Endpoint = {{ peer_name }}:{{ wireguard_port }}
{% endif %}
PublicKey = {{ lookup('file', 'private/wireguard/' + peer_name + '.pub' ) }}
{% if 'allowed' in peer %}
AllowedIPs = {{ peer.ip }}/32, {{ peer.allowed|join(", ") }}
{% else %}
AllowedIPs = {{ peer.ip }}/32
{% endif %}
PersistentKeepalive = 25

    {% endif %}
  {% endfor %}
{% endif %}


{% for peer_name in wg['clients'] | default([]) %}
{% set inbound_peer = wg_clients[peer_name] %}
# inbound peer: {{ peer_name }}
[Peer]
PublicKey = {{ lookup('file', 'private/wireguard/' + peer_name + '.pub' ) }}
{% if 'allowed' in inbound_peer %}
AllowedIPs = {{ inbound_peer.ip }}/32, {{ inbound_peer.allowed|join(", ") }}
{% else %}
AllowedIPs = {{ inbound_peer.ip }}/32
{% endif %}
PersistentKeepalive = {{ inbound_peer.persistent_keepalive|default('25') }}

{% endfor %}