Add role

templates/ndppd.conf.j2

@@ -0,0 +1,9 @@
+proxy {{ ansible_default_ipv6.interface }}{
+{% for peer in wireguard_peers %}
+{% for ip6_addr in peer.allowedips | ipv6 %}
+  rule {{ ip6_addr }} {
+    static
+  }
+{% endfor %}
+{% endfor %}
+}

templates/nftables.conf.j2

@@ -0,0 +1,37 @@
+#!/usr/sbin/nft -f
+
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop
+    iif lo accept
+    ct state established,related accept
+    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
+    ip protocol icmp icmp type echo-request accept
+    tcp dport { ssh } ct state new accept
+    udp dport { {{ wireguard_listenport }} } ct state new accept
+    counter drop
+  }
+  chain forward {
+    type filter hook forward priority 0; policy drop
+    ct state established,related accept
+    ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+    ip protocol icmp icmp type echo-request accept
+    iifname "{{ wireguard_if }}" ct state new accept
+    counter drop
+  }
+  chain output {
+    type filter hook output priority 0;
+  }
+
+}
+table ip nat {
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		oifname "{{ wireguard_ext_if }}" masquerade
+	}
+}
+

templates/wg.conf.j2

@@ -0,0 +1,16 @@
+[Interface]
+PrivateKey = {{ priv_key.stdout }}
+ListenPort = {{ wireguard_listenport }}
+
+{% for peer in wireguard_peers %}
+[Peer]
+PublicKey = {{ peer.publickey }}
+{% if peer.presharedkey is defined %}
+PresharedKey = {{ peer.presharedkey }}
+{% endif %}
+{% if peer.endpoint is defined -%}
+Endpoint = {{ peer.endpoint }}
+{%- endif %}
+AllowedIPs = {{ peer.allowedips | join(', ') }}
+
+{% endfor %}