kpfleming.systemd_networkd.wireguard role – Manages systemd-networkd WireGuard tunnel virtual network devices.

Note

This role is part of the kpfleming.systemd_networkd collection (version 25.9.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it use: ansible-galaxy collection install kpfleming.systemd_networkd.

To use it in a playbook, specify: kpfleming.systemd_networkd.wireguard.

Entry point main – Manages systemd-networkd WireGuard tunnel virtual network devices.

Synopsis

  • This role will create (or update) three items in /etc/systemd/network for each specified tunnel: 1) A drop-in directory for the underlying network 2) A .netdev file for the tunnel device 3) A .conf file in the drop-in directory connecting the tunnel device to the underlying network

  • Detailed descriptions of parameters and their behavior can be found in ‘man systemd.netdev’.

  • Sets fact named ‘systemd_networkd_wireguard_changed’ to either true or false to indicate whether any changes were made.

Parameters

Parameter

Comments

suppress_reload

boolean

Suppress the reloading of systemd-networkd if changes are made.

Choices:

  • false ← (default)

  • true

suppress_restart

boolean

Suppress the restarting of systemd-networkd if changes are made to the netdev configuration.

Choices:

  • false ← (default)

  • true

systemd_root

string

Root path of filesystem containing systemd-networkd configuration files.

Default: ""

wireguards

list / elements=dictionary / required

Attributes of the interfaces to be managed.

match

dictionary

Matching attributes of the network device.

system

dictionary

System-specific attributes to be matched.

architecture

string

Match system architecture.

credential

string

Match service credential.

firmware

string

Match system firmware.

host

string

Match hostname or machine ID.

kernel_command_line

string

Match kernel command line option presence.

kernel_version

string

Match kernel version expression.

virtualization

string

Match virtualization type.

name

string / required

Name of the WireGuard device.

netdev

dictionary

Attributes of the WireGuard network device.

mac_address

string

MAC address to use on the device.

mtu_bytes

string

The MTU for the device.

peers

list / elements=dictionary / required

Attributes of the peers for the tunnel.

allowed_ips

list / elements=string / required

Addresses, with optional netmasks, which the peer is allowed to use for sending traffic, and for which traffic will be sent to the peer.

endpoint

string

Initial address and port to be used for traffic to this peer.

name

string

Name of the peer (will only be used as a comment in the configuration file).

persistent_keepalive

integer

Interval, in seconds, to send empty-but-authenticated packets to this peer.

preshared_key

string

Base64-encoded preshared key with the peer.

preshared_key_file

path

Path to file containing a base64-encoded preshared key with the peer.

public_key

string / required

Base64-encoded public key of the peer.

route_metric

integer

Metric value for routes added when route_table is specified. Overrides the setting from the tunnel, if specified.

route_table

string

Route table name (from networkd.conf), number, or predefined name (“default”, “main”, or “local”). Overrides the setting from the tunnel, if specified.

wireguard

dictionary

Attributes of the WireGuard device.

firewall_mark

integer

Mark to be set on outgoing packets from this interface.

listen_port

integer

UDP port to listen for incoming traffic. If not specified, a port will be chosen based on the interface name.

private_key

string

Base64-encoded private key.

private_key_file

path

Path to file containing a base64-encoded private key.

route_metric

integer

Metric value for routes added when route_table is specified.

route_table

string

Route table name (from networkd.conf), number, or predefined name (“default”, “main”, or “local”).