infrastructure/ansible/roles/network/templates/wireguard.conf.j2

[Interface]
Address = {{ vpn_ip }}
PostUp = wg set %i private-key <(cat /etc/wireguard/privkey)
ListenPort = 51820

{% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
[Peer]
PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}
Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}
AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32
PersistentKeepalive = 25
{% endfor %}

{% for host in other_vpn_nodes %}
[Peer]
PublicKey = {{ host.pubkey }}
Endpoint = {{ host.public_ip }}:{{ host.public_vpn_port }}
AllowedIPs = {{ host.vpn_ip }}/32
PersistentKeepalive = 25
{% endfor %}
Set up wireguard in dev cluster 2020-05-21 13:27:09 +00:00			`[Interface]`
			`Address = {{ vpn_ip }}`
don't retrieve wireguard privkeys in ansible 2020-05-23 15:16:25 +00:00			`PostUp = wg set %i private-key <(cat /etc/wireguard/privkey)`
Set up wireguard in dev cluster 2020-05-21 13:27:09 +00:00			`ListenPort = 51820`

			`{% for selected_host in groups['cluster_nodes']\|difference([inventory_hostname]) %}`
			`[Peer]`
			`PublicKey = {{ hostvars[selected_host].wireguard_pubkey.stdout }}`
			`Endpoint = {{ hostvars[selected_host].public_ip }}:{{ hostvars[selected_host].public_vpn_port }}`
			`AllowedIPs = {{ hostvars[selected_host].vpn_ip }}/32`
			`PersistentKeepalive = 25`
			`{% endfor %}`
Allow external VPN nodes, make multi-DC deployment work 2020-05-21 21:41:39 +00:00
			`{% for host in other_vpn_nodes %}`
			`[Peer]`
			`PublicKey = {{ host.pubkey }}`
			`Endpoint = {{ host.public_ip }}:{{ host.public_vpn_port }}`
			`AllowedIPs = {{ host.vpn_ip }}/32`
			`PersistentKeepalive = 25`
			`{% endfor %}`