|
|
|
---
|
|
|
|
# Copyright (C) 2018-2022 Robert Wimmer
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
# General settings
|
|
|
|
#######################################
|
|
|
|
|
|
|
|
# Directory to store WireGuard configuration on the remote hosts
|
|
|
|
wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Darwin' else '/opt/local/etc/wireguard' }}"
|
|
|
|
|
|
|
|
# The default port WireGuard will listen if not specified otherwise.
|
|
|
|
wireguard_port: "51820"
|
|
|
|
|
|
|
|
# The default interface name that WireGuard should use if not specified otherwise.
|
|
|
|
wireguard_interface: "wg0"
|
|
|
|
|
|
|
|
# The default owner of the wg.conf file
|
|
|
|
wireguard_conf_owner: root
|
|
|
|
|
|
|
|
# The default group of the wg.conf file
|
|
|
|
wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
|
|
|
|
|
|
|
|
# The default mode of the wg.conf file
|
|
|
|
wireguard_conf_mode: 0600
|
|
|
|
|
|
|
|
# The default state of the wireguard service
|
|
|
|
wireguard_service_enabled: "yes"
|
|
|
|
wireguard_service_state: "started"
|
|
|
|
|
|
|
|
# By default "wg syncconf" is used to apply WireGuard interface settings if
|
|
|
|
# they've changed. Older WireGuard tools doesn't provide this option. In that
|
|
|
|
# case as a fallback the WireGuard interface will be restarted. This causes a
|
|
|
|
# short interruption of network connections.
|
|
|
|
#
|
|
|
|
# So even if "false" is the default, the role figures out if the "syncconf"
|
|
|
|
# option of the "wg" utility is available and if not falls back to "true"
|
|
|
|
# (which means interface will be restarted as this is the only possible option
|
|
|
|
# in this case).
|
|
|
|
#
|
|
|
|
# Possible options:
|
|
|
|
# - false (default)
|
|
|
|
# - true
|
|
|
|
#
|
|
|
|
# Both options have their pros and cons. The default "false" option (do not
|
|
|
|
# restart interface)
|
|
|
|
# - does not need to restart the WireGuard interface to apply changes
|
|
|
|
# - does not cause a short VPN connection interruption when changes are applied
|
|
|
|
# - might cause network routes are not properly reloaded
|
|
|
|
#
|
|
|
|
# Setting the option value to "true" will
|
|
|
|
# - restart the WireGuard interface as the name suggests in case of changes
|
|
|
|
# - cause a short VPN connection interruption when changes are applied
|
|
|
|
# - make sure that network routes are properly reloaded
|
|
|
|
#
|
|
|
|
# So it depends a little bit on your setup which option works best. If you
|
|
|
|
# don't have an overly complicated routing that changes very often or at all
|
|
|
|
# using "false" here is most properly good enough for you. E.g. if you just
|
|
|
|
# want to connect a few servers via VPN and it normally stays this way.
|
|
|
|
#
|
|
|
|
# If you have a more dynamic routing setup then setting this to "true" might be
|
|
|
|
# the safest way to go. Also if you want to avoid the possibility creating some
|
|
|
|
# hard to detect side effects this option should be considered.
|
|
|
|
wireguard_interface_restart: false
|
|
|
|
|
|
|
|
# This is sensitive: encrypt it with a tool like Ansible Vault.
|
|
|
|
# If not set, a new one is generated on a blank configuration.
|
|
|
|
# wireguard_private_key:
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
# Settings only relevant for:
|
|
|
|
# - Ubuntu
|
|
|
|
# - elementary OS
|
|
|
|
#######################################
|
|
|
|
|
|
|
|
# Set to "false" if package cache should not be updated
|
|
|
|
wireguard_ubuntu_update_cache: "true"
|
|
|
|
|
|
|
|
# Set package cache valid time
|
|
|
|
wireguard_ubuntu_cache_valid_time: "3600"
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
# Settings only relevant for CentOS 7
|
|
|
|
#######################################
|
|
|
|
|
|
|
|
# Set wireguard_centos7_installation_method to "kernel-plus"
|
|
|
|
# to use the kernel-plus kernel, which includes a built-in,
|
|
|
|
# signed WireGuard module.
|
|
|
|
#
|
|
|
|
# The default of "standard" will use the standard kernel and
|
|
|
|
# the ELRepo module for WireGuard.
|
|
|
|
wireguard_centos7_installation_method: "standard"
|
|
|
|
|
|
|
|
# Reboot host if necessary if the "kernel-plus" kernel is in use
|
|
|
|
wireguard_centos7_kernel_plus_reboot: true
|
|
|
|
|
|
|
|
# The default seconds to wait for machine to reboot and respond
|
|
|
|
# if "kernel-plus" is in use. Is only relevant if
|
|
|
|
# "wireguard_centos7_kernel_plus_reboot" is set to "true".
|
|
|
|
wireguard_centos7_kernel_plus_reboot_timeout: "600"
|
|
|
|
|
|
|
|
# Reboot host if necessary if the standard kernel is in use
|
|
|
|
wireguard_centos7_standard_reboot: true
|
|
|
|
|
|
|
|
# The default seconds to wait for machine to reboot and respond
|
|
|
|
# if "standard" kernel is in use. Is only relevant if
|
|
|
|
# "wireguard_centos7_standard_reboot" is set to "true".
|
|
|
|
wireguard_centos7_standard_reboot_timeout: "600"
|
|
|
|
|
|
|
|
#########################################
|
|
|
|
# Settings only relevant for RockyLinux 8
|
|
|
|
#########################################
|
|
|
|
|
|
|
|
# Set wireguard_rockylinux8_installation_method to "dkms"
|
|
|
|
# to build WireGuard module from source, with wireguard-dkms.
|
|
|
|
# This is required if you use a custom kernel and/or your arch
|
|
|
|
# is not x86_64.
|
|
|
|
#
|
|
|
|
# The default of "standard" will install the kernel module
|
|
|
|
# with kmod-wireguard from ELRepo.
|
|
|
|
wireguard_rockylinux8_installation_method: "standard"
|