helix/ansible-role-wireguard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add support for unmanaged WireGuard peers ()

Browse source 
* Add support for unmanaged WireGuard peers

Add variable wireguard_extra_peer_config that is raw WireGuard
configuration appended to the peers section. Value is a string
containing arbitrary wg-quick syntax.

This closes , and closes .

* update CHANGELOG ()

* Change unmanaged peers to dictionary instead of string

Based on review comment by @j8r in .

* README: update preshared_key example

Update wireguard_unmanaged_peers example for preshared_key.
Make it a comment to highlight it is optional and should probably be handled
like other secrets.

* Clean up jinja2 syntax

Based on review comments.

* Remove unneeded if of required public_key

The public_key is required for a wireguard peer so remove the if from
wireguard_unmanaged_peers public_key. The effect is that it is a syntax
error from Ansible rather than failing config validation when the config
has already been written and fails to load.
This commit is contained in:
Joonas Kuorilehto 2020-09-15 22:58:04 +03:00 committed by GitHub
parent f07cab4243
commit ee456757ed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 2 deletions

4
CHANGELOG.md
View file

@ -1,6 +1,10 @@
Changelog Changelog
--------- ---------
**7.1.0**
- Add support for unmanaged peers with `wireguard_unmanaged_peers` (contribution by @joneskoo)
**7.0.0** **7.0.0**
- Switched to install from ELRepo KMOD package for CentOS (see https://www.wireguard.com/install/). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik) - Switched to install from ELRepo KMOD package for CentOS (see https://www.wireguard.com/install/). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik)

7
README.md
View file

@ -95,6 +95,13 @@ wireguard_postup:
wireguard_postdown: wireguard_postdown:
- ... - ...
wireguard_save_config: "true" wireguard_save_config: "true"
wireguard_unmanaged_peers:
client.example.com:
public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
# preshared_key: ... e.g. from ansible-vault?
allowed_ips: 10.0.0.3/32
endpoint: client.example.com:51820
persistent_keepalive: 0
``` ```
`wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples: `wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:

21
templates/wg.conf.j2
View file

@ -68,3 +68,24 @@ SaveConfig = true
{% endif %} {% endif %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if wireguard_unmanaged_peers is defined %}
# Peers not managed by ansible from wireguard_unmanaged_peers
{% for peer in wireguard_unmanaged_peers.keys() %}
[Peer]
# {{ peer }}
PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
{% endif %}
{% endfor %}
{% endif %}