S37: WireGuard mesh config template
- SHA
1e8c8b7ecc966207fe2b20ad6105533df882d0ed- Parents
-
9a4c42b - Tree
95a7a99
95a7a99| Status | File | + | - |
|---|---|---|---|
| A |
deploy/wireguard/wg0.conf.j2
|
30 | 0 |
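--- a/deploy/wireguard/wg0.conf.j2
+++ b/deploy/wireguard/wg0.conf.j2
@@ -0,0 +1,30 @@
+## Managed by Ansible. WireGuard mesh used for monitoring traffic
+## (Prometheus scraping, Loki pushes) so the metrics ports never
+## have to be exposed on the public interface. The app listens on
+## 127.0.0.1; the wg0 interface gives the monitoring host a private
+## route to it.
+##
+## One peer per host. Add new hosts by appending a [Peer] block here
+## and rerunning the role; the address is allocated from 10.50.0.0/24.
+
+[Interface]
+PrivateKey = {{ wireguard_private_key }}
+Address = {{ wireguard_address }}/24
+ListenPort = 51820
+SaveConfig = false
+
+# Lock the routing table down — only mesh traffic uses wg0.
+PostUp = iptables -A INPUT -i wg0 -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -j ACCEPT
+
+{% for peer in wireguard_peers %}
+[Peer]
+# {{ peer.hostname }}
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.address }}/32
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}:51820
+PersistentKeepalive = 25
+{% endif %}
+
+{% endfor %}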
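Review bot: The PostUp rule on line 17, `iptables -A INPUT -i wg0 -j ACCEPT`, admits every port from every mesh peer, which is far wider than the stated purpose (Prometheus scraping and Loki pushes from the monitoring host); since this is a full mesh with one peer per host, any compromised app host could then reach every wg0-bound service on every other host. Scope it to the monitoring peer and the metrics ports, e.g. `PostUp = iptables -A INPUT -i wg0 -s <monitoring host wg address> -p tcp --dport <exporter port> -j ACCEPT` with the matching `-D` in PostDown; note that whether this rule is load-bearing at all depends on the INPUT chain's default policy, which is not visible here. The comment on line 16 says it locks the routing table down, but this is a filter rule and does not touch routing — the per-peer `/32` AllowedIPs are what constrain cryptokey routing — so `# Accept inbound mesh traffic on wg0; the /32 AllowedIPs per peer is what restricts routing.` would be accurate. The header also says the app listens on 127.0.0.1, yet a socket bound only to loopback will not answer on the host's 10.50.0.x address, so presumably the exporters bind to the wg0 address as well — worth confirming and stating in the header. Finally, the rendered file carries `PrivateKey`, so the Ansible template task (outside this hunk) should write it root-owned with mode 0600.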