Compare commits

No commits in common. "master" and "5.0.0" have entirely different histories.

15 changed files with 130 additions and 415 deletions

View File

@ -1,59 +1,6 @@
Changelog Changelog
--------- ---------
**6.3.1**
- Support Openstack Debian images (contribution by @pallinger)
**6.3.0**
- Support Raspbian (contribution by @penguineer)
**6.2.0**
- Support Ubuntu 20.04 (Focal Fossa)
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before.
- As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases.
**6.1.0**
- Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package.
**6.0.4**
- Use the buster-backports repository on Debian Buster (or older), use package standard repositories on sid/bullseye.
standard repositories on sid/bullseye.
The role no longer adds the unstable _repo_ nor the _apt preference_ for that repo. There is no need to clean the preference and unstable repository, since packages from your release have a higher priority.
If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) updates from `unstable` are accepted by apt. This likely is not what you want and may lead to an unstable state.
If you want to clean up:
* remove `/etc/apt/preferences.d/limit-unstable` and
* remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.
The backports repository has a lower priority and does not need an apt preference.
**6.0.3**
- If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru)
**6.0.2**
- Debian: install `gnupg` package instead of `gpg`. (contribution by @zinefer)
**6.0.1**
- add shell options to syncconf handler to fail fast in case of error
**6.0.0**
- Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
**5.0.0**
- `wireguard_(preup|postdown|preup|predown)` settings are now a list. If more `iptables` commands needs to be specified e.g. then this changes makes it more readable. The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8). Also see README for more examples. (contribution by @Madic-)
**4.2.0** **4.2.0**
- Add support for Fedora (contribution by @ties) - Add support for Fedora (contribution by @ties)
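Review bot: the right-hand side drops every changelog entry from 5.0.0 up to 6.3.1, including the 6.0.4 entry that records why the `unstable` source and `/etc/apt/preferences.d/limit-unstable` were replaced by buster-backports, and it gives no entry of its own explaining the reversion. Since this compare is "master" against "5.0.0" with no common history, the "new" column is the older tree; if this is meant to be applied, add a changelog entry stating which behaviour is being reverted and why, rather than letting the newer entries vanish. Also, under 6.0.4 on the left the fragment `standard repositories on sid/bullseye.` appears twice in a row, which looks like a wrapped or duplicated line worth checking in the file itself.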

View File

@ -1,5 +1,3 @@
# Fork of https://github.com/githubixx/ansible-role-wireguard.git with some minor tweaks to ensure PiFrameFleet can be provisioned properly
ansible-role-wireguard ansible-role-wireguard
====================== ======================
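Review bot: the first line on the left (`# Fork of https://github.com/githubixx/ansible-role-wireguard.git ...`) is the only statement that this tree is a fork and where upstream lives; the right side removes it. If the fork relationship still holds, keep a one-line pointer to upstream above the title so readers know where fixes originate and where to report issues.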
@ -9,7 +7,7 @@ I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a whil
In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/). In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).
This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later) and CentOS 7 might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-) This role was tested with Ubuntu 18.04 (Bionic Beaver), Debian 9 (Stretch) and Archlinux. It might also work with Ubuntu 16.04 (Xenial Xerus) but haven't tested it. If someone tested it let me please know if it works ;-)
Versions Versions
-------- --------
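Review bot: the right side narrows the tested list to Ubuntu 18.04, Debian 9 and Archlinux, which is consistent with the platforms removed from meta/main.yml further down, so that part is fine. Style only, on both sides: "but haven't tested it" is missing its subject ("but I haven't tested it"), and "let me please know" reads better as "please let me know".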
@ -19,7 +17,7 @@ I tag every release and try to stay with [semantic versioning](http://semver.org
Requirements Requirements
------------ ------------
By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down. By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things.
Changelog Changelog
--------- ---------
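Review bot: both sides of the Requirements paragraph carry the typo `accessable` (accessible) and a trailing space inside the inline code `echo 1 > /proc/sys/net/ipv4/ip_forward `, which renders as part of the command. The right side also drops the closing sentence that names the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks as the place for interface-related network setup; that sentence is the README's only explanation of what those hooks are for, so keep it.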
@ -88,34 +86,13 @@ wireguard_dns: "1.1.1.1"
wireguard_fwmark: "1234" wireguard_fwmark: "1234"
wireguard_mtu: "1492" wireguard_mtu: "1492"
wireguard_table: "5000" wireguard_table: "5000"
wireguard_preup: wireguard_preup: "..."
- ... wireguard_predown: "..."
wireguard_predown: wireguard_postup: "..."
- ... wireguard_postdown: "..."
wireguard_postup:
- ...
wireguard_postdown:
- ...
wireguard_save_config: "true" wireguard_save_config: "true"
``` ```
`wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:
```
wireguard_postup:
- iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
- iptables -A FORWARD -i %i -j ACCEPT
- iptables -A FORWARD -o %i -j ACCEPT
```
```
wireguard_preup:
- echo 1 > /proc/sys/net/ipv4/ip_forward
- ufw allow 51820/udp
```
The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8).
`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s). `wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). 
If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role. Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
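Review bot: turning `wireguard_preup`, `wireguard_predown`, `wireguard_postup` and `wireguard_postdown` back from lists into single strings is a breaking change for any inventory written against 5.0.0 or later (the 5.0.0 changelog entry on the left introduced the list form), and the two `iptables`/`ufw` examples removed here together with the sentence about execution order per wg-quick.8 are the only documentation of how multiple hook commands are run. If the string form is what the fork wants, say explicitly that one command per hook is supported and how several commands should be chained, and call the change out in the changelog.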
@ -268,10 +245,10 @@ Example Playbook
- wireguard - wireguard
``` ```
Example Inventory using two different WireGuard interfaces on host "multi" Example Inventory using 2 different WireGuard interfaces on host multi
-------------------------------------------------------------------------- ----------------------------------------------------------------------
This is a complex example using yaml inventory format: This is a complex example using yaml inventory format
``` ```
vpn1: vpn1:
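Review bot: style only: the left side's heading, `Example Inventory using two different WireGuard interfaces on host "multi"`, with the hostname quoted, and the colon after `This is a complex example using yaml inventory format:` read more cleanly than the right side's variants; keep the left wording.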
@ -296,13 +273,10 @@ vpn1:
vpn2: vpn2:
hosts: hosts:
# Use a different name, and define ansible_host, to avoid mixing of vars without multi-wg1: # use a different name, and define ansible_host, to avoid mixing of vars without needing to prefix vars with interface name
# needing to prefix vars with interface name.
multi-wg1:
ansible_host: multi ansible_host: multi
wireguard_interface: wg1 wireguard_interface: wg1
# when using several interface on one host, we must use different ports wireguard_port: 51821 # when using several interface on one host, we must use different ports
wireguard_port: 51821
wireguard_address: 10.9.1.1/32 wireguard_address: 10.9.1.1/32
wireguard_endpoint: multi.exemple.com wireguard_endpoint: multi.exemple.com
another: another:
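Review bot: both sides use `multi.exemple.com` as the sample endpoint; `exemple.com` is not a reserved documentation domain, so a reader who copies the inventory verbatim would point peers at a host nobody in the example controls. Use `example.com` (reserved for documentation). Also, the right side moves the "must use different ports" comment onto the same line as `wireguard_port: 51821`; that is valid YAML but easy to overlook, and the left side's comment-above-key layout is clearer for the one setting that actually matters in a multi-interface setup.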

View File

@ -1,8 +1,4 @@
--- ---
#######################################
# General settings
#######################################
# Directory to store WireGuard configuration on the remote hosts # Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "/etc/wireguard" wireguard_remote_directory: "/etc/wireguard"
@ -11,17 +7,3 @@ wireguard_port: "51820"
# The default interface name that wireguard should use if not specified otherwise. # The default interface name that wireguard should use if not specified otherwise.
wireguard_interface: "wg0" wireguard_interface: "wg0"
# Whether or not WireGuard is running in a container
wireguard_containerized: false
#######################################
# Settings only relevant for Ubuntu
#######################################
# Set to "false" if package cache should not be updated
wireguard_ubuntu_update_cache: "true"
# Set package cache valid time
wireguard_ubuntu_cache_valid_time: "3600"
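Review bot: deleting `wireguard_containerized`, `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` from the defaults without a deprecation note silently changes behaviour for anyone who sets them: an inventory variable the role no longer reads is ignored without any error, so a host with `wireguard_containerized: true` would suddenly get the host-level `wg-quick@` service managed and restarted. The 6.2.0 changelog entry on the left documents the two Ubuntu cache variables; if they are removed, remove them from the README as well and record the removal in the changelog.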

View File

@ -0,0 +1,3 @@
Package: *
Pin: release a=unstable
Pin-Priority: 90
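Review bot: this pin gives `unstable` priority 90, below the default 500 and below 100, so a version from unstable is only chosen for packages that are not installed at all and are not provided by any higher-priority source, and installed packages are never upgraded from unstable. That is the only thing stopping `deb http://deb.debian.org/debian/ unstable main` (added in setup-debian.yml on the right) from upgrading the whole system; the 6.0.4 changelog entry on the left warns exactly that removing this file while the unstable source remains makes apt accept all updates from unstable. The left side's approach, `buster-backports`, needs no pin because the backports suite already carries a lower priority on its own, and keeps the host on packages built for its own release.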

View File

@ -2,27 +2,4 @@
- name: restart wireguard - name: restart wireguard
service: service:
name: "wg-quick@{{ wireguard_interface }}" name: "wg-quick@{{ wireguard_interface }}"
state: "{{ item }}" state: restarted
loop:
- stopped
- started
when: not wg_syncconf and not wireguard_containerized
listen: "reconfigure wireguard"
- name: syncconf wireguard
shell: |
set -o errexit
set -o pipefail
set -o nounset
systemctl is-active wg-quick@wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
exit 0
args:
executable: "/bin/bash"
when: wg_syncconf and not wireguard_containerized
listen: "reconfigure wireguard"
- name: restart wireguard (container)
command: /usr/bin/s6-svc -r /var/run/s6/services/wireguard
when: wireguard_containerized
listen: "reconfigure wireguard"
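Review bot: replacing the stop/start and `wg syncconf` handlers with a plain `state: restarted` means every configuration change (a new peer, a changed `AllowedIPs`) tears down all active tunnels on the host, which is exactly what the `wg syncconf` path on the left avoids on hosts whose `wg` supports it. One defect on the left side is worth fixing if that path is reinstated: the `is-active` check reads `wg-quick@wg-quick@{{ wireguard_interface|quote }}`, a doubled prefix naming a unit that never exists, so `systemctl start` is invoked on every run (harmless, since starting an active unit is a no-op, but the check should be `systemctl is-active wg-quick@{{ wireguard_interface|quote }}`). Keep `executable: "/bin/bash"` with it, since `<(wg-quick strip ...)` is process substitution and will not work under `/bin/sh`.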

View File

@ -8,11 +8,9 @@ galaxy_info:
- name: Ubuntu - name: Ubuntu
versions: versions:
- bionic - bionic
- focal
- name: Debian - name: Debian
versions: versions:
- stretch - stretch
- buster
- name: EL - name: EL
versions: versions:
- 7 - 7

View File

@ -3,7 +3,17 @@
setup: setup:
- include_tasks: "setup-{{ ansible_distribution|lower }}.yml" - include_tasks: "setup-{{ ansible_distribution|lower }}.yml"
when: not wireguard_containerized
- name: Install WireGuard
package:
name: "{{ packages }}"
state: present
vars:
packages:
- wireguard-dkms
- wireguard-tools
tags:
- wg-install
- name: Enable WireGuard kernel module - name: Enable WireGuard kernel module
modprobe: modprobe:
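Review bot: installing `wireguard-dkms` and `wireguard-tools` unconditionally here, after the distribution-specific include, undoes a deliberate change on the left: on kernels 5.6 and later, and on Ubuntu 20.04's 5.4 kernel, the `wireguard` module is in-tree, so `wireguard-dkms` is unnecessary and on those distributions the package may not exist at all (see the 6.1.0 and 6.2.0 changelog entries above), which would make the generic `package:` task fail. Dropping the `when: not wireguard_containerized` guard is consistent with removing the variable from the defaults, but both should be noted in the changelog.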
@ -29,29 +39,10 @@
- wg-generate-keys - wg-generate-keys
- wg-config - wg-config
- name: Get wg subcommands
command: "wg --help"
register: wg_subcommands
changed_when: false
- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
set_fact:
wg_syncconf: false
- name: Check if wg syncconf subcommand is available
set_fact:
wg_syncconf: true
when: wg_subcommands.stdout | regex_search('syncconf:')
- name: Show syncconf subcommand status
debug:
var: wg_syncconf
- block: - block:
- name: Generate WireGuard private key - name: Generate WireGuard private key
command: "wg genkey" shell: "wg genkey"
register: wg_private_key_result register: wg_private_key_result
changed_when: false
tags: tags:
- wg-generate-keys - wg-generate-keys
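Review bot: two regressions in the key-generation block on the right: `command: "wg genkey"` becomes `shell: "wg genkey"`, which routes a fixed argument list through a shell for no benefit (`command` is the right module when no shell features are used), and `changed_when: false` is dropped, so a task that only registers a value reports "changed" on every run. Removing the `wg --help` detection is consistent with the restart-only handler on the right, but then `wg_syncconf` must not be referenced anywhere else; the handlers on the left still use it.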
@ -108,7 +99,7 @@
tags: tags:
- wg-config - wg-config
notify: notify:
- reconfigure wireguard - restart wireguard
- name: Check if reload-module-on-update is set - name: Check if reload-module-on-update is set
stat: stat:
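Review bot: the notify target changes to `restart wireguard`, which matches the handler name on the right side. Since the left side's handlers are reached through `listen: "reconfigure wireguard"`, any remaining task or playbook that still notifies `reconfigure wireguard` would fail with a "handler not found" error, so grep for the old name before merging.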
@ -130,4 +121,3 @@
name: "wg-quick@{{ wireguard_interface }}" name: "wg-quick@{{ wireguard_interface }}"
state: started state: started
enabled: yes enabled: yes
when: not wireguard_containerized

View File

@ -1,32 +1,11 @@
--- ---
- name: (Archlinux) Install wireguard-lts package - name: Install required packages
pacman: pacman:
name: "{{ item.name }}" name: "{{ packages }}"
state: "{{ item.state }}"
with_items:
- { name: wireguard-dkms, state: absent }
- { name: wireguard-lts, state: present }
become: yes
tags:
- wg-install
when:
- ansible_kernel is match(".*-lts$")
- ansible_kernel is version('5.6', '<')
- name: (Archlinux) Install wireguard-dkms package
pacman:
name: wireguard-dkms
state: present state: present
become: yes become: yes
tags: vars:
- wg-install packages:
when: - linux-headers
- not ansible_kernel is match(".*-lts$")
- ansible_kernel is version('5.6', '<')
- name: (Archlinux) Install wireguard-tools package
pacman:
name: wireguard-tools
state: present
tags: tags:
- wg-install - wg-install
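Review bot: the right side installs `linux-headers` unconditionally and leaves `wireguard-dkms` to the generic install in tasks/main.yml, which breaks hosts running the `linux-lts` kernel: DKMS builds against whatever headers are present, and `linux-headers` are the headers for the `linux` package, so on an `-lts` kernel the module is built for a kernel that is not running (the LTS kernel needs its own headers package). The left side handles this by matching `ansible_kernel` against `.*-lts$` and installing `wireguard-lts` instead, and skips DKMS entirely on kernels `>= 5.6` where the module is in-tree. Separately, on the left the `(Archlinux) Install wireguard-tools package` task lacks the `become: yes` that the other two pacman tasks carry; pacman needs root, so that task only works if the play already escalates.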

View File

@ -1,19 +1,11 @@
--- ---
- name: (CentOS) Add WireGuard repository
- name: Add WireGuard repository
get_url: get_url:
url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
dest: /etc/yum.repos.d/wireguard.repo dest: /etc/yum.repos.d/wireguard.repo
- name: (CentOS) Install EPEL repository - name: Install EPEL repository
yum: yum:
name: epel-release name: epel-release
update_cache: yes update_cache: yes
- name: (CentOS) Install wireguard packages
yum:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
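Review bot: on both sides the `get_url` task that drops the COPR `.repo` file and the EPEL install carry no `tags`, while the package install is tagged `wg-install`, so a run limited with `--tags wg-install` tries to install `wireguard-dkms`/`wireguard-tools` from a repository that was never configured. Tag the repository tasks `wg-install` too. Also confirm that the downloaded `.repo` file enables `gpgcheck`; the Fedora variant below sets `gpgcheck: yes` and `gpgkey` explicitly, and the CentOS path should give the same guarantee.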

View File

@ -1,93 +0,0 @@
---
- name: (Raspbian) Install GPG - required to add wireguard key
apt:
name: gnupg
state: present
- name: (Raspbian) Add Debian repository key
apt_key:
keyserver: "keyserver.ubuntu.com"
id: "04EE7237B7D453EC"
state: present
when: ansible_lsb.id == "Raspbian"
tags:
- wg-install
- name: (Raspbian) Add Debian Unstable repository for WireGuard
apt_repository:
repo: "deb http://deb.debian.org/debian unstable main"
state: present
update_cache: yes
tags:
- wg-install
- name: (Raspbian) Install latest kernel
apt:
name:
- "raspberrypi-kernel"
state: latest
register: kernel_update
tags:
- wg-install
- name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
reboot:
search_paths: ['/lib/molly-guard', '/usr/sbin']
when:
- ansible_version.full is version('2.8.0', '>=')
- kernel_update is changed
tags:
- wg-install
- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
stat:
path: /lib/molly-guard/
register: molly_guard
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
reboot:
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- not molly_guard.stat.exists
tags:
- wg-install
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
command: /lib/molly-guard/shutdown -r now
async: 1
poll: 0
ignore_unreachable: yes
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- molly_guard.stat.exists
tags:
- wg-install
- name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
wait_for_connection:
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- molly_guard.stat.exists
tags:
- wg-install
- name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
apt:
name:
- "raspberrypi-kernel-headers"
state: latest
tags:
- wg-install
- name: (Raspbian) Install wireguard packages
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
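Review bot: this deletes Raspbian support wholesale (added in 6.3.0 according to the left changelog), and with the include removed from setup-debian.yml a Raspberry Pi silently falls through to the generic Debian path; if dropping Raspbian is intended, say so in the changelog and README. One thing in the deleted file should not be carried anywhere else: it adds `deb http://deb.debian.org/debian unstable main` with no apt preference, which the 6.0.4 changelog entry warns lets apt take every newer package from unstable. The reboot handling, with `search_paths` pointing at `/lib/molly-guard` for the `reboot` module and the async call to `/lib/molly-guard/shutdown` followed by `wait_for_connection` for older Ansible, is worth preserving if the file comes back.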

View File

@ -1,37 +0,0 @@
---
- name: (Debian) Install GPG - required to add wireguard key
apt:
name: gnupg
state: present
- name: (Debian) Add WireGuard repository on buster or earlier
apt_repository:
repo: "deb http://deb.debian.org/debian buster-backports main"
state: present
update_cache: yes
when: ansible_distribution_version | int <= 10
tags:
- wg-install
- name: (Debian) Get architecture
command: "dpkg --print-architecture"
register: dpkg_arch
changed_when: False
- set_fact:
kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"
- name: (Debian) Install kernel headers to compile Wireguard with DKMS
apt:
name:
- "linux-headers-{{ kernel_header_version }}"
state: present
- name: (Debian) Install wireguard packages
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
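Review bot: the deleted file is the `buster-backports` path that the right side replaces with Debian `unstable`; backports is the safer source (packages built for the running release, lower priority, no pin needed). Two points to keep in mind if it is reinstated: `when: ansible_distribution_version | int <= 10` evaluates to `0 <= 10`, i.e. true, whenever the fact is not a plain integer, so a non-numeric version string would get `buster-backports` added as well; and the `kernel_header_version` fact only selects the running kernel's headers for `-cloud-` kernels, otherwise it installs the architecture meta-package `linux-headers-<arch>`, which tracks the newest available kernel rather than the one currently booted, so DKMS may build for a kernel that is not running until the next reboot.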

View File

@ -1,8 +1,42 @@
--- ---
- name: Setup WireGuard preference
copy:
src: debian/etc/apt/preferences.d/limit-unstable
dest: /etc/apt/preferences.d/limit-unstable
owner: root
group: root
mode: 0644
tags:
- wg-install
- include_tasks: "setup-debian-raspbian.yml" - name: Install GPG - required to add wireguard key
when: ansible_lsb.id == "Raspbian" apt:
register: raspbian_setup name: gpg
state: present
- include_tasks: "setup-debian-vanilla.yml" - name: Add WireGuard key
when: raspbian_setup is skipped apt_key:
keyserver: "keyserver.ubuntu.com"
id: "8B48AD6246925553"
state: present
tags:
- wg-install
- name: Add WireGuard repository
apt_repository:
repo: "deb http://deb.debian.org/debian/ unstable main"
state: present
update_cache: yes
tags:
- wg-install
- name: Get architecture
shell: dpkg --print-architecture
register: dpkg_arch
changed_when: False
- name: Install kernel headers to compile wireguard with DKMS
apt:
name:
- "linux-headers-{{ dpkg_arch.stdout }}"
state: present
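Review bot: the right side reintroduces the `unstable` source together with the pin file and fetches key `8B48AD6246925553` from `keyserver.ubuntu.com`; the 6.0.4 changelog entry on the left explains why this was replaced by `buster-backports`. Smaller points: the 6.0.2 entry switched `gpg` to `gnupg` because `apt_key` with `keyserver:` needs the full gnupg tooling to retrieve keys, so `name: gpg` here brings that bug back; `shell: dpkg --print-architecture` should be `command:` (no shell features are used); and `linux-headers-{{ dpkg_arch.stdout }}` is the architecture meta-package, which may not match the running kernel (see the note on the deleted vanilla file). Ordering is right, though: the preference file is copied before the source is added, so the pin is in place before any package can be selected from unstable.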

View File

@ -1,17 +1,8 @@
--- ---
- name: (Fedora) Add wireguard COPR - name: Add wireguard COPR
yum_repository: yum_repository:
name: "jdoss-wireguard" name: "jdoss-wireguard"
description: "Copr repo for wireguard owned by jdoss" description: "Copr repo for wireguard owned by jdoss"
baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/" baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/"
gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg" gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
gpgcheck: yes gpgcheck: yes
- name: (Fedora) Install wireguard packages
yum:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
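Review bot: same tagging gap as the CentOS file: the `yum_repository` task has no `tags`, so `--tags wg-install` installs from a repository that was never configured; tag it `wg-install`. The `gpgcheck: yes` with an explicit `gpgkey` on both sides is the right way to add a COPR repository and should stay.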

View File

@ -1,48 +1,26 @@
--- ---
- name: (Ubuntu) Update APT package cache - name: Update APT package cache
apt: apt:
update_cache: "{{ wireguard_ubuntu_update_cache }}" update_cache: true
cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}" cache_valid_time: 3600
tags: tags:
- wg-install - wg-install
- block: - name: Install required packages
- name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10) package:
package: name: "{{ packages }}"
name: "{{ packages }}" state: present
state: present vars:
vars: packages:
packages: - software-properties-common
- software-properties-common - linux-headers-{{ ansible_kernel }}
- linux-headers-{{ ansible_kernel }} tags:
tags: - wg-install
- wg-install
- name: (Ubuntu) Add WireGuard repository (for Ubuntu < 19.10) - name: Add WireGuard repository
apt_repository: apt_repository:
repo: "ppa:wireguard/wireguard" repo: "ppa:wireguard/wireguard"
state: present state: present
update_cache: yes update_cache: yes
tags: tags:
- wg-install - wg-install
- name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10)
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
when:
- ansible_lsb.major_release is version('19.10', '<')
- block:
- name: (Ubuntu) Install wireguard-tools package (for Ubuntu > 19.04)
apt:
name: "wireguard-tools"
state: present
tags:
- wg-install
when:
- ansible_lsb.major_release is version('19.04', '>')
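Review bot: the right side adds `ppa:wireguard/wireguard` and `linux-headers-{{ ansible_kernel }}` unconditionally; from Ubuntu 19.10 on the kernel ships the `wireguard` module and `wireguard-tools` is in the Ubuntu archive, so the PPA and the DKMS build are unnecessary there, which is why the left side gates them on `ansible_lsb.major_release is version('19.10', '<')`. A caveat for the left side's conditions: `ansible_lsb` is only populated when `lsb_release` exists on the target, otherwise `ansible_lsb.major_release` is undefined and both `when` clauses error out; `ansible_distribution_version` is the more robust fact for this check. The hardcoded `update_cache: true` / `cache_valid_time: 3600` also drops the two variables the 6.2.0 changelog entry introduced.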

View File

@ -39,32 +39,32 @@ PostDown = {{ wg_postdown }}
{% if hostvars[inventory_hostname].wireguard_save_config is defined %} {% if hostvars[inventory_hostname].wireguard_save_config is defined %}
SaveConfig = true SaveConfig = true
{% endif %} {% endif %}
{% for host in ansible_play_hosts_all %} {% for host in ansible_play_hosts %}
{% if host != inventory_hostname %} {% if host != inventory_hostname %}
[Peer] [Peer]
# {{ host }} # {{ host }}
PublicKey = {{hostvars[host].public_key}} PublicKey = {{hostvars[host].public_key}}
{% if hostvars[host].wireguard_allowed_ips is defined %} {% if hostvars[host].wireguard_allowed_ips is defined %}
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}} AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
{% else %} {% else %}
AllowedIPs = {{hostvars[host].wireguard_ip}}/32 AllowedIPs = {{hostvars[host].wireguard_ip}}/32
{% endif %} {% endif %}
{% if hostvars[host].wireguard_persistent_keepalive is defined %} {% if hostvars[host].wireguard_persistent_keepalive is defined %}
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}} PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
{% endif %} {% endif %}
{% if hostvars[host].wireguard_port is defined and hostvars[host].wireguard_port is number %} {% if hostvars[host].wireguard_port is defined and hostvars[host].wireguard_port is number %}
{% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %} {% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}} Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
{% else %} {% else %}
Endpoint = {{host}}:{{hostvars[host].wireguard_port}} Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
{% endif %} {% endif %}
{% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %} {% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}} Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
{% elif hostvars[host].wireguard_endpoint == "" %} {% elif hostvars[host].wireguard_endpoint == "" %}
# No endpoint defined for this peer # No endpoint defined for this peer
{% else %} {% else %}
Endpoint = {{host}}:{{wireguard_port}} Endpoint = {{host}}:{{wireguard_port}}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
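Review bot: `ansible_play_hosts` (right) lists only the hosts still active in the play, so a peer that failed or was unreachable earlier in the same run is silently dropped from every other host's `[Peer]` section, and the subsequent handler then removes that peer from the running interfaces; `ansible_play_hosts_all` (left) keeps the full target list, and if a host's `public_key` was never set the template fails loudly instead, which is the better failure mode for a VPN mesh. Two further points that apply to both sides: the `Endpoint` branch requires `hostvars[host].wireguard_port is number`, but defaults/main.yml quotes the port (`wireguard_port: "51820"`), so for any peer using the default or a quoted per-host port the template falls through to `{{wireguard_port}}`, the rendering host's own port, instead of the peer's; comparing on `| int` would avoid that. And the `AllowedIPs` fallback uses `hostvars[host].wireguard_ip`, which the README never documents (it describes `wireguard_address`); confirm it is derived from `wireguard_address` in a task not shown here.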