Add support for unmanaged WireGuard peers (#63)
* Add support for unmanaged WireGuard peers

  Add variable wireguard_extra_peer_config that is raw WireGuard configuration appended to the peers section. Value is a string containing arbitrary wg-quick syntax. This closes #41, and closes #45.

* update CHANGELOG (#63)

* Change unmanaged peers to dictionary instead of string

  Based on review comment by @j8r in #63.

* README: update preshared_key example

  Update wireguard_unmanaged_peers example for preshared_key. Make it a comment to highlight it is optional and should probably be handled like other secrets.

* Clean up jinja2 syntax

  Based on review comments.

* Remove unneeded if of required public_key

  The public_key is required for a wireguard peer so remove the if from wireguard_unmanaged_peers public_key. The effect is that it is a syntax error from Ansible rather than failing config validation when the config has already been written and fails to load.
parent f07cab4243
commit ee456757ed
3 changed files with 34 additions and 2 deletions
@ -1,10 +1,14 @@
Changelog
---------
**7.1.0**
- Add support for unmanaged peers with `wireguard_unmanaged_peers` (contribution by @joneskoo)
**7.0.0**
- Switched to install from ELRepo KMOD package for CentOS (see https://www.wireguard.com/install/). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik)
Role removes DKMS wireguard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by:
* remove `/etc/yum.repos.d/wireguard.repo`
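Review bot: the 7.1.0 entry in this hunk names the new variable but not its shape; since this change replaced the original raw-string `wireguard_extra_peer_config` with a dictionary keyed by peer name in which `public_key` is required, say so on the changelog line, e.g. `- Add support for unmanaged peers with \`wireguard_unmanaged_peers\` (dictionary keyed by peer name, \`public_key\` required) (contribution by @joneskoo)`, so users upgrading do not reach for the older string form.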
@ -95,6 +95,13 @@ wireguard_postup:
wireguard_postdown:
- ...
wireguard_save_config: "true"
wireguard_unmanaged_peers:
client.example.com:
public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
# preshared_key: ... e.g. from ansible-vault?
allowed_ips: 10.0.0.3/32
endpoint: client.example.com:51820
persistent_keepalive: 0
```
`wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:
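Review bot: the example in this hunk shows the keys but no README text explains them; the nearest context is `wireguard_save_config: "true"`, and the interaction matters: with `SaveConfig = true` wg-quick rewrites the configuration file when the interface goes down, so peers added by hand also land in the file until Ansible next renders the template. A sentence stating that `wireguard_unmanaged_peers` is the supported way to keep peers the role does not manage, that `public_key` is required while `preshared_key`, `allowed_ips`, `endpoint` and `persistent_keepalive` are optional, and that `persistent_keepalive: 0` disables keepalives rather than setting a minimal interval, would make the example self-explanatory.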
@ -41,7 +41,7 @@ SaveConfig = true
{% endif %}
{% for host in ansible_play_hosts %}
{% if host != inventory_hostname %}
[Peer]
# {{ host }}
PublicKey = {{hostvars[host].public_key}}
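Review bot: the interpolation `PublicKey = {{hostvars[host].public_key}}` has no spaces inside the braces while the unmanaged-peer block added later in the same template uses `{{ ... }}`; since the commit message calls this a Jinja2 syntax clean-up, pick one style for the whole file so the managed and unmanaged `[Peer]` sections read alike.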
@ -68,3 +68,24 @@ SaveConfig = true
{% endif %}
{% endif %}
{% endfor %}
{% if wireguard_unmanaged_peers is defined %}
# Peers not managed by ansible from wireguard_unmanaged_peers
{% for peer in wireguard_unmanaged_peers.keys() %}
[Peer]
# {{ peer }}
PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
{% endif %}
{% endfor %}
{% endif %}
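Review bot: every value from `wireguard_unmanaged_peers` is rendered into the config verbatim with no validation, so a malformed `allowed_ips` or an `endpoint` without a port is only caught when wg-quick refuses the already-written file, the same late failure the commit message set out to avoid for `public_key`. An `assert` task before the template (checking that `public_key` is 44 characters of base64 and, when present, `allowed_ips` is a CIDR list, e.g. via the `ipaddr` filter) would fail the play instead. Two smaller points: `{% for peer in wireguard_unmanaged_peers.keys() %}` followed by repeated `wireguard_unmanaged_peers[peer]` lookups reads more simply as `{% for name, peer in wireguard_unmanaged_peers.items() %}`, and the comment `# Peers not managed by ansible from wireguard_unmanaged_peers` is misleading since the role does write these peers; `# Peers not managed by this role (from wireguard_unmanaged_peers)` says what is meant.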