[Interface]
Address = {{ vpn_ip }}/32
PrivateKey = {{ wireguard_secret.servers[inventory_hostname].priv }}
ListenPort = {{ wireguard.ip.port }}

{% if "bastion" in group_names %}
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ net_interface }} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ net_interface }} -j MASQUERADE
{% endif %}
SaveConfig = false

{% for server_peer in wireguard_secret.servers %}
{% if not server_peer == inventory_hostname %}
[Peer]
PublicKey = {{ wireguard_secret.servers[server_peer].pub }}
AllowedIPs = {{ hostvars[server_peer]["vpn_ip"] }}
Endpoint = {{ hostvars[server_peer]["local_ip"] }}:{{ wireguard.ip.port }}
{% endif %}
{% endfor %}

{% if "bastion" in group_names %}
{% for peer in wireguard_secret.clients %}
[Peer]
PublicKey = {{ peer.pub_key }}
AllowedIPs = {{ peer.addr }}
{% endfor %}
{% endif %}