1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -2,3 +2,4 @@
# SPDX-License-Identifier: GPL-3.0-or-later

molecule/kvm/.vagrant
meta/.galaxy_install_info
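Review bot: `meta/.galaxy_install_info` has nothing to do with the per-host AllowedIPs feature this PR introduces. Ignoring it is reasonable (ansible-galaxy writes that file into the role directory on install), but an unrelated housekeeping change should sit in its own commit, or at least be mentioned in the commit message, so the history of the feature stays readable.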
4 changes: 4 additions & 0 deletions README.md
@@ -243,6 +243,9 @@ You can specify further optional settings (they don't have a default and won't b

```yaml
wireguard_allowed_ips: ""
wireguard_byhost_allowed_ips:
host1: 10.0.0.2,192.168.1.41,192.168.1.0/24

wireguard_endpoint: "host1.domain.tld"
wireguard_persistent_keepalive: "30"
wireguard_dns: "1.1.1.1"
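Review bot: the new `wireguard_byhost_allowed_ips` entry is dropped into the optional-settings example without any text saying what the key means or how it relates to `wireguard_allowed_ips`. From the example alone a reader cannot tell whether `host1` names the host that owns this dict or the host whose generated config will carry the override; per the template change in this PR it is the latter (the dict is read from the peer, keyed by the `inventory_hostname` whose `wg.conf` is being rendered, and it takes precedence over that peer's `wireguard_allowed_ips`). Suggest a comment directly above the example, e.g. `# Per-config override: this peer's AllowedIPs in the [Peer] entry that host1 generates for it`, plus a note that the value uses the same comma-separated format as `wireguard_allowed_ips`. Since AllowedIPs is WireGuard's cryptokey routing table, it also decides which source addresses are accepted from that peer, so the docs should say that a broad override is a deliberate choice, not a convenience.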
@@ -288,6 +291,7 @@ One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) i

Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.

with `wireguard_byhost_allowed_ips` you can provide a dict with inventory name in key to custom allowed ip by host
First, here is a part of my Ansible `hosts` file:

```ini
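Review bot: the added sentence (`with `wireguard_byhost_allowed_ips` you can provide a dict with inventory name in key to custom allowed ip by host`) lands in the middle of the Hetzner/Kubernetes walkthrough, between the paragraph describing that setup and "First, here is a part of my Ansible `hosts` file:", where it reads as a stray line unrelated to the surrounding text. Move it up to the optional-settings section next to the YAML example, capitalise it and tighten the wording, e.g. "With `wireguard_byhost_allowed_ips` you can provide a dict, keyed by inventory hostname, that sets custom AllowedIPs for this peer in that host's generated config."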
2 changes: 1 addition & 1 deletion handlers/main.yml
@@ -10,7 +10,7 @@
- stopped
- started
when:
- wireguard__restart_interface
- wireguard__restart_interface != none
- not ansible_os_family == 'Darwin'
- wireguard_service_enabled == "yes"
listen: "reconfigure wireguard"
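Review bot: replacing the truthiness test with `wireguard__restart_interface != none` widens what triggers the restart: any value other than None now passes, including an empty string, which the previous `- wireguard__restart_interface` condition skipped. If the intent is only to handle the fact being set to None explicitly, say so in the commit message; if the fact can also end up as an empty string, `wireguard__restart_interface is not none and wireguard__restart_interface | length > 0` covers both cases. The comparison itself is fine (`none` is the lowercase Jinja2 literal). This is also unrelated to the per-host AllowedIPs feature and belongs in its own commit.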
6 changes: 4 additions & 2 deletions templates/etc/wireguard/wg.conf.j2
@@ -1,4 +1,4 @@
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
#jinja2: lstrip_blocks:True,trim_blocks:True
{# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
#}
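Review bot: dropping the quotes around `True` in the `#jinja2:` override line is a cleanup independent of the feature. The unquoted boolean is the form the Ansible template docs show for `trim_blocks`/`lstrip_blocks`; the quoted form evaluated to a non-empty string and was therefore truthy as well, so there is no behaviour change. Note that in the commit message, or split it into a separate commit.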
@@ -57,7 +57,9 @@ SaveConfig = {{ wireguard_save_config }}
[Peer]
# {{ host }}
PublicKey = {{hostvars[host].wireguard__fact_public_key}}
{% if hostvars[host].wireguard_allowed_ips is defined %}
{% if hostvars[host].wireguard_byhost_allowed_ips[inventory_hostname] is defined%}
AllowedIPs = {{hostvars[host].wireguard_byhost_allowed_ips[inventory_hostname]}}
{% elif hostvars[host].wireguard_allowed_ips is defined %}
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
{% else %}
{% if wireguard_address is defined %}
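Review bot: the new first branch indexes `hostvars[host].wireguard_byhost_allowed_ips[inventory_hostname]` without first checking that `wireguard_byhost_allowed_ips` is set on the peer at all. The README lists it as optional with no default, so most peers will not define it, and the branch then relies on Ansible's undefined handling tolerating the chained lookup instead of raising. Make the intent explicit and independent of that behaviour: `{% if hostvars[host].wireguard_byhost_allowed_ips is defined and inventory_hostname in hostvars[host].wireguard_byhost_allowed_ips %}`. While there, add the missing space before `%}` on that line to match the rest of the template. A short comment above the block would also help future readers: the dict lives on the peer `host` and is keyed by the `inventory_hostname` whose config is being rendered, it overrides that peer's `wireguard_allowed_ips`, and because AllowedIPs is the cryptokey routing table the override also controls which source addresses are accepted from that peer's key.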