{%- set wg = wireguard_device -%}
[Interface]
# Interface: {{ wg.interface.name }}
PrivateKey = {{ wg.interface.keypair.private }}
# We use a /30 to ensure only adajacent pairs of IPs are used.
Address = {{ wg.interface.address }}/30
#DNS = 1.1.1.1, 1.0.0.1
{% if wg.interface.listenport -%}
ListenPort = {{ wg.interface.listenport }}
{%- endif %}

{% if services|length > 0 -%}
# Ensure that only the requested ports are permitted in. Any other
# traffic from the wg interface will be dropped.For example, 443/TCP:
#
# PostUp = iptables -A INPUT -i %i -m tcp -p tcp --dport 443 -j ACCEPT
# PostUp = iptables -A INPUT -i %i -j DROP
# PostDown = iptables -D INPUT -i %i -m tcp -p tcp --dport 443 -j ACCEPT
# PostDown = iptables -D INPUT -i %i -j DROP
#
# Also allow pinging between interfaces, for healthchecks.
{% for s in services -%}
{%- if s.protocol | upper == "TCP" %}
PostUp = iptables -A INPUT -i %i -m {{ s.protocol | lower }} -p {{ s.protocol | lower }} --dport {{ s.local_port }} -j ACCEPT
{% endif -%}
{%- endfor %}
PostUp = iptables -A INPUT -i %i -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A INPUT -i %i -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A INPUT -i %i -j DROP

{% for s in services -%}
{%- if s.protocol | upper == "TCP" %}
PostDown = iptables -D INPUT -i %i -m {{ s.protocol | lower }} -p {{ s.protocol | lower }} --dport {{ s.local_port }} -j ACCEPT
{% endif -%}
{%- endfor %}
PostDown = iptables -D INPUT -i %i -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i %i -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D INPUT -i %i -j DROP
{%- endif %}

[Peer]
# Peer: {{ wg.peer.name }}
PublicKey = {{ wg.peer.keypair.public }}
{% if wg.peer.endpoint %}
Endpoint = {{ wg.peer.endpoint }}:{{ wg.peer.listenport }}
{% endif %}
PersistentKeepalive = 25
AllowedIPs = {{ wg.peer.address }}/32