Fix template variable and undefined job variable bugs

- Fix client.conf.j2 to use `item` instead of `item.1` to match modern
  loop syntax (loop with index_var instead of with_indexed_items)
- Fix server.yml _vpn_jobs to use `| default({})` for job variables
  that may be undefined when running with tags (e.g., IPsec-only)
- Update test_template_rendering.py to pass item as string instead of
  tuple, matching the new loop behavior

Fixes CI failures from PR #14891 that were correctly identified by the
Claude Code bot review.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: dguido

roles/wireguard/templates/client.conf.j2

@@ -1,13 +1,13 @@
 [Interface]
-PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + item.1) }}
+PrivateKey = {{ lookup('file', wireguard_pki_path + '/private/' + item) }}
 Address = {{ wireguard_client_ip }}
 DNS = {{ wireguard_dns_servers }}
 {% if reduce_mtu | int > 0 %}MTU = {{ 1420 - reduce_mtu | int }}
 {% endif %}
 
 [Peer]
 PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }}
-PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }}
+PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item) }}
 AllowedIPs = 0.0.0.0/0,::/0
 Endpoint = {% if ':' in IP_subject_alt_name %}[{{ IP_subject_alt_name }}]:{{ wireguard_port }}{% else %}{{ IP_subject_alt_name }}:{{ wireguard_port }}{% endif %}
 {{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive | string if wireguard_PersistentKeepalive > 0 else '' }}

server.yml

@@ -88,10 +88,10 @@
             - name: Build async job list
               set_fact:
                 _vpn_jobs:
-                  - {name: dns, job: "{{ dns_job }}", tag: dns}
-                  - {name: wireguard, job: "{{ wireguard_job }}", tag: wireguard}
-                  - {name: strongswan, job: "{{ strongswan_job }}", tag: ipsec}
-                  - {name: ssh_tunneling, job: "{{ ssh_tunneling_job }}", tag: ssh_tunneling}
+                  - {name: dns, job: "{{ dns_job | default({}) }}"}
+                  - {name: wireguard, job: "{{ wireguard_job | default({}) }}"}
+                  - {name: strongswan, job: "{{ strongswan_job | default({}) }}"}
+                  - {name: ssh_tunneling, job: "{{ ssh_tunneling_job | default({}) }}"}
 
             - name: Wait for VPN services to complete
               async_status:

tests/unit/test_template_rendering.py

@@ -131,8 +131,9 @@ def test_critical_templates():
             template = env.get_template(template_name)
 
             # Add item context for templates that use loops
+            # With modern loop syntax, item is the username string directly
             if "client" in template_name:
-                test_vars["item"] = ("test-user", "test-user")
+                test_vars["item"] = "test-user"
 
             # Try to render
             output = template.render(**test_vars)
@@ -211,7 +212,8 @@ def test_wireguard_ipv6_endpoints():
         try:
             # Set up test variables
             test_vars = {**base_vars, **test_case}
-            test_vars["item"] = ("test-user", "test-user")
+            # With modern loop syntax, item is the username string directly
+            test_vars["item"] = "test-user"
 
             # Render template
             env = Environment(loader=FileSystemLoader("roles/wireguard/templates"), undefined=StrictUndefined)