From c5164ff8f9c6e835e2ea95586a4a07f5e75a1964 Mon Sep 17 00:00:00 2001
From: vincent
Date: Tue, 13 Sep 2022 18:03:09 +0200
Subject: [PATCH 1/3] add by host custom allowed ips

---
 README.md | 4 ++++
 templates/etc/wireguard/wg.conf.j2 | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ae64207b..4368b42a 100644
--- a/README.md
+++ b/README.md
@@ -243,6 +243,9 @@ You can specify further optional settings (they don't have a default and won't b
 ```yaml
 wireguard_allowed_ips: ""
+wireguard_byhost_allowed_ips:
+ host1: 10.0.0.2,192.168.1.41,192.168.1.0/24
+
 wireguard_endpoint: "host1.domain.tld"
 wireguard_persistent_keepalive: "30"
 wireguard_dns: "1.1.1.1"
@@ -288,6 +291,7 @@ One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) i
 Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
+with `wireguard_byhost_allowed_ips` you can provide a dict with inventory name in key to custom allowed ip by host
 First, here is a part of my Ansible `hosts` file:
 ```ini
diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2
index bf9681a5..9e259959 100644
--- a/templates/etc/wireguard/wg.conf.j2
+++ b/templates/etc/wireguard/wg.conf.j2
@@ -57,7 +57,9 @@ SaveConfig = {{ wireguard_save_config }}
 [Peer]
 # {{ host }}
 PublicKey = {{hostvars[host].wireguard__fact_public_key}}
-{% if hostvars[host].wireguard_allowed_ips is defined %}
+{% if hostvars[host].wireguard_byhost_allowed_ips[inventory_hostname] is defined%}
+AllowedIPs = {{hostvars[host].wireguard_byhost_allowed_ips[inventory_hostname]}}
+{% elif hostvars[host].wireguard_allowed_ips is defined %}
 AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
 {% else %}
 {% if wireguard_address is defined %}

From e81eefd88383f124111082ecadf83055d2054b0f Mon Sep 17 00:00:00 2001
From: vincent
Date: Sat, 23 Dec 2023 10:33:21 +0100
Subject: [PATCH 2/3] chore: add .galaxy_install_info to gitignore

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index df7a7f76..d8034f1c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 molecule/kvm/.vagrant
+meta/.galaxy_install_info

From 4c34029c8203c697eec6bfdf409f15616fcd072b Mon Sep 17 00:00:00 2001
From: vincent
Date: Tue, 30 Dec 2025 17:23:27 +0100
Subject: [PATCH 3/3] fix: ansible compatibility

---
 handlers/main.yml | 2 +-
 templates/etc/wireguard/wg.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 84dca6d8..7a843bb9 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -10,7 +10,7 @@
 - stopped
 - started
 when:
- wireguard__restart_interface
+ - wireguard__restart_interface != none
 - not ansible_os_family == 'Darwin'
 - wireguard_service_enabled == "yes"
 listen: "reconfigure wireguard"
diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2
index 9e259959..7a1ff9b2 100644
--- a/templates/etc/wireguard/wg.conf.j2
+++ b/templates/etc/wireguard/wg.conf.j2
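Review bot: The new `{% if hostvars[host].wireguard_byhost_allowed_ips[inventory_hostname] is defined%}` branch indexes the peer's dict without first checking that `wireguard_byhost_allowed_ips` exists on that peer; Ansible's undefined object appears to tolerate the nested lookup, but the intent is clearer, and a non-dict value fails loudly rather than oddly, with `{% if hostvars[host].wireguard_byhost_allowed_ips is defined and inventory_hostname in hostvars[host].wireguard_byhost_allowed_ips %}`. The lookup direction deserves a comment, because the override for this peer is read from the peer's own hostvars keyed by the rendering host's `inventory_hostname`, e.g. `{# per-peer override: the peer's wireguard_byhost_allowed_ips entry keyed by the host this config is rendered for #}`. Since AllowedIPs is WireGuard's cryptokey routing table (it decides both which source addresses are accepted from this peer and which destinations are routed to it) and the value is rendered verbatim, an over-broad prefix here silently widens what the peer may send and receive, so the README entry should state the expected comma-separated CIDR form. Minor style: `is defined%}` lacks the space before `%}` used by the surrounding tags, and the `{% endif %}` closing this chain lies outside the hunk.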
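Review bot: `- wireguard__restart_interface != none` is not equivalent to the truthiness test it replaces: an empty string or `false` now satisfies the condition and restarts the interface where the old line skipped it. Where the fact is set is outside this hunk (the handler's task header starts above `- stopped`), so I cannot confirm whether those values can occur. If the intent is "fact was set", the Jinja idiom is `- wireguard__restart_interface is not none`; if the old truthiness was intended and the change only serves the stricter boolean requirement on `when` in newer ansible-core, `- wireguard__restart_interface is truthy` keeps the previous behaviour while still yielding a boolean.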
@@ -1,4 +1,4 @@
-#jinja2: lstrip_blocks:"True",trim_blocks:"True"
+#jinja2: lstrip_blocks:True,trim_blocks:True
 {# Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later #}