v10.0.0 (#162)

* remove support for Fedora 35 / add support for Fedora 36 * remove Fedora 34 + add Fedora 36 to Molecule test * fix Jinja2 spacing * fix Jinja2 spacing * improve the task key order to: name, when, tags, block * handlers/main.yml: names should start with an uppercase letter * tasks/main.yml: names should start with an uppercase letter * add .yamllint * add Github release action to push new release to Ansible Galaxy * add Molecule setup for openSUSE 15.4 * molecule/kvm-single-server: add verify.yml / enable verifier * update CHANGELOG
2 years ago · 3821005839
parent fad7b1d7b0
commit 3821005839
14 changed files with 180 additions and 47 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,39 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+on:
+  push:
+    tags:
+      - '*'
+
+defaults:
+  run:
+    working-directory: 'githubixx.ansible_role_wireguard'
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+        with:
+          path: 'githubixx.ansible_role_wireguard'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install Ansible.
+        run: pip3 install ansible-core
+
+      - name: Trigger a new import on Galaxy.
+        run: >-
+          ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
+          $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
--- a/.yamllint
+++ b/.yamllint
@ -0,0 +1,9 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 150
+    level: warning
+
+  comments-indentation: disable
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,18 @@ SPDX-License-Identifier: GPL-3.0-or-later

 # Changelog

+## 10.0.0
+
+- remove Fedora 34 + add Fedora 36 to Molecule test
+- remove support for Fedora 35 / add support for Fedora 36
+- add Molecule setup for openSUSE 15.4
+- add Github release action to push new release to Ansible Galaxy
+- add `.yamllint`
+- `tasks/main.yml`: names should start with an uppercase letter
+- `handlers/main.yml`: names should start with an uppercase letter
+- improve the task key order to: name, when, tags, block
+- fix Jinja2 spacing
+
 ## 9.3.0

 - add support for Ubuntu 22.04 (Jammy Jellyfish)
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -2,7 +2,7 @@
 # Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later

- name: restart wireguard
+- name: Restart wireguard
  ansible.builtin.service:
    name: "wg-quick@{{ wireguard_interface }}"
    state: "{{ item }}"
@ -15,13 +15,13 @@
    - wireguard_service_enabled == "yes"
  listen: "reconfigure wireguard"

- name: syncconf wireguard
+- name: Syncconf wireguard
  ansible.builtin.shell: |
    set -o errexit
    set -o pipefail
    set -o nounset
-    systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
-    wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
+    systemctl is-active wg-quick@{{ wireguard_interface | quote }} || systemctl start wg-quick@{{ wireguard_interface | quote }}
+    wg syncconf {{ wireguard_interface | quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface | quote }}.conf)
    exit 0
  args:
    executable: "/bin/bash"
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,3 +1,4 @@
+---
 # Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later

@ -25,8 +26,8 @@ galaxy_info:
        - "8"
    - name: Fedora
      versions:
-        - "34"
        - "35"
+        - "36"
    - name: opensuse
      versions:
        - "15.3"
--- a/molecule/kvm-single-server/molecule.yml
+++ b/molecule/kvm-single-server/molecule.yml
@ -93,4 +93,3 @@ scenario:

 verifier:
  name: ansible
-  enabled: false
--- a/molecule/kvm-single-server/verify.yml
+++ b/molecule/kvm-single-server/verify.yml
@ -0,0 +1,33 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Verify setup
+  hosts: all
+  vars:
+    hosts_count: "{{ groups['vpn'] | length }}"
+  tasks:
+    - name: Count WireGuard interfaces
+      ansible.builtin.shell: |
+        set -o errexit
+        set -o pipefail
+        set -o nounset
+        wg | grep "peer: " | wc -l
+        exit 0
+      args:
+        executable: "/bin/bash"
+      register: wireguard__interfaces_count
+      changed_when: false
+
+    - name: Print WireGuard interface count
+      ansible.builtin.debug:
+        var: wireguard__interfaces_count.stdout
+
+    - name: Print hosts count in vpn group
+      ansible.builtin.debug:
+        var: hosts_count
+
+    - name: There should be as much WireGuard interfaces as hosts in vpn group minus one
+      ansible.builtin.assert:
+        that:
+          - "hosts_count|int -1 == wireguard__interfaces_count.stdout|int"
--- a/molecule/kvm/molecule.yml
+++ b/molecule/kvm/molecule.yml
@ -11,13 +11,12 @@ driver:
  provider:
    name: libvirt
    type: libvirt
-    options:
-      memory: 192
-      cpus: 2

 platforms:
  - name: test-wg-ubuntu2004
    box: generic/ubuntu2004
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -28,6 +27,8 @@ platforms:
      - ubuntu
  - name: test-wg-ubuntu1804
    box: generic/ubuntu1804
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -38,6 +39,8 @@ platforms:
      - ubuntu
  - name: test-wg-debian10
    box: generic/debian10
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -46,8 +49,10 @@ platforms:
    groups:
      - vpn
      - debian
-  - name: test-wg-fedora34
-    box: generic/fedora34
+  - name: test-wg-fedora36
+    box: generic/fedora36
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -58,6 +63,8 @@ platforms:
      - fedora
  - name: test-wg-centos7
    box: generic/centos7
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -68,6 +75,8 @@ platforms:
      - el7
  - name: test-wg-arch
    box: archlinux/archlinux
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -78,6 +87,8 @@ platforms:
      - archlinux
  - name: test-wg-debian11
    box: generic/debian11
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -88,6 +99,8 @@ platforms:
      - debian
  - name: test-wg-rocky8
    box: generic/rocky8
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -98,6 +111,8 @@ platforms:
      - el8
  - name: test-wg-alma8
    box: generic/alma8
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -108,6 +123,8 @@ platforms:
      - el8
  - name: test-wg-centos7-kernel-plus
    box: generic/centos7
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -118,6 +135,8 @@ platforms:
      - el7
  - name: test-wg-opensuse-leap-15-3
    box: opensuse/Leap-15.3.x86_64
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -128,6 +147,8 @@ platforms:
      - opensuse
  - name: test-wg-fedora35
    box: generic/fedora35
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -138,6 +159,8 @@ platforms:
      - fedora
  - name: test-wg-rocky8-dkms
    box: generic/rocky8
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -148,7 +171,9 @@ platforms:
      - el8
      - el8dkms
  - name: test-wg-ubuntu2204
-    box: alvistack/ubuntu-22.04
+    box: generic/ubuntu2004
+    memory: 1024
+    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
@ -157,7 +182,18 @@ platforms:
    groups:
      - vpn
      - ubuntu
-
+  - name: test-wg-opensuse-leap-15-4
+    box: opensuse/Leap-15.4.x86_64
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.150
+    groups:
+      - vpn
+      - opensuse

 provisioner:
  name: ansible
@ -185,7 +221,7 @@ provisioner:
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.30"
        ansible_python_interpreter: "/usr/bin/python"
-      test-wg-fedora34:
+      test-wg-fedora36:
        wireguard_address: "10.10.10.40/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
@ -246,6 +282,11 @@ provisioner:
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.140"
+      test-wg-opensuse-leap-15-4:
+        wireguard_address: "10.10.10.150/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.150"

 scenario:
  name: kvm
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -12,11 +12,11 @@
      tags:
        - wg-install
  with_first_found:
-    - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version }}.yml"
-    - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml"
-    - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
-    - "setup-{{ ansible_distribution|lower }}.yml"
-    - "setup-{{ ansible_os_family|lower }}.yml"
+    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml"
+    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml"
+    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_release }}.yml"
+    - "setup-{{ ansible_distribution | lower }}.yml"
+    - "setup-{{ ansible_os_family | lower }}.yml"
  tags:
    - wg-install

@ -43,6 +43,10 @@
      {%- endif %}

 - name: Make sure wg syncconf option is available
+  when:
+    - not wireguard_interface_restart
+  tags:
+    - wg-config
  block:
    - name: Get available wg subcommands
      ansible.builtin.command: "wg --help"
@ -54,19 +58,15 @@
      ansible.builtin.set_fact:
        wireguard__syncconf_avail: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"

-    - name: wg syncconf subcommand available
+    - name: Wg syncconf subcommand available
      ansible.builtin.debug:
        var: wireguard__syncconf_avail

    - name: Fall back to interface restart if wg syncconf is not available
-      ansible.builtin.set_fact:
-        wireguard__restart_interface: true
      when:
        - not wireguard__syncconf_avail
-  when:
-    - not wireguard_interface_restart
-  tags:
-    - wg-config
+      ansible.builtin.set_fact:
+        wireguard__restart_interface: true

 - name: Final decision on WireGuard interface restart method
  ansible.builtin.debug:
@ -86,6 +86,9 @@
    - wg-config

 - name: WireGuard private key handling for new keys
+  when:
+    - not wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
  block:
    - name: Generate WireGuard private key
      ansible.builtin.command: "wg genkey"
@ -101,11 +104,11 @@
      no_log: '{{ ansible_verbosity < 3 }}'
      tags:
        - wg-generate-keys
-  when:
-    - not wireguard__register_config_file.stat.exists
-    - wireguard_private_key is not defined

 - name: WireGuard private key handling for existing keys
+  when:
+    - wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
  block:
    - name: Read WireGuard config file
      ansible.builtin.slurp:
@ -121,9 +124,6 @@
      no_log: '{{ ansible_verbosity < 3 }}'
      tags:
        - wg-config
-  when:
-    - wireguard__register_config_file.stat.exists
-    - wireguard_private_key is not defined

 - name: Derive WireGuard public key
  ansible.builtin.command: "wg pubkey"
--- a/tasks/setup-centos-7.yml
+++ b/tasks/setup-centos-7.yml
@ -3,6 +3,8 @@
 # SPDX-License-Identifier: GPL-3.0-or-later

 - name: (CentOS 7) Tasks for standard kernel
+  when:
+    - wireguard_centos7_installation_method == "standard"
  block:
    - name: (CentOS 7) Install EPEL & ELRepo repository
      ansible.builtin.yum:
@ -22,8 +24,6 @@
          - "kmod-wireguard"
          - "wireguard-tools"
        state: present
-  when:
-    - wireguard_centos7_installation_method == "standard"

 - name: (CentOS 7) Ensure WireGuard DKMS package is removed
  ansible.builtin.yum:
@ -32,6 +32,8 @@
    state: absent

 - name: (CentOS 7) Tasks for kernel-plus
+  when:
+    - wireguard_centos7_installation_method == "kernel-plus"
  block:
    - name: (CentOS 7) Install EPEL repository & yum utils
      ansible.builtin.yum:
@ -64,6 +66,3 @@
      when:
        - centos7_yum_updates.changes is defined
        - centos7_yum_updates.changes.installed|flatten|select('regex', '^kernel-plus$') is any
-
-  when:
-    - wireguard_centos7_installation_method == "kernel-plus"
--- a/tasks/setup-debian-vanilla.yml
+++ b/tasks/setup-debian-vanilla.yml
@ -4,6 +4,8 @@
 # SPDX-License-Identifier: GPL-3.0-or-later

 - name: (Debian) Tasks for Debian version <= 10
+  when:
+    - ansible_distribution_major_version is version('11', '<')
  block:
    - name: (Debian) Add WireGuard repository on buster
      ansible.builtin.apt_repository:
@ -30,8 +32,6 @@
        state: present
      when:
        - ('-cloud-' not in ansible_kernel)
-  when:
-    - ansible_distribution_major_version is version('11', '<')

 - name: (Debian) Install WireGuard packages
  ansible.builtin.apt:
--- a/tasks/setup-debian.yml
+++ b/tasks/setup-debian.yml
@ -16,6 +16,8 @@
  register: wireguard__register_raspbian_setup

 - name: Setup for Proxmox VE variants
+  when:
+    - ansible_kernel.find("pve") != -1
  block:
    - name: Setup Proxmox VE host
      ansible.builtin.include_tasks:
@ -36,8 +38,6 @@
      when:
        - ansible_virtualization_role == "guest"
      register: wireguard__register_pve_guest_variant_setup
-  when:
-    - ansible_kernel.find("pve") != -1

 - name: Setup for Debian
  ansible.builtin.include_tasks:
--- a/tasks/setup-rocky-8.yml
+++ b/tasks/setup-rocky-8.yml
@ -3,6 +3,8 @@
 # SPDX-License-Identifier: GPL-3.0-or-later

 - name: (Rocky Linux 8) Tasks for standard kernel
+  when:
+    - wireguard_rockylinux8_installation_method == "standard"
  block:
    - name: (Rocky Linux 8) Install EPEL & ELRepo repository
      ansible.builtin.yum:
@ -23,10 +25,10 @@
          - "kmod-wireguard"
          - "wireguard-tools"
        state: present
-  when:
-    - wireguard_rockylinux8_installation_method == "standard"

 - name: (Rocky Linux 8) Tasks for non-standard kernel
+  when:
+    - wireguard_rockylinux8_installation_method == "dkms"
  block:
    - name: (Rocky Linux 8) Install jdoss/wireguard COPR repository
      community.general.copr:
@ -52,5 +54,3 @@
          - "wireguard-dkms"
          - "wireguard-tools"
        state: present
-  when:
-    - wireguard_rockylinux8_installation_method == "dkms"
--- a/tasks/setup-ubuntu.yml
+++ b/tasks/setup-ubuntu.yml
@ -8,6 +8,8 @@
    cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"

 - name: (Ubuntu) Tasks for Ubuntu < 19.10
+  when:
+    - ansible_lsb.major_release is version('19.10', '<')
  block:
    - name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
      ansible.builtin.package:
@ -17,8 +19,6 @@
        packages:
          - software-properties-common
          - linux-headers-{{ ansible_kernel }}
-  when:
-    - ansible_lsb.major_release is version('19.10', '<')

 - name: (Ubuntu) Ensure WireGuard DKMS package is removed
  ansible.builtin.apt: