ifupdown2: improve wireguard support

- add prio to ensure idempotency when reloading the iface
- add proto to ease route filtering in bird

roles/ifupdown2/defaults/main.yml

@@ -2,4 +2,6 @@
 ifupdown2__interfaces: {}
 ifupdown2__wireguard: {}
 ifupdown2__wireguard_keepalive: 0
+ifupdown2__wireguard_proto: boot
+ifupdown2__prio_base: 100
 ...

roles/ifupdown2/templates/interfaces.j2

@@ -1,6 +1,9 @@
 {{ ansible_managed | comment }}
 
-{% macro iface_common(iface) %}
+auto lo
+iface lo
+
+{% macro iface_common(iface, index=None) %}
 {% for address in iface.addresses | default([]) %}
 address {{ address | ipaddr }}
 {% endfor %}
@@ -12,10 +15,11 @@ ip-forward yes
 ip6-forward yes
 {% endif %}
 {% if iface.goto_table is defined %}
-pre-up ip rule add iif $IFACE table {{ iface.goto_table }}
-pre-up ip rule add iif $IFACE blackhole
-post-down ip rule del iif $IFACE table {{ iface.goto_table }}
-post-down ip rule del iif $IFACE blackhole
+{% set prio = ifupdown2__prio_base + 2 * index %}
+pre-up ip rule add prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
+pre-up ip rule add prio {{ prio + 1 }} iif $IFACE blackhole
+post-down ip rule del prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
+post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
 {% endif %}
 {% if iface.ipv6_addrgen is defined %}
 ipv6-addrgen {{ iface.ipv6_addrgen
@@ -50,14 +54,14 @@ iface {{ name }}
 
 {% endfor %}
 
-{% for name, iface in ifupdown2__wireguard.items() %}
+{% for name, iface in ifupdown2__wireguard.items() | sort(attribute="0") %}
 auto {{ name }}
 iface {{ name }}
     link-type wireguard
-    {{ iface_common(iface) | indent(4) }}
+    {{ iface_common(iface, index=loop.index) | indent(4) }}
     pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
 {% for address in iface.peer_allowed_addresses | default([]) %}
-    post-up ip route add {{ address }} dev $IFACE
+    post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} dev $IFACE
 {% endfor %}
 
 {% endfor %}