homelab/ansible/inventory/full/group_vars/vpn/main.yml

# Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: /etc/wireguard

wireguard_interface_restart: false
wireguard_service_enabled: true
wireguard_service_state: started

# We need to keep the NAT mapping open:
# https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
# I've tested 25 seconds, which seems to be too low. The mapping still seems
# to be broken every once in a while.
# Or, it might be because PersistentKeepalive is actually also needed on the
# server but it's being omitted currently. See the issue I opened:
# https://github.com/githubixx/ansible-role-wireguard/issues/217#issue-2871281915
wireguard_persistent_keepalive: 25

wireguard_ipv6_subnet: "fde0:fb5b:2593::/64"
wireguard_ipv4_subnet: "10.4.4.0/24"
# Setting this here doesn't seem to work. We set it during runtime later
# public_ipv6_subnet: "{{ hostvars[groups['embassy'][0]].ipv6_subnet }}"

# We can generate this dynamically, but it really doesn't seem like it's worth
# the work.
nat_map:
  moirai-clotho.local:
    vpn_ipv6: "{{ wireguard_ipv6_subnet | ansible.utils.ipaddr('16') }}"
    vpn_ipv4: "{{ wireguard_ipv4_subnet | ansible.utils.ipaddr('16') }}"
    vps_ipv6: "{{ public_ipv6_subnet | ansible.utils.ipaddr('16') }}"
    vps_ipv4: "{{ ansible_default_ipv4.address }}"
    port_mappings:
      - external_port: 20050
        internal_port: 20050

  moirai-lachesis.local:
    vpn_ipv6: "{{ wireguard_ipv6_subnet | ansible.utils.ipaddr('17') }}"
    vpn_ipv4: "{{ wireguard_ipv4_subnet | ansible.utils.ipaddr('17') }}"
    vps_ipv6: "{{ public_ipv6_subnet | ansible.utils.ipaddr('17') }}"
    vps_ipv4: "{{ ansible_default_ipv4.address }}"

  moirai-atropos.local:
    vpn_ipv6: "{{ wireguard_ipv6_subnet | ansible.utils.ipaddr('18') }}"
    vpn_ipv4: "{{ wireguard_ipv4_subnet | ansible.utils.ipaddr('18') }}"
    vps_ipv6: "{{ public_ipv6_subnet | ansible.utils.ipaddr('18') }}"
    vps_ipv4: "{{ ansible_default_ipv4.address }}"