wireguard: clean up

- make variables less clunky
- make docker-compose run after wireguard (this seems janky right now)

group_vars/all/50-vars.yml

@@ -45,4 +45,6 @@ escalation_method: doas
 enable_connection: yes
 
 # use a wireguard network between bastion and fleet host for the reverse proxy
+# see roles/wireguard/defaults/main.yml for further config settings
 wireguard_services: true
+wireguard_interface: "wg0"

roles/containers/templates/docker-compose.service.j2

@@ -1,7 +1,12 @@
 [Unit]
 Description=Services manager with docker-compose
+{% if wireguard_services %}
+Requires=docker.service wg-quick@{{ wireguard_interface }}.service
+After=docker.service wg-quick@{{ wireguard_interface }}.service
+{% else %}
 Requires=docker.service
 After=docker.service
+{% endif %}
 
 [Service]
 User=docker

roles/wireguard/defaults/main.yml

@@ -6,10 +6,13 @@
 
 # also see group_vars/all/00-secret-template.yml
 
+# this key is defined in group_vars/all/50-vars.yml
+# it's duplicated here just in case
+wireguard_interface: "wg0"
+
 wireguard:
   dns_servers:
     - "{{ dns_forward }}"
-  interface: "wg0"
   ip:
     # cidr range in tunnel
     cidr: "10.66.77.0/24"

roles/wireguard/handlers/main.yml

@@ -2,7 +2,7 @@
 
 - name: Start wireguard
   systemd:
-    name: "wg-quick@{{ wireguard.interface }}.service"
+    name: "wg-quick@{{ wireguard_interface }}.service"
     enabled: yes
     daemon_reload: yes
     state: restarted

roles/wireguard/tasks/main.yml

@@ -28,7 +28,7 @@
 - name: Deploy wireguard server config
   template:
     src: server.conf.j2
-    dest: "/etc/wireguard/{{ wireguard.interface }}.conf"
+    dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
     owner: root
     group: root
     mode: 0600

roles/wireguard/templates/server.conf.j2

@@ -1,5 +1,5 @@
 [Interface]
-Address = {{ hostvars[inventory_hostname]["vpn_ip"] }}/32
+Address = {{ vpn_ip }}/32
 PrivateKey = {{ wireguard_secret.servers[inventory_hostname].priv }}
 ListenPort = {{ wireguard.ip.port }}