roles/firewall/handlers/main.yml

@@ -2,6 +2,10 @@
   command: ifup --auto
   when: "'handler' not in ansible_skip_tags"
 
+- name: mkinitfs
+  command: mkinitfs
+  when: "'handler' not in ansible_skip_tags"
+
 - name: reboot
   reboot:
   when: "'handler' not in ansible_skip_tags"

roles/firewall/tasks/main.yml

@@ -7,6 +7,13 @@
     name: bash,bonding,iproute2
     state: latest
 
+- name: Tell mdev to rename network interfaces
+  lineinfile:
+    path: /etc/mdev.conf
+    line: '-net/.* root:root 600 @/sbin/nameif -s'
+    insertafter: '^# net devices'
+  notify: mkinitfs
+
 - name: Tell ifupdown to also rename network interfaces
   copy:
     dest: /etc/network/if-pre-up.d/nameif

roles/firewall/templates/interfaces.j2

@@ -1,9 +1,10 @@
 {% set addrs = interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first -%}
 
+source-directory /etc/network/interfaces.d
+
 auto lo
-iface lo
+iface lo inet loopback
+    address {{ wg_ip }}
 {% for address in addrs %}
     address {{ address.address }}
 {% endfor %}
-
-source-directory /etc/network/interfaces.d

roles/firewall/templates/nftables.nft.j2

@@ -146,19 +146,6 @@ table inet filter {
     }
 }
 
-table inet wireguard {
-    chain input {
-        type filter hook prerouting priority raw; policy accept
-        udp dport 51820 notrack \
-        comment "Disable connection tracking for wireguard"
-    }
-    chain output {
-        type route hook output priority raw; policy accept
-        meta mark 51820 meta nfproto ipv4 ip saddr set {{ wg_ip | ipaddr('address') }} notrack \
-        comment "Disable connection tracking and set anycast source IP for wireguard"
-    }
-}
-
 table ip nat {
     include "/etc/nftables.d/interfaces.nft"
     include "/etc/nftables.d/networks.nft"

roles/firewall/templates/wg.intf.j2

@@ -1,8 +1,5 @@
-iface lo
-    address {{ wg_ip }}
-
 auto wg
-iface wg
+iface wg inet static
     use wireguard
 {% if wg_net is defined %}
     address {{ wg_net }}