path: root/roles/wireguard/templates/wg0.conf.j2
Diffstat (limited to 'roles/wireguard/templates/wg0.conf.j2')
-rw-r--r--roles/wireguard/templates/wg0.conf.j235
1 files changed, 35 insertions, 0 deletions
diff --git a/roles/wireguard/templates/wg0.conf.j2 b/roles/wireguard/templates/wg0.conf.j2
new file mode 100644
index 0000000..fca9a0b
--- /dev/null
+++ b/roles/wireguard/templates/wg0.conf.j2
@@ -0,0 +1,35 @@
+{{ ansible_managed | comment }}
+
+[Interface]
+PrivateKey = {{ wg_private_key }}
+Address = {{ wg_addr4 }}, {{ wg_addr6 }}
+ListenPort = {{ wg_listen_port }}
+SaveConfig = false
+
+{% if wg_firewall %}
+PostUp = iptables -t nat -A POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = iptables -A FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostUp = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostUp = ip6tables -A FORWARD -s {{ wg_addr6 }} -j ACCEPT
+PostDown = iptables -t nat -D POSTROUTING -s {{ wg_addr4 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = iptables -D FORWARD -s {{ wg_addr4 }} -j ACCEPT
+PostDown = ip6tables -t nat -A POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE
+PostDown = ip6tables -D FORWARD -s {{ wg_addr6 }} -j ACCEPT
+{% endif %}
+{% if wg_peers is defined %}
+{% for peer in wg_peers %}
+
+[Peer]
+PublicKey = {{ peer.public_key }}
+{% if peer.preshared_key is defined %}
+PresharedKey = {{ peer.preshared_key }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive is defined and peer.persistent_keepalive %}
+PersistentKeepalive = 25
+{% endif %}
+{% endfor %}
+{% endif %}
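Review bot: The ip6tables nat PostDown line (third PostDown, `ip6tables -t nat -A POSTROUTING ...`) uses `-A` where the matching teardown needs `-D`, so every `wg-quick down` appends a second MASQUERADE rule for {{ wg_addr6 }} instead of removing the one PostUp added, and the rules accumulate across restarts; it should read `PostDown = ip6tables -t nat -D POSTROUTING -s {{ wg_addr6 }} -m policy --pol none --dir out -j MASQUERADE`. The IPv4 PostDown lines already use `-D`, so only the IPv6 nat line is inconsistent. Separately, `PersistentKeepalive = 25` is hard-coded even though the condition checks the value of `peer.persistent_keepalive`; if that variable is meant to carry the interval, emit `PersistentKeepalive = {{ peer.persistent_keepalive }}`, otherwise a comment noting that it is treated as a boolean would avoid surprise.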