{"id":31525767,"url":"https://github.com/fedlify/terraform-wireguard","last_synced_at":"2026-05-15T21:01:51.975Z","repository":{"id":316169826,"uuid":"1062213439","full_name":"fedlify/terraform-wireguard","owner":"fedlify","description":"Terraform module that renders WireGuard configs for hub-and-spoke or mesh topologies, with optional key generation and a Docker lab for integration testing.","archived":false,"fork":false,"pushed_at":"2025-09-23T03:22:17.000Z","size":12,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-10-03T18:54:56.704Z","etag":null,"topics":["infrastructure-as-code","mesh-networking","terraform-module","vpn","wireguard"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fedlify.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-23T00:59:44.000Z","updated_at":"2025-09-30T16:17:17.000Z","dependencies_parsed_at":"2025-09-23T05:40:56.808Z","dependency_job_id":"94793949-8f6e-4ce3-b30b-5f9357b49277","html_url":"https://github.com/fedlify/terraform-wireguard","commit_stats":null,"previous_names":["fedlify/terraform-wireguard"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/fedlify/terraform-wireguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedlify%2Fterraform-wireguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedlify%2Fterraform-wireguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedlify%2Fterraform-wireguard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedlify%2Fterraform-wireguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fedlify","download_url":"https://codeload.github.com/fedlify/terraform-wireguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fedlify%2Fterraform-wireguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33080349,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-15T20:25:35.270Z","status":"ssl_error","status_checked_at":"2026-05-15T20:25:34.732Z","response_time":103,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["infrastructure-as-code","mesh-networking","terraform-module","vpn","wireguard"],"created_at":"2025-10-03T18:51:44.580Z","updated_at":"2026-05-15T21:01:51.969Z","avatar_url":"https://github.com/fedlify.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform WireGuard Config Generator\n\nComposable Terraform module that produces WireGuard configuration files for distributed networks. Feed the module a set of node definitions and pick a topology (`hub-and-spoke` or `mesh`). The module resolves peer relationships, applies overrides, and outputs ready-to-use configs for every node.\n\n## Highlights\n\n- Supports `hub-and-spoke` (single hub with many spokes) and full `mesh` topologies\n- Generates consistent peer blocks with optional per-peer overrides and preshared keys\n- Optionally auto-generates WireGuard key pairs via the bundled script or a custom command\n- Applies shared defaults for listen ports, DNS servers, and persistent keepalive timers\n- Ships with hub-and-spoke and mesh examples plus `terraform test` suites for validation\n- Cloud agnostic: no providers or infrastructure resources required\n\n## Inputs at a glance\n\n| Name | Type | Default | Description |\n|------|------|---------|-------------|\n| `topology` | `string` | `\"mesh\"` | Network layout. One of `hub-and-spoke` or `mesh`. |\n| `hub` | `string` | `null` | Hub node name when `topology = \"hub-and-spoke\"`. |\n| `nodes` | `map(object)` | – | Node definitions keyed by name. Each object accepts `private_key`, `public_key`, `addresses`, optional `listen_port`, `endpoint`, `allowed_ips`, `dns`, `mtu`. |\n| `default_listen_port` | `number` | `null` | Port applied when a node omits `listen_port`. |\n| `default_dns` | `list(string)` | `[]` | DNS servers injected when a node omits `dns`. |\n| `default_persistent_keepalive` | `number` | `null` | PersistentKeepalive fallback (seconds). |\n| `preshared_keys` | `map(map(string))` | `{}` | Optional preshared keys, indexed `[local][remote]`. |\n| `peer_overrides` | `map(map(object))` | `{}` | Per-peer overrides for allowed IPs, endpoint, preshared key, and keepalive. |\n| `auto_generate_keys` | `bool` | `false` | Generate key pairs for nodes missing key material. Requires a keygen command. |\n| `keygen_command` | `string` | `null` | Override the default key generator; useful when `wg` is unavailable or you have custom tooling. |\n\nSee `variables.tf` for full type information.\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| `wireguard_configs` | Map of node name to rendered configuration string (sensitive). |\n| `peer_matrix` | Computed peer lists for every node. |\n| `nodes` | Normalised node settings after defaults are applied. |\n\n## Quick start\n\n```hcl\nmodule \"wireguard\" {\n  source   = \"github.com/fedlify/terraform-wireguard\"\n  topology = \"hub-and-spoke\"\n  hub      = \"hub\"\n\n  nodes = {\n    hub = {\n      private_key = var.hub_private_key\n      public_key  = var.hub_public_key\n      addresses   = [\"10.44.0.1/24\"]\n      endpoint    = \"vpn.example.com:51820\"\n      allowed_ips = [\"10.44.0.0/24\"]\n      dns         = [\"10.44.0.1\"]\n    }\n\n    laptop = {\n      private_key = var.laptop_private_key\n      public_key  = var.laptop_public_key\n      addresses   = [\"10.44.0.2/32\"]\n    }\n\n    phone = {\n      private_key = var.phone_private_key\n      public_key  = var.phone_public_key\n      addresses   = [\"10.44.0.3/32\"]\n    }\n  }\n\n  peer_overrides = {\n    laptop = {\n      hub = {\n        persistent_keepalive = 25\n      }\n    }\n  }\n\n  default_listen_port = 51820\n}\n\noutput \"hub_config\" {\n  value     = module.wireguard.wireguard_configs[\"hub\"]\n  sensitive = true\n}\n```\n\nAfter `terraform apply`, export configs:\n\n```shell\nterraform output -raw hub_config \u003e hub.conf\n```\n\n## Key generation\n\n- Enable `auto_generate_keys` when you prefer the module to mint key pairs for any node missing `private_key`/`public_key`.\n- By default the module runs `${path.module}/scripts/generate-keys.sh`, which shells out to `wg genkey`; ensure the WireGuard tools are installed on the Terraform runner.\n- Supply `keygen_command` to point at your own executable (for example, a wrapper around an HSM or a deterministic generator used in tests).\n\n## Examples and tests\n\n- `examples/hub-and-spoke` – simple hub with two spokes\n- `examples/mesh` – three-node mesh with shared defaults\n- `lab/docker-two-node` – docker-compose lab that boots two peers end-to-end\n\nRun the automated tests (Terraform \u003e= 1.6 required):\n\n```shell\nterraform test\n```\n\n## Implementation notes\n\n- `allowed_ips` defaults to the node's `addresses` when omitted, which suits many client peers. Override it for routing larger CIDR ranges.\n- Provide keys in WireGuard's standard Base64 format (`wg genkey`, `wg pubkey`) when not using `auto_generate_keys`.\n- Use `peer_overrides` or `preshared_keys` when a single pair deviates from the computed defaults.\n\nWireGuard (R) is a registered trademark of Jason A. Donenfeld. This project is not affiliated with or endorsed by WireGuard.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffedlify%2Fterraform-wireguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffedlify%2Fterraform-wireguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffedlify%2Fterraform-wireguard/lists"}