S37: WireGuard mesh config template
- SHA
1e8c8b7ecc966207fe2b20ad6105533df882d0ed- Parents
-
9a4c42b - Tree
95a7a99
95a7a99| Status | File | + | - |
|---|---|---|---|
| A |
deploy/wireguard/wg0.conf.j2
|
30 | 0 |
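--- /dev/null
+++ b/deploy/wireguard/wg0.conf.j2
@@ -0,0 +1,30 @@
+## Managed by Ansible. WireGuard mesh used for monitoring traffic
+## (Prometheus scraping, Loki pushes) so the metrics ports never
+## have to be exposed on the public interface. The app listens on
+## 127.0.0.1; the wg0 interface gives the monitoring host a private
+## route to it.
+##
+## One peer per host. Add new hosts by appending a [Peer] block here
+## and rerunning the role; the address is allocated from 10.50.0.0/24.
+
+[Interface]
+PrivateKey = {{ wireguard_private_key }}
+Address = {{ wireguard_address }}/24
+ListenPort = 51820
+SaveConfig = false
+
+# Lock the routing table down — only mesh traffic uses wg0.
+PostUp = iptables -A INPUT -i wg0 -j ACCEPT
+PostDown = iptables -D INPUT -i wg0 -j ACCEPT
+
+{% for peer in wireguard_peers %}
+[Peer]
+# {{ peer.hostname }}
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.address }}/32
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}:51820
+PersistentKeepalive = 25
+{% endif %}
+
+{% endfor %}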
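Review bot: The comment on line 16 says the PostUp rule locks the routing table down, but `iptables -A INPUT -i wg0 -j ACCEPT` touches no routing table and is a blanket accept for every port reachable over wg0 from any peer, which is the opposite of a lock-down; if the INPUT chain's default policy is already ACCEPT it changes nothing at all. Since the header states the mesh exists only for Prometheus scrapes and Loki pushes, scope the rule to those ports and make the comment describe what the rule does: `# Accept only the monitoring ports over wg0; each peer's AllowedIPs /32 already pins its source address.` followed by `PostUp = iptables -A INPUT -i wg0 -p tcp -m multiport --dports <METRICS_PORTS> -j ACCEPT` with PostDown mirroring it using `-D`. Separately, the header's claim that the app listens on 127.0.0.1 appears to contradict reaching it over wg0, since traffic arriving on the wg0 address would not hit a loopback-only bind unless the app also binds the wg0 address or a redirect exists elsewhere in the role; worth confirming and stating in the header which it is. The rendered file also embeds the private key, so the task that writes it presumably needs mode 0600 and `no_log`, which is outside this template and worth a one-line pointer in the header.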