From 4626475a9c6ceeb986603c420730d28885acd737 Mon Sep 17 00:00:00 2001
From: John Potter <51755577+john-p-potter@users.noreply.github.com>
Date: Thu, 7 Oct 2021 14:30:28 -0500
Subject: [PATCH] feat: Update CentOS 7 to use signed kernel-plus module (#129)

* feat: Update CentOS 7 to use signed kernel-plus module

* Apply suggestions from code review

Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com>

* Update CentOS 7 for optional signed kernel-plus module

Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com>
---
 CHANGELOG.md             |  4 +++
 defaults/main.yml        | 16 +++++++++
 meta/main.yml            |  2 +-
 tasks/setup-centos-7.yml | 73 +++++++++++++++++++++++++++++++---------
 4 files changed, 78 insertions(+), 17 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a2fd4ca..16867bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ SPDX-License-Identifier: GPL-3.0-or-later
 Changelog
 ---------
 
+**8.2.0**
+
+- add support for `kernel-plus` for CentOS 7 (contribution by @john-p-potter)
+
 **8.1.0**
 
 - add Rocky Linux support
diff --git a/defaults/main.yml b/defaults/main.yml
index ba13a28..44af117 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,6 +38,22 @@ wireguard_ubuntu_update_cache: "true"
 
 # Set package cache valid time
 wireguard_ubuntu_cache_valid_time: "3600"
+#######################################
+# Settings only relevant for CentOS 7
+#######################################
+
+# Set wireguard_centos7_installation_method to "kernel-plus"
+# to use the kernel-plus kernel, which includes a built-in,
+# signed WireGuard module.
+# UTILIZING KERNEL-PLUS WILL PERFORM A SYSTEM REBOOT DURING SETUP!!
+#
+# The default of "standard" will use the standard kernel and
+# the ELRepo module for WireGuard.
+wireguard_centos7_installation_method: "standard"
+
+# The default seconds to wait for machine to reboot and respond
+wireguard_centos7_kernel_plus_reboot_timeout: "600"
+
 # This is sensitive: encrypt it with a tool like Ansible Vault.
 # If not set, a new one is generated on a blank configuration.
 # wireguard_private_key:
diff --git a/meta/main.yml b/meta/main.yml
index e4ed23d..834b7c9 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -5,7 +5,7 @@ galaxy_info:
   author: Robert Wimmer
   description: Installs Wireguard incl. systemd integration
   license: GPL-3.0-or-later
-  min_ansible_version: 2.5
+  min_ansible_version: 2.7
   role_name: ansible_role_wireguard
   namespace: githubixx
   platforms:
diff --git a/tasks/setup-centos-7.yml b/tasks/setup-centos-7.yml
index 85bc258..bfacc45 100644
--- a/tasks/setup-centos-7.yml
+++ b/tasks/setup-centos-7.yml
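Review bot: The warning comment above `wireguard_centos7_installation_method` promises an unconditional reboot, but the reboot task this commit adds in tasks/setup-centos-7.yml is gated on yum reporting `kernel-plus` as newly installed, so a host already running kernel-plus is not rebooted; an operator planning a maintenance window needs that nuance, e.g. `# The role reboots the host only when it installs kernel-plus itself; a host already on kernel-plus is left running.` The comment also says "signed" without saying why that matters; the reason a reader would accept an automated reboot is presumably that the in-tree module loads where out-of-tree ELRepo modules are rejected (module-signature enforcement / Secure Boot), which I would state as a hedged `# (intended for hosts that enforce kernel module signatures, e.g. Secure Boot)` unless the authors can confirm the exact scenario. Quoting `"600"` matches the file's existing `"3600"` convention, so no change there.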
@@ -2,17 +2,28 @@
 # Copyright (C) 2020 Roman Danko
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-- name: (CentOS 7) Install EPEL & ELRepo repository
-  yum:
-    name:
-      - epel-release
-      - https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
-    update_cache: true
+- name: (CentOS 7) Tasks for standard kernel
+  block:
+    - name: (CentOS 7) Install EPEL & ELRepo repository
+      yum:
+        name:
+          - epel-release
+          - https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
+        update_cache: true
 
-- name: (CentOS 7) Install yum-plugin-elrepo
-  yum:
-    name: yum-plugin-elrepo
-    update_cache: true
+    - name: (CentOS 7) Install yum-plugin-elrepo
+      yum:
+        name: yum-plugin-elrepo
+        update_cache: true
+
+    - name: (CentOS 7) Install WireGuard packages
+      yum:
+        name:
+          - "kmod-wireguard"
+          - "wireguard-tools"
+        state: present
+  when:
+    - wireguard_centos7_installation_method == "standard"
 
 - name: (CentOS 7) Ensure WireGuard DKMS package is removed
   yum:
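Review bot: The new block is gated on an exact string match of `wireguard_centos7_installation_method`, and so is the kernel-plus block later in the file, so any other value (a typo like `kernelplus`, or an unquoted value that YAML retypes) runs neither block: the play then performs only the unchanged DKMS-removal task and finishes green without installing WireGuard, and nobody notices until the interface fails to come up. A guard before the first block turns that into a hard failure: `- name: (CentOS 7) Validate wireguard_centos7_installation_method` / `assert:` / `that: wireguard_centos7_installation_method in ['standard', 'kernel-plus']`. Separately, the ELRepo release RPM moved into this block is still installed straight from its URL; unless yum.conf sets `localpkg_gpgcheck=1` (default is 0) that package's own signature is not checked, so the repo config and signing key it drops in are trusted on TLS alone — importing the ELRepo key with `rpm_key` first would let yum verify both the release package and the later `kmod-wireguard` install. The DKMS-removal task at the bottom starts inside this hunk but its body continues past it.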
@@ -20,9 +31,39 @@
       - "wireguard-dkms"
     state: absent
 
-- name: (CentOS 7) Install WireGuard packages
-  yum:
-    name:
-      - "kmod-wireguard"
-      - "wireguard-tools"
-    state: present
+- name: (CentOS 7) Tasks for kernel-plus
+  block:
+    - name: (CentOS 7) Install EPEL repository & yum utils
+      yum:
+        name:
+          - epel-release
+          - yum-utils
+        update_cache: true
+
+    - name: (CentOS 7) Enable CentosPlus repo
+      command: yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
+      changed_when: false
+
+    - name: (CentOS 7) Update to kernel-plus
+      replace:
+        path: /etc/sysconfig/kernel
+        regexp: '^DEFAULTKERNEL=kernel$'
+        replace: 'DEFAULTKERNEL=kernel-plus'
+
+    - name: (CentOS 7) Install WireGuard packages
+      yum:
+        name:
+          - "kernel-plus"
+          - "wireguard-tools"
+        state: present
+      register: centos7_yum_updates
+
+    - name: (CentOS 7) Reboot Instance to update kernel
+      reboot:
+        reboot_timeout: "{{ wireguard_centos7_kernel_plus_reboot_timeout }}"
+      when:
+        - centos7_yum_updates.changes is defined
+        - centos7_yum_updates.changes.installed|flatten|select('regex', '^kernel-plus$') is any
+
+  when:
+    - wireguard_centos7_installation_method == "kernel-plus"
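Review bot: The reboot is keyed to yum's change record (`centos7_yum_updates.changes.installed`) rather than to the kernel actually running, so a re-run after an interrupted first run (reboot timed out, play aborted between install and reboot) or on a host where `kernel-plus` was already installed but never booted skips the reboot, and the rest of the role then proceeds on a kernel that has no WireGuard module. Conditioning on the running kernel is both more robust and idempotent: `when: "'.plus.' not in ansible_kernel"` — if I read the kernel-plus release string correctly; verify against `uname -r` on a kernel-plus host before relying on it. Also, `changed_when: false` on the `yum-config-manager ... --save` task hides a real write to the repo configuration; managing the centosplus section with `ini_file` (or simply dropping `changed_when`) keeps the run's change report honest. The `--setopt=centosplus.includepkgs=kernel-plus` restriction is a good call, since it stops the newly enabled repo from supplying any other package.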