From 205fda69c5ba1547a1b77795e7a3c49d8e404a6d Mon Sep 17 00:00:00 2001
From: "Antonio J. Delgado"
Date: Thu, 5 Oct 2023 10:41:23 +0300
Subject: [PATCH] change to inventory variables per host

---
 tasks/configure.yml | 2 +-
 tasks/configure_router.yml | 19 +++++++++++++++++++
 tasks/main.yml | 11 ++++++++---
 templates/wireguard_client.conf | 7 +++----
 4 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 tasks/configure_router.yml

diff --git a/tasks/configure.yml b/tasks/configure.yml
index 13eeb5d..b621c94 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -36,7 +36,7 @@
 - name: Ensure UFW firewall rule exists
 ufw:
 rule: allow
- port: "{{ vpnes_port }}"
+ port: "{{ listenport }}"
 comment: 'Wireguard client listener'
 proto: udp
 notify:
diff --git a/tasks/configure_router.yml b/tasks/configure_router.yml
new file mode 100644
index 0000000..03a6ab2
--- /dev/null
+++ b/tasks/configure_router.yml
@@ -0,0 +1,19 @@
+---
+- name: Ensure IPv4 forwarding works
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: '1'
+ sysctl_set: yes
+
+- name: Ensure IPv6 forwarding works
+ sysctl:
+ name: net.ipv6.conf.all.forwarding
+ value: '1'
+ sysctl_set: yes
+
+- name: Ensure routing from wireguard network
+ community.general.ufw:
+ interface_in: "{{ interface_name }}"
+ rule: allow
+ log: true
+ route: true
diff --git a/tasks/main.yml b/tasks/main.yml
index cbe813e..7a40103 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,10 @@
 ---
-- name: Ensure installation
+- name: Ensure installation of Wireguard software
 include_tasks: install.yml
-- name: Ensure configuration
- include_tasks: configure.yml
\ No newline at end of file
+
+- name: Ensure configuration of Wireguard
+ include_tasks: configure.yml
+
+- name: Ensure configuration of Wireguard router
+ include_tasks: configure_router.yml
+ when: ansible_host in groups['wireguard_routers']
diff --git a/templates/wireguard_client.conf b/templates/wireguard_client.conf
index 243d0ca..4dcec74 100644
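Review bot: The route rule in the last task of configure_router.yml (`community.general.ufw` with `route: true`) carries no destination constraint, so once `net.ipv4.ip_forward`/`net.ipv6.conf.all.forwarding` are set every packet arriving on `{{ interface_name }}` is forwarded to any address, port and protocol the router can reach, including its other interfaces and any upstream network, and the host becomes an open relay for anyone holding a client key. If the intent is only to route between VPN peers or into one internal network, add `interface_out:` and/or `to_ip:` set to that network, or at least document with a comment such as `# intentionally unrestricted: this host forwards VPN traffic to all of its networks` so the exposure is a recorded decision. Two smaller points of style: `sysctl_set: yes` should be `sysctl_set: true` (Ansible/yamllint truthy convention), and the first two tasks use the bare `sysctl:` module while the third uses the FQCN `community.general.ufw:`; `ansible.posix.sysctl:` would make the file consistent. The UFW task in configure.yml notifies a handler while this new UFW task does not; if that handler reloads ufw, the new rule presumably needs the same `notify:` — worth confirming against the handlers file.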
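Review bot: The `when:` on the last task of main.yml tests `ansible_host` against `groups['wireguard_routers']`, but `groups[...]` holds inventory hostnames while `ansible_host` is the connection address, which differs from `inventory_hostname` whenever the inventory sets it to an IP or FQDN; on such hosts the condition is silently false and forwarding/route rules are never configured, with no error to point at the cause. The expression also raises an undefined-key error on any inventory that has no `wireguard_routers` group at all. Membership is better expressed directly: `when: "'wireguard_routers' in group_names"` (or `when: inventory_hostname in groups.get('wireguard_routers', [])` if the group name must stay a lookup).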
--- a/templates/wireguard_client.conf +++ b/templates/wireguard_client.conf @@ -1,11 +1,10 @@ [Interface] -Address = {% for item in wireguard_peers %}{% if item['name'] == inventory_hostname %}{{ item['AllowedIPs'] }} -{% endif %}{% endfor %} +Address = {{ wg_address }} PrivateKey = {{ private_key }} ListenPort = {{ listenport }} -DNS = {% if vpn_dns is defined %}{{ vpn_dns }}{% else %}{{ server_address }}{% endif %} +{% if vpn_dns is defined %}DNS = {{ vpn_dns }}{% endif %} -{% for item in wireguard_peers %}{% if item['name'] != inventory_hostname and 'PublicKey' in item and 'AllowedIPs' in item %} +{% for item in groups['wireguard_clients'] %}{% if item['name'] != inventory_hostname and 'PublicKey' in item and 'AllowedIPs' in item %} # Peer name: {{ item.name }} [Peer]