ansible-edda/plays/vpn/roles/bridge/templates/wg0/wg0.j2

{# ifupdown stanza for the WireGuard bridge interface wg0, rendered by Ansible.
   Every pre-up/post-up/pre-down line below is executed by ifupdown in the
   order written, so the statement order is significant.
   NOTE(review): the template variables are interpolated unquoted into these
   command lines; they should only come from trusted inventory and be
   validated as addresses/subnets/table ids before rendering. #}
auto wg0
iface wg0 inet static
{# Create the link through a local wrapper script (not shown here), load the
   WireGuard configuration from /etc/wireguard/$IFACE.conf and set the MTU.
   NOTE(review): that .conf file is managed elsewhere and presumably holds the
   private key; confirm it is readable by root only. #}
pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
pre-up ip link set mtu 1420 dev $IFACE
{# Per-interface scripts, by name nftables rule sets (contents not visible).
   NOTE(review): they run in post-up, i.e. after the interface is already up,
   so there may be a short window without these rules unless a base ruleset
   covers wg0; confirm. #}
post-up /usr/local/sbin/post-up-$IFACE-inet.nft
post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
{# Role-specific routes. A vpn_bridge_role value other than "client" or
   "server" renders no route lines at all. #}
{% if vpn_bridge_role == "client" %}
{# Client: default route via wg0 in a dedicated routing table. The policy rule
   that selects this table is not in this template; presumably set elsewhere. #}
post-up ip route add default dev $IFACE table {{ vpn_bridge_routing_table }}
{% elif vpn_bridge_role == "server" %}
{# Server: one route per client subnet towards wg0.
   NOTE(review): presumably the peers' AllowedIPs in the WireGuard config
   should cover the same subnets; verify they are kept in sync. #}
{% for client in vpn_bridge_wg0_clients %}
post-up ip route add {{ client.subnet }} dev $IFACE
{% endfor %}
{% endif %}
{# Teardown mirrors the bring-up in reverse: routes first, then the nft
   scripts (ipv4 before inet).
   NOTE(review): "ip route del" fails if the route is already gone; check how
   ifdown on the target release treats a failing pre-down command. #}
{% if vpn_bridge_role == "server" %}
{% for client in vpn_bridge_wg0_clients %}
pre-down ip route del {{ client.subnet }} dev $IFACE
{% endfor %}
{% elif vpn_bridge_role == "client" %}
pre-down ip route del default dev $IFACE table {{ vpn_bridge_routing_table }}
{% endif %}
pre-down /usr/local/sbin/pre-down-$IFACE-ipv4.nft
pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
{# Static tunnel address and netmask for wg0, taken from inventory. #}
address {{ vpn_bridge_wg0_address }}
netmask {{ vpn_bridge_wg0_netmask }}