change to inventory variables per host

tasks/configure.yml

@@ -36,7 +36,7 @@
 - name: Ensure UFW firewall rule exists
   ufw:
     rule: allow
-    port: "{{ vpnes_port }}"
+    port: "{{ listenport }}"
     comment: 'Wireguard client listener'
     proto: udp
   notify:

tasks/configure_router.yml

@@ -0,0 +1,19 @@
+---
+- name: Ensure IPv4 forwarding works
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+
+- name: Ensure IPv6 forwarding works
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: '1'
+    sysctl_set: yes
+
+- name: Ensure routing from wireguard network
+  community.general.ufw:
+    interface_in: "{{ interface_name }}"
+    rule: allow
+    log: true
+    route: true

tasks/main.yml

@@ -1,5 +1,10 @@
 ---
-- name: Ensure installation
+- name: Ensure installation of Wireguard software
   include_tasks: install.yml
-- name: Ensure configuration
-  include_tasks: configure.yml
+
+- name: Ensure configuration of Wireguard
+  include_tasks: configure.yml
+
+- name: Ensure configuration of Wireguard router
+  include_tasks: configure_router.yml
+  when: ansible_host in groups['wireguard_routers']

templates/wireguard_client.conf

@@ -1,11 +1,10 @@
 [Interface]
-Address = {% for item in wireguard_peers %}{% if item['name'] == inventory_hostname %}{{ item['AllowedIPs'] }}
-{% endif %}{% endfor %}
+Address = {{ wg_address }}
 PrivateKey = {{ private_key }}
 ListenPort = {{ listenport }}
-DNS = {% if vpn_dns is defined %}{{ vpn_dns }}{% else %}{{ server_address }}{% endif %}
+{% if vpn_dns is defined %}DNS = {{ vpn_dns }}{% endif %}
 
-{% for item in wireguard_peers %}{% if item['name'] != inventory_hostname and 'PublicKey' in item and 'AllowedIPs' in item %}
+{% for item in groups['wireguard_clients'] %}{% if item['name'] != inventory_hostname and 'PublicKey' in item and 'AllowedIPs' in item %}
 
 # Peer name: {{ item.name }}
 [Peer]