Variable wireguard interface name

vpn/wireguard/files/pre-down-wg0-inet.nft

@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table inet wg0_inet
-delete table inet wg0_inet

vpn/wireguard/files/pre-down-wg0-ipv4.nft

@@ -1,4 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-flush table ip wg0_ipv4
-delete table ip wg0_ipv4

vpn/wireguard/meta/argument_specs.yml

@@ -6,6 +6,9 @@ argument_specs:
         interface:
           type: "str"
           required: true
+      vpn_wireguard_iface:
+        type: "str"
+        required: true
       vpn_wireguard_role:
         type: "str"
         required: true

vpn/wireguard/tasks/main.yml

@@ -5,60 +5,61 @@
 
 - name: "configure wireguard"
   ansible.builtin.template:
-    src: "./wg0.conf"
+    src: "./IFACE.conf"
-    dest: "/etc/wireguard/wg0.conf"
+    dest: "/etc/wireguard/{{ vpn_wireguard_iface }}.conf"
     mode: 0600
   register: vpn_wireguard_conf
 
 - name: "post-up nftables inet script"
   ansible.builtin.template:
-    src: "./post-up-wg0-inet.nft"
+    src: "./post-up-IFACE-inet.nft"
-    dest: "/usr/local/sbin/post-up-wg0-inet.nft"
+    dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-inet.nft"
     mode: 0755
-  register: vpn_wireguard_post_up_wg0_inet_nft
+  register: vpn_wireguard_post_up_iface_inet_nft
 
 - name: "post-up nftables ipv4 script"
   ansible.builtin.template:
-    src: "./post-up-wg0-ipv4.nft"
+    src: "./post-up-IFACE-ipv4.nft"
-    dest: "/usr/local/sbin/post-up-wg0-ipv4.nft"
+    dest: "/usr/local/sbin/post-up-{{ vpn_wireguard_iface }}-ipv4.nft"
     mode: 0755
-  register: vpn_wireguard_post_up_wg0_ipv4_nft
+  register: vpn_wireguard_post_up_iface_ipv4_nft
 
 - name: "configure interface"
   ansible.builtin.template:
-    src: "./wg0"
+    src: "./IFACE"
-    dest: "/etc/network/interfaces.d/wg0"
+    dest: "/etc/network/interfaces.d/{{ vpn_wireguard_iface }}"
     mode: 0644
     validate: >
       bash -c
-      'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ;
+      'if ! diff %s /etc/network/interfaces.d/{{ vpn_wireguard_iface }} &&
+          ip link show dev {{ vpn_wireguard_iface }} ;
        then
-           ifdown wg0 ;
+           ifdown {{ vpn_wireguard_iface }} ;
        fi'
   register: vpn_wireguard_intf
 
 - name: "restart interface"
   ansible.builtin.shell: |
-    if ip link show dev wg0
+    if ip link show dev {{ vpn_wireguard_iface }}
     then
-        ifdown wg0 && ifup wg0
+        ifdown {{ vpn_wireguard_iface }} && ifup {{ vpn_wireguard_iface }}
     else
-        ifup wg0
+        ifup {{ vpn_wireguard_iface }}
     fi
   when:
     vpn_wireguard_conf.changed or
-    vpn_wireguard_post_up_wg0_inet_nft.changed or
+    vpn_wireguard_post_up_iface_inet_nft.changed or
-    vpn_wireguard_post_up_wg0_ipv4_nft.changed or
+    vpn_wireguard_post_up_iface_ipv4_nft.changed or
     vpn_wireguard_intf.changed
 
 - name: "pre-down nftables inet script"
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: "./pre-down-wg0-inet.nft"
+    src: "./pre-down-IFACE-inet.nft"
-    dest: "/usr/local/sbin/pre-down-wg0-inet.nft"
+    dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-inet.nft"
     mode: 0755
 
 - name: "pre-down nftables ipv4 script"
-  ansible.builtin.copy:
+  ansible.builtin.template:
-    src: "./pre-down-wg0-ipv4.nft"
+    src: "./pre-down-IFACE-ipv4.nft"
-    dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft"
+    dest: "/usr/local/sbin/pre-down-{{ vpn_wireguard_iface }}-ipv4.nft"
     mode: 0755

vpn/wireguard/templates/IFACE

@@ -1,5 +1,5 @@
-auto wg0
+auto {{ vpn_wireguard_iface }}
-iface wg0 inet static
+iface {{ vpn_wireguard_iface }} inet static
     pre-up /usr/local/sbin/ip-link-add.sh $IFACE type wireguard
     pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
     pre-up ip link set mtu 1420 dev $IFACE

vpn/wireguard/templates/post-up-IFACE-inet.nft

@@ -0,0 +1,9 @@
+#!/usr/bin/env -S nft -f
+
+table inet {{ vpn_wireguard_iface }}_inet {
+        chain forward {
+                type filter hook forward priority 0;
+                iif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
+                oif {{ vpn_wireguard_iface }} tcp flags syn tcp option maxseg size set rt mtu;
+        }
+}

vpn/wireguard/templates/post-up-IFACE-ipv4.nft

@@ -1,11 +1,11 @@
 #!/usr/bin/env -S nft -f
 
-table ip wg0_ipv4 {
+table ip {{ vpn_wireguard_iface }}_ipv4 {
 
 {% if vpn_wireguard_role == "server" %}
         chain postrouting {
                 type nat hook postrouting priority 100;
-                iif wg0 oif {{ ansible_default_ipv4.interface }} masquerade;
+                iif {{ vpn_wireguard_iface }} oif {{ ansible_default_ipv4.interface }} masquerade;
         }
 
 {% endif %}

vpn/wireguard/templates/post-up-wg0-inet.nft

@@ -1,9 +0,0 @@
-#!/usr/bin/env -S nft -f
-
-table inet wg0_inet {
-        chain forward {
-                type filter hook forward priority 0;
-                iif wg0 tcp flags syn tcp option maxseg size set rt mtu;
-                oif wg0 tcp flags syn tcp option maxseg size set rt mtu;
-        }
-}

vpn/wireguard/templates/pre-down-IFACE-inet.nft

@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table inet {{ vpn_wireguard_iface }}_inet
+delete table inet {{ vpn_wireguard_iface }}_inet

vpn/wireguard/templates/pre-down-IFACE-ipv4.nft

@@ -0,0 +1,4 @@
+#!/usr/bin/env -S nft -f
+
+flush table ip {{ vpn_wireguard_iface }}_ipv4
+delete table ip {{ vpn_wireguard_iface }}_ipv4