From 8d3db69172a6c8df05662b65b5270301e162b811 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?=
 <1536672+cdesiles@users.noreply.github.com>
Date: Sun, 18 Jan 2026 13:21:37 +0100
Subject: [PATCH] fix: wireguard config failfast

---
 roles/wireguard/defaults/main.yml |  4 ++--
 roles/wireguard/tasks/main.yml    | 12 ++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
index 6ffaa7a..388ba43 100644
--- a/roles/wireguard/defaults/main.yml
+++ b/roles/wireguard/defaults/main.yml
@@ -4,6 +4,6 @@ wireguard_port: 51820 # static port to receive input connections
 wireguard_server_mode: true # enables NAT and open port
 wireguard_interface: wg0
 wireguard_config_base_path: /etc/wireguard
-wireguard_address: 192.168.27.1/27
-wireguard_dns: 192.168.27.1
+# wireguard_address: 192.168.27.1/27  # Intentionally undefined - role will fail if not set
+# wireguard_dns: 192.168.27.1          # Intentionally undefined - role will fail if not set
 wireguard_peers: []
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index f59c8c6..7b8644a 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -1,4 +1,16 @@
 ---
+- name: Validate required variables are set
+  ansible.builtin.assert:
+    that:
+      - wireguard_address is defined
+      - wireguard_address | length > 0
+      - wireguard_dns is defined
+      - wireguard_dns | length > 0
+    fail_msg: |
+      wireguard_address and wireguard_dns are required.
+      See roles/wireguard/defaults/main.yml for configuration instructions.
+    success_msg: "Variable validation passed"
+
 - name: Install wireguard
   ansible.builtin.package:
     name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('wireguard-tools', 'wireguard') }}"