You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
ansible-role-wireguard/defaults/main.yml

122 lines
4.6 KiB
YAML

---
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
#######################################
# General settings
#######################################
# Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Darwin' else '/opt/local/etc/wireguard' }}"
# The default port WireGuard will listen if not specified otherwise.
wireguard_port: "51820"
# The default interface name that WireGuard should use if not specified otherwise.
wireguard_interface: "wg0"
# The default owner of the wg.conf file
wireguard_conf_owner: root
# The default group of the wg.conf file
wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
# The default mode of the wg.conf file
wireguard_conf_mode: 0600
# The default state of the wireguard service
wireguard_service_enabled: "yes"
wireguard_service_state: "started"
# By default "wg syncconf" is used to apply WireGuard interface settings if
# they've changed. Older WireGuard tools doesn't provide this option. In that
# case as a fallback the WireGuard interface will be restarted. This causes a
# short interruption of network connections.
#
# So even if "false" is the default, the role figures out if the "syncconf"
# option of the "wg" utility is available and if not falls back to "true"
# (which means interface will be restarted as this is the only possible option
# in this case).
#
# Possible options:
# - false (default)
# - true
#
# Both options have their pros and cons. The default "false" option (do not
# restart interface)
# - does not need to restart the WireGuard interface to apply changes
# - does not cause a short VPN connection interruption when changes are applied
# - might cause network routes are not properly reloaded
#
# Setting the option value to "true" will
# - restart the WireGuard interface as the name suggests in case of changes
# - cause a short VPN connection interruption when changes are applied
# - make sure that network routes are properly reloaded
#
# So it depends a little bit on your setup which option works best. If you
# don't have an overly complicated routing that changes very often or at all
# using "false" here is most properly good enough for you. E.g. if you just
# want to connect a few servers via VPN and it normally stays this way.
#
# If you have a more dynamic routing setup then setting this to "true" might be
# the safest way to go. Also if you want to avoid the possibility creating some
# hard to detect side effects this option should be considered.
wireguard_interface_restart: false
# This is sensitive: encrypt it with a tool like Ansible Vault.
# If not set, a new one is generated on a blank configuration.
# wireguard_private_key:
#######################################
# Settings only relevant for:
# - Ubuntu
# - elementary OS
#######################################
# Set to "false" if package cache should not be updated
wireguard_ubuntu_update_cache: "true"
# Set package cache valid time
wireguard_ubuntu_cache_valid_time: "3600"
#######################################
# Settings only relevant for CentOS 7
#######################################
# Set wireguard_centos7_installation_method to "kernel-plus"
# to use the kernel-plus kernel, which includes a built-in,
# signed WireGuard module.
#
# The default of "standard" will use the standard kernel and
# the ELRepo module for WireGuard.
wireguard_centos7_installation_method: "standard"
# Reboot host if necessary if the "kernel-plus" kernel is in use
wireguard_centos7_kernel_plus_reboot: true
# The default seconds to wait for machine to reboot and respond
# if "kernel-plus" is in use. Is only relevant if
# "wireguard_centos7_kernel_plus_reboot" is set to "true".
wireguard_centos7_kernel_plus_reboot_timeout: "600"
# Reboot host if necessary if the standard kernel is in use
wireguard_centos7_standard_reboot: true
# The default seconds to wait for machine to reboot and respond
# if "standard" kernel is in use. Is only relevant if
# "wireguard_centos7_standard_reboot" is set to "true".
wireguard_centos7_standard_reboot_timeout: "600"
#########################################
# Settings only relevant for RockyLinux 8
#########################################
# Set wireguard_rockylinux8_installation_method to "dkms"
# to build WireGuard module from source, with wireguard-dkms.
# This is required if you use a custom kernel and/or your arch
# is not x86_64.
#
# The default of "standard" will install the kernel module
# with kmod-wireguard from ELRepo.
wireguard_rockylinux8_installation_method: "standard"