From eb6a54a0a77c4664f4eff307c5af23387ad6cce8 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 21:29:06 +0200 Subject: [PATCH 01/18] Fix typos --- CHANGELOG.md | 4 ++-- README.md | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba340e1..a335537 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -32,7 +32,7 @@ Changelog **6.2.0** - Support Ubuntu 20.04 (Focal Fossa) -- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before. +- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specify individual Ubuntu package cache settings. Default values are the same as before. - As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases. **6.1.0** @@ -109,7 +109,7 @@ Changelog **3.1.0** -- pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka) +- pass package list directly to some modules by using the new and preferred syntax instead `loop` or `with_items` (contribution by ahanselka) **3.0.1** diff --git a/README.md b/README.md index 226171d..83ddcf9 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,9 @@ ansible-role-wireguard ====================== -This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. This VPN also includes two clients so that I can communicate securly with the Kubernetes API server. Also my Postfix mailserver running as K8s DaemonSet forwards mails to my internal Postfix through WireGuard VPN. +This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. This VPN also includes two clients so that I can communicate securely with the Kubernetes API server. Also my Postfix mailserver running as K8s DaemonSet forwards mails to my internal Postfix through WireGuard VPN. -I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a while. As I moved my cloud hosts from Scaleway to Hetzner cloud it was a good time to switch the VPN solution ;-) In general PeerVPN still works perfectly fine esp. if you need a easy to setup fully meshed network (where every node is able to talk to all other nodes and even if node `A` should be able to talk to Node `C` via node `B` ;-) ). But PeerVPN needs also lot of CPU resources and throuhput could be better. That's solved with [WireGuard](https://www.wireguard.io/). +I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a while. As I moved my cloud hosts from Scaleway to Hetzner cloud it was a good time to switch the VPN solution ;-) In general PeerVPN still works perfectly fine esp. 
if you need a easy to setup fully meshed network (where every node is able to talk to all other nodes and even if node `A` should be able to talk to Node `C` via node `B` ;-) ). But PeerVPN needs also lot of CPU resources and throughput could be better. That's solved with [WireGuard](https://www.wireguard.io/). In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/). 
@@ -34,7 +34,7 @@ I tag every release and try to stay with [semantic versioning](http://semver.org Requirements ------------ -By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down. +By default port `51820` (protocol UDP) should be accessible from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down. Changelog --------- 
@@ -150,7 +150,7 @@ The commands are executed in order as described in [wg-quick.8](https://git.zx2c `wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s). 
-Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role. +Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role. First, here is a part of my Ansible `hosts` file: From f3c590665d0378c8f5c37e5c01e574af37662ebf Mon Sep 17 00:00:00 2001 
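Review bot: the README hunk in PATCH 01/18 leaves a typo standing on both the `-` and `+` side of the change: `Here is a litte example for what I use the playbook` should read `little`, and since this commit is the typo sweep it belongs here. In the same paragraph, `the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk` has a plural subject, so `need` is the correct form.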
From: Robin Schneider Date: Sun, 13 Sep 2020 21:32:38 +0200 Subject: [PATCH 02/18] WireGuard should be written "WireGuard" --- CHANGELOG.md | 2 +- README.md | 2 +- defaults/main.yml | 2 +- tasks/setup-centos-7.yml | 4 ++-- tasks/setup-centos-8.yml | 4 ++-- tasks/setup-debian-raspbian.yml | 4 ++-- tasks/setup-debian-vanilla.yml | 4 ++-- tasks/setup-fedora.yml | 6 +++--- tasks/setup-ubuntu.yml | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a335537..3792501 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,7 +17,7 @@ Changelog - Switched to install from ELRepo KMOD package for CentOS (see https://www.wireguard.com/install/). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik) - Role removes DKMS wireguard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by: + Role removes DKMS WireGuard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by: * remove `/etc/yum.repos.d/wireguard.repo` diff --git a/README.md b/README.md index 83ddcf9..610ff05 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ wireguard_remote_directory: "/etc/wireguard" # On Linux # The default port WireGuard will listen if not specified otherwise. wireguard_port: "51820" -# The default interface name that wireguard should use if not specified otherwise. +# The default interface name that WireGuard should use if not specified otherwise. wireguard_interface: "wg0" # The default owner of the wg.conf file diff --git a/defaults/main.yml b/defaults/main.yml index 90f0abf..eae7e8e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -9,7 +9,7 @@ wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Da # The default port WireGuard will listen if not specified otherwise. wireguard_port: "51820" -# The default interface name that wireguard should use if not specified otherwise. +# The default interface name that WireGuard should use if not specified otherwise. wireguard_interface: "wg0" # The default owner of the wg.conf file diff --git a/tasks/setup-centos-7.yml b/tasks/setup-centos-7.yml index cddcccd..1f1f50a 100644 --- a/tasks/setup-centos-7.yml +++ b/tasks/setup-centos-7.yml @@ -11,7 +11,7 @@ name: yum-plugin-elrepo update_cache: yes -- name: (CentOS 7) Ensure wireguard DKMS package is removed +- name: (CentOS 7) Ensure WireGuard DKMS package is removed yum: name: - "wireguard-dkms" @@ -19,7 +19,7 @@ tags: - wg-install -- name: (CentOS 7) Install wireguard packages +- name: (CentOS 7) Install WireGuard packages yum: name: - "kmod-wireguard" diff --git a/tasks/setup-centos-8.yml b/tasks/setup-centos-8.yml index edce375..fff516e 100644 --- a/tasks/setup-centos-8.yml +++ b/tasks/setup-centos-8.yml @@ -6,7 +6,7 @@ - elrepo-release update_cache: yes -- name: (CentOS 8) Ensure wireguard DKMS package is removed +- name: (CentOS 8) Ensure WireGuard DKMS package is removed yum: name: - "wireguard-dkms" @@ -14,7 +14,7 @@ tags: - wg-install -- name: (CentOS 8) Install wireguard packages +- name: (CentOS 8) Install WireGuard packages yum: name: - "kmod-wireguard" diff --git a/tasks/setup-debian-raspbian.yml b/tasks/setup-debian-raspbian.yml index 8e7214b..e8fb653 100644 --- a/tasks/setup-debian-raspbian.yml +++ b/tasks/setup-debian-raspbian.yml @@ -1,6 +1,6 @@ --- -- name: (Raspbian) Install GPG - required to add wireguard key +- name: (Raspbian) Install GPG - required to add WireGuard key apt: name: gnupg state: present 
@@ -83,7 +83,7 @@ tags: - wg-install -- name: (Raspbian) Install wireguard packages +- name: (Raspbian) Install WireGuard packages apt: name: - "wireguard-dkms" diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index 0b6aa0b..bc1a694 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml @@ -1,5 +1,5 @@ --- -- name: (Debian) Install GPG - required to add wireguard key +- name: (Debian) Install GPG - required to add WireGuard key apt: name: gnupg state: present @@ -27,7 +27,7 @@ - "linux-headers-{{ kernel_header_version }}" state: present -- name: (Debian) Install wireguard packages +- name: (Debian) Install WireGuard packages apt: name: - "wireguard-dkms" diff --git a/tasks/setup-fedora.yml b/tasks/setup-fedora.yml index 4561dba..f798e9f 100644 --- a/tasks/setup-fedora.yml +++ b/tasks/setup-fedora.yml @@ -1,13 +1,13 @@ --- -- name: (Fedora) Add wireguard COPR +- name: (Fedora) Add WireGuard COPR yum_repository: name: "jdoss-wireguard" - description: "Copr repo for wireguard owned by jdoss" + description: "Copr repo for WireGuard owned by jdoss" baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/" gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg" gpgcheck: yes -- name: (Fedora) Install wireguard packages +- name: (Fedora) Install WireGuard packages yum: name: - "wireguard-dkms" diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml index 9df682e..6d932f5 100644 --- a/tasks/setup-ubuntu.yml +++ b/tasks/setup-ubuntu.yml @@ -26,7 +26,7 @@ tags: - wg-install - - name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10) + - name: (Ubuntu) Install WireGuard packages (for Ubuntu < 19.10) apt: name: - "wireguard-dkms" From 7a1af464b124b2316aa473524cefa709954f4a8e Mon Sep 17 00:00:00 2001 
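Review bot: the CHANGELOG hunk in PATCH 02/18 (`Role removes DKMS WireGuard package, however it doesn't remove ...`) rewrites the text of an existing changelog entry; if that entry belongs to an already released version it is better left as published, since a changelog is read as a historical record, and the spelling change can be limited to README, `defaults/main.yml` and the task names. The task-name sweep is otherwise consistent, but it missed the task still named `compile Wireguard with DKMS` in `tasks/setup-debian-vanilla.yml` (visible as context in PATCH 09/18 of this series).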
From: Robin Schneider Date: Sun, 13 Sep 2020 22:49:21 +0200 Subject: [PATCH 03/18] Move condition code into Jinja instead of having two set_fact tasks --- tasks/main.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2dfa8b8..8183456 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -41,14 +41,9 @@ register: wg_subcommands changed_when: false -- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available) - set_fact: - wg_syncconf: false - - name: Check if wg syncconf subcommand is available set_fact: - wg_syncconf: true - when: wg_subcommands.stdout | regex_search('syncconf:') + wg_syncconf: "{{ 'syncconf:' in wg_subcommands.stdout }}" - name: Show syncconf subcommand status debug: From c4a21dd0efae3e34d1530c32039a2241279b86cb Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:00:10 +0200 Subject: [PATCH 04/18] Use common namespace "wireguard" for role facts --- tasks/main.yml | 24 ++++++++++++------------ tasks/setup-debian-raspbian.yml | 18 +++++++++--------- tasks/setup-debian.yml | 4 ++-- templates/wg.conf.j2 | 6 +++--- 4 files changed, 26 insertions(+), 26 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 8183456..e79b0fd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -31,19 +31,19 @@ - name: Register if config/private key already exists on target host stat: path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" - register: config_file_stat + register: wireguard__register_config_file tags: - wg-generate-keys - wg-config - name: Get wg subcommands command: "wg --help" - register: wg_subcommands + register: wireguard__register_subcommands changed_when: false - name: Check if wg syncconf subcommand is available set_fact: - wg_syncconf: "{{ 'syncconf:' in wg_subcommands.stdout }}" + wg_syncconf: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}" - name: Show syncconf subcommand status debug: 
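Review bot: `wg_syncconf: "{{ 'syncconf:' in wg_subcommands.stdout }}"` in PATCH 03/18 is a sound replacement for the two `set_fact` tasks: the expression renders to `True`/`False` and `set_fact` converts those strings to real booleans, so any `when: wg_syncconf` downstream keeps working. One wording point: the task is still named `Check if wg syncconf subcommand is available`, but it now unconditionally assigns the fact; something like `Set wg_syncconf fact from wg --help output` describes what it does.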
@@ -52,43 +52,43 @@ - block: - name: Generate WireGuard private key command: "wg genkey" - register: wg_private_key_result + register: wireguard__register_private_key changed_when: false tags: - wg-generate-keys - name: Set private key fact set_fact: - private_key: "{{ wg_private_key_result.stdout }}" + wireguard__fact_private_key: "{{ wireguard__register_private_key.stdout }}" tags: - wg-generate-keys - when: not config_file_stat.stat.exists + when: not wireguard__register_config_file.stat.exists - block: - name: Read WireGuard config file slurp: src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" - register: wg_config + register: wireguard__register_config tags: - wg-config - name: Set private key fact set_fact: - private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}" + wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}" tags: - wg-config - when: config_file_stat.stat.exists + when: wireguard__register_config_file.stat.exists - name: Derive WireGuard public key - shell: "echo '{{ private_key }}' | wg pubkey" # noqa 306 - register: wg_public_key_result + shell: "echo '{{ wireguard__fact_private_key }}' | wg pubkey" # noqa 306 + register: wireguard__register_public_key changed_when: false tags: - wg-config - name: Set public key fact set_fact: - public_key: "{{ wg_public_key_result.stdout }}" + wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}" tags: - wg-config diff --git a/tasks/setup-debian-raspbian.yml b/tasks/setup-debian-raspbian.yml index e8fb653..4b2b46b 100644 --- a/tasks/setup-debian-raspbian.yml +++ b/tasks/setup-debian-raspbian.yml @@ -27,7 +27,7 @@ name: - "raspberrypi-kernel" state: latest - register: kernel_update + register: wireguard__register_kernel_update tags: - wg-install 
@@ -36,21 +36,21 @@ search_paths: ['/lib/molly-guard', '/usr/sbin'] when: - ansible_version.full is version('2.8.0', '>=') - - kernel_update is changed + - wireguard__register_kernel_update is changed tags: - wg-install - name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8) stat: path: /lib/molly-guard/ - register: molly_guard + register: wireguard__register_molly_guard - name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard) reboot: when: - ansible_version.full is version('2.8.0', '<') - - kernel_update is changed - - not molly_guard.stat.exists + - wireguard__register_kernel_update is changed + - not wireguard__register_molly_guard.stat.exists tags: - wg-install @@ -61,8 +61,8 @@ ignore_unreachable: yes when: - ansible_version.full is version('2.8.0', '<') - - kernel_update is changed - - molly_guard.stat.exists + - wireguard__register_kernel_update is changed + - wireguard__register_molly_guard.stat.exists tags: - wg-install @@ -70,8 +70,8 @@ wait_for_connection: when: - ansible_version.full is version('2.8.0', '<') - - kernel_update is changed - - molly_guard.stat.exists + - wireguard__register_kernel_update is changed + - wireguard__register_molly_guard.stat.exists tags: - wg-install diff --git a/tasks/setup-debian.yml b/tasks/setup-debian.yml index 62515ad..97253e7 100644 --- a/tasks/setup-debian.yml +++ b/tasks/setup-debian.yml @@ -2,7 +2,7 @@ - include_tasks: "setup-debian-raspbian.yml" when: ansible_lsb.id == "Raspbian" - register: raspbian_setup + register: wireguard__register_raspbian_setup - include_tasks: "setup-debian-vanilla.yml" - when: raspbian_setup is skipped + when: wireguard__register_raspbian_setup is skipped diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2 index 2e6a15f..e4c8656 100644 --- a/templates/wg.conf.j2 +++ b/templates/wg.conf.j2 
@@ -2,8 +2,8 @@ [Interface] # {{ inventory_hostname }} Address = {{hostvars[inventory_hostname].wireguard_address}} -PrivateKey = {{private_key}} -ListenPort = {{wireguard_port}} +PrivateKey = {{ wireguard__fact_private_key }} +ListenPort = {{ wireguard_port }} {% if hostvars[inventory_hostname].wireguard_dns is defined %} DNS = {{hostvars[inventory_hostname].wireguard_dns}} {% endif %} @@ -44,7 +44,7 @@ SaveConfig = true [Peer] # {{ host }} -PublicKey = {{hostvars[host].public_key}} +PublicKey = {{hostvars[host].wireguard__fact_public_key}} {% if hostvars[host].wireguard_allowed_ips is defined %} AllowedIPs = {{hostvars[host].wireguard_allowed_ips}} {% else %} From 35313342818cd28f9d8596149c98b6d2d3d2c2c7 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:02:57 +0200 Subject: [PATCH 05/18] Add ansible_managed header to templates files --- templates/wg.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2 index e4c8656..d19409f 100644 --- a/templates/wg.conf.j2 +++ b/templates/wg.conf.j2 @@ -1,4 +1,6 @@ #jinja2: lstrip_blocks:"True",trim_blocks:"True" +# {{ ansible_managed }} + [Interface] # {{ inventory_hostname }} Address = {{hostvars[inventory_hostname].wireguard_address}} From 713a7683ef884dda8652e7720983ecf0d69dc249 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:05:04 +0200 Subject: [PATCH 06/18] =?UTF-8?q?Move=20template=20into=20it=E2=80=99s=20f?= =?UTF-8?q?hs=20place?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- tasks/main.yml | 2 +- templates/{ => etc/wireguard}/wg.conf.j2 | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename templates/{ => etc/wireguard}/wg.conf.j2 (100%) diff --git a/tasks/main.yml b/tasks/main.yml index e79b0fd..2739330 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
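Review bot: the first `tasks/main.yml` hunk of PATCH 04/18 moves every `register:` result into the `wireguard__register_*` namespace but leaves the derived fact as `wg_syncconf` (`wg_syncconf: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"`), while the other derived facts in the same file become `wireguard__fact_private_key` and `wireguard__fact_public_key`. For the stated goal of a common namespace, rename it to `wireguard__fact_syncconf` in the same commit and update the `Show syncconf subcommand status` debug task that reads it.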
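Review bot: in the second `tasks/main.yml` hunk of PATCH 04/18 the line `shell: "echo '{{ wireguard__fact_private_key }}' | wg pubkey"` is only renamed, so the interface's private key still travels through a shell command line: it is visible to any local user in the process list for the duration of the call and is printed in Ansible's task output at higher verbosity, and neither this task nor the two `Set private key fact` tasks carry `no_log: true`. The `# noqa 306` suppresses the linter's pipe warning rather than the underlying problem; feed the key to `wg pubkey` via `args: stdin:` (as PATCH 07/18 in this series does) and add `no_log: true` to the tasks that handle the private key.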
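Review bot: the `# {{ ansible_managed }}` header added in PATCH 05/18 deserves a line in the README, because the value of `ansible_managed` comes from the user's `ansible.cfg` and the commonly used variant containing `{file} modified on %Y-%m-%d %H:%M:%S` makes the rendered file differ on every run; for this template that means the `Generate WireGuard configuration file` task reports changed each time and its `reconfigure wireguard` handler fires. Keep the header (it tells admins not to hand-edit a file holding a private key) but document that a timestamp-free `ansible_managed` string is needed for idempotent runs.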
@@ -102,7 +102,7 @@ - name: Generate WireGuard configuration file template: - src: wg.conf.j2 + src: etc/wireguard/wg.conf.j2 dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" owner: "{{ wireguard_conf_owner }}" group: "{{ wireguard_conf_group }}" diff --git a/templates/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2 similarity index 100% rename from templates/wg.conf.j2 rename to templates/etc/wireguard/wg.conf.j2 From a56a4d66005903c6e20fdad051ccc05e7c99f672 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:15:28 +0200 Subject: [PATCH 07/18] Properly solve ansible-lint 306 warning about shell task with pipe Do not ignore such warnings! They are there for a reason! --- tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2739330..0bfb739 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -80,7 +80,9 @@ when: wireguard__register_config_file.stat.exists - name: Derive WireGuard public key - shell: "echo '{{ wireguard__fact_private_key }}' | wg pubkey" # noqa 306 + command: "wg pubkey" + args: + stdin: "{{ wireguard__fact_private_key }}" register: wireguard__register_public_key changed_when: false tags: From 81c371c6a281b28a8bca3815a4eb970488e12b44 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:17:48 +0200 Subject: [PATCH 08/18] Solve ansible-lint [201] Trailing whitespace --- tasks/setup-centos-8.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/setup-centos-8.yml b/tasks/setup-centos-8.yml index fff516e..9a0bc09 100644 --- a/tasks/setup-centos-8.yml +++ b/tasks/setup-centos-8.yml @@ -1,7 +1,7 @@ --- - name: (CentOS 8) Install EPEL & ELRepo repository yum: - name: + name: - epel-release - elrepo-release update_cache: yes From e7588cd047c55fc23436d1d1712a5db9d7c08a6d Mon Sep 17 00:00:00 2001 
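Review bot: switching to `command: "wg pubkey"` with `args: stdin: "{{ wireguard__fact_private_key }}"` in PATCH 07/18 is the right fix for the `noqa 306` suppression, since the private key no longer appears in a process argument list. It still appears in Ansible's own output: at higher verbosity the module invocation including `stdin` is printed. Add `no_log: true` to this task (the registered result only carries the public key, so nothing useful is hidden), and since `stdin:` on `command` requires Ansible 2.4 or later while the Raspbian tasks in this role still branch on `ansible_version.full is version('2.8.0', '<')`, state that minimum in `meta/main.yml` or the README.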
From: Robin Schneider Date: Sun, 13 Sep 2020 23:23:09 +0200 Subject: [PATCH 09/18] Fix ansible-lint warning [502] All tasks should be named Just drop the redundant task --- tasks/setup-debian-vanilla.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index bc1a694..6a9ced0 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml @@ -15,16 +15,13 @@ - name: (Debian) Get architecture command: "dpkg --print-architecture" - register: dpkg_arch + register: wireguard__fact_dpkg_arch changed_when: False -- set_fact: - kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}" - - name: (Debian) Install kernel headers to compile Wireguard with DKMS apt: name: - - "linux-headers-{{ kernel_header_version }}" + - "linux-headers-{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,wireguard__fact_dpkg_arch.stdout) }}" state: present - name: (Debian) Install WireGuard packages From 8b1ae7d4c28f3bce41d43c2b46efa69b38aadbd9 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:30:45 +0200 Subject: [PATCH 10/18] Remove obsolete .reload-module-on-update file It does not serve any function anymore after support for module reloading has been removed from the postinst script in 0.0.20200215-2 on 2020-02-24. A module update is properly signaled via /run/reboot-required so that the admin can (automatically) schedule a reboot when convenient. This will also be more in line with future Debian releases because starting with Debian bullseye, the kernel ships the module. --- tasks/main.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0bfb739..23c58fd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
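Review bot: the inlined ternary in PATCH 09/18 reads fine, but the rename `register: wireguard__fact_dpkg_arch` breaks the convention PATCH 04/18 introduced, where `register:` results are `wireguard__register_*` and only values set with `set_fact` are `wireguard__fact_*`; use `wireguard__register_dpkg_arch` here. Two further points in the same hunk: the consuming task is still named `compile Wireguard with DKMS` (lowercase `g`, missed by the spelling sweep in PATCH 02/18), and the expression `('-cloud-' in ansible_kernel) | ternary(ansible_kernel, ...)` has lost its descriptive name `kernel_header_version`, so a short comment above the `apt` task explaining why cloud kernels need the full kernel string would help the next reader.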
@@ -114,18 +114,10 @@ notify: - reconfigure wireguard -- name: Check if reload-module-on-update is set - stat: - path: "{{ wireguard_remote_directory }}/.reload-module-on-update" - register: reload_module_on_update - tags: - - wg-config - -- name: Set WireGuard reload-module-on-update +- name: Ensure legacy reload-module-on-update is absent file: dest: "{{ wireguard_remote_directory }}/.reload-module-on-update" - state: touch - when: not reload_module_on_update.stat.exists + state: absent tags: - wg-config From 5d68b0f97fb3c7428782c96924f73d7c0337ff3a Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:40:02 +0200 Subject: [PATCH 11/18] Prefer the metapackage "wireguard" for later Debian bullseye support --- tasks/setup-debian-vanilla.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index 6a9ced0..38db1fd 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml @@ -27,8 +27,7 @@ - name: (Debian) Install WireGuard packages apt: name: - - "wireguard-dkms" - - "wireguard-tools" + - "wireguard" state: present tags: - wg-install From c1049ab64772b379a0fb2ece4b0d55f3f0a13481 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:44:48 +0200 Subject: [PATCH 12/18] Debian stretch is not currently supported by the role (anymore) It once was supported by an "unstable" workaround which has since been dropped in favor of Debian buster. --- README.md | 2 +- meta/main.yml | 1 - tasks/setup-debian-vanilla.yml | 2 +- 3 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 610ff05..2eed013 100644 --- a/README.md +++ b/README.md 
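Review bot: replacing `wireguard-dkms` and `wireguard-tools` with the `wireguard` metapackage in PATCH 11/18 makes the Debian task release-agnostic, but the task immediately before it (`(Debian) Install kernel headers to compile Wireguard with DKMS`, shown as context in PATCH 09/18) still runs unconditionally, so on a bullseye host whose kernel already ships the module the role installs `linux-headers-*` for nothing. Guard that task with the same version test used for the backports repository, or drop the headers once the metapackage resolves to the in-kernel module, and mention the package change in the CHANGELOG so buster users know why `wireguard` appears alongside the packages they already have.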
@@ -7,7 +7,7 @@ I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a whil In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/). -This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20.04 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later), CentOS 7 and partially MacOS (see below) might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-) +This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20.04 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 10 (Buster), Fedora 31 (or later), CentOS 7 and partially MacOS (see below) might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-) ### Running the VPN on MacOS diff --git a/meta/main.yml b/meta/main.yml index 8133ea6..a1c3f75 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -11,7 +11,6 @@ galaxy_info: - focal - name: Debian versions: - - stretch - buster - name: EL versions: diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index 38db1fd..04db412 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml @@ -4,7 +4,7 @@ name: gnupg state: present -- name: (Debian) Add WireGuard repository on buster or earlier +- name: (Debian) Add WireGuard repository on buster apt_repository: repo: "deb http://deb.debian.org/debian buster-backports main" state: present 
From 2309abf09ea8333c1abe5ba3fde03dbd7afcd865 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:47:39 +0200 Subject: [PATCH 13/18] Remove forgotten gnupg pkg that is not needed anymore for Debian vanilla It was once needed for the apt_key tasks. --- tasks/setup-debian-vanilla.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index 04db412..c18bc1e 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml @@ -1,9 +1,4 @@ --- -- name: (Debian) Install GPG - required to add WireGuard key - apt: - name: gnupg - state: present - - name: (Debian) Add WireGuard repository on buster apt_repository: repo: "deb http://deb.debian.org/debian buster-backports main" From a27f805d2d79ed081a23bab77c8d86909fe9bd98 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 13 Sep 2020 23:51:31 +0200 Subject: [PATCH 14/18] Ensure that buster-backports will be absent on Debian 11+ --- tasks/setup-debian-vanilla.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index c18bc1e..6a6ce06 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml @@ -2,9 +2,8 @@ - name: (Debian) Add WireGuard repository on buster apt_repository: repo: "deb http://deb.debian.org/debian buster-backports main" - state: present + state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}" update_cache: yes - when: ansible_distribution_version | int <= 10 tags: - wg-install From 132c59521a7b70dd0801cd7af42522dbdf98bc9a Mon Sep 17 00:00:00 2001 
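Review bot: `state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"` in PATCH 14/18 correctly removes buster-backports from Debian 11+, but `<= 10` also matches Debian 9, which PATCH 12/18 in this series declares unsupported; a stretch host would get `buster-backports` enabled and pull a mixed-release `wireguard` package set. Since the task is named `on buster`, test for exactly 10, and prefer `ansible_distribution_major_version` over `ansible_distribution_version | int`: the latter is a point-release string such as `10.5` on Debian, which only works because Jinja's `int` filter falls back to `int(float(...))`, and on a testing/sid host with a non-numeric version string `int` yields 0, so the expression evaluates to `present` and adds buster-backports there as well.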
From: Robin Schneider Date: Sat, 19 Sep 2020 21:31:11 +0200 Subject: [PATCH 15/18] Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections. --- templates/etc/wireguard/wg.conf.j2 | 40 +++++++++++++++--------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2 index d19409f..87d0949 100644 --- a/templates/etc/wireguard/wg.conf.j2 +++ b/templates/etc/wireguard/wg.conf.j2 
@@ -3,42 +3,42 @@ [Interface] # {{ inventory_hostname }} -Address = {{hostvars[inventory_hostname].wireguard_address}} +Address = {{wireguard_address}} PrivateKey = {{ wireguard__fact_private_key }} ListenPort = {{ wireguard_port }} -{% if hostvars[inventory_hostname].wireguard_dns is defined %} -DNS = {{hostvars[inventory_hostname].wireguard_dns}} +{% if wireguard_dns is defined %} +DNS = {{wireguard_dns}} {% endif %} -{% if hostvars[inventory_hostname].wireguard_fwmark is defined %} -FwMark = {{hostvars[inventory_hostname].wireguard_fwmark}} +{% if wireguard_fwmark is defined %} +FwMark = {{wireguard_fwmark}} {% endif %} -{% if hostvars[inventory_hostname].wireguard_mtu is defined %} -MTU = {{hostvars[inventory_hostname].wireguard_mtu}} +{% if wireguard_mtu is defined %} +MTU = {{wireguard_mtu}} {% endif %} -{% if hostvars[inventory_hostname].wireguard_table is defined %} -Table = {{hostvars[inventory_hostname].wireguard_table}} +{% if wireguard_table is defined %} +Table = {{wireguard_table}} {% endif %} -{% if hostvars[inventory_hostname].wireguard_preup is defined %} -{% for wg_preup in hostvars[inventory_hostname].wireguard_preup %} +{% if wireguard_preup is defined %} +{% for wg_preup in wireguard_preup %} PreUp = {{ wg_preup }} {% endfor %} {% endif %} -{% if hostvars[inventory_hostname].wireguard_predown is defined %} -{% for wg_predown in hostvars[inventory_hostname].wireguard_predown %} +{% if wireguard_predown is defined %} +{% for wg_predown in wireguard_predown %} PreDown = {{ wg_predown }} {% endfor %} {% endif %} -{% if hostvars[inventory_hostname].wireguard_postup is defined %} -{% for wg_postup in hostvars[inventory_hostname].wireguard_postup %} +{% if wireguard_postup is defined %} +{% for wg_postup in wireguard_postup %} PostUp = {{ wg_postup }} {% endfor %} {% endif %} -{% if hostvars[inventory_hostname].wireguard_postdown is defined %} -{% for wg_postdown in hostvars[inventory_hostname].wireguard_postdown %} +{% if wireguard_postdown is 
defined %} +{% for wg_postdown in wireguard_postdown %} PostDown = {{ wg_postdown }} {% endfor %} {% endif %} -{% if hostvars[inventory_hostname].wireguard_save_config is defined %} +{% if wireguard_save_config is defined %} SaveConfig = true {% endif %} {% for host in ansible_play_hosts %} @@ -57,8 +57,8 @@ PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}} {% endif %} {% if ( hostvars[host].wireguard_dc is defined and - hostvars[inventory_hostname].wireguard_dc is defined and - hostvars[inventory_hostname].wireguard_dc['name'] != hostvars[host].wireguard_dc['name'] + wireguard_dc is defined and + wireguard_dc['name'] != hostvars[host].wireguard_dc['name'] ) %} Endpoint = {{hostvars[host].wireguard_dc['endpoint']}}:{{hostvars[host].wireguard_dc['port']}} From 3362f1c2fcfaddd704779bc9e43ce76855d09a7c Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sat, 19 Sep 2020 21:37:33 +0200 Subject: [PATCH 16/18] Consistent use of spaces in Jinja2 print expressions --- templates/etc/wireguard/wg.conf.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2 index 87d0949..9416600 100644 --- a/templates/etc/wireguard/wg.conf.j2 +++ b/templates/etc/wireguard/wg.conf.j2 @@ -3,20 +3,20 @@ [Interface] # {{ inventory_hostname }} -Address = {{wireguard_address}} +Address = {{ wireguard_address }} PrivateKey = {{ wireguard__fact_private_key }} ListenPort = {{ wireguard_port }} {% if wireguard_dns is defined %} -DNS = {{wireguard_dns}} +DNS = {{ wireguard_dns }} {% endif %} {% if wireguard_fwmark is defined %} -FwMark = {{wireguard_fwmark}} +FwMark = {{ wireguard_fwmark }} {% endif %} {% if wireguard_mtu is defined %} -MTU = {{wireguard_mtu}} +MTU = {{ wireguard_mtu }} {% endif %} {% if wireguard_table is defined %} -Table = {{wireguard_table}} +Table = {{ wireguard_table }} {% endif %} {% if wireguard_preup is defined %} {% for wg_preup in wireguard_preup %} 
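Review bot: On PATCH 15/18, this is not a pure refactor: `hostvars[inventory_hostname].wireguard_dns` and the bare `wireguard_dns` resolve from different scopes. `hostvars` carries inventory variables, facts and `set_fact` results only, while a bare lookup also sees variables defined on the play or role, including role defaults. Every `{% if ... is defined %}` in the `[Interface]` block (`wireguard_dns`, `wireguard_fwmark`, `wireguard_mtu`, `wireguard_table`, the PreUp/PreDown/PostUp/PostDown lists, `wireguard_save_config`) will therefore now fire for a value that comes from `defaults/main.yml` or the play's `vars:`, which the old form did not. For the local interface that is probably what users expect, but the `wireguard_dc` comparison in the second hunk is now asymmetric: the local side reads `wireguard_dc` (sees play/role vars), the peer side still reads `hostvars[host].wireguard_dc` (does not), so a `wireguard_dc` set as a play variable makes the two sides disagree and the `Endpoint` line is emitted or suppressed on mismatched data. Please document that per-host settings consumed by peers must live in inventory (host_vars/group_vars).

Review bot: On PATCH 16/18, the spacing pass stops at the `[Interface]` block; the peer section still prints `{{hostvars[host].wireguard__fact_public_key}}`, `{{hostvars[host].wireguard_allowed_ips}}` and `{{hostvars[host].wireguard_persistent_keepalive}}` without spaces, as the context lines of the next patch's hunk show. Either finish the pass in this commit or narrow its title to the interface block.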
From 739c9de73ee584e064b28a7d23acc5d00b80f48d Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Sun, 20 Sep 2020 00:39:14 +0200 Subject: [PATCH 17/18] Move wireguard_ip template code to template where it belongs Instead of redundant set_fact task. --- tasks/main.yml | 4 ---- templates/etc/wireguard/wg.conf.j2 | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 23c58fd..cd2072d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -24,10 +24,6 @@ - wg-install when: not ansible_os_family == 'Darwin' -- name: Set WireGuard IP (without mask) - set_fact: - wireguard_ip: "{{ wireguard_address.split('/')[0] }}" - - name: Register if config/private key already exists on target host stat: path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2 index 9416600..1a8d489 100644 --- a/templates/etc/wireguard/wg.conf.j2 +++ b/templates/etc/wireguard/wg.conf.j2 @@ -50,7 +50,7 @@ PublicKey = {{hostvars[host].wireguard__fact_public_key}} {% if hostvars[host].wireguard_allowed_ips is defined %} AllowedIPs = {{hostvars[host].wireguard_allowed_ips}} {% else %} -AllowedIPs = {{hostvars[host].wireguard_ip}}/32 +AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32 {% endif %} {% if hostvars[host].wireguard_persistent_keepalive is defined %} PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}} From cc0c5751b6025a05010f1a62c807bfb713b87397 Mon Sep 17 00:00:00 2001 From: Robin Schneider Date: Wed, 23 Sep 2020 23:36:10 +0200 Subject: [PATCH 18/18] Add changelog entry for my first review/improvements round --- CHANGELOG.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3792501..e76d5f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,23 @@ Changelog --------- +**7.3.0** + +- Fix spelling and typos in docs. (contribution by @ypid) +- Drop Debian Stretch from the list of tested distros. Actual support was dropped/broken in 6.0.4 without updating the docs. (contribution by @ypid) +- Remove obsolete `.reload-module-on-update` file. + + It does not serve any function anymore after support for module + reloading has been removed from the postinst script in 0.0.20200215-2 on + 2020-02-24. A module update is properly signaled via + /run/reboot-required so that the admin can (automatically) schedule a + reboot when convenient. This will also be more in line with future Debian + releases because starting with Debian bullseye, the kernel ships the + module. (contribution by @ypid) + +- Add `ansible_managed` header to WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`). (contribution by @ypid) +- Behind the scenes coding style improvements and cleanup without user impact. (contribution by @ypid) + **7.2.0** - Basic MacOS X support (contribution by @rubendibattista)
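Review bot: On PATCH 17/18, deleting the `Set WireGuard IP (without mask)` task also deletes the `wireguard_ip` fact from the host's namespace, so any playbook, later role or template that read `wireguard_ip` after this role ran now hits an undefined variable. That is user-visible and belongs in the changelog (the 7.3.0 entry just below files the round as "without user impact"). Two caveats on the new `AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32` line, both inherited from the old set_fact but worth a comment in the template: it assumes `wireguard_address` is a single IPv4 prefix, so a comma-separated `Address` list breaks the line, and an IPv6 address gets a `/32` suffix, which is a valid but enormous prefix that lets that peer claim routing for the whole /32 in the cryptokey routing table. Because a wrong `AllowedIPs` drops traffic silently instead of failing, an assert on the address shape (or on there being exactly one `/`) before rendering would be cheaper than debugging it later.

Review bot: On PATCH 18/18, the "Behind the scenes coding style improvements and cleanup without user impact" bullet understates two behaviour changes in this series: patch 17 removes the `wireguard_ip` fact, and patch 14 now actively removes the buster-backports entry on Debian 11+ instead of leaving it alone. Both deserve their own line. The `ansible_managed` bullet is right that the header change will register the file as changed and trigger the handler; since it notes that only newer versions use `wg syncconf`, it should also say plainly that hosts on older wg-tools will get a service restart and a brief tunnel drop on the first run after upgrading the role.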