diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..16e3eae --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,39 @@ +--- +# This workflow requires a GALAXY_API_KEY secret present in the GitHub +# repository or organization. +# +# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy +# See: https://github.com/ansible/galaxy/issues/46 + +name: Release +on: + push: + tags: + - '*' + +defaults: + run: + working-directory: 'githubixx.ansible_role_wireguard' + +jobs: + release: + name: Release + runs-on: ubuntu-latest + steps: + - name: Check out the codebase. + uses: actions/checkout@v2 + with: + path: 'githubixx.ansible_role_wireguard' + + - name: Set up Python 3. + uses: actions/setup-python@v2 + with: + python-version: '3.x' + + - name: Install Ansible. + run: pip3 install ansible-core + + - name: Trigger a new import on Galaxy. + run: >- + ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} + $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2) diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..3186f8d --- /dev/null +++ b/.yamllint @@ -0,0 +1,9 @@ +--- +extends: default + +rules: + line-length: + max: 150 + level: warning + + comments-indentation: disable diff --git a/CHANGELOG.md b/CHANGELOG.md index 8dc9d0e..37abeaf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
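Review bot: The Galaxy API key is expanded by the expression engine straight into the `run:` script of the last step, so it ends up verbatim on the `ansible-galaxy` command line, where it is visible to any process listing on the runner and to the shell trace if someone later turns on `set -x`; GitHub's log masking does not cover that. Pass it through `env:` and read `$GALAXY_API_KEY` in the script, and take the owner/name from the runner's default `GITHUB_REPOSITORY` variable for the same reason. The workflow also declares no `permissions:` block, so the job inherits the repository's default `GITHUB_TOKEN` scope although it never uses the token; a top-level `permissions: contents: read` bounds it. Finally, `actions/checkout@v2` and `actions/setup-python@v2` are mutable tags; pinning each to a full commit SHA (`uses: actions/checkout@<commit-sha>  # v2`) keeps the release job from picking up a retagged action.
```yaml
permissions:
  contents: read

# … unchanged: name, on, defaults, job header, checkout / setup-python / install steps …

      - name: Trigger a new import on Galaxy.
        env:
          GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
        run: >-
          ansible-galaxy role import --api-key "$GALAXY_API_KEY"
          "${GITHUB_REPOSITORY%%/*}" "${GITHUB_REPOSITORY#*/}"
```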
@@ -5,6 +5,18 @@ SPDX-License-Identifier: GPL-3.0-or-later # Changelog +## 10.0.0 + +- remove Fedora 34 + add Fedora 36 to Molecule test +- remove support for Fedora 35 / add support for Fedora 36 +- add Molecule setup for openSUSE 15.4 +- add Github release action to push new release to Ansible Galaxy +- add `.yamllint` +- `tasks/main.yml`: names should start with an uppercase letter +- `handlers/main.yml`: names should start with an uppercase letter +- improve the task key order to: name, when, tags, block +- fix Jinja2 spacing + ## 9.3.0 - add support for Ubuntu 22.04 (Jammy Jellyfish) diff --git a/handlers/main.yml b/handlers/main.yml index 298d0e7..84dca6d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,7 +2,7 @@ # Copyright (C) 2018-2022 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later -- name: restart wireguard +- name: Restart wireguard ansible.builtin.service: name: "wg-quick@{{ wireguard_interface }}" state: "{{ item }}" @@ -15,13 +15,13 @@ - wireguard_service_enabled == "yes" listen: "reconfigure wireguard" -- name: syncconf wireguard +- name: Syncconf wireguard ansible.builtin.shell: | set -o errexit set -o pipefail set -o nounset - systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }} - wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf) + systemctl is-active wg-quick@{{ wireguard_interface | quote }} || systemctl start wg-quick@{{ wireguard_interface | quote }} + wg syncconf {{ wireguard_interface | quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface | quote }}.conf) exit 0 args: executable: "/bin/bash" diff --git a/meta/main.yml b/meta/main.yml index 15e4611..93c4af7 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,3 +1,4 @@ +--- # Copyright (C) 2018-2022 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later 
@@ -25,8 +26,8 @@ galaxy_info: - "8" - name: Fedora versions: - - "34" - "35" + - "36" - name: opensuse versions: - "15.3" diff --git a/molecule/kvm-single-server/molecule.yml b/molecule/kvm-single-server/molecule.yml index 2494d05..7cf5fee 100644 --- a/molecule/kvm-single-server/molecule.yml +++ b/molecule/kvm-single-server/molecule.yml @@ -93,4 +93,3 @@ scenario: verifier: name: ansible - enabled: false diff --git a/molecule/kvm-single-server/verify.yml b/molecule/kvm-single-server/verify.yml new file mode 100644 index 0000000..4551ce3 --- /dev/null +++ b/molecule/kvm-single-server/verify.yml @@ -0,0 +1,33 @@ +--- +# Copyright (C) 2022 Robert Wimmer +# SPDX-License-Identifier: GPL-3.0-or-later + +- name: Verify setup + hosts: all + vars: + hosts_count: "{{ groups['vpn'] | length }}" + tasks: + - name: Count WireGuard interfaces + ansible.builtin.shell: | + set -o errexit + set -o pipefail + set -o nounset + wg | grep "peer: " | wc -l + exit 0 + args: + executable: "/bin/bash" + register: wireguard__interfaces_count + changed_when: false + + - name: Print WireGuard interface count + ansible.builtin.debug: + var: wireguard__interfaces_count.stdout + + - name: Print hosts count in vpn group + ansible.builtin.debug: + var: hosts_count + + - name: There should be as much WireGuard interfaces as hosts in vpn group minus one + ansible.builtin.assert: + that: + - "hosts_count|int -1 == wireguard__interfaces_count.stdout|int" diff --git a/molecule/kvm/molecule.yml b/molecule/kvm/molecule.yml index 4e50630..a76e470 100644 --- a/molecule/kvm/molecule.yml +++ b/molecule/kvm/molecule.yml @@ -11,13 +11,12 @@ driver: provider: name: libvirt type: libvirt - options: - memory: 192 - cpus: 2 platforms: - name: test-wg-ubuntu2004 box: generic/ubuntu2004 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network 
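Review bot: In the `Count WireGuard interfaces` task of the new `verify.yml`, `wg | grep "peer: " | wc -l` runs under `errexit` and `pipefail`, so on a host with no peers `grep` exits 1, the shell aborts before reaching `exit 0`, and the task fails on rc instead of reaching the assert with a count of 0; the scenario name (`kvm-single-server`) suggests a single host in `vpn`, which is exactly the zero-peer case the final check `hosts_count|int -1 == …` is written for. `wg | grep -c "peer: " || true` yields `0` with a zero exit status in that case and the same number otherwise. The task name and the `wireguard__interfaces_count` register also describe interfaces while the shell line counts peer sections; if the register is renamed, the two `debug`/`assert` references below it have to follow.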
@@ -28,6 +27,8 @@ platforms: - ubuntu - name: test-wg-ubuntu1804 box: generic/ubuntu1804 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -38,6 +39,8 @@ platforms: - ubuntu - name: test-wg-debian10 box: generic/debian10 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -46,8 +49,10 @@ platforms: groups: - vpn - debian - - name: test-wg-fedora34 - box: generic/fedora34 + - name: test-wg-fedora36 + box: generic/fedora36 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -58,6 +63,8 @@ platforms: - fedora - name: test-wg-centos7 box: generic/centos7 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -68,6 +75,8 @@ platforms: - el7 - name: test-wg-arch box: archlinux/archlinux + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -78,6 +87,8 @@ platforms: - archlinux - name: test-wg-debian11 box: generic/debian11 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -88,6 +99,8 @@ platforms: - debian - name: test-wg-rocky8 box: generic/rocky8 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -98,6 +111,8 @@ platforms: - el8 - name: test-wg-alma8 box: generic/alma8 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -108,6 +123,8 @@ platforms: - el8 - name: test-wg-centos7-kernel-plus box: generic/centos7 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -118,6 +135,8 @@ platforms: - el7 - name: test-wg-opensuse-leap-15-3 box: opensuse/Leap-15.3.x86_64 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -128,6 +147,8 @@ platforms: - opensuse - name: test-wg-fedora35 box: generic/fedora35 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network 
@@ -138,6 +159,8 @@ platforms: - fedora - name: test-wg-rocky8-dkms box: generic/rocky8 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -148,7 +171,9 @@ platforms: - el8 - el8dkms - name: test-wg-ubuntu2204 - box: alvistack/ubuntu-22.04 + box: generic/ubuntu2004 + memory: 1024 + cpus: 2 interfaces: - auto_config: true network_name: private_network @@ -157,7 +182,18 @@ platforms: groups: - vpn - ubuntu - + - name: test-wg-opensuse-leap-15-4 + box: opensuse/Leap-15.4.x86_64 + memory: 1024 + cpus: 2 + interfaces: + - auto_config: true + network_name: private_network + type: static + ip: 192.168.10.150 + groups: + - vpn + - opensuse provisioner: name: ansible @@ -185,7 +221,7 @@ provisioner: wireguard_persistent_keepalive: "30" wireguard_endpoint: "192.168.10.30" ansible_python_interpreter: "/usr/bin/python" - test-wg-fedora34: + test-wg-fedora36: wireguard_address: "10.10.10.40/24" wireguard_port: 51820 wireguard_persistent_keepalive: "30" @@ -246,6 +282,11 @@ provisioner: wireguard_port: 51820 wireguard_persistent_keepalive: "30" wireguard_endpoint: "192.168.10.140" + test-wg-opensuse-leap-15-4: + wireguard_address: "10.10.10.150/24" + wireguard_port: 51820 + wireguard_persistent_keepalive: "30" + wireguard_endpoint: "192.168.10.150" scenario: name: kvm diff --git a/tasks/main.yml b/tasks/main.yml index 96282ee..cfcd181 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
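Review bot: In the `@@ -148,7 +171,9 @@` hunk the platform still named `test-wg-ubuntu2204` is switched from `alvistack/ubuntu-22.04` to `generic/ubuntu2004`, so the kvm scenario now boots a second 20.04 box under a 22.04 name and Ubuntu 22.04, listed as supported since 9.3.0 in the CHANGELOG hunk, is no longer exercised by Molecule. If the alvistack box was dropped deliberately, either use a 22.04 image (`box: generic/ubuntu2204`, if that box is available to you) or rename the platform; at minimum a comment on the `box:` line saying why a 20.04 image stands in would stop the next reader from assuming 22.04 is tested. Separately, the new `test-wg-opensuse-leap-15-4` platform is added here and to the provisioner host vars, but as far as the `meta/main.yml` hunk in this commit shows, galaxy_info still lists only opensuse `"15.3"`; adding `"15.4"` there would keep the metadata in step with what is tested.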
@@ -12,11 +12,11 @@ tags: - wg-install with_first_found: - - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version }}.yml" - - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_version }}.yml" - - "setup-{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml" - - "setup-{{ ansible_distribution|lower }}.yml" - - "setup-{{ ansible_os_family|lower }}.yml" + - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml" + - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml" + - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_release }}.yml" + - "setup-{{ ansible_distribution | lower }}.yml" + - "setup-{{ ansible_os_family | lower }}.yml" tags: - wg-install @@ -43,6 +43,10 @@ {%- endif %} - name: Make sure wg syncconf option is available + when: + - not wireguard_interface_restart + tags: + - wg-config block: - name: Get available wg subcommands ansible.builtin.command: "wg --help" @@ -54,19 +58,15 @@ ansible.builtin.set_fact: wireguard__syncconf_avail: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}" - - name: wg syncconf subcommand available + - name: Wg syncconf subcommand available ansible.builtin.debug: var: wireguard__syncconf_avail - name: Fall back to interface restart if wg syncconf is not available - ansible.builtin.set_fact: - wireguard__restart_interface: true when: - not wireguard__syncconf_avail - when: - - not wireguard_interface_restart - tags: - - wg-config + ansible.builtin.set_fact: + wireguard__restart_interface: true - name: Final decision on WireGuard interface restart method ansible.builtin.debug: @@ -86,6 +86,9 @@ - wg-config - name: WireGuard private key handling for new keys + when: + - not wireguard__register_config_file.stat.exists + - wireguard_private_key is not defined block: - name: Generate WireGuard private key ansible.builtin.command: "wg genkey" 
@@ -101,11 +104,11 @@ no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-generate-keys - when: - - not wireguard__register_config_file.stat.exists - - wireguard_private_key is not defined - name: WireGuard private key handling for existing keys + when: + - wireguard__register_config_file.stat.exists + - wireguard_private_key is not defined block: - name: Read WireGuard config file ansible.builtin.slurp: @@ -121,9 +124,6 @@ no_log: '{{ ansible_verbosity < 3 }}' tags: - wg-config - when: - - wireguard__register_config_file.stat.exists - - wireguard_private_key is not defined - name: Derive WireGuard public key ansible.builtin.command: "wg pubkey" diff --git a/tasks/setup-centos-7.yml b/tasks/setup-centos-7.yml index e798f4d..11b2f42 100644 --- a/tasks/setup-centos-7.yml +++ b/tasks/setup-centos-7.yml @@ -3,6 +3,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later - name: (CentOS 7) Tasks for standard kernel + when: + - wireguard_centos7_installation_method == "standard" block: - name: (CentOS 7) Install EPEL & ELRepo repository ansible.builtin.yum: @@ -22,8 +24,6 @@ - "kmod-wireguard" - "wireguard-tools" state: present - when: - - wireguard_centos7_installation_method == "standard" - name: (CentOS 7) Ensure WireGuard DKMS package is removed ansible.builtin.yum: @@ -32,6 +32,8 @@ state: absent - name: (CentOS 7) Tasks for kernel-plus + when: + - wireguard_centos7_installation_method == "kernel-plus" block: - name: (CentOS 7) Install EPEL repository & yum utils ansible.builtin.yum: @@ -64,6 +66,3 @@ when: - centos7_yum_updates.changes is defined - centos7_yum_updates.changes.installed|flatten|select('regex', '^kernel-plus$') is any - - when: - - wireguard_centos7_installation_method == "kernel-plus" diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index 717dc38..7cf2d74 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml 
@@ -4,6 +4,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later - name: (Debian) Tasks for Debian version <= 10 + when: + - ansible_distribution_major_version is version('11', '<') block: - name: (Debian) Add WireGuard repository on buster ansible.builtin.apt_repository: @@ -30,8 +32,6 @@ state: present when: - ('-cloud-' not in ansible_kernel) - when: - - ansible_distribution_major_version is version('11', '<') - name: (Debian) Install WireGuard packages ansible.builtin.apt: diff --git a/tasks/setup-debian.yml b/tasks/setup-debian.yml index 9eff33b..4dccfd9 100644 --- a/tasks/setup-debian.yml +++ b/tasks/setup-debian.yml @@ -16,6 +16,8 @@ register: wireguard__register_raspbian_setup - name: Setup for Proxmox VE variants + when: + - ansible_kernel.find("pve") != -1 block: - name: Setup Proxmox VE host ansible.builtin.include_tasks: @@ -36,8 +38,6 @@ when: - ansible_virtualization_role == "guest" register: wireguard__register_pve_guest_variant_setup - when: - - ansible_kernel.find("pve") != -1 - name: Setup for Debian ansible.builtin.include_tasks: diff --git a/tasks/setup-rocky-8.yml b/tasks/setup-rocky-8.yml index c8650b7..f40a255 100644 --- a/tasks/setup-rocky-8.yml +++ b/tasks/setup-rocky-8.yml @@ -3,6 +3,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later - name: (Rocky Linux 8) Tasks for standard kernel + when: + - wireguard_rockylinux8_installation_method == "standard" block: - name: (Rocky Linux 8) Install EPEL & ELRepo repository ansible.builtin.yum: @@ -23,10 +25,10 @@ - "kmod-wireguard" - "wireguard-tools" state: present - when: - - wireguard_rockylinux8_installation_method == "standard" - name: (Rocky Linux 8) Tasks for non-standard kernel + when: + - wireguard_rockylinux8_installation_method == "dkms" block: - name: (Rocky Linux 8) Install jdoss/wireguard COPR repository community.general.copr: @@ -52,5 +54,3 @@ - "wireguard-dkms" - "wireguard-tools" state: present - when: - - wireguard_rockylinux8_installation_method == "dkms" 
diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml index 9f957d0..376f6f9 100644 --- a/tasks/setup-ubuntu.yml +++ b/tasks/setup-ubuntu.yml @@ -8,6 +8,8 @@ cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}" - name: (Ubuntu) Tasks for Ubuntu < 19.10 + when: + - ansible_lsb.major_release is version('19.10', '<') block: - name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10) ansible.builtin.package: @@ -17,8 +19,6 @@ packages: - software-properties-common - linux-headers-{{ ansible_kernel }} - when: - - ansible_lsb.major_release is version('19.10', '<') - name: (Ubuntu) Ensure WireGuard DKMS package is removed ansible.builtin.apt: