---
# WireGuard server role: default variables.
# Everything here is a role default; override per host or group as needed.

# Interface and addressing
wg_interface: 'wg0'
wg_port: 51820
wg_network: '10.100.0.0/24'
wg_server_ip: '10.100.0.1'

# DNS resolvers for VPN clients
wg_dns_servers:
  - '1.1.1.1'
  - '1.0.0.1'

# Peers (users) of this server. Expected shape of each entry:
#   wg_peers:
#     - name: user1
#       ip: '10.100.0.10'
#     - name: user2
#       ip: '10.100.0.11'
wg_peers: []

# Automatic peer IP allocation
wg_auto_allocate_ips: true
wg_ip_start: 10  # Start allocating from 10.100.0.10

# Key and configuration locations
# NOTE(review): these paths presumably hold server and client private keys.
# Confirm the tasks create them root-owned with 0700 directories and 0600
# files, and that generated client configs are removed once handed over.
wg_keys_dir: '/etc/wireguard/keys'
wg_config_dir: '/etc/wireguard'
wg_client_configs_dir: '/root/wireguard-client-configs'

# Firewall hooks for forwarding and NAT. wg-quick replaces %i with the
# interface name; ansible_default_ipv4 is a gathered fact, so fact gathering
# must have run before these values are templated.
# NOTE(review): the FORWARD rules accept all traffic entering or leaving the
# tunnel interface, and the MASQUERADE rule has no source match, so it applies
# to any forwarded traffic leaving the default interface, not only wg_network.
# On a host that routes for anything else, consider overriding these with
# rules scoped to "-s {{ wg_network }}". Keep wg_postdown an exact mirror of
# wg_postup, or the -D calls will not find the rules to delete.
wg_postup: >-
  iptables -A FORWARD -i %i -j ACCEPT;
  iptables -A FORWARD -o %i -j ACCEPT;
  iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
wg_postdown: >-
  iptables -D FORWARD -i %i -j ACCEPT;
  iptables -D FORWARD -o %i -j ACCEPT;
  iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE

# Keepalive (presumably rendered as PersistentKeepalive, in seconds)
wg_persistent_keepalive: 25

# Tunnel MTU
wg_mtu: 1420