firewall: ensure wireguard egress traffic uses the anycast source IP

Before we relied on the IP being first in the interfaces file, which is less than optimal. Now we use nftables to ensure the correct source IP is set only for the (fwmarked) wireguard traffic. Also remove iface hints from interfaces configuration as they are not needed with ifupdown-ng.
2025-07-18 18:35:36 +02:00 · 2025-07-18 18:35:36 +02:00 · 6840838978
commit 6840838978
parent 9b03b002f7
3 changed files with 20 additions and 5 deletions
--- a/roles/firewall/templates/interfaces.j2
+++ b/roles/firewall/templates/interfaces.j2
@ -1,10 +1,9 @@
 {% set addrs = interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first -%}

-source-directory /etc/network/interfaces.d
-
 auto lo
-iface lo inet loopback
-    address {{ wg_ip }}
+iface lo
 {% for address in addrs %}
    address {{ address.address }}
 {% endfor %}
+
+source-directory /etc/network/interfaces.d