Merge pull request #67 from ypid/improve
Improve coding style, spelling and Debian support
This commit is contained in:
commit
fbf47d2a13
13 changed files with 98 additions and 105 deletions
23
CHANGELOG.md
23
CHANGELOG.md
|
@ -1,6 +1,23 @@
|
|||
Changelog
|
||||
---------
|
||||
|
||||
**7.3.0**
|
||||
|
||||
- Fix spelling and typos in docs. (contribution by @ypid)
|
||||
- Drop Debian Stretch from the list of tested distros. Actual support was dropped/broken in 6.0.4 without updating the docs. (contribution by @ypid)
|
||||
- Remove obsolete `.reload-module-on-update` file.
|
||||
|
||||
It does not serve any function anymore after support for module
|
||||
reloading has been removed from the postinst script in 0.0.20200215-2 on
|
||||
2020-02-24. A module update is properly signaled via
|
||||
/run/reboot-required so that the admin can (automatically) schedule a
|
||||
reboot when convenient. This will also be more in line with future Debian
|
||||
releases because starting with Debian bullseye, the kernel ships the
|
||||
module. (contribution by @ypid)
|
||||
|
||||
- Add `ansible_managed` header to WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`). (contribution by @ypid)
|
||||
- Behind the scenes coding style improvements and cleanup without user impact. (contribution by @ypid)
|
||||
|
||||
**7.2.0**
|
||||
|
||||
- Basic MacOS X support (contribution by @rubendibattista)
|
||||
|
@ -17,7 +34,7 @@ Changelog
|
|||
|
||||
- Switched to install from ELRepo KMOD package for CentOS (see https://www.wireguard.com/install/). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik)
|
||||
|
||||
Role removes DKMS wireguard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by:
|
||||
Role removes DKMS WireGuard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by:
|
||||
* remove `/etc/yum.repos.d/wireguard.repo`
|
||||
|
||||
|
||||
|
@ -32,7 +49,7 @@ Changelog
|
|||
**6.2.0**
|
||||
|
||||
- Support Ubuntu 20.04 (Focal Fossa)
|
||||
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before.
|
||||
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specify individual Ubuntu package cache settings. Default values are the same as before.
|
||||
- As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases.
|
||||
|
||||
**6.1.0**
|
||||
|
@ -109,7 +126,7 @@ Changelog
|
|||
|
||||
**3.1.0**
|
||||
|
||||
- pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka)
|
||||
- pass package list directly to some modules by using the new and preferred syntax instead `loop` or `with_items` (contribution by ahanselka)
|
||||
|
||||
**3.0.1**
|
||||
|
||||
|
|
12
README.md
12
README.md
|
@ -1,13 +1,13 @@
|
|||
ansible-role-wireguard
|
||||
======================
|
||||
|
||||
This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. This VPN also includes two clients so that I can communicate securly with the Kubernetes API server. Also my Postfix mailserver running as K8s DaemonSet forwards mails to my internal Postfix through WireGuard VPN.
|
||||
This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. This VPN also includes two clients so that I can communicate securely with the Kubernetes API server. Also my Postfix mailserver running as K8s DaemonSet forwards mails to my internal Postfix through WireGuard VPN.
|
||||
|
||||
I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a while. As I moved my cloud hosts from Scaleway to Hetzner cloud it was a good time to switch the VPN solution ;-) In general PeerVPN still works perfectly fine esp. if you need a easy to setup fully meshed network (where every node is able to talk to all other nodes and even if node `A` should be able to talk to Node `C` via node `B` ;-) ). But PeerVPN needs also lot of CPU resources and throuhput could be better. That's solved with [WireGuard](https://www.wireguard.io/).
|
||||
I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a while. As I moved my cloud hosts from Scaleway to Hetzner cloud it was a good time to switch the VPN solution ;-) In general PeerVPN still works perfectly fine esp. if you need a easy to setup fully meshed network (where every node is able to talk to all other nodes and even if node `A` should be able to talk to Node `C` via node `B` ;-) ). But PeerVPN needs also lot of CPU resources and throughput could be better. That's solved with [WireGuard](https://www.wireguard.io/).
|
||||
|
||||
In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).
|
||||
|
||||
This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20.04 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later), CentOS 7 and partially MacOS (see below) might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-)
|
||||
This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20.04 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 10 (Buster), Fedora 31 (or later), CentOS 7 and partially MacOS (see below) might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-)
|
||||
|
||||
### Running the VPN on MacOS
|
||||
|
||||
|
@ -34,7 +34,7 @@ I tag every release and try to stay with [semantic versioning](http://semver.org
|
|||
Requirements
|
||||
------------
|
||||
|
||||
By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
|
||||
By default port `51820` (protocol UDP) should be accessible from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
|
||||
|
||||
Changelog
|
||||
---------
|
||||
|
@ -54,7 +54,7 @@ wireguard_remote_directory: "/etc/wireguard" # On Linux
|
|||
# The default port WireGuard will listen if not specified otherwise.
|
||||
wireguard_port: "51820"
|
||||
|
||||
# The default interface name that wireguard should use if not specified otherwise.
|
||||
# The default interface name that WireGuard should use if not specified otherwise.
|
||||
wireguard_interface: "wg0"
|
||||
|
||||
# The default owner of the wg.conf file
|
||||
|
@ -150,7 +150,7 @@ The commands are executed in order as described in [wg-quick.8](https://git.zx2c
|
|||
|
||||
`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
|
||||
|
||||
Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
|
||||
Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
|
||||
|
||||
First, here is a part of my Ansible `hosts` file:
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Da
|
|||
# The default port WireGuard will listen if not specified otherwise.
|
||||
wireguard_port: "51820"
|
||||
|
||||
# The default interface name that wireguard should use if not specified otherwise.
|
||||
# The default interface name that WireGuard should use if not specified otherwise.
|
||||
wireguard_interface: "wg0"
|
||||
|
||||
# The default owner of the wg.conf file
|
||||
|
|
|
@ -11,7 +11,6 @@ galaxy_info:
|
|||
- focal
|
||||
- name: Debian
|
||||
versions:
|
||||
- stretch
|
||||
- buster
|
||||
- name: EL
|
||||
versions:
|
||||
|
|
|
@ -24,31 +24,22 @@
|
|||
- wg-install
|
||||
when: not ansible_os_family == 'Darwin'
|
||||
|
||||
- name: Set WireGuard IP (without mask)
|
||||
set_fact:
|
||||
wireguard_ip: "{{ wireguard_address.split('/')[0] }}"
|
||||
|
||||
- name: Register if config/private key already exists on target host
|
||||
stat:
|
||||
path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
|
||||
register: config_file_stat
|
||||
register: wireguard__register_config_file
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
- wg-config
|
||||
|
||||
- name: Get wg subcommands
|
||||
command: "wg --help"
|
||||
register: wg_subcommands
|
||||
register: wireguard__register_subcommands
|
||||
changed_when: false
|
||||
|
||||
- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
|
||||
set_fact:
|
||||
wg_syncconf: false
|
||||
|
||||
- name: Check if wg syncconf subcommand is available
|
||||
set_fact:
|
||||
wg_syncconf: true
|
||||
when: wg_subcommands.stdout | regex_search('syncconf:')
|
||||
wg_syncconf: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"
|
||||
|
||||
- name: Show syncconf subcommand status
|
||||
debug:
|
||||
|
@ -57,43 +48,45 @@
|
|||
- block:
|
||||
- name: Generate WireGuard private key
|
||||
command: "wg genkey"
|
||||
register: wg_private_key_result
|
||||
register: wireguard__register_private_key
|
||||
changed_when: false
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
|
||||
- name: Set private key fact
|
||||
set_fact:
|
||||
private_key: "{{ wg_private_key_result.stdout }}"
|
||||
wireguard__fact_private_key: "{{ wireguard__register_private_key.stdout }}"
|
||||
tags:
|
||||
- wg-generate-keys
|
||||
when: not config_file_stat.stat.exists
|
||||
when: not wireguard__register_config_file.stat.exists
|
||||
|
||||
- block:
|
||||
- name: Read WireGuard config file
|
||||
slurp:
|
||||
src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
|
||||
register: wg_config
|
||||
register: wireguard__register_config
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
- name: Set private key fact
|
||||
set_fact:
|
||||
private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
|
||||
wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
|
||||
tags:
|
||||
- wg-config
|
||||
when: config_file_stat.stat.exists
|
||||
when: wireguard__register_config_file.stat.exists
|
||||
|
||||
- name: Derive WireGuard public key
|
||||
shell: "echo '{{ private_key }}' | wg pubkey" # noqa 306
|
||||
register: wg_public_key_result
|
||||
command: "wg pubkey"
|
||||
args:
|
||||
stdin: "{{ wireguard__fact_private_key }}"
|
||||
register: wireguard__register_public_key
|
||||
changed_when: false
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
- name: Set public key fact
|
||||
set_fact:
|
||||
public_key: "{{ wg_public_key_result.stdout }}"
|
||||
wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
|
@ -107,7 +100,7 @@
|
|||
|
||||
- name: Generate WireGuard configuration file
|
||||
template:
|
||||
src: wg.conf.j2
|
||||
src: etc/wireguard/wg.conf.j2
|
||||
dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
|
||||
owner: "{{ wireguard_conf_owner }}"
|
||||
group: "{{ wireguard_conf_group }}"
|
||||
|
@ -117,18 +110,10 @@
|
|||
notify:
|
||||
- reconfigure wireguard
|
||||
|
||||
- name: Check if reload-module-on-update is set
|
||||
stat:
|
||||
path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
|
||||
register: reload_module_on_update
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
- name: Set WireGuard reload-module-on-update
|
||||
- name: Ensure legacy reload-module-on-update is absent
|
||||
file:
|
||||
dest: "{{ wireguard_remote_directory }}/.reload-module-on-update"
|
||||
state: touch
|
||||
when: not reload_module_on_update.stat.exists
|
||||
state: absent
|
||||
tags:
|
||||
- wg-config
|
||||
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
name: yum-plugin-elrepo
|
||||
update_cache: yes
|
||||
|
||||
- name: (CentOS 7) Ensure wireguard DKMS package is removed
|
||||
- name: (CentOS 7) Ensure WireGuard DKMS package is removed
|
||||
yum:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
|
@ -19,7 +19,7 @@
|
|||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (CentOS 7) Install wireguard packages
|
||||
- name: (CentOS 7) Install WireGuard packages
|
||||
yum:
|
||||
name:
|
||||
- "kmod-wireguard"
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
---
|
||||
- name: (CentOS 8) Install EPEL & ELRepo repository
|
||||
yum:
|
||||
name:
|
||||
name:
|
||||
- epel-release
|
||||
- elrepo-release
|
||||
update_cache: yes
|
||||
|
||||
- name: (CentOS 8) Ensure wireguard DKMS package is removed
|
||||
- name: (CentOS 8) Ensure WireGuard DKMS package is removed
|
||||
yum:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
|
@ -14,7 +14,7 @@
|
|||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (CentOS 8) Install wireguard packages
|
||||
- name: (CentOS 8) Install WireGuard packages
|
||||
yum:
|
||||
name:
|
||||
- "kmod-wireguard"
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
|
||||
- name: (Raspbian) Install GPG - required to add wireguard key
|
||||
- name: (Raspbian) Install GPG - required to add WireGuard key
|
||||
apt:
|
||||
name: gnupg
|
||||
state: present
|
||||
|
@ -27,7 +27,7 @@
|
|||
name:
|
||||
- "raspberrypi-kernel"
|
||||
state: latest
|
||||
register: kernel_update
|
||||
register: wireguard__register_kernel_update
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
|
@ -36,21 +36,21 @@
|
|||
search_paths: ['/lib/molly-guard', '/usr/sbin']
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '>=')
|
||||
- kernel_update is changed
|
||||
- wireguard__register_kernel_update is changed
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
|
||||
stat:
|
||||
path: /lib/molly-guard/
|
||||
register: molly_guard
|
||||
register: wireguard__register_molly_guard
|
||||
|
||||
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
|
||||
reboot:
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '<')
|
||||
- kernel_update is changed
|
||||
- not molly_guard.stat.exists
|
||||
- wireguard__register_kernel_update is changed
|
||||
- not wireguard__register_molly_guard.stat.exists
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
|
@ -61,8 +61,8 @@
|
|||
ignore_unreachable: yes
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '<')
|
||||
- kernel_update is changed
|
||||
- molly_guard.stat.exists
|
||||
- wireguard__register_kernel_update is changed
|
||||
- wireguard__register_molly_guard.stat.exists
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
|
@ -70,8 +70,8 @@
|
|||
wait_for_connection:
|
||||
when:
|
||||
- ansible_version.full is version('2.8.0', '<')
|
||||
- kernel_update is changed
|
||||
- molly_guard.stat.exists
|
||||
- wireguard__register_kernel_update is changed
|
||||
- wireguard__register_molly_guard.stat.exists
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
|
@ -83,7 +83,7 @@
|
|||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Raspbian) Install wireguard packages
|
||||
- name: (Raspbian) Install WireGuard packages
|
||||
apt:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
|
|
|
@ -1,37 +1,27 @@
|
|||
---
|
||||
- name: (Debian) Install GPG - required to add wireguard key
|
||||
apt:
|
||||
name: gnupg
|
||||
state: present
|
||||
|
||||
- name: (Debian) Add WireGuard repository on buster or earlier
|
||||
- name: (Debian) Add WireGuard repository on buster
|
||||
apt_repository:
|
||||
repo: "deb http://deb.debian.org/debian buster-backports main"
|
||||
state: present
|
||||
state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"
|
||||
update_cache: yes
|
||||
when: ansible_distribution_version | int <= 10
|
||||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Debian) Get architecture
|
||||
command: "dpkg --print-architecture"
|
||||
register: dpkg_arch
|
||||
register: wireguard__fact_dpkg_arch
|
||||
changed_when: False
|
||||
|
||||
- set_fact:
|
||||
kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"
|
||||
|
||||
- name: (Debian) Install kernel headers to compile Wireguard with DKMS
|
||||
apt:
|
||||
name:
|
||||
- "linux-headers-{{ kernel_header_version }}"
|
||||
- "linux-headers-{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,wireguard__fact_dpkg_arch.stdout) }}"
|
||||
state: present
|
||||
|
||||
- name: (Debian) Install wireguard packages
|
||||
- name: (Debian) Install WireGuard packages
|
||||
apt:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
- "wireguard-tools"
|
||||
- "wireguard"
|
||||
state: present
|
||||
tags:
|
||||
- wg-install
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- include_tasks: "setup-debian-raspbian.yml"
|
||||
when: ansible_lsb.id == "Raspbian"
|
||||
register: raspbian_setup
|
||||
register: wireguard__register_raspbian_setup
|
||||
|
||||
- include_tasks: "setup-debian-vanilla.yml"
|
||||
when: raspbian_setup is skipped
|
||||
when: wireguard__register_raspbian_setup is skipped
|
||||
|
|
|
@ -1,13 +1,13 @@
|
|||
---
|
||||
- name: (Fedora) Add wireguard COPR
|
||||
- name: (Fedora) Add WireGuard COPR
|
||||
yum_repository:
|
||||
name: "jdoss-wireguard"
|
||||
description: "Copr repo for wireguard owned by jdoss"
|
||||
description: "Copr repo for WireGuard owned by jdoss"
|
||||
baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/"
|
||||
gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
|
||||
gpgcheck: yes
|
||||
|
||||
- name: (Fedora) Install wireguard packages
|
||||
- name: (Fedora) Install WireGuard packages
|
||||
yum:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
|
|
|
@ -26,7 +26,7 @@
|
|||
tags:
|
||||
- wg-install
|
||||
|
||||
- name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10)
|
||||
- name: (Ubuntu) Install WireGuard packages (for Ubuntu < 19.10)
|
||||
apt:
|
||||
name:
|
||||
- "wireguard-dkms"
|
||||
|
|
|
@ -1,42 +1,44 @@
|
|||
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Interface]
|
||||
# {{ inventory_hostname }}
|
||||
Address = {{hostvars[inventory_hostname].wireguard_address}}
|
||||
PrivateKey = {{private_key}}
|
||||
ListenPort = {{wireguard_port}}
|
||||
{% if hostvars[inventory_hostname].wireguard_dns is defined %}
|
||||
DNS = {{hostvars[inventory_hostname].wireguard_dns}}
|
||||
Address = {{ wireguard_address }}
|
||||
PrivateKey = {{ wireguard__fact_private_key }}
|
||||
ListenPort = {{ wireguard_port }}
|
||||
{% if wireguard_dns is defined %}
|
||||
DNS = {{ wireguard_dns }}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_fwmark is defined %}
|
||||
FwMark = {{hostvars[inventory_hostname].wireguard_fwmark}}
|
||||
{% if wireguard_fwmark is defined %}
|
||||
FwMark = {{ wireguard_fwmark }}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_mtu is defined %}
|
||||
MTU = {{hostvars[inventory_hostname].wireguard_mtu}}
|
||||
{% if wireguard_mtu is defined %}
|
||||
MTU = {{ wireguard_mtu }}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_table is defined %}
|
||||
Table = {{hostvars[inventory_hostname].wireguard_table}}
|
||||
{% if wireguard_table is defined %}
|
||||
Table = {{ wireguard_table }}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_preup is defined %}
|
||||
{% for wg_preup in hostvars[inventory_hostname].wireguard_preup %}
|
||||
{% if wireguard_preup is defined %}
|
||||
{% for wg_preup in wireguard_preup %}
|
||||
PreUp = {{ wg_preup }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_predown is defined %}
|
||||
{% for wg_predown in hostvars[inventory_hostname].wireguard_predown %}
|
||||
{% if wireguard_predown is defined %}
|
||||
{% for wg_predown in wireguard_predown %}
|
||||
PreDown = {{ wg_predown }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_postup is defined %}
|
||||
{% for wg_postup in hostvars[inventory_hostname].wireguard_postup %}
|
||||
{% if wireguard_postup is defined %}
|
||||
{% for wg_postup in wireguard_postup %}
|
||||
PostUp = {{ wg_postup }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_postdown is defined %}
|
||||
{% for wg_postdown in hostvars[inventory_hostname].wireguard_postdown %}
|
||||
{% if wireguard_postdown is defined %}
|
||||
{% for wg_postdown in wireguard_postdown %}
|
||||
PostDown = {{ wg_postdown }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if hostvars[inventory_hostname].wireguard_save_config is defined %}
|
||||
{% if wireguard_save_config is defined %}
|
||||
SaveConfig = true
|
||||
{% endif %}
|
||||
{% for host in ansible_play_hosts %}
|
||||
|
@ -44,19 +46,19 @@ SaveConfig = true
|
|||
|
||||
[Peer]
|
||||
# {{ host }}
|
||||
PublicKey = {{hostvars[host].public_key}}
|
||||
PublicKey = {{hostvars[host].wireguard__fact_public_key}}
|
||||
{% if hostvars[host].wireguard_allowed_ips is defined %}
|
||||
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
|
||||
{% else %}
|
||||
AllowedIPs = {{hostvars[host].wireguard_ip}}/32
|
||||
AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32
|
||||
{% endif %}
|
||||
{% if hostvars[host].wireguard_persistent_keepalive is defined %}
|
||||
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
|
||||
{% endif %}
|
||||
{% if (
|
||||
hostvars[host].wireguard_dc is defined and
|
||||
hostvars[inventory_hostname].wireguard_dc is defined and
|
||||
hostvars[inventory_hostname].wireguard_dc['name'] != hostvars[host].wireguard_dc['name']
|
||||
wireguard_dc is defined and
|
||||
wireguard_dc['name'] != hostvars[host].wireguard_dc['name']
|
||||
)
|
||||
%}
|
||||
Endpoint = {{hostvars[host].wireguard_dc['endpoint']}}:{{hostvars[host].wireguard_dc['port']}}
|
Loading…
Reference in a new issue