feat: wireguard role allow multiple endpoints

inventory/host_vars/example.yml

@@ -14,10 +14,6 @@ network_interfaces:
   - name: lan1
     type: ethernet
     mac_address: 0a:3f:5b:1c:d2:e4
-  - name: podman-gw
-    type: bridge
-    ipv4:
-      address: "{{ podman_gw_gateway }}/10"
 
 # Unbound DNS resolver configuration
 # ----------------------------------
@@ -151,24 +147,24 @@ nfs_bind_addresses:
 
 # Podman configuration
 # --------------------
-podman_gw_gateway: 100.64.0.1
-podman_gw_subnet: 100.64.0.0/10
+# Address inside containers that maps to the host's loopback (via pasta
+# --map-host-loopback). Containers reach host services bound to 127.0.0.1
+# by connecting to this address. Defined in roles/podman/defaults/main.yml.
+# podman_gw_gateway: 100.64.0.1
 
 # PostgreSQL configuration
 # ------------------------
 postgres_admin_password: "{{ vault_postgres_admin_password }}"
-postgres_bind: "127.0.0.1,{{ podman_gw_gateway }}" # Comma-separated for PostgreSQL
+postgres_bind: "127.0.0.1"
 postgres_firewall_allowed_sources:
   - 127.0.0.0/8
-  - "{{ podman_gw_subnet }}"
 
 # Valkey configuration
 # --------------------
 valkey_admin_password: "{{ vault_valkey_admin_password }}"
-valkey_bind: "127.0.0.1 {{ podman_gw_gateway }}" # Space-separated for Valkey
+valkey_bind: "127.0.0.1"
 valkey_firewall_allowed_sources:
   - 127.0.0.0/8
-  - "{{ podman_gw_subnet }}"
 
 # Valkey ACL users
 valkey_acl_users:

roles/dhcpd/templates/dhcpd4@.service.j2

@@ -2,8 +2,8 @@
 
 [Unit]
 Description=IPv4 DHCP server on %I
-After=sys-subsystem-net-devices-%i.device network-online.target
-Wants=network-online.target
+After=sys-subsystem-net-devices-%i.device network-online.target systemd-networkd-wait-online@%i.service
+Wants=network-online.target systemd-networkd-wait-online@%i.service
 BindsTo=sys-subsystem-net-devices-%i.device
 
 [Service]

roles/net_persist/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: Process ethernet interface persistence
   when: interface.type is not defined or interface.type == 'ethernet'
   block:
-    - name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address }})"
+    - name: "Check interface rule for {{ interface.name }} ({{ interface.mac_address | default('N/A') }})"
       ansible.builtin.set_fact:
         interface_original_name: "{{ ansible_facts.interfaces | select('in', ansible_facts) | map('extract', ansible_facts) | selectattr('pciid', 'defined') | selectattr('macaddress', 'equalto', interface.mac_address) | map(attribute='device') | first }}"
 

roles/networking/tasks/main.yml

@@ -20,6 +20,29 @@
     interface: "{{ item }}"
   loop: "{{ hostvars[inventory_hostname].network_interfaces | default([]) }}"
 
+- name: Remove stale podman-gw systemd-networkd configuration
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/systemd/network/10-podman-gw.netdev
+    - /etc/systemd/network/20-podman-gw.network
+  register: stale_podman_gw
+
+- name: Mark networkd reload required after podman-gw cleanup
+  ansible.builtin.set_fact:
+    network_reload_required: true
+  when: stale_podman_gw is changed
+
+- name: Tear down podman-gw bridge interface if present
+  ansible.builtin.command: ip link delete podman-gw
+  register: podman_gw_link_del
+  changed_when: podman_gw_link_del.rc == 0
+  failed_when:
+    - podman_gw_link_del.rc != 0
+    - "'Cannot find device' not in podman_gw_link_del.stderr"
+    - "'does not exist' not in podman_gw_link_del.stderr"
+
 - name: Reload networkd and resolved
   ansible.builtin.systemd:
     name: "{{ item }}"

roles/postgres/templates/pg_hba.conf.j2

@@ -4,25 +4,27 @@
 # This file controls: which hosts are allowed to connect, how clients
 # are authenticated, which PostgreSQL user names they can use, which
 # databases they can access.
+#
+# Authentication policy:
+# - Unix socket: trust (admin access via `become_user: postgres`, e.g. Ansible)
+# - All TCP connections: scram-sha-256 (passwords required, including loopback)
+#   This is required because pasta forwards rootless container traffic via
+#   host loopback, so containers appear as source 127.0.0.1.
 
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 # "local" is for Unix domain socket connections only
 local   all             all                                     trust
 
-# IPv4 local connections:
+# IPv4 connections (all require password, even loopback):
 {% for source in postgres_firewall_allowed_sources %}
-{% if source.startswith('127.0.0.') %}
-host    all             all             {{ source }}            trust
-{% else %}
 host    all             all             {{ source }}            scram-sha-256
-{% endif %}
 {% endfor %}
 
 # IPv6 local connections:
-host    all             all             ::1/128                 trust
+host    all             all             ::1/128                 scram-sha-256
 
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 local   replication     all                                     trust
-host    replication     all             127.0.0.1/32            trust
-host    replication     all             ::1/128                 trust
+host    replication     all             127.0.0.1/32            scram-sha-256
+host    replication     all             ::1/128                 scram-sha-256

roles/wireguard/defaults/main.yml

@@ -1,9 +1,17 @@
 ---
 wireguard_primary_interface: "{{ network_interfaces.0.name }}"
-wireguard_port: 51820
-wireguard_interface: wg0
 wireguard_config_base_path: /etc/wireguard
-wireguard_server_mode: true # enables NAT and open port
-# wireguard_address: 192.168.27.1/27  # Intentionally undefined - role will fail if not set
-# wireguard_dns: 192.168.27.1          # Intentionally undefined - role will fail if not set
-wireguard_peers: []
+# wireguard_tunnels:
+#   - interface: wg0          # required: maps to wgN interface name and config filename
+#     address: 10.0.0.1/24   # required: CIDR address for [Interface] Address
+#     port: 51820             # optional: ListenPort (required in server_mode)
+#     dns: 10.0.0.1           # optional: DNS= line; omit to suppress
+#     server_mode: true       # optional (default: false): enables NAT masquerade + UFW rule
+#     primary_interface: eth0 # optional: overrides wireguard_primary_interface for this tunnel
+#     peers:                   # optional: list of [Peer] entries
+#       - name: peer_name               # required: comment label
+#         public_key: ...               # required: peer's public key
+#         allowed_ips: [10.0.0.0/24]    # required: list of CIDRs
+#         endpoint: host:port           # optional: peer's public endpoint
+#         persistent_keepalive: 25      # optional: keepalive interval (seconds)
+wireguard_tunnels: []

roles/wireguard/handlers/main.yml

@@ -2,3 +2,7 @@
 - name: Reload systemd
   ansible.builtin.systemd:
     daemon_reload: true
+
+- name: Apply sysctl
+  ansible.builtin.command: sysctl --system
+  changed_when: true

roles/wireguard/tasks/main.yml

@@ -1,15 +1,13 @@
 ---
-- name: Validate required variables are set
+- name: Validate wireguard_tunnels is defined and non-empty
   ansible.builtin.assert:
     that:
-      - wireguard_address is defined
-      - wireguard_address | length > 0
-      - wireguard_dns is defined
-      - wireguard_dns | length > 0
+      - wireguard_tunnels is defined
+      - wireguard_tunnels | length > 0
     fail_msg: |
-      wireguard_address and wireguard_dns are required.
+      wireguard_tunnels must be defined with at least one tunnel.
       See roles/wireguard/defaults/main.yml for configuration instructions.
-    success_msg: "Variable validation passed"
+    success_msg: "wireguard_tunnels validation passed"
 
 - name: Install wireguard
   ansible.builtin.package:
@@ -39,63 +37,8 @@
     mode: "0700"
     recurse: true
 
-- name: Check if private key exists
-  ansible.builtin.stat:
-    path: "{{ wireguard_config_base_path }}/privatekey"
-  register: pkey_file
-
-- name: Generate wireguard keys if not present
-  ansible.builtin.shell: wg genkey | tee {{ wireguard_config_base_path }}/privatekey | wg pubkey > {{ wireguard_config_base_path }}/publickey
-  when: not pkey_file.stat.exists
-
-- name: Retrieve wireguard private key from file
-  ansible.builtin.slurp:
-    src: "{{ wireguard_config_base_path }}/privatekey"
-  register: private_key
-
-- name: Set wireguard private key
-  ansible.builtin.set_fact:
-    wireguard_private_key: "{{ private_key['content'] | b64decode }}"
-
-- name: Disable "dns=" instruction if unbound is used to avoid race conditions at startup
-  ansible.builtin.set_fact:
-    wireguard_dns:
-  when: unbound_custom_lan_records is defined
-
-- name: Install wireguard config
-  ansible.builtin.template:
-    src: wireguard.conf.j2
-    dest: /etc/wireguard/{{ wireguard_interface }}.conf
-
-- name: Create systemd override directory for wg-quick
-  ansible.builtin.file:
-    path: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d
-    state: directory
-    mode: "0755"
-
-- name: Deploy systemd override for network dependency
-  ansible.builtin.template:
-    src: systemd-override.conf.j2
-    dest: /etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d/network-dependency.conf
-    mode: "0644"
-  notify: Reload systemd
-
-- name: Configure the firewall for wireguard
-  community.general.ufw:
-    rule: allow
-    port: "{{ wireguard_port }}"
-    proto: udp
-    direction: in
-    comment: Wireguard VPN
-  retries: 5
-  delay: 2
-  register: ufw_result
-  until: ufw_result is succeeded
-  when: wireguard_server_mode | default(false)
-
-- name: Start and enable service
-  ansible.builtin.service:
-    name: wg-quick@{{ wireguard_interface }}
-    state: started
-    enabled: true
-    daemon_reload: true
+- name: Configure tunnel
+  ansible.builtin.include_tasks: tunnel.yml
+  loop: "{{ wireguard_tunnels }}"
+  loop_control:
+    loop_var: _tunnel

roles/wireguard/templates/wireguard.conf.j2

@@ -1,16 +1,25 @@
 [Interface]
-Address = {{ wireguard_address }}
-{% if wireguard_dns %}DNS = {{ wireguard_dns }}
+Address = {{ _tunnel.address }}
+{% if _tunnel_effective_dns %}DNS = {{ _tunnel_effective_dns }}
 {% endif %}
-PrivateKey = {{ wireguard_private_key }}
-{% if wireguard_server_mode %}PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ wireguard_primary_interface }} -j MASQUERADE
-PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ wireguard_primary_interface }} -j MASQUERADE
-ListenPort = {{ wireguard_port }}
+PrivateKey = {{ _tunnel_private_key }}
+{% if _tunnel.server_mode | default(false) %}
+{% if ansible_facts['os_family'] == 'Archlinux' %}
+PostUp = nft add table inet wireguard_%i; nft add chain inet wireguard_%i forward '{ type filter hook forward priority 0; policy accept; }'; nft add rule inet wireguard_%i forward iifname %i accept; nft add chain inet wireguard_%i postrouting '{ type nat hook postrouting priority 100; }'; nft add rule inet wireguard_%i postrouting oifname {{ _tunnel.primary_interface | default(wireguard_primary_interface) }} masquerade
+PostDown = nft delete table inet wireguard_%i
+{% else %}
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ _tunnel.primary_interface | default(wireguard_primary_interface) }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ _tunnel.primary_interface | default(wireguard_primary_interface) }} -j MASQUERADE
+{% endif %}
+ListenPort = {{ _tunnel.port }}
 {% endif %}
 
-{% for peer in wireguard_peers %}# {{ peer.name }}
+{% for peer in _tunnel.peers | default([]) %}# {{ peer.name }}
 [Peer]
 PublicKey = {{ peer.public_key }}
 AllowedIPs = {{ peer.allowed_ips | join(',') }}
-{% if peer.endpoint is defined %}Endpoint = {{ peer.endpoint }}{% endif %}
+{% if peer.endpoint is defined %}Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive is defined %}PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
 {% endfor %}