helix/ansible-role-wireguard
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: helix:master
Branches Tags
helix:master
helix:unmanaged-hosts
helix:14.0.0
helix:13.0.1
helix:13.0.0
helix:12.0.0
helix:11.1.0
helix:11.0.0
helix:10.0.0
helix:9.3.0
helix:9.2.0
helix:9.1.0
helix:9.0.1
helix:9.0.0
helix:8.4.0
helix:8.3.0
helix:8.1.0
helix:8.0.0
helix:7.12.0
helix:7.11.0
helix:7.10.0
helix:7.9.0
helix:7.8.0
helix:7.7.0
helix:7.6.0
helix:7.5.0
helix:7.4.0
helix:7.3.1
helix:7.3.0
helix:7.2.0
helix:7.1.0
helix:7.0.0
helix:6.3.1
helix:6.3.0
helix:6.2.0
helix:6.1.0
helix:6.0.4
helix:6.0.3
helix:6.0.2
helix:6.0.1
helix:6.0.0
helix:5.0.0
helix:4.2.0
helix:4.1.1
helix:4.1.0
helix:4.0.0
helix:3.2.2
helix:3.2.1
helix:3.2.0
helix:3.1.0
helix:3.0.1
helix:3.0.0
helix:2.0.1
helix:2.0.0
..
compare: helix:unmanaged-hosts
Branches Tags
helix:master
helix:unmanaged-hosts
helix:14.0.0
helix:13.0.1
helix:13.0.0
helix:12.0.0
helix:11.1.0
helix:11.0.0
helix:10.0.0
helix:9.3.0
helix:9.2.0
helix:9.1.0
helix:9.0.1
helix:9.0.0
helix:8.4.0
helix:8.3.0
helix:8.1.0
helix:8.0.0
helix:7.12.0
helix:7.11.0
helix:7.10.0
helix:7.9.0
helix:7.8.0
helix:7.7.0
helix:7.6.0
helix:7.5.0
helix:7.4.0
helix:7.3.1
helix:7.3.0
helix:7.2.0
helix:7.1.0
helix:7.0.0
helix:6.3.1
helix:6.3.0
helix:6.2.0
helix:6.1.0
helix:6.0.4
helix:6.0.3
helix:6.0.2
helix:6.0.1
helix:6.0.0
helix:5.0.0
helix:4.2.0
helix:4.1.1
helix:4.1.0
helix:4.0.0
helix:3.2.2
helix:3.2.1
helix:3.2.0
helix:3.1.0
helix:3.0.1
helix:3.0.0
helix:2.0.1
helix:2.0.0

2 commits
master ... unmanaged-

Author SHA1 Message Date
githubixx
818b55051e remove wg-unmanaged.conf.j2 2020-08-07 21:52:54 +02:00
githubixx
9fdcbd9ac7 skeleton for unmanged hosts 2020-08-07 21:47:41 +02:00
42 changed files with 558 additions and 2610 deletions
Show stats Expand all files Collapse all files

39
.github/workflows/release.yml vendored
View file

@ -1,39 +0,0 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
on:
push:
tags:
- '*'
defaults:
run:
working-directory: 'githubixx.ansible_role_wireguard'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'githubixx.ansible_role_wireguard'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-core
- name: Trigger a new import on Galaxy.
run: >-
ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
$(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

4
.gitignore vendored
View file

@ -1,4 +0,0 @@
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
molecule/kvm/.vagrant

10
.reuse/dep5
View file

@ -1,10 +0,0 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: ansible-role-wireguard
Upstream-Contact: Robert Wimmer <>
Source: https://github.com/githubixx/ansible-role-wireguard
# Sample paragraph, commented out:
#
# Files: src/*
# Copyright: $YEAR $NAME <$CONTACT>
# License: ...

9
.yamllint
View file

@ -1,9 +0,0 @@
---
extends: default
rules:
line-length:
max: 150
level: warning
comments-indentation: disable

259
CHANGELOG.md
View file

@ -1,209 +1,25 @@
<!--
Copyright (C) 2018-2023 Robert Wimmer
SPDX-License-Identifier: GPL-3.0-or-later
-->
Changelog
---------
# Changelog
## 14.0.0
- **BREAKING** CentOS7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very first time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed.
- CentOS7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee)
- **BREAKING** Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question.
- variable `wireguard_ubuntu_update_cache` is deprecated
- add support for Oracle Linux 9 (contribution by @cola-zero)
## 13.0.1
- [fix](https://github.com/githubixx/ansible-role-wireguard/pull/182) in README
## 13.0.0
- add IPv6 support (contribution by @DiscowZombie)
- introduce `wireguard_addresses` variable (contribution by @DiscowZombie)
## 12.0.0
- remove Fedora 35 support (reached EOL)
- remove openSUSE 15.3 support (reached EOL)
- remove Debian 10 (Buster) support (reached EOL)
- fix Molecule prepare for Archlinux
- fix `ansible-lint` issue in `tasks/setup-debian-raspbian-buster.yml`
## 11.1.0
- add support for elementary OS 6
- ignore some minor linter warnings
## 11.0.0
- add support for Rocky Linux 9 (original PR from @vincentDcmps: https://github.com/githubixx/ansible-role-wireguard/pull/163)
- add support for AlmaLinux 9 (original PR from @trunet: https://github.com/githubixx/ansible-role-wireguard/pull/164)
- add `EL9` to `meta/main.yml`
- require Ansible >= `2.11` as Rocky Linux is only supported with this version or above
- `ansible-lint`: use `community.general.pacman` module instead of `ansible.builtin.pacman` for Archlinux setup
## 10.0.0
- remove Fedora 34 + add Fedora 36 to Molecule test
- remove support for Fedora 35 / add support for Fedora 36
- add Molecule setup for openSUSE 15.4
- add Github release action to push new release to Ansible Galaxy
- add `.yamllint`
- `tasks/main.yml`: names should start with an uppercase letter
- `handlers/main.yml`: names should start with an uppercase letter
- improve the task key order to: name, when, tags, block
- fix Jinja2 spacing
## 9.3.0
- add support for Ubuntu 22.04 (Jammy Jellyfish)
## 9.2.0
- add `wireguard_interface_restart` variable. This allows the user to decide if the WireGuard interface should be restarted or not in case of changes to the interface. The default is (and was) to use `wg syncconf` which applies the changes to the interface without the need to restart the interface. Restarting the interface was only done if `wg`'s `syncconf` command wasn't available. But that's basically only true for very old (and outdated) WireGuard tools. For more information on this have a look at the README (initial [PR](https://github.com/githubixx/ansible-role-wireguard/pull/152) by @lmm-git)
- on Debian `lsb-release` is no longer needed (contribution by @blackandred)
- WireGuard is directly supported by `Raspbian 11` (Bullseye) and higher. So `Raspbian 11` and `Raspbian 10 (Buster)` (and lower) needs to be handled a little bit differently. (contribution by @penguineer)
- implement a very basic Molecule unit test
## 9.1.0
- For `Rocky Linux 8` only: Added variable `wireguard_rockylinux8_installation_method`. Set `wireguard_rockylinux8_installation_method` to `dkms` to build WireGuard module from source, with wireguard-dkms. This is required if you use a custom kernel and/or your arch is not `x86_64`. The default of `standard` will install the kernel module with kmod-wireguard from ELRepo (contribution by @gitouche-sur-osm)
## 9.0.1
- FIX: The template rendering the WireGuard configuration only checked if `wireguard_save_config` was set and if so sets `SaveConfig = true`. So setting `wireguard_save_config: "false"` had no effect.
## 9.0.0
- set minimally required Ansible version to `2.9` (contribution by @8ware)
- fully qualify modules names (requires Ansible >= 2.9) (contribution by @8ware)
- rearrange hooks to match lifecycle order (contribution by @8ware)
- remove `CentOS 8` support (reached end of life) - use AlmaLinux or Rocky Linux instead
- remove `Fedora 33` support (reached end of life)
- remove `openSUSE Leap 15.2` support (reached end of life)
- add `openSUSE 15.3` support
- add `Fedora 35` support
- remove Proxmox from Molecule test (Vagrant boxes for Proxmox are not useable)
- Remove unnecessary check if value is an integer on `wireguard_port` (see [#112](https://github.com/githubixx/ansible-role-wireguard/pull/112) (contribution by @abelfodil)
## 8.4.0
- add support for installing wireguard in pve lxc guest (contribution by @tobias-richter)
## 8.3.0
- add Molecule test for CentOS 7 `kernel-plus`
## 8.2.0
- add support for `kernel-plus` for CentOS 7 (contribution by @john-p-potter)
## 8.1.0
- add Rocky Linux support
- add AlmaLinux support
- add Molecule tests for Rocky Linux and AlmaLinux
## 8.0.0
- add `Debian 11 (Bullseye)` support
- add 'Fedora 34` support
- remove `Fedora 32` support (EOL was in May 2021)
- fix various issues reported by `ansible-lint`
- Archlinux: As `linux-lts` is using kernel `5.10` now there is no need to install `wireguard-lts` + WireGuard DKMS packages any longer (and this packages are gone anyway)
## 7.12.0
- Refactor `wg-install` tag handling. For more details see [Fix tag "wg-install" & Add no_log](https://github.com/githubixx/ansible-role-wireguard/pull/110) and [Tag wg-install is not applied properly](Tag wg-install is not applied properly) (contribution by @moonrail)
- Default verbosity of 0 or slight increases up to 2 will now not print any private keys to output (contribution by @moonrail)
## 7.11.0
- Introduce new variables `wireguard_service_enabled` and `wireguard_service_state` (contribution by @tjend)
## 7.10.0
- Support for Proxmox
- Check if `wireguard_endpoint` exists before checking if it is empty
## 7.9.0
- Added support for `Fedora 33` (contribution by @wzzrd)
- Removed support for `Fedora 31` (reached end of life)
## 7.8.0
- Added support for `openSUSE Leap 15.2`
## 7.7.0
- Use wireguard packages from Debian Backports instead of Debian Sid, these packages are more suitable for a stable distribution and have less impact on the system. Packages from unstable must be removed manually (including kernel) to make the switch on an existing system. Upgrading the role has no effect other than adding Debian Backports to the Apt repositories.
- Fix reboot mechanism in Raspbian role, now also works without `molly-guard`
## 7.6.0
- Added `wireguard_private_key` variable (contribution by @j8r)
- Fix check mode for Debian (contribution by @j8r)
## 7.5.0
- `wireguard` package is now available for Ubuntu 18.04 in universe repository. Before that `ppa:wireguard/wireguard` was used but that one isn't available anymore. The install procedure for Ubuntu 18.04 and 20.04 is now the same as both can use `wireguard` metapackage now. The role takes care to remove `wireguard-dkms` package in favour of `wireguard` metapackage but it leaves the configuration file for `ppa:wireguard/wireguard` repository untouched. So it's up to you to remove that PPA. Either use `apt-add-repository --remove ppa:wireguard/wireguard` or remove the file manually at `/etc/apt/sources.list.d/` directory (you man need to run `apt-get update` afterwards).
## 7.4.0
- Added initial molecule infrastructure
- Remove useless block for single task in `setup-debian-vanilla.yml` (contribution by @rubendibattista)
## 7.3.1
- Debian only: Ensure the headers for the currently running kernel are installed instead of the latest one which might not be running yet. This allows DKMS to build the module for the current kernel version and avoids the need for an reboot to load the module. (contribution by @ldelelis and @ypid)
## 7.3.0
- Fix spelling and typos in docs. (contribution by @ypid)
- Drop Debian Stretch from the list of tested Linux distributions. Actual support was dropped/broken in 6.0.4 without updating the docs. (contribution by @ypid)
- Remove obsolete `.reload-module-on-update` file. It does not serve any function anymore after support for module reloading has been removed from the postinst script in 0.0.20200215-2 on 2020-02-24. A module update is properly signaled via /run/reboot-required so that the admin can (automatically) schedule a reboot when convenient. This will also be more in line with future Debian releases because starting with Debian bullseye, the kernel ships the module. (contribution by @ypid)
- Add `ansible_managed` header to WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`). (contribution by @ypid)
- Behind the scenes coding style improvements and cleanup without user impact. (contribution by @ypid)
## 7.2.0
- Basic MacOS X support (contribution by @rubendibattista)
- Introduce variables `wireguard_conf_owner`, `wireguard_conf_group` and `wireguard_conf_mode` (contribution by @rubendibattista)
- Fixed a typo bug in `handlers/main.yml` (contribution by @gabriel-v). But it looks like this had no impact on the "sync/restart" functionality.
- Proper formatting of WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`).
- Introduce `wireguard_dc` variable. This is an alpha feature and subject to change and may be even removed in future releases again. Therefore no documentation for this variable yet.
## 7.1.0
- Add support for unmanaged peers with `wireguard_unmanaged_peers` (contribution by @joneskoo)
## 7.0.0
- Switched to install from ELRepo KMOD package for CentOS (see [WireGuard installation](https://www.wireguard.com/install/)). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik)
- Role removes DKMS WireGuard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by removing `/etc/yum.repos.d/wireguard.repo`
## 6.3.1
**6.3.1**
- Support Openstack Debian images (contribution by @pallinger)
## 6.3.0
**6.3.0**
- Support Raspbian (contribution by @penguineer)
## 6.2.0
**6.2.0**
- Support Ubuntu 20.04 (Focal Fossa)
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specify individual Ubuntu package cache settings. Default values are the same as before.
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before.
- As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases.
## 6.1.0
**6.1.0**
- Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package.
## 6.0.4
**6.0.4**
- Use the buster-backports repository on Debian Buster (or older), use package standard repositories on sid/bullseye.
standard repositories on sid/bullseye.
@ -213,94 +29,95 @@ SPDX-License-Identifier: GPL-3.0-or-later
If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) updates from `unstable` are accepted by apt. This likely is not what you want and may lead to an unstable state.
If you want to clean up:
- remove `/etc/apt/preferences.d/limit-unstable` and
- remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.
* remove `/etc/apt/preferences.d/limit-unstable` and
* remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.
The backports repository has a lower priority and does not need an apt preference.
## 6.0.3
**6.0.3**
- If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru)
## 6.0.2
**6.0.2**
- Debian: install `gnupg` package instead of `gpg`. (contribution by @zinefer)
## 6.0.1
**6.0.1**
- add shell options to syncconf handler to fail fast in case of error
## 6.0.0
**6.0.0**
- Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
## 5.0.0
**5.0.0**
- `wireguard_(preup|postdown|preup|predown)` settings are now a list. If more `iptables` commands needs to be specified e.g. then this changes makes it more readable. The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8). Also see README for more examples. (contribution by @Madic-)
## 4.2.0
**4.2.0**
- Add support for Fedora (contribution by @ties)
## 4.1.1
**4.1.1**
- Install GPG to be able to import WireGuard key (Debian)
## 4.1.0
**4.1.0**
- Allow to specify additional Wireguard interface options: `fwmark`, `mtu`, `table`, `preup` and `predown` (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8))
- Allow to specifiy additional Wireguard interface options: `fwmark`, `mtu`, `table`, `preup` and `predown` (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8))
- Add host comments in Wireguard config file
## 4.0.0
**4.0.0**
- While the changes introduced are backwards compatible in general if you stay with your current settings some variables are no longer needed. So this is partly a breaking change and therefore justifies a new major version.
- Support multiple Wireguard interfaces. See README for examples (contribution by fbourqui)
- Make role stateless: In the previous versions the private and public keys of the Wireguard hosts were stored locally in the directory defined with the `wireguard_cert_directory` variable. This is no longer the case. The variables `wireguard_cert_directory`, `wireguard_cert_owner` and `wireguard_cert_group` are no longer needed and were removed. If you used this role before this release it's safe to remove them from your settings. The directory that was defined with the `wireguard_cert_directory` variable will be kept. While not tested it may enable you to go back to an older version of this role and it should still work (contribution by fbourqui)
- Reminder: `wireguard_cert_directory` default was `~/wireguard/certs`. Public and Private keys where stored on the host running ansible playbook. As a security best practice private keys of all your WireGuard endpoints should not be kept locally.
## 3.2.2
**3.2.2**
- remove unneeded `with_inventory_hostnames` loops (thanks to @pierreozoux for initial PR)
- remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR)
## 3.2.1
**3.2.1**
- remove unnecessary files (contribution by @pierreozoux)
- remove unecessary files (contribution by pierreozoux)
## 3.2.0
**3.2.0**
- add support for RHEL/CentOS (contribution by @ahanselka)
- add support for RHEL/CentOS (contribution by ahanselka)
## 3.1.0
**3.1.0**
- pass package list directly to some modules by using the new and preferred syntax instead `loop` or `with_items` (contribution by @ahanselka)
- pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka)
## 3.0.1
**3.0.1**
- fix address in README
## 3.0.0
**3.0.0**
- support for Debian added (contribution by @ties)
- support for Debian added (contribution by ties)
## 2.0.1
**2.0.1**
- make Ansible linter happy
## 2.0.0
**2.0.0**
- use correct semantic versioning as described in [Semantic versioning](https://semver.org). Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
- use correct semantic versioning as described in https://semver.org. Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
- moved changelog entries to separate file
- make Ansible linter happy
- no major changes but decided to start a new major release as versioning scheme changed quite heavily
## v1.0.2
**v1.0.2**
- update README
## v1.0.1
**v1.0.1**
- update README
## v1.0.0
**v1.0.0**
- initial implementation

625
LICENSES/GPL-3.0-or-later.txt
View file

@ -1,625 +0,0 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright © 2007 Free Software Foundation, Inc. <https://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies of this license
document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for software and
other kinds of works.
The licenses for most software and other practical works are designed to take
away your freedom to share and change the works. By contrast, the GNU General
Public License is intended to guarantee your freedom to share and change all
versions of a program--to make sure it remains free software for all its users.
We, the Free Software Foundation, use the GNU General Public License for most
of our software; it applies also to any other work released this way by its
authors. You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our
General Public Licenses are designed to make sure that you have the freedom
to distribute copies of free software (and charge for them if you wish), that
you receive source code or can get it if you want it, that you can change
the software or use pieces of it in new free programs, and that you know you
can do these things.
To protect your rights, we need to prevent others from denying you these rights
or asking you to surrender the rights. Therefore, you have certain responsibilities
if you distribute copies of the software, or if you modify it: responsibilities
to respect the freedom of others.
For example, if you distribute copies of such a program, whether gratis or
for a fee, you must pass on to the recipients the same freedoms that you received.
You must make sure that they, too, receive or can get the source code. And
you must show them these terms so they know their rights.
Developers that use the GNU GPL protect your rights with two steps: (1) assert
copyright on the software, and (2) offer you this License giving you legal
permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains that
there is no warranty for this free software. For both users' and authors'
sake, the GPL requires that modified versions be marked as changed, so that
their problems will not be attributed erroneously to authors of previous versions.
Some devices are designed to deny users access to install or run modified
versions of the software inside them, although the manufacturer can do so.
This is fundamentally incompatible with the aim of protecting users' freedom
to change the software. The systematic pattern of such abuse occurs in the
area of products for individuals to use, which is precisely where it is most
unacceptable. Therefore, we have designed this version of the GPL to prohibit
the practice for those products. If such problems arise substantially in other
domains, we stand ready to extend this provision to those domains in future
versions of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents. States
should not allow patents to restrict development and use of software on general-purpose
computers, but in those that do, we wish to avoid the special danger that
patents applied to a free program could make it effectively proprietary. To
prevent this, the GPL assures that patents cannot be used to render the program
non-free.
The precise terms and conditions for copying, distribution and modification
follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of works,
such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this License.
Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals
or organizations.
To "modify" a work means to copy from or adapt all or part of the work in
a fashion requiring copyright permission, other than the making of an exact
copy. The resulting work is called a "modified version" of the earlier work
or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based on the
Program.
To "propagate" a work means to do anything with it that, without permission,
would make you directly or secondarily liable for infringement under applicable
copyright law, except executing it on a computer or modifying a private copy.
Propagation includes copying, distribution (with or without modification),
making available to the public, and in some countries other activities as
well.
To "convey" a work means any kind of propagation that enables other parties
to make or receive copies. Mere interaction with a user through a computer
network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices" to the
extent that it includes a convenient and prominently visible feature that
(1) displays an appropriate copyright notice, and (2) tells the user that
there is no warranty for the work (except to the extent that warranties are
provided), that licensees may convey the work under this License, and how
to view a copy of this License. If the interface presents a list of user commands
or options, such as a menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work for making
modifications to it. "Object code" means any non-source form of a work.
A "Standard Interface" means an interface that either is an official standard
defined by a recognized standards body, or, in the case of interfaces specified
for a particular programming language, one that is widely used among developers
working in that language.
The "System Libraries" of an executable work include anything, other than
the work as a whole, that (a) is included in the normal form of packaging
a Major Component, but which is not part of that Major Component, and (b)
serves only to enable use of the work with that Major Component, or to implement
a Standard Interface for which an implementation is available to the public
in source code form. A "Major Component", in this context, means a major essential
component (kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to produce
the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all the source
code needed to generate, install, and (for an executable work) run the object
code and to modify the work, including scripts to control those activities.
However, it does not include the work's System Libraries, or general-purpose
tools or generally available free programs which are used unmodified in performing
those activities but which are not part of the work. For example, Corresponding
Source includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically linked
subprograms that the work is specifically designed to require, such as by
intimate data communication or control flow between those subprograms and
other parts of the work.
The Corresponding Source need not include anything that users can regenerate
automatically from other parts of the Corresponding Source.
The Corresponding Source for a work in source code form is that same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of copyright
on the Program, and are irrevocable provided the stated conditions are met.
This License explicitly affirms your unlimited permission to run the unmodified
Program. The output from running a covered work is covered by this License
only if the output, given its content, constitutes a covered work. This License
acknowledges your rights of fair use or other equivalent, as provided by copyright
law.
You may make, run and propagate covered works that you do not convey, without
conditions so long as your license otherwise remains in force. You may convey
covered works to others for the sole purpose of having them make modifications
exclusively for you, or provide you with facilities for running those works,
provided that you comply with the terms of this License in conveying all material
for which you do not control copyright. Those thus making or running the covered
works for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of your copyrighted
material outside their relationship with you.
Conveying under any other circumstances is permitted solely under the conditions
stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological measure
under any applicable law fulfilling obligations under article 11 of the WIPO
copyright treaty adopted on 20 December 1996, or similar laws prohibiting
or restricting circumvention of such measures.
When you convey a covered work, you waive any legal power to forbid circumvention
of technological measures to the extent such circumvention is effected by
exercising rights under this License with respect to the covered work, and
you disclaim any intention to limit operation or modification of the work
as a means of enforcing, against the work's users, your or third parties'
legal rights to forbid circumvention of technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you receive
it, in any medium, provided that you conspicuously and appropriately publish
on each copy an appropriate copyright notice; keep intact all notices stating
that this License and any non-permissive terms added in accord with section
7 apply to the code; keep intact all notices of the absence of any warranty;
and give all recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey, and you
may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to produce
it from the Program, in the form of source code under the terms of section
4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified it, and
giving a relevant date.
b) The work must carry prominent notices stating that it is released under
this License and any conditions added under section 7. This requirement modifies
the requirement in section 4 to "keep intact all notices".
c) You must license the entire work, as a whole, under this License to anyone
who comes into possession of a copy. This License will therefore apply, along
with any applicable section 7 additional terms, to the whole of the work,
and all its parts, regardless of how they are packaged. This License gives
no permission to license the work in any other way, but it does not invalidate
such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display Appropriate
Legal Notices; however, if the Program has interactive interfaces that do
not display Appropriate Legal Notices, your work need not make them do so.
A compilation of a covered work with other separate and independent works,
which are not by their nature extensions of the covered work, and which are
not combined with it such as to form a larger program, in or on a volume of
a storage or distribution medium, is called an "aggregate" if the compilation
and its resulting copyright are not used to limit the access or legal rights
of the compilation's users beyond what the individual works permit. Inclusion
of a covered work in an aggregate does not cause this License to apply to
the other parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms of sections
4 and 5, provided that you also convey the machine-readable Corresponding
Source under the terms of this License, in one of these ways:
a) Convey the object code in, or embodied in, a physical product (including
a physical distribution medium), accompanied by the Corresponding Source fixed
on a durable physical medium customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product (including
a physical distribution medium), accompanied by a written offer, valid for
at least three years and valid for as long as you offer spare parts or customer
support for that product model, to give anyone who possesses the object code
either (1) a copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical medium customarily
used for software interchange, for a price no more than your reasonable cost
of physically performing this conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the written
offer to provide the Corresponding Source. This alternative is allowed only
occasionally and noncommercially, and only if you received the object code
with such an offer, in accord with subsection 6b.
d) Convey the object code by offering access from a designated place (gratis
or for a charge), and offer equivalent access to the Corresponding Source
in the same way through the same place at no further charge. You need not
require recipients to copy the Corresponding Source along with the object
code. If the place to copy the object code is a network server, the Corresponding
Source may be on a different server (operated by you or a third party) that
supports equivalent copying facilities, provided you maintain clear directions
next to the object code saying where to find the Corresponding Source. Regardless
of what server hosts the Corresponding Source, you remain obligated to ensure
that it is available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided you inform
other peers where the object code and Corresponding Source of the work are
being offered to the general public at no charge under subsection 6d.
A separable portion of the object code, whose source code is excluded from
the Corresponding Source as a System Library, need not be included in conveying
the object code work.
A "User Product" is either (1) a "consumer product", which means any tangible
personal property which is normally used for personal, family, or household
purposes, or (2) anything designed or sold for incorporation into a dwelling.
In determining whether a product is a consumer product, doubtful cases shall
be resolved in favor of coverage. For a particular product received by a particular
user, "normally used" refers to a typical or common use of that class of product,
regardless of the status of the particular user or of the way in which the
particular user actually uses, or expects or is expected to use, the product.
A product is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent the
only significant mode of use of the product.
"Installation Information" for a User Product means any methods, procedures,
authorization keys, or other information required to install and execute modified
versions of a covered work in that User Product from a modified version of
its Corresponding Source. The information must suffice to ensure that the
continued functioning of the modified object code is in no case prevented
or interfered with solely because modification has been made.
If you convey an object code work under this section in, or with, or specifically
for use in, a User Product, and the conveying occurs as part of a transaction
in which the right of possession and use of the User Product is transferred
to the recipient in perpetuity or for a fixed term (regardless of how the
transaction is characterized), the Corresponding Source conveyed under this
section must be accompanied by the Installation Information. But this requirement
does not apply if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has been installed
in ROM).
The requirement to provide Installation Information does not include a requirement
to continue to provide support service, warranty, or updates for a work that
has been modified or installed by the recipient, or for the User Product in
which it has been modified or installed. Access to a network may be denied
when the modification itself materially and adversely affects the operation
of the network or violates the rules and protocols for communication across
the network.
Corresponding Source conveyed, and Installation Information provided, in accord
with this section must be in a format that is publicly documented (and with
an implementation available to the public in source code form), and must require
no special password or key for unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this License
by making exceptions from one or more of its conditions. Additional permissions
that are applicable to the entire Program shall be treated as though they
were included in this License, to the extent that they are valid under applicable
law. If additional permissions apply only to part of the Program, that part
may be used separately under those permissions, but the entire Program remains
governed by this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option remove any
additional permissions from that copy, or from any part of it. (Additional
permissions may be written to require their own removal in certain cases when
you modify the work.) You may place additional permissions on material, added
by you to a covered work, for which you have or can give appropriate copyright
permission.
Notwithstanding any other provision of this License, for material you add
to a covered work, you may (if authorized by the copyright holders of that
material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the terms of
sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or author
attributions in that material or in the Appropriate Legal Notices displayed
by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or requiring
that modified versions of such material be marked in reasonable ways as different
from the original version; or
d) Limiting the use for publicity purposes of names of licensors or authors
of the material; or
e) Declining to grant rights under trademark law for use of some trade names,
trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that material by
anyone who conveys the material (or modified versions of it) with contractual
assumptions of liability to the recipient, for any liability that these contractual
assumptions directly impose on those licensors and authors.
All other non-permissive additional terms are considered "further restrictions"
within the meaning of section 10. If the Program as you received it, or any
part of it, contains a notice stating that it is governed by this License
along with a term that is a further restriction, you may remove that term.
If a license document contains a further restriction but permits relicensing
or conveying under this License, you may add to a covered work material governed
by the terms of that license document, provided that the further restriction
does not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you must place,
in the relevant source files, a statement of the additional terms that apply
to those files, or a notice indicating where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the form
of a separately written license, or stated as exceptions; the above requirements
apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly provided
under this License. Any attempt otherwise to propagate or modify it is void,
and will automatically terminate your rights under this License (including
any patent licenses granted under the third paragraph of section 11).
However, if you cease all violation of this License, then your license from
a particular copyright holder is reinstated (a) provisionally, unless and
until the copyright holder explicitly and finally terminates your license,
and (b) permanently, if the copyright holder fails to notify you of the violation
by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently
if the copyright holder notifies you of the violation by some reasonable means,
this is the first time you have received notice of violation of this License
(for any work) from that copyright holder, and you cure the violation prior
to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses
of parties who have received copies or rights from you under this License.
If your rights have been terminated and not permanently reinstated, you do
not qualify to receive new licenses for the same material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run a copy
of the Program. Ancillary propagation of a covered work occurring solely as
a consequence of using peer-to-peer transmission to receive a copy likewise
does not require acceptance. However, nothing other than this License grants
you permission to propagate or modify any covered work. These actions infringe
copyright if you do not accept this License. Therefore, by modifying or propagating
a covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically receives
a license from the original licensors, to run, modify and propagate that work,
subject to this License. You are not responsible for enforcing compliance
by third parties with this License.
An "entity transaction" is a transaction transferring control of an organization,
or substantially all assets of one, or subdividing an organization, or merging
organizations. If propagation of a covered work results from an entity transaction,
each party to that transaction who receives a copy of the work also receives
whatever licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the Corresponding
Source of the work from the predecessor in interest, if the predecessor has
it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the rights
granted or affirmed under this License. For example, you may not impose a
license fee, royalty, or other charge for exercise of rights granted under
this License, and you may not initiate litigation (including a cross-claim
or counterclaim in a lawsuit) alleging that any patent claim is infringed
by making, using, selling, offering for sale, or importing the Program or
any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this License
of the Program or a work on which the Program is based. The work thus licensed
is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims owned or controlled
by the contributor, whether already acquired or hereafter acquired, that would
be infringed by some manner, permitted by this License, of making, using,
or selling its contributor version, but do not include claims that would be
infringed only as a consequence of further modification of the contributor
version. For purposes of this definition, "control" includes the right to
grant patent sublicenses in a manner consistent with the requirements of this
License.
Each contributor grants you a non-exclusive, worldwide, royalty-free patent
license under the contributor's essential patent claims, to make, use, sell,
offer for sale, import and otherwise run, modify and propagate the contents
of its contributor version.
In the following three paragraphs, a "patent license" is any express agreement
or commitment, however denominated, not to enforce a patent (such as an express
permission to practice a patent or covenant not to sue for patent infringement).
To "grant" such a patent license to a party means to make such an agreement
or commitment not to enforce a patent against the party.
If you convey a covered work, knowingly relying on a patent license, and the
Corresponding Source of the work is not available for anyone to copy, free
of charge and under the terms of this License, through a publicly available
network server or other readily accessible means, then you must either (1)
cause the Corresponding Source to be so available, or (2) arrange to deprive
yourself of the benefit of the patent license for this particular work, or
(3) arrange, in a manner consistent with the requirements of this License,
to extend the patent license to downstream recipients. "Knowingly relying"
means you have actual knowledge that, but for the patent license, your conveying
the covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that country
that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or arrangement,
you convey, or propagate by procuring conveyance of, a covered work, and grant
a patent license to some of the parties receiving the covered work authorizing
them to use, propagate, modify or convey a specific copy of the covered work,
then the patent license you grant is automatically extended to all recipients
of the covered work and works based on it.
A patent license is "discriminatory" if it does not include within the scope
of its coverage, prohibits the exercise of, or is conditioned on the non-exercise
of one or more of the rights that are specifically granted under this License.
You may not convey a covered work if you are a party to an arrangement with
a third party that is in the business of distributing software, under which
you make payment to the third party based on the extent of your activity of
conveying the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory patent
license (a) in connection with copies of the covered work conveyed by you
(or copies made from those copies), or (b) primarily for and in connection
with specific products or compilations that contain the covered work, unless
you entered into that arrangement, or that patent license was granted, prior
to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting any implied
license or other defenses to infringement that may otherwise be available
to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or otherwise)
that contradict the conditions of this License, they do not excuse you from
the conditions of this License. If you cannot convey a covered work so as
to satisfy simultaneously your obligations under this License and any other
pertinent obligations, then as a consequence you may not convey it at all.
For example, if you agree to terms that obligate you to collect a royalty
for further conveying from those to whom you convey the Program, the only
way you could satisfy both those terms and this License would be to refrain
entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have permission to
link or combine any covered work with a work licensed under version 3 of the
GNU Affero General Public License into a single combined work, and to convey
the resulting work. The terms of this License will continue to apply to the
part which is the covered work, but the special requirements of the GNU Affero
General Public License, section 13, concerning interaction through a network
will apply to the combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of the
GNU General Public License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns.
Each version is given a distinguishing version number. If the Program specifies
that a certain numbered version of the GNU General Public License "or any
later version" applies to it, you have the option of following the terms and
conditions either of that numbered version or of any later version published
by the Free Software Foundation. If the Program does not specify a version
number of the GNU General Public License, you may choose any version ever
published by the Free Software Foundation.
If the Program specifies that a proxy can decide which future versions of
the GNU General Public License can be used, that proxy's public statement
of acceptance of a version permanently authorizes you to choose that version
for the Program.
Later license versions may give you additional or different permissions. However,
no additional obligations are imposed on any author or copyright holder as
a result of your choosing to follow a later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE
LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM
PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM
AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO
USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided above cannot
be given local legal effect according to their terms, reviewing courts shall
apply local law that most closely approximates an absolute waiver of all civil
liability in connection with the Program, unless a warranty or assumption
of liability accompanies a copy of the Program in return for a fee. END OF
TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible
use to the public, the best way to achieve this is to make it free software
which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to attach
them to the start of each source file to most effectively state the exclusion
of warranty; and each file should have at least the "copyright" line and a
pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program. If not, see <https://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short notice like
this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it under certain
conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands might
be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary. For
more information on this, and how to apply and follow the GNU GPL, see <https://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General Public
License instead of this License. But first, please read <https://www.gnu.org/
licenses /why-not-lgpl.html>.

358
README.md
View file

@ -1,55 +1,13 @@
<!--
Copyright (C) 2018-2023 Robert Wimmer
Copyright (C) 2019 fbourqui
SPDX-License-Identifier: GPL-3.0-or-later
-->
ansible-role-wireguard
======================
This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. The latest release is [available via Ansible Galaxy](https://galaxy.ansible.com/githubixx/ansible_role_wireguard). I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster.
This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. This VPN also includes two clients so that I can communicate securly with the Kubernetes API server. Also my Postfix mailserver running as K8s DaemonSet forwards mails to my internal Postfix through WireGuard VPN.
I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a while. As I moved my cloud hosts from Scaleway to Hetzner cloud it was a good time to switch the VPN solution ;-) In general PeerVPN still works perfectly fine esp. if you need a easy to setup fully meshed network (where every node is able to talk to all other nodes and even if node `A` should be able to talk to Node `C` via node `B` ;-) ). But PeerVPN needs also lot of CPU resources and throuhput could be better. That's solved with [WireGuard](https://www.wireguard.io/).
In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).
Linux
-----
This role should work with:
- Ubuntu 18.04 (Bionic Beaver)
- Ubuntu 20.04 (Focal Fossa)
- Ubuntu 22.04 (Jammy Jellyfish)
- Archlinux
- Debian 11 (Bullseye)
- Fedora 36
- CentOS 7
- AlmaLinux
- Rocky Linux
- openSUSE Leap 15.4
- Oracle Linux 9
Best effort:
- elementary OS 6
Molecule tests are [available](https://github.com/githubixx/ansible-role-wireguard#testing) (see further down below). It should also work with `Raspbian Buster` but for this one there is no test available. MacOS (see below) should also work partitially but is only best effort.
MacOS
-----
While this playbook configures, enables and starts a `systemd` service on Linux in a such a way that no additional action is needed, on MacOS it installs the required packages and it just generates the correct `wg0.conf` file that is then placed in the specified `wireguard_remote_directory` (`/opt/local/etc/wireguard` by default). In order to run the VPN, then, you need to:
```bash
sudo wg-quick up wg0
```
and to deactivate it
```bash
sudo wg-quick down wg0
```
or you can install the [official app](https://apps.apple.com/it/app/wireguard/id1451685025?l=en&mt=12) and import the `wg0.conf` file.
This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later) and CentOS 7 might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-)
Versions
--------
@ -59,9 +17,7 @@ I tag every release and try to stay with [semantic versioning](http://semver.org
Requirements
------------
By default port `51820` (protocol UDP) should be accessible from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward`. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere.
You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things.
Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
Changelog
---------
@ -71,168 +27,49 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/mast
Role Variables
--------------
These variables can be changed in `group_vars/` e.g.:
These variables can be changed in `group_vars/`:
```yaml
```
# Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "/etc/wireguard" # On Linux
# wireguard_remote_directory: "/opt/local/etc/wireguard" # On MacOS
wireguard_remote_directory: "/etc/wireguard"
# The default port WireGuard will listen if not specified otherwise.
wireguard_port: "51820"
# The default interface name that WireGuard should use if not specified otherwise.
# The default interface name that wireguard should use if not specified otherwise.
wireguard_interface: "wg0"
# The default owner of the wg.conf file
wireguard_conf_owner: root
# The default group of the wg.conf file
wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
# The default mode of the wg.conf file
wireguard_conf_mode: 0600
# The default state of the wireguard service
wireguard_service_enabled: "yes"
wireguard_service_state: "started"
# By default "wg syncconf" is used to apply WireGuard interface settings if
# they've changed. Older WireGuard tools doesn't provide this option. In that
# case as a fallback the WireGuard interface will be restarted. This causes a
# short interruption of network connections.
#
# So even if "false" is the default, the role figures out if the "syncconf"
# option of the "wg" utility is available and if not falls back to "true"
# (which means interface will be restarted as this is the only possible option
# in this case).
#
# Possible options:
# - false (default)
# - true
#
# Both options have their pros and cons. The default "false" option (do not
# restart interface)
# - does not need to restart the WireGuard interface to apply changes
# - does not cause a short VPN connection interruption when changes are applied
# - might cause network routes are not properly reloaded
#
# Setting the option value to "true" will
# - restart the WireGuard interface as the name suggests in case of changes
# - cause a short VPN connection interruption when changes are applied
# - make sure that network routes are properly reloaded
#
# So it depends a little bit on your setup which option works best. If you
# don't have an overly complicated routing that changes very often or at all
# using "false" here is most properly good enough for you. E.g. if you just
# want to connect a few servers via VPN and it normally stays this way.
#
# If you have a more dynamic routing setup then setting this to "true" might be
# the safest way to go. Also if you want to avoid the possibility creating some
# hard to detect side effects this option should be considered.
wireguard_interface_restart: false
# Normally the role automatically creates a private key the very first time
# if there isn't already a WireGuard configuration. But this option allows
# to provide your own WireGuard private key if really needed. As this is of
# course a very sensitive value you might consider a tool like Ansible Vault
# to store it encrypted.
# wireguard_private_key:
# Set to "false" if package cache should not be updated (only relevant if
# the package manager in question supports this option)
wireguard_update_cache: "true"
```
There are also a few Linux distribution specific settings:
The following variable is mandatory and needs to be configured for every host in `host_vars/`:
```yaml
#######################################
# Settings only relevant for:
# - Ubuntu
# - elementary OS
#######################################
# DEPRECATED: Please use "wireguard_update_cache" instead.
# Set to "false" if package cache should not be updated.
wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}"
# Set package cache valid time
wireguard_ubuntu_cache_valid_time: "3600"
#######################################
# Settings only relevant for CentOS 7
#######################################
# Set wireguard_centos7_installation_method to "kernel-plus"
# to use the kernel-plus kernel, which includes a built-in,
# signed WireGuard module.
#
# The default of "standard" will use the standard kernel and
# the ELRepo module for WireGuard.
wireguard_centos7_installation_method: "standard"
# Reboot host if necessary if the "kernel-plus" kernel is in use
wireguard_centos7_kernel_plus_reboot: true
# The default seconds to wait for machine to reboot and respond
# if "kernel-plus" is in use. Is only relevant if
# "wireguard_centos7_kernel_plus_reboot" is set to "true".
wireguard_centos7_kernel_plus_reboot_timeout: "600"
# Reboot host if necessary if the standard kernel is in use
wireguard_centos7_standard_reboot: true
# The default seconds to wait for machine to reboot and respond
# if "standard" kernel is in use. Is only relevant if
# "wireguard_centos7_standard_reboot" is set to "true".
wireguard_centos7_standard_reboot_timeout: "600"
#########################################
# Settings only relevant for RockyLinux 8
#########################################
# Set wireguard_rockylinux8_installation_method to "dkms"
# to build WireGuard module from source, with wireguard-dkms.
# This is required if you use a custom kernel and/or your arch
# is not x86_64.
#
# The default of "standard" will install the kernel module
# with kmod-wireguard from ELRepo.
wireguard_rockylinux8_installation_method: "standard"
```
wireguard_address: "10.8.0.101/24"
```
Every host in `host_vars/` should configure at least one address via `wireguard_address` or `wireguard_addresses`. The `wireguard_address` can only contain one IPv4, thus it's recommended to use the `wireguard_addresses` variable that can contain an array of both IPv4 and IPv6 addresses.
Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default value is the value from `wireguard_address` without the CIDR but instead with `/32` which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly:
```yaml
wireguard_addresses:
- "10.8.0.101/24"
```
Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default values are IPs defined in `wireguard_address` and `wireguard_addresses` without the CIDR but instead with `/32` (IPv4) or `/128` (IPv6) which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly:
```ini
[Interface]
Address = 10.8.0.2/24
PrivateKey = ....
ListenPort = 51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 10.8.0.101/32
Endpoint = controller01.p.domain.tld:51820
```
This is part of the WireGuard config from my workstation. It has the VPN IP `10.8.0.2` and we've a `/24` subnet in which all my WireGuard hosts are located. Also you can see we've a peer here that has the endpoint `controller01.p.domain.tld:51820`. When `wireguard_allowed_ips` is not explicitly set the Ansible template will add an `AllowedIPs` entry with the IP of that host plus `/32` or `/128`. In WireGuard this basically specifies the routing. The config above says: On my workstation with the IP `10.8.0.2` I want send all traffic to `10.8.0.101/32` to the endpoint `controller01.p.domain.tld:51820`. Now let's assume we set `wireguard_allowed_ips: "0.0.0.0/0"`. Then the resulting config looks like this.
This is part of the WireGuard config from my workstation. It has the VPN IP `10.8.0.2` and we've a `/24` subnet in which all my WireGuard hosts are located. Also you can see we've a peer here that has the endpoint `controller01.p.domain.tld:51820`. When `wireguard_allowed_ips` is not explicitly set the Ansible template will add an `AllowedIPs` entry with the IP of that host plus `/32`. In WireGuard this basically specifies the routing. The config above says: On my workstation with the IP `10.8.0.2` I want send all traffic to `10.8.0.101/32` to the endpoint `controller01.p.domain.tld:51820`. Now let's assume we set `wireguard_allowed_ips: "0.0.0.0/0"`. Then the resulting config looks like this.
```ini
```
[Interface]
Address = 10.8.0.2/24
PrivateKey = ....
ListenPort = 51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 0.0.0.0/0
Endpoint = controller01.p.domain.tld:51820
```
@ -241,7 +78,7 @@ Now this is basically the same as above BUT now the config says: I want to route
You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like). The values for the following variables are just examples and no defaults (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8)):
```yaml
```
wireguard_allowed_ips: ""
wireguard_endpoint: "host1.domain.tld"
wireguard_persistent_keepalive: "30"
@ -258,25 +95,18 @@ wireguard_postup:
wireguard_postdown:
- ...
wireguard_save_config: "true"
wireguard_unmanaged_peers:
client.example.com:
public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
# preshared_key: ... e.g. from ansible-vault?
allowed_ips: 10.0.0.3/32
endpoint: client.example.com:51820
persistent_keepalive: 0
```
`wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:
```yaml
```
wireguard_postup:
- iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
- iptables -A FORWARD -i %i -j ACCEPT
- iptables -A FORWARD -o %i -j ACCEPT
```
```yaml
```
wireguard_preup:
- echo 1 > /proc/sys/net/ipv4/ip_forward
- ufw allow 51820/udp
@ -284,13 +114,13 @@ wireguard_preup:
The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8).
One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) is required as already mentioned. It's the IPs of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs at least one unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
First, here is a part of my Ansible `hosts` file:
```ini
```
[vpn]
controller0[1:3].i.domain.tld
worker0[1:2].i.domain.tld
@ -304,53 +134,45 @@ controller0[1:3].i.domain.tld
worker0[1:2].i.domain.tld
```
As you can see I've three groups here: `vpn` (all hosts on that will get WireGuard installed), `k8s_controller` (the Kubernetes controller nodes) and `k8s_worker` (the Kubernetes worker nodes). The `i` in the domainname is for `internal`. All the `i.domain.tld` DNS entries have a `A` record that points to the WireGuard IP that we define shortly for every host e.g.: `controller01.i.domain.tld. IN A 10.8.0.101`. The reason for that is that all Kubernetes components only binds and listen on the WireGuard interface in my setup. And since I need this internal IPs for all my Kubernetes components I specify the internal DNS entries in my Ansible `hosts` file. That way I can use the Ansible inventory hostnames and variables very easy in the playbooks and templates.
As you can see I've three gropus here: `vpn` (all hosts on that will get WireGuard installed), `k8s_controller` (the Kubernetes controller nodes) and `k8s_worker` (the Kubernetes worker nodes). The `i` in the domainname is for `internal`. All the `i.domain.tld` DNS entries have a `A` record that points to the WireGuard IP that we define shortly for every host e.g.: ` controller01.i.domain.tld. IN A 10.8.0.101`. The reason for that is that all Kubernetes components only binds and listen on the WireGuard interface in my setup. And since I need this internal IPs for all my Kubernetes components I specify the internal DNS entries in my Ansible `hosts` file. That way I can use the Ansible inventory hostnames and variables very easy in the playbooks and templates.
For the Kubernetes controller nodes I've defined the following host variables:
Ansible host file: `host_vars/controller01.i.domain.tld`
```yaml
```
---
wireguard_addresses:
- "10.8.0.101/24"
wireguard_address: "10.8.0.101/24"
wireguard_endpoint: "controller01.p.domain.tld"
ansible_host: "controller01.p.domain.tld"
ansible_python_interpreter: /usr/bin/python3
```
Ansible host file: `host_vars/controller02.i.domain.tld`:
```yaml
```
---
wireguard_addresses:
- "10.8.0.102/24"
wireguard_address: "10.8.0.102/24"
wireguard_endpoint: "controller02.p.domain.tld"
ansible_host: "controller02.p.domain.tld"
ansible_python_interpreter: /usr/bin/python3
```
Ansible host file: `host_vars/controller03.i.domain.tld`:
```yaml
```
---
wireguard_addresses:
- "10.8.0.103/24"
wireguard_address: "10.8.0.103/24"
wireguard_endpoint: "controller03.p.domain.tld"
ansible_host: "controller03.p.domain.tld"
ansible_python_interpreter: /usr/bin/python3
```
I've specified `ansible_python_interpreter` here for every node as the controller nodes use Ubuntu 18.04 which has Python 3 installed by default. `ansible_host` is set to the public DNS of that host. Ansible will use this hostname to connect to the host via SSH. I use the same value also for `wireguard_endpoint` because of the same reason. The WireGuard peers needs to connect to the other peers via a public IP (well at least via a IP that the WireGuard hosts can connect to - that could be of course also a internal IP if it works for you). IPs specified by `wireguard_address` or `wireguard_addresses` needs to be unique of course for every host.
I've specified `ansible_python_interpreter` here for every node as the controller nodes use Ubuntu 18.04 which has Python 3 installed by default. `ansible_host` is set to the public DNS of that host. Ansible will use this hostname to connect to the host via SSH. I use the same value also for `wireguard_endpoint` because of the same reason. The WireGuard peers needs to connect to the other peers via a public IP (well at least via a IP that the WireGuard hosts can connect to - that could be of course also a internal IP if it works for you). The `wireguard_address` needs to be unique of course for every host.
For the Kubernetes worker I've defined the following variables:
Ansible host file: `host_vars/worker01.i.domain.tld`
```yaml
```
---
wireguard_addresses:
- "10.8.0.111/24"
wireguard_address: "10.8.0.111/24"
wireguard_endpoint: "worker01.p.domain.tld"
wireguard_persistent_keepalive: "30"
ansible_host: "worker01.p.domain.tld"
@ -358,11 +180,9 @@ ansible_python_interpreter: /usr/bin/python3
```
Ansible host file: `host_vars/worker02.i.domain.tld`:
```yaml
```
---
wireguard_addresses:
- "10.8.0.112/24"
wireguard_address: "10.8.0.112/24"
wireguard_endpoint: "worker02.p.domain.tld"
wireguard_persistent_keepalive: "30"
ansible_host: "worker02.p.domain.tld"
@ -373,23 +193,21 @@ As you can see the variables are basically the same as the controller nodes have
For my internal server at home (connected via DSL router to the internet) we've this configuration:
```yaml
```
---
wireguard_addresses:
- "10.8.0.1/24"
wireguard_address: "10.8.0.1/24"
wireguard_endpoint: "server.at.home.p.domain.tld"
wireguard_persistent_keepalive: "30"
ansible_host: 192.168.2.254
ansible_port: 22
```
By default the SSH daemon is listening on a different port than 22 on all of my public nodes but internally I use `22` and that's the reason to set `ansible_port: 22` here. Also `ansible_host` is of course a internal IP for that host. The `wireguard_endpoint` value is a dynamic DNS entry. Since my IP at home isn't static I need to run a script every minute at my home server that checks if the IP has changed and if so adjusts my DNS record. I use OVH's DynHost feature to accomplish this but you can use and DynDNS provider you want of course. Also I forward incoming traffic on port `51820/UDP` to my internal server to allow incoming WireGuard traffic. IPs from `wireguard_address` and `wireguard_addresses` needs to be of course part of our WireGuard subnet.
By default the SSH daemon is listening on a different port than 22 on all of my public nodes but internally I use `22` and that's the reason to set `ansible_port: 22` here. Also `ansible_host` is of course a internal IP for that host. The `wireguard_endpoint` value is a dynamic DNS entry. Since my IP at home isn't static I need to run a script every minute at my home server that checks if the IP has changed and if so adjusts my DNS record. I use OVH's DynHost feature to accomplish this but you can use and DynDNS provider you want of course. Also I forward incoming traffic on port `51820/UDP` to my internal server to allow incoming WireGuard traffic. The `wireguard_address` needs to be of course part of our WireGuard subnet.
And finally for my workstation (on which I run all `ansible-playbook` commands):
```yaml
wireguard_addresses:
- "10.8.0.2/24"
```
wireguard_address: "10.8.0.2/24"
wireguard_endpoint: ""
ansible_connection: local
ansible_become: false
@ -397,41 +215,41 @@ ansible_become: false
As you can see `wireguard_endpoint: ""` is a empty string here. That means the Ansible role won't set an endpoint for my workstation. Since there is no need for the other hosts to connect to my workstation it doesn't makes sense to have a endpoint defined. So in this case I can access all hosts defined in the Ansible group `vpn` from my workstation but not the other way round. So the resulting WireGuard config for my workstation looks like this:
```ini
```
[Interface]
Address = 10.8.0.2/24
PrivateKey = ....
ListenPort = 51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 10.8.0.101/32
Endpoint = controller01.p.domain.tld:51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 10.8.0.102/32
Endpoint = controller02.p.domain.tld:51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 10.8.0.103/32
Endpoint = controller03.p.domain.tld:51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 10.8.0.111/32
PersistentKeepalive = 30
Endpoint = worker01.p.domain.tld:51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 10.8.0.112/32
PersistentKeepalive = 30
Endpoint = worker02.p.domain.tld:51820
[Peer]
PublicKey = ....
PrivateKey = ....
AllowedIPs = 10.8.0.1/32
PersistentKeepalive = 30
Endpoint = server.at.home.p.domain.tld:51820
@ -439,42 +257,32 @@ Endpoint = server.at.home.p.domain.tld:51820
The other WireGuard config files (`wg0.conf` by default) looks similar but of course `[Interface]` includes the config of that specific host and the `[Peer]` entries lists the config of the other hosts.
Example Playbooks
-----------------
Example Playbook
----------------
```yaml
```
- hosts: vpn
roles:
- githubixx.ansible_role_wireguard
- wireguard
```
```yaml
hosts: vpn
roles:
-
role: githubixx.ansible_role_wireguard
tags: role-wireguard
```
Example inventory using two different WireGuard interfaces on host "multi"
Example Inventory using two different WireGuard interfaces on host "multi"
--------------------------------------------------------------------------
This is a complex example using yaml inventory format:
```yaml
```
vpn1:
hosts:
multi:
wireguard_addresses:
- "10.9.0.1/32"
wireguard_address: 10.9.0.1/32
wireguard_allowed_ips: "10.9.0.1/32, 192.168.2.0/24"
wireguard_endpoint: multi.example.com
wireguard_endpoint: multi.exemple.com
nated:
wireguard_addresses:
- "10.9.0.2/32"
wireguard_address: 10.9.0.2/32
wireguard_allowed_ips: "10.9.0.2/32, 192.168.3.0/24"
wireguard_persistent_keepalive: 15
wireguard_endpoint: nated.example.com
wireguard_endpoint: nated.exemple.com
wireguard_postup:
- iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
- iptables -A FORWARD -i %i -j ACCEPT
@ -493,62 +301,32 @@ vpn2:
wireguard_interface: wg1
# when using several interface on one host, we must use different ports
wireguard_port: 51821
wireguard_addresses:
- "10.9.1.1/32"
wireguard_endpoint: multi.example.com
wireguard_address: 10.9.1.1/32
wireguard_endpoint: multi.exemple.com
another:
wireguard_address:
- "10.9.1.2/32"
wireguard_endpoint: another.example.com
wireguard_address: 10.9.1.2/32
wireguard_endpoint: another.exemple.com
```
Sample playbooks for example above:
Playbooks
---------
```yaml
```
- hosts: vpn1
roles:
- githubixx.ansible_role_wireguard
- wireguard
```
```yaml
```
- hosts: vpn2
roles:
- githubixx.ansible_role_wireguard
```
Testing
-------
This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/kvm).
Afterwards molecule can be executed:
```bash
molecule converge -s kvm
```
This will setup quite a few virtual machines (VM) with different supported Linux operating systems. To run a few tests:
```bash
molecule verify -s kvm
```
To clean up run
```bash
molecule destroy -s kvm
```
There is also a small Molecule setup that mimics a central WireGuard server with a few clients:
```bash
molecule converge -s kvm-single-server
- wireguard
```
License
-------
[GNU General Public License v3.0 or later](https://spdx.org/licenses/GPL-3.0-or-later.html)
GNU GENERAL PUBLIC LICENSE Version 3
Author Information
------------------

125
defaults/main.yml
View file

@ -1,126 +1,41 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
#######################################
################################################################################
# General settings
#######################################
################################################################################
# Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Darwin' else '/opt/local/etc/wireguard' }}"
wireguard_remote_directory: "/etc/wireguard"
# The default port WireGuard will listen if not specified otherwise.
wireguard_port: "51820"
# The default interface name that WireGuard should use if not specified otherwise.
# The default interface name that wireguard should use if not specified otherwise.
wireguard_interface: "wg0"
# The default owner of the wg.conf file
wireguard_conf_owner: root
# The default group of the wg.conf file
wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
################################################################################
# Settings for devices like laptops, tablets, mobiles, etc. not managed by
# Ansible. If you don't have such devices just leave the variables commented.
################################################################################
# The default mode of the wg.conf file
wireguard_conf_mode: 0600
# Directory to store configurations for unmanaged hosts
wireguard_unmanaged_hosts_directory: "{{ '~/wireguard_unmanaged_hosts' | expanduser }}"
# The default state of the wireguard service
wireguard_service_enabled: "yes"
wireguard_service_state: "started"
#
wireguard_unmanaged_hosts_list:
- tablet01
- mobile01
# By default "wg syncconf" is used to apply WireGuard interface settings if
# they've changed. Older WireGuard tools doesn't provide this option. In that
# case as a fallback the WireGuard interface will be restarted. This causes a
# short interruption of network connections.
#
# So even if "false" is the default, the role figures out if the "syncconf"
# option of the "wg" utility is available and if not falls back to "true"
# (which means interface will be restarted as this is the only possible option
# in this case).
#
# Possible options:
# - false (default)
# - true
#
# Both options have their pros and cons. The default "false" option (do not
# restart interface)
# - does not need to restart the WireGuard interface to apply changes
# - does not cause a short VPN connection interruption when changes are applied
# - might cause network routes are not properly reloaded
#
# Setting the option value to "true" will
# - restart the WireGuard interface as the name suggests in case of changes
# - cause a short VPN connection interruption when changes are applied
# - make sure that network routes are properly reloaded
#
# So it depends a little bit on your setup which option works best. If you
# don't have an overly complicated routing that changes very often or at all
# using "false" here is most properly good enough for you. E.g. if you just
# want to connect a few servers via VPN and it normally stays this way.
#
# If you have a more dynamic routing setup then setting this to "true" might be
# the safest way to go. Also if you want to avoid the possibility creating some
# hard to detect side effects this option should be considered.
wireguard_interface_restart: false
wireguard_unmanaged_delegate_to: "127.0.0.1"
# This is sensitive: encrypt it with a tool like Ansible Vault.
# If not set, a new one is generated on a blank configuration.
# wireguard_private_key:
# Set to "false" if package cache should not be updated (only relevant if
# the package manager in question supports this option)
wireguard_update_cache: "true"
###############################################################################
# Settings only relevant for Ubuntu
###############################################################################
#######################################
# Settings only relevant for:
# - Ubuntu
# - elementary OS
#######################################
# DEPRECATED: Please use "wireguard_update_cache" instead.
# Set to "false" if package cache should not be updated.
wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}"
# Set to "false" if package cache should not be updated
wireguard_ubuntu_update_cache: "true"
# Set package cache valid time
wireguard_ubuntu_cache_valid_time: "3600"
#######################################
# Settings only relevant for CentOS 7
#######################################
# Set wireguard_centos7_installation_method to "kernel-plus"
# to use the kernel-plus kernel, which includes a built-in,
# signed WireGuard module.
#
# The default of "standard" will use the standard kernel and
# the ELRepo module for WireGuard.
wireguard_centos7_installation_method: "standard"
# Reboot host if necessary if the "kernel-plus" kernel is in use
wireguard_centos7_kernel_plus_reboot: true
# The default seconds to wait for machine to reboot and respond
# if "kernel-plus" is in use. Is only relevant if
# "wireguard_centos7_kernel_plus_reboot" is set to "true".
wireguard_centos7_kernel_plus_reboot_timeout: "600"
# Reboot host if necessary if the standard kernel is in use
wireguard_centos7_standard_reboot: true
# The default seconds to wait for machine to reboot and respond
# if "standard" kernel is in use. Is only relevant if
# "wireguard_centos7_standard_reboot" is set to "true".
wireguard_centos7_standard_reboot_timeout: "600"
#########################################
# Settings only relevant for RockyLinux 8
#########################################
# Set wireguard_rockylinux8_installation_method to "dkms"
# to build WireGuard module from source, with wireguard-dkms.
# This is required if you use a custom kernel and/or your arch
# is not x86_64.
#
# The default of "standard" will install the kernel module
# with kmod-wireguard from ELRepo.
wireguard_rockylinux8_installation_method: "standard"

37
handlers/main.yml
View file

@ -1,32 +1,23 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Restart wireguard
ansible.builtin.service:
- name: restart wireguard
service:
name: "wg-quick@{{ wireguard_interface }}"
state: "{{ item }}"
loop:
- stopped
- started
when:
- wireguard__restart_interface
- not ansible_os_family == 'Darwin'
- wireguard_service_enabled == "yes"
- stopped
- started
when: not wg_syncconf
listen: "reconfigure wireguard"
- name: Syncconf wireguard
ansible.builtin.shell: |
set -o errexit
set -o pipefail
set -o nounset
systemctl is-active wg-quick@{{ wireguard_interface | quote }} || systemctl start wg-quick@{{ wireguard_interface | quote }}
wg syncconf {{ wireguard_interface | quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface | quote }}.conf)
exit 0
- name: syncconf wireguard
shell: |
set -o errexit
set -o pipefail
set -o nounset
systemctl is-active wg-quick@wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
exit 0
args:
executable: "/bin/bash"
when:
- not wireguard__restart_interface
- not ansible_os_family == 'Darwin'
- wireguard_service_enabled == "yes"
when: wg_syncconf
listen: "reconfigure wireguard"

45
meta/main.yml
View file

@ -1,35 +1,24 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
galaxy_info:
author: Robert Wimmer
description: Installs Wireguard incl. systemd integration
license: GPL-3.0-or-later
min_ansible_version: "2.11"
namespace: githubixx
role_name: ansible_role_wireguard
license: GPLv3
min_ansible_version: 2.5
platforms:
- name: ArchLinux
- name: Ubuntu
versions:
- "bionic"
- "focal"
- "jammy"
- name: Debian
versions:
- "bullseye"
- name: EL
versions:
- "7"
- "8"
- "9"
- name: Fedora
versions:
- "36"
- name: opensuse
versions:
- "15.4"
- name: ArchLinux
- name: Ubuntu
versions:
- bionic
- focal
- name: Debian
versions:
- stretch
- buster
- name: EL
versions:
- 7
- name: Fedora
versions:
- 31
galaxy_tags:
- networking
- security

12
molecule/kvm-single-server/converge.yml
View file

@ -1,12 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- hosts: all
remote_user: vagrant
become: true
gather_facts: true
tasks:
- name: Include WireGuard role
ansible.builtin.include_role:
name: githubixx.ansible_role_wireguard

95
molecule/kvm-single-server/molecule.yml
View file

@ -1,95 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
dependency:
name: galaxy
driver:
name: vagrant
provider:
name: libvirt
type: libvirt
options:
memory: 192
cpus: 2
platforms:
- name: test-wg-ubuntu2004
box: generic/ubuntu2004
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.10
groups:
- vpn
- ubuntu
- name: test-wg-ubuntu1804
box: generic/ubuntu1804
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.20
groups:
- vpn
- ubuntu
- name: test-wg-debian11
box: generic/debian11
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.30
groups:
- vpn
- debian
- name: test-wg-ubuntu2204
box: alvistack/ubuntu-22.04
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.40
groups:
- vpn
- ubuntu
provisioner:
name: ansible
connection_options:
ansible_ssh_user: vagrant
ansible_become: true
log: true
lint:
name: ansible-lint
inventory:
host_vars:
test-wg-ubuntu2004:
wireguard_address: "10.10.10.10/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.10"
test-wg-ubuntu1804:
wireguard_address: "10.10.10.20/24"
wireguard_persistent_keepalive: "30"
wireguard_endpoint: ""
test-wg-debian11:
wireguard_address: "10.10.10.30/24"
wireguard_persistent_keepalive: "30"
wireguard_endpoint: ""
ansible_python_interpreter: "/usr/bin/python3"
test-wg-ubuntu2204:
wireguard_address: "10.10.10.40/24"
wireguard_persistent_keepalive: "30"
wireguard_endpoint: ""
scenario:
name: kvm-single-server
test_sequence:
- prepare
- converge
verifier:
name: ansible

13
molecule/kvm-single-server/prepare.yml
View file

@ -1,13 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- hosts: ubuntu
remote_user: vagrant
become: true
gather_facts: true
tasks:
- name: Update APT package cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600

33
molecule/kvm-single-server/verify.yml
View file

@ -1,33 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Verify setup
hosts: all
vars:
hosts_count: "{{ groups['vpn'] | length }}"
tasks:
- name: Count WireGuard interfaces
ansible.builtin.shell: |
set -o errexit
set -o pipefail
set -o nounset
wg | grep "peer: " | wc -l
exit 0
args:
executable: "/bin/bash"
register: wireguard__interfaces_count
changed_when: false
- name: Print WireGuard interface count
ansible.builtin.debug:
var: wireguard__interfaces_count.stdout
- name: Print hosts count in vpn group
ansible.builtin.debug:
var: hosts_count
- name: There should be as much WireGuard interfaces as hosts in vpn group minus one
ansible.builtin.assert:
that:
- "hosts_count|int -1 == wireguard__interfaces_count.stdout|int"

12
molecule/kvm/converge.yml
View file

@ -1,12 +0,0 @@
---
# Copyright (C) 2020-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- hosts: all
remote_user: vagrant
become: true
gather_facts: true
tasks:
- name: Include WireGuard role
ansible.builtin.include_role:
name: githubixx.ansible_role_wireguard

297
molecule/kvm/molecule.yml
View file

@ -1,297 +0,0 @@
---
# Copyright (C) 2020-2022 Robert Wimmer
# Copyright (C) 2020 Pierre Ozoux
# SPDX-License-Identifier: GPL-3.0-or-later
dependency:
name: galaxy
driver:
name: vagrant
provider:
name: libvirt
type: libvirt
platforms:
- name: test-wg-ubuntu2004
box: generic/ubuntu2004
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.10
groups:
- vpn
- ubuntu
- name: test-wg-ubuntu1804
box: generic/ubuntu1804
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.20
groups:
- vpn
- ubuntu
- name: test-wg-fedora36
box: generic/fedora36
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.40
groups:
- vpn
- fedora
- name: test-wg-centos7
box: generic/centos7
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.50
groups:
- vpn
- el7
- name: test-wg-arch
box: archlinux/archlinux
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.60
groups:
- vpn
- archlinux
- name: test-wg-debian11
box: generic/debian11
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.70
groups:
- vpn
- debian
- name: test-wg-rocky8
box: generic/rocky8
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.80
groups:
- vpn
- el8
- name: test-wg-alma8
box: generic/alma8
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.90
groups:
- vpn
- el8
- name: test-wg-centos7-kernel-plus
box: generic/centos7
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.100
groups:
- vpn
- el7
- name: test-wg-rocky8-dkms
box: generic/rocky8
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.130
groups:
- vpn
- el8
- el8dkms
- name: test-wg-ubuntu2204
box: generic/ubuntu2004
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.140
groups:
- vpn
- ubuntu
- name: test-wg-opensuse-leap-15-4
box: opensuse/Leap-15.4.x86_64
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.150
groups:
- vpn
- opensuse
- name: test-wg-rocky9
box: generic/rocky9
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.160
groups:
- vpn
- el9
- name: test-wg-alma9
box: generic/alma9
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.170
groups:
- vpn
- el9
- name: test-wg-oracle9
box: generic/oracle9
memory: 1024
cpus: 2
interfaces:
- auto_config: true
network_name: private_network
type: static
ip: 192.168.10.180
groups:
- vpn
- el9
provisioner:
name: ansible
connection_options:
ansible_ssh_user: vagrant
ansible_become: true
log: true
lint:
name: ansible-lint
inventory:
host_vars:
test-wg-ubuntu2004:
wireguard_address: "10.10.10.10/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.10"
test-wg-ubuntu1804:
wireguard_address: "10.10.10.20/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.20"
test-wg-fedora36:
wireguard_address: "10.10.10.40/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.40"
wireguard_interface_restart: true
test-wg-centos7:
wireguard_address: "10.10.10.50/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.50"
wireguard_interface_restart: true
test-wg-arch:
wireguard_address: "10.10.10.60/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.60"
ansible_python_interpreter: "/usr/bin/python"
test-wg-debian11:
wireguard_address: "10.10.10.70/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.70"
ansible_python_interpreter: "/usr/bin/python3"
test-wg-rocky8:
wireguard_address: "10.10.10.80/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.80"
test-wg-alma8:
wireguard_address: "10.10.10.90/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.90"
test-wg-centos7-kernel-plus:
wireguard_address: "10.10.10.100/24"
wireguard_port: 51821
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.100"
wireguard_centos7_installation_method: "kernel-plus"
test-wg-rocky8-dkms:
wireguard_address: "10.10.10.130/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.130"
wireguard_rockylinux8_installation_method: "dkms"
test-wg-ubuntu2204:
wireguard_address: "10.10.10.140/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.140"
test-wg-opensuse-leap-15-4:
wireguard_address: "10.10.10.150/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.150"
test-wg-rocky9:
wireguard_address: "10.10.10.160/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.160"
test-wg-alma9:
wireguard_address: "10.10.10.170/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.170"
test-wg-oracle9:
wireguard_address: "10.10.10.180/24"
wireguard_port: 51820
wireguard_persistent_keepalive: "30"
wireguard_endpoint: "192.168.10.180"
scenario:
name: kvm
test_sequence:
- prepare
- converge
verifier:
name: ansible

70
molecule/kvm/prepare.yml
View file

@ -1,70 +0,0 @@
---
# Copyright (C) 2021-2023 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- hosts: opensuse
remote_user: vagrant
become: true
gather_facts: true
tasks:
- name: Remove backports repositories
ansible.builtin.raw: |
zypper rr repo-backports-debug-update
zypper rr repo-backports-update
changed_when: false
failed_when: false
- hosts: archlinux
remote_user: vagrant
become: true
gather_facts: false
tasks:
- name: Init pacman
ansible.builtin.raw: |
pacman-key --init
pacman-key --populate archlinux
changed_when: false
failed_when: false
- name: Updating pacman cache
raw: pacman -Sy
- name: Install Python
ansible.builtin.raw: |
pacman -S --noconfirm python
args:
executable: /bin/bash
changed_when: false
- hosts: proxmox
remote_user: vagrant
become: true
gather_facts: true
tasks:
- name: (Proxmox) Delete /var/lib/apt/lists/lock
ansible.builtin.file:
name: /var/lib/apt/lists/lock
state: absent
- hosts: ubuntu
remote_user: vagrant
become: true
gather_facts: true
tasks:
- name: Update APT package cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
- hosts: el8dkms
remote_user: vagrant
become: true
gather_facts: true
tasks:
- name: Install ELRepo mainline kernel
ansible.builtin.raw: |
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
dnf install -y https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
dnf --enablerepo=elrepo-kernel install -y kernel-ml
changed_when: false
failed_when: false

33
molecule/kvm/verify.yml
View file

@ -1,33 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Verify setup
hosts: all
vars:
hosts_count: "{{ groups['vpn'] | length }}"
tasks:
- name: Count WireGuard interfaces
ansible.builtin.shell: |
set -o errexit
set -o pipefail
set -o nounset
wg | grep "peer: " | wc -l
exit 0
args:
executable: "/bin/bash"
register: wireguard__interfaces_count
changed_when: false
- name: Print WireGuard interface count
ansible.builtin.debug:
var: wireguard__interfaces_count.stdout
- name: Print hosts count in vpn group
ansible.builtin.debug:
var: hosts_count
- name: There should be as much WireGuard interfaces as hosts in vpn group minus one
ansible.builtin.assert:
that:
- "hosts_count|int -1 == wireguard__interfaces_count.stdout|int"

223
tasks/main.yml
View file

@ -1,153 +1,110 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
#- name: Gather instance facts
# setup:
- name: Gather instance facts
ansible.builtin.setup:
#- name: Include distribution specific tasks
# include_tasks: "setup-{{ ansible_distribution|lower }}.yml"
- name: Include tasks depending on OS
ansible.builtin.include_tasks:
file: "{{ item }}"
apply:
tags:
- wg-install
with_first_found:
- "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml"
- "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml"
- "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_release }}.yml"
- "setup-{{ ansible_distribution | lower }}.yml"
- "setup-{{ ansible_os_family | lower }}.yml"
tags:
- wg-install
- name: Include unmanaged hosts variables
include_vars:
name: wireguard_unmanaged_host_{{ item }}
dir: vars
extensions:
- yml
- yaml
loop: "{{ wireguard_unmanaged_hosts_list }}"
when: wireguard_unmanaged_hosts_list is defined
- debug: var=wireguard_unmanaged_host_{{ item }}
loop: "{{ wireguard_unmanaged_hosts_list }}"
- name: Enable WireGuard kernel module
community.general.modprobe:
modprobe:
name: wireguard
state: present
register: wireguard__register_module_enabled
until: wireguard__register_module_enabled is succeeded
register: wireguard_module_enabled
until: wireguard_module_enabled is succeeded
retries: 10
delay: 10
failed_when: wireguard__register_module_enabled is failure
failed_when: wireguard_module_enabled is failure
tags:
- wg-install
when: not ansible_os_family == 'Darwin'
- name: Set default for WireGuard interface restart behavior
ansible.builtin.set_fact:
wireguard__restart_interface: >-
{%- if wireguard_interface_restart -%}
true
{%- else -%}
false
{%- endif %}
tags:
- skip_ansible_lint
- name: Make sure wg syncconf option is available
when:
- not wireguard_interface_restart
tags:
- wg-config
block:
- name: Get available wg subcommands
ansible.builtin.command: "wg --help"
register: wireguard__register_subcommands
changed_when: false
check_mode: false
- name: Check if wg syncconf subcommand is available
ansible.builtin.set_fact:
wireguard__syncconf_avail: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"
- name: Wg syncconf subcommand available
ansible.builtin.debug:
var: wireguard__syncconf_avail
- name: Fall back to interface restart if wg syncconf is not available
when:
- not wireguard__syncconf_avail
ansible.builtin.set_fact:
wireguard__restart_interface: true
- name: Final decision on WireGuard interface restart method
ansible.builtin.debug:
msg: >-
{%- if wireguard__restart_interface -%}
'restart'
{%- else -%}
'syncconf'
{%- endif %}
tags:
- skip_ansible_lint
- name: Set WireGuard IP (without mask)
set_fact:
wireguard_ip: "{{ wireguard_address.split('/')[0] }}"
- name: Register if config/private key already exists on target host
ansible.builtin.stat:
stat:
path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
register: wireguard__register_config_file
register: config_file_stat
tags:
- wg-generate-keys
- wg-config
- name: WireGuard private key handling for new keys
when:
- not wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
block:
- name: Generate WireGuard private key
ansible.builtin.command: "wg genkey"
register: wireguard__register_private_key
changed_when: false
no_log: '{{ ansible_verbosity < 3 }}'
tags:
- wg-generate-keys
- name: Get wg subcommands
command: "wg --help"
register: wg_subcommands
changed_when: false
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
no_log: '{{ ansible_verbosity < 3 }}'
tags:
- wg-generate-keys
- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
set_fact:
wg_syncconf: false
- name: WireGuard private key handling for existing keys
when:
- wireguard__register_config_file.stat.exists
- wireguard_private_key is not defined
block:
- name: Read WireGuard config file
ansible.builtin.slurp:
src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
register: wireguard__register_config
no_log: '{{ ansible_verbosity < 3 }}'
tags:
- wg-config
- name: Check if wg syncconf subcommand is available
set_fact:
wg_syncconf: true
when: wg_subcommands.stdout | regex_search('syncconf:')
- name: Set private key fact
ansible.builtin.set_fact:
wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
no_log: '{{ ansible_verbosity < 3 }}'
tags:
- wg-config
- name: Show syncconf subcommand status
debug:
var: wg_syncconf
- block:
- name: Generate WireGuard private key
command: "wg genkey"
register: wg_private_key_result
changed_when: false
tags:
- wg-generate-keys
- name: Set private key fact
set_fact:
private_key: "{{ wg_private_key_result.stdout }}"
tags:
- wg-generate-keys
when: not config_file_stat.stat.exists
- block:
- name: Read WireGuard config file
slurp:
src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
register: wg_config
tags:
- wg-config
- name: Set private key fact
set_fact:
private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
tags:
- wg-config
when: config_file_stat.stat.exists
- name: Derive WireGuard public key
ansible.builtin.command: "wg pubkey"
args:
stdin: "{{ wireguard_private_key }}"
register: wireguard__register_public_key
shell: "echo '{{ private_key }}' | wg pubkey" # noqa 306
register: wg_public_key_result
changed_when: false
check_mode: false
no_log: '{{ ansible_verbosity < 3 }}'
tags:
- wg-config
- name: Set public key fact
ansible.builtin.set_fact:
wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
set_fact:
public_key: "{{ wg_public_key_result.stdout }}"
tags:
- wg-config
- name: Create WireGuard configuration directory
ansible.builtin.file:
file:
dest: "{{ wireguard_remote_directory }}"
state: directory
mode: 0700
@ -155,28 +112,34 @@
- wg-config
- name: Generate WireGuard configuration file
ansible.builtin.template:
src: etc/wireguard/wg.conf.j2
template:
src: wg.conf.j2
dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
owner: "{{ wireguard_conf_owner }}"
group: "{{ wireguard_conf_group }}"
mode: "{{ wireguard_conf_mode }}"
no_log: '{{ ansible_verbosity < 3 }}'
owner: root
group: root
mode: 0600
tags:
- wg-config
notify:
- reconfigure wireguard
- name: Ensure legacy reload-module-on-update is absent
ansible.builtin.file:
- name: Check if reload-module-on-update is set
stat:
path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
register: reload_module_on_update
tags:
- wg-config
- name: Set WireGuard reload-module-on-update
file:
dest: "{{ wireguard_remote_directory }}/.reload-module-on-update"
state: absent
state: touch
when: not reload_module_on_update.stat.exists
tags:
- wg-config
- name: Start and enable WireGuard service
ansible.builtin.service:
service:
name: "wg-quick@{{ wireguard_interface }}"
state: "{{ wireguard_service_state }}"
enabled: "{{ wireguard_service_enabled }}"
when: not ansible_os_family == 'Darwin'
state: started
enabled: yes

23
tasks/setup-almalinux-8.yml
View file

@ -1,23 +0,0 @@
---
# Copyright (C) 2021-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (AlmaLinux 8) Install EPEL & ELRepo repository
ansible.builtin.yum:
name:
- epel-release
- elrepo-release
update_cache: "{{ wireguard_update_cache }}"
- name: (AlmaLinux 8) Ensure WireGuard DKMS package is removed
ansible.builtin.yum:
name:
- "wireguard-dkms"
state: absent
- name: (AlmaLinux 8) Install WireGuard packages
ansible.builtin.yum:
name:
- "kmod-wireguard"
- "wireguard-tools"
state: present

9
tasks/setup-almalinux.yml
View file

@ -1,9 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (AlmaLinux) Install wireguard-tools package
ansible.builtin.yum:
name: wireguard-tools
state: present
update_cache: "{{ wireguard_update_cache }}"

32
tasks/setup-archlinux.yml
View file

@ -1,12 +1,32 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Archlinux) Install wireguard-lts package
pacman:
name: "{{ item.name }}"
state: "{{ item.state }}"
with_items:
- { name: wireguard-dkms, state: absent }
- { name: wireguard-lts, state: present }
become: yes
tags:
- wg-install
when:
- ansible_kernel is match(".*-lts$")
- ansible_kernel is version('5.6', '<')
- name: (Archlinux) Refresh the master package lists
community.general.pacman:
update_cache: "{{ wireguard_update_cache }}"
- name: (Archlinux) Install wireguard-dkms package
pacman:
name: wireguard-dkms
state: present
become: yes
tags:
- wg-install
when:
- not ansible_kernel is match(".*-lts$")
- ansible_kernel is version('5.6', '<')
- name: (Archlinux) Install wireguard-tools package
community.general.pacman:
pacman:
name: wireguard-tools
state: present
tags:
- wg-install

77
tasks/setup-centos-7.yml
View file

@ -1,77 +0,0 @@
---
# Copyright (C) 2020 Roman Danko
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (CentOS 7) Tasks for standard kernel
when:
- wireguard_centos7_installation_method == "standard"
block:
- name: (CentOS 7) Install EPEL & ELRepo repository
ansible.builtin.yum:
name:
- epel-release
- https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
update_cache: "{{ wireguard_update_cache }}"
- name: (CentOS 7) Install yum-plugin-elrepo
ansible.builtin.yum:
name: yum-plugin-elrepo
update_cache: "{{ wireguard_update_cache }}"
- name: (CentOS 7) Install WireGuard packages
ansible.builtin.yum:
name:
- "kmod-wireguard"
- "wireguard-tools"
state: present
register: wireguard__centos7_yum_updates
- name: (CentOS 7) Reboot Instance to update kernel
when:
- wireguard_centos7_standard_reboot
- wireguard__centos7_yum_updates.changed
ansible.builtin.reboot:
reboot_timeout: "{{ wireguard_centos7_standard_reboot_timeout }}"
- name: (CentOS 7) Ensure WireGuard DKMS package is removed
ansible.builtin.yum:
name:
- "wireguard-dkms"
state: absent
- name: (CentOS 7 - kernel-plus) Tasks for kernel-plus
when:
- wireguard_centos7_installation_method == "kernel-plus"
block:
- name: (CentOS 7) Install EPEL repository & yum utils
ansible.builtin.yum:
name:
- epel-release
- yum-utils
update_cache: "{{ wireguard_update_cache }}"
- name: (CentOS 7 - kernel-plus) Enable CentosPlus repo
ansible.builtin.command: yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
changed_when: false
- name: (CentOS 7 - kernel-plus) Update to kernel-plus
ansible.builtin.replace:
path: /etc/sysconfig/kernel
regexp: '^DEFAULTKERNEL=kernel$'
replace: 'DEFAULTKERNEL=kernel-plus'
- name: (CentOS 7 - kernel-plus) Install WireGuard packages
ansible.builtin.yum:
name:
- "kernel-plus"
- "wireguard-tools"
state: present
register: wireguard__centos7_yum_updates
- name: (CentOS 7 - kernel-plus) Reboot Instance to update kernel
when:
- wireguard_centos7_kernel_plus_reboot
- wireguard__centos7_yum_updates.changes is defined
- wireguard__centos7_yum_updates.changes.installed|flatten|select('regex', '^kernel-plus$') is any
ansible.builtin.reboot:
reboot_timeout: "{{ wireguard_centos7_kernel_plus_reboot_timeout }}"

19
tasks/setup-centos.yml Normal file
View file

@ -0,0 +1,19 @@
---
- name: (CentOS) Add WireGuard repository
get_url:
url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
dest: /etc/yum.repos.d/wireguard.repo
- name: (CentOS) Install EPEL repository
yum:
name: epel-release
update_cache: yes
- name: (CentOS) Install wireguard packages
yum:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install

16
tasks/setup-debian-pve-guest-variant.yml
View file

@ -1,16 +0,0 @@
---
# Copyright (C) 2021 Tobias Richter
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Proxmox) Add WireGuard repository
ansible.builtin.apt_repository:
repo: "deb http://deb.debian.org/debian buster-backports main"
state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"
update_cache: "{{ wireguard_update_cache }}"
- name: (Proxmox lxc) Install wireguard-tools.
ansible.builtin.apt:
install_recommends: false
name:
- wireguard-tools
state: present

23
tasks/setup-debian-pve-host-variant.yml
View file

@ -1,23 +0,0 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# Copyright (C) 2019-2020 Ties de Kock
# Copyright (C) 2021 Steve Fan
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Proxmox) Add WireGuard repository
ansible.builtin.apt_repository:
repo: "deb http://deb.debian.org/debian buster-backports main"
state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"
update_cache: "{{ wireguard_update_cache }}"
- name: (Proxmox) Install kernel headers for the currently running kernel to compile WireGuard with DKMS
ansible.builtin.apt:
name:
- "pve-headers-{{ ansible_kernel }}"
state: present
- name: (Proxmox) Install WireGuard packages
ansible.builtin.apt:
name:
- "wireguard"
state: present

87
tasks/setup-debian-raspbian-buster.yml
View file

@ -1,87 +0,0 @@
---
# Copyright (C) 2020 Stefan Haun
# SPDX-License-Identifier: GPL-3.0-or-later
# Note: This setup is called for Raspbian 10 (Buster) and lower.
# Since Raspbian 11 (Bullseye) wireguard is supported out
# of the box.
# Any Raspbian-related changes for Bullseye and above need to
# go to a separate playbook.
- name: (Raspbian) Install GPG - required to add WireGuard key
ansible.builtin.apt:
name: gnupg
state: present
- name: (Raspbian) Add Debian repository keys
ansible.builtin.apt_key:
keyserver: "keyserver.ubuntu.com"
id: "{{ item }}"
state: present
when: ansible_lsb.id == "Raspbian"
with_items:
- "04EE7237B7D453EC"
- "648ACFD622F3D138"
- name: (Raspbian) Add Debian Buster Backports repository for WireGuard
ansible.builtin.apt_repository:
repo: "deb http://deb.debian.org/debian buster-backports main"
state: present
update_cache: "{{ wireguard_update_cache }}"
- name: (Raspbian) Install latest kernel
ansible.builtin.apt:
name:
- "raspberrypi-kernel"
state: latest # noqa package-latest
register: wireguard__register_kernel_update
- name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
ansible.builtin.reboot:
search_paths: ['/lib/molly-guard', '/usr/sbin', '/sbin']
when:
- ansible_version.full is version('2.8.0', '>=')
- wireguard__register_kernel_update is changed
- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
ansible.builtin.stat:
path: /lib/molly-guard/
register: wireguard__register_molly_guard
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
ansible.builtin.reboot:
when:
- ansible_version.full is version('2.8.0', '<')
- wireguard__register_kernel_update is changed
- not wireguard__register_molly_guard.stat.exists
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
ansible.builtin.command: /lib/molly-guard/shutdown -r now
async: 1
poll: 0
ignore_unreachable: true
changed_when: false
when:
- ansible_version.full is version('2.8.0', '<')
- wireguard__register_kernel_update is changed
- wireguard__register_molly_guard.stat.exists
- name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
ansible.builtin.wait_for_connection:
when:
- ansible_version.full is version('2.8.0', '<')
- wireguard__register_kernel_update is changed
- wireguard__register_molly_guard.stat.exists
- name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
ansible.builtin.apt:
name:
- "raspberrypi-kernel-headers"
state: latest # noqa package-latest
- name: (Raspbian) Install WireGuard packages
ansible.builtin.apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present

93
tasks/setup-debian-raspbian.yml Normal file
View file

@ -0,0 +1,93 @@
---
- name: (Raspbian) Install GPG - required to add wireguard key
apt:
name: gnupg
state: present
- name: (Raspbian) Add Debian repository key
apt_key:
keyserver: "keyserver.ubuntu.com"
id: "04EE7237B7D453EC"
state: present
when: ansible_lsb.id == "Raspbian"
tags:
- wg-install
- name: (Raspbian) Add Debian Unstable repository for WireGuard
apt_repository:
repo: "deb http://deb.debian.org/debian unstable main"
state: present
update_cache: yes
tags:
- wg-install
- name: (Raspbian) Install latest kernel
apt:
name:
- "raspberrypi-kernel"
state: latest
register: kernel_update
tags:
- wg-install
- name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
reboot:
search_paths: ['/lib/molly-guard', '/usr/sbin']
when:
- ansible_version.full is version('2.8.0', '>=')
- kernel_update is changed
tags:
- wg-install
- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
stat:
path: /lib/molly-guard/
register: molly_guard
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
reboot:
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- not molly_guard.stat.exists
tags:
- wg-install
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
command: /lib/molly-guard/shutdown -r now
async: 1
poll: 0
ignore_unreachable: yes
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- molly_guard.stat.exists
tags:
- wg-install
- name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
wait_for_connection:
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- molly_guard.stat.exists
tags:
- wg-install
- name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
apt:
name:
- "raspberrypi-kernel-headers"
state: latest
tags:
- wg-install
- name: (Raspbian) Install wireguard packages
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install

44
tasks/setup-debian-vanilla.yml
View file

@ -1,11 +1,37 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# Copyright (C) 2019-2020 Ties de Kock
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Debian) Install WireGuard packages
ansible.builtin.apt:
name:
- "wireguard"
- name: (Debian) Install GPG - required to add wireguard key
apt:
name: gnupg
state: present
update_cache: "{{ wireguard_update_cache }}"
- name: (Debian) Add WireGuard repository on buster or earlier
apt_repository:
repo: "deb http://deb.debian.org/debian buster-backports main"
state: present
update_cache: yes
when: ansible_distribution_version | int <= 10
tags:
- wg-install
- name: (Debian) Get architecture
command: "dpkg --print-architecture"
register: dpkg_arch
changed_when: False
- set_fact:
kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"
- name: (Debian) Install kernel headers to compile Wireguard with DKMS
apt:
name:
- "linux-headers-{{ kernel_header_version }}"
state: present
- name: (Debian) Install wireguard packages
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install

53
tasks/setup-debian.yml
View file

@ -1,51 +1,8 @@
---
# Copyright (C) 2020 Stefan Haun
# Copyright (C) 2021 Steve Fan
# SPDX-License-Identifier: GPL-3.0-or-later
- name: Setup for Raspbian
ansible.builtin.include_tasks:
file: "setup-debian-raspbian-buster.yml"
apply:
tags:
- wg-install
when:
- ansible_lsb.id is defined
- ansible_lsb.id == "Raspbian"
- ansible_lsb.major_release is version('11', '<')
register: wireguard__register_raspbian_setup
- include_tasks: "setup-debian-raspbian.yml"
when: ansible_lsb.id == "Raspbian"
register: raspbian_setup
- name: Setup for Proxmox VE variants
when:
- ansible_kernel.find("pve") != -1
block:
- name: Setup Proxmox VE host
ansible.builtin.include_tasks:
file: "setup-debian-pve-host-variant.yml"
apply:
tags:
- wg-install
when:
- ansible_virtualization_role == "host"
register: wireguard__register_pve_host_variant_setup
- name: Setup Proxmox VE guest
ansible.builtin.include_tasks:
file: "setup-debian-pve-guest-variant.yml"
apply:
tags:
- wg-install
when:
- ansible_virtualization_role == "guest"
register: wireguard__register_pve_guest_variant_setup
- name: Setup for Debian
ansible.builtin.include_tasks:
file: "setup-debian-vanilla.yml"
apply:
tags:
- wg-install
when:
- wireguard__register_raspbian_setup is skipped
- wireguard__register_pve_guest_variant_setup is skipped
- wireguard__register_pve_host_variant_setup is skipped
- include_tasks: "setup-debian-vanilla.yml"
when: raspbian_setup is skipped

13
tasks/setup-elementary os.yml
View file

@ -1,13 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (elementary OS) Update APT package cache
ansible.builtin.apt:
update_cache: "{{ wireguard_ubuntu_update_cache }}"
cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
- name: (elementary OS) Install wireguard package
ansible.builtin.apt:
name: "wireguard"
state: present

18
tasks/setup-fedora.yml
View file

@ -1,11 +1,17 @@
---
# Copyright (C) 2020 Ties de Kock
# Copyright (C) 2023 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Fedora) Add wireguard COPR
yum_repository:
name: "jdoss-wireguard"
description: "Copr repo for wireguard owned by jdoss"
baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/"
gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
gpgcheck: yes
- name: (Fedora) Install WireGuard packages
ansible.builtin.yum:
- name: (Fedora) Install wireguard packages
yum:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
update_cache: "{{ wireguard_update_cache }}"
tags:
- wg-install

14
tasks/setup-macosx.yml
View file

@ -1,14 +0,0 @@
---
# Copyright (C) 2020 Ruben Di Battista
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (MacOS) Install wireguard package
ansible.builtin.package:
name: wireguard-go
state: present
become: true
- name: (MacOS) Install wireguard-tools package
ansible.builtin.package:
name: wireguard-tools
state: present

10
tasks/setup-opensuse leap.yml
View file

@ -1,10 +0,0 @@
---
# Copyright (C) 2020-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (openSUSE Leap) Install WireGuard packages
community.general.zypper:
name:
- "wireguard-tools"
state: present
update_cache: "{{ wireguard_update_cache }}"

8
tasks/setup-oraclelinux.yml
View file

@ -1,8 +0,0 @@
---
# Copyright (C) 2022 Masahiro Koga
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (OracleLinux) Install wireguard-tools package
ansible.builtin.yum:
name: wireguard-tools
state: present

56
tasks/setup-rocky-8.yml
View file

@ -1,56 +0,0 @@
---
# Copyright (C) 2021-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Rocky Linux 8) Tasks for standard kernel
when:
- wireguard_rockylinux8_installation_method == "standard"
block:
- name: (Rocky Linux 8) Install EPEL & ELRepo repository
ansible.builtin.yum:
name:
- epel-release
- elrepo-release
update_cache: "{{ wireguard_update_cache }}"
- name: (Rocky Linux 8) Ensure WireGuard DKMS package is removed
ansible.builtin.yum:
name:
- "wireguard-dkms"
state: absent
- name: (Rocky Linux 8) Install WireGuard packages
ansible.builtin.yum:
name:
- "kmod-wireguard"
- "wireguard-tools"
state: present
- name: (Rocky Linux 8) Tasks for non-standard kernel
when:
- wireguard_rockylinux8_installation_method == "dkms"
block:
- name: (Rocky Linux 8) Install jdoss/wireguard COPR repository
community.general.copr:
state: enabled
name: jdoss/wireguard
chroot: epel-8-{{ ansible_architecture }}
- name: (Rocky Linux 8) Install EPEL repository
ansible.builtin.yum:
name:
- epel-release
update_cache: "{{ wireguard_update_cache }}"
- name: (Rocky Linux 8) Ensure WireGuard KMOD package is removed
ansible.builtin.yum:
name:
- "kmod-wireguard"
state: absent
- name: (Rocky Linux 8) Install WireGuard packages
ansible.builtin.yum:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present

9
tasks/setup-rocky.yml
View file

@ -1,9 +0,0 @@
---
# Copyright (C) 2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Rocky Linux) Install wireguard-tools package
ansible.builtin.yum:
name: wireguard-tools
state: present
update_cache: "{{ wireguard_update_cache }}"

64
tasks/setup-ubuntu.yml
View file

@ -1,32 +1,48 @@
---
# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
- name: (Ubuntu) Update APT package cache
ansible.builtin.apt:
apt:
update_cache: "{{ wireguard_ubuntu_update_cache }}"
cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
tags:
- wg-install
- name: (Ubuntu) Tasks for Ubuntu < 19.10
- block:
- name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
package:
name: "{{ packages }}"
state: present
vars:
packages:
- software-properties-common
- linux-headers-{{ ansible_kernel }}
tags:
- wg-install
- name: (Ubuntu) Add WireGuard repository (for Ubuntu < 19.10)
apt_repository:
repo: "ppa:wireguard/wireguard"
state: present
update_cache: yes
tags:
- wg-install
- name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10)
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
when:
- ansible_lsb.major_release is version('19.10', '<')
block:
- name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
ansible.builtin.package:
name: "{{ packages }}"
state: present
vars:
packages:
- software-properties-common
- linux-headers-{{ ansible_kernel }}
- name: (Ubuntu) Ensure WireGuard DKMS package is removed
ansible.builtin.apt:
name:
- "wireguard-dkms"
state: absent
- name: (Ubuntu) Install wireguard package
ansible.builtin.apt:
name: "wireguard"
state: present
- block:
- name: (Ubuntu) Install wireguard-tools package (for Ubuntu > 19.04)
apt:
name: "wireguard-tools"
state: present
tags:
- wg-install
when:
- ansible_lsb.major_release is version('19.04', '>')

123
templates/etc/wireguard/wg.conf.j2
View file

@ -1,123 +0,0 @@
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
{# Copyright (C) 2018-2022 Robert Wimmer
# SPDX-License-Identifier: GPL-3.0-or-later
#}
# {{ ansible_managed }}
[Interface]
# {{ inventory_hostname }}
{% if wireguard_address is defined %}
Address = {{ wireguard_address }}
{% endif %}
{% if wireguard_addresses is defined %}
{% for wg_addr in wireguard_addresses %}
Address = {{ wg_addr }}
{% endfor %}
{% endif %}
PrivateKey = {{ wireguard_private_key }}
ListenPort = {{ wireguard_port }}
{% if wireguard_dns is defined %}
DNS = {{ wireguard_dns }}
{% endif %}
{% if wireguard_fwmark is defined %}
FwMark = {{ wireguard_fwmark }}
{% endif %}
{% if wireguard_mtu is defined %}
MTU = {{ wireguard_mtu }}
{% endif %}
{% if wireguard_table is defined %}
Table = {{ wireguard_table }}
{% endif %}
{% if wireguard_preup is defined %}
{% for wg_preup in wireguard_preup %}
PreUp = {{ wg_preup }}
{% endfor %}
{% endif %}
{% if wireguard_postup is defined %}
{% for wg_postup in wireguard_postup %}
PostUp = {{ wg_postup }}
{% endfor %}
{% endif %}
{% if wireguard_predown is defined %}
{% for wg_predown in wireguard_predown %}
PreDown = {{ wg_predown }}
{% endfor %}
{% endif %}
{% if wireguard_postdown is defined %}
{% for wg_postdown in wireguard_postdown %}
PostDown = {{ wg_postdown }}
{% endfor %}
{% endif %}
{% if wireguard_save_config is defined %}
SaveConfig = {{ wireguard_save_config }}
{% endif %}
{% for host in ansible_play_hosts %}
{% if host != inventory_hostname %}
[Peer]
# {{ host }}
PublicKey = {{hostvars[host].wireguard__fact_public_key}}
{% if hostvars[host].wireguard_allowed_ips is defined %}
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
{% else %}
{% if wireguard_address is defined %}
AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32
{% endif %}
{% if wireguard_addresses is defined %}
{% for wg_addr in hostvars[host].wireguard_addresses %}
{% if (wg_addr | ansible.utils.ipv4) %}
AllowedIPs = {{ wg_addr.split('/')[0] }}/32
{% elif (wg_addr | ansible.utils.ipv6) %}
AllowedIPs = {{ wg_addr.split('/')[0] }}/128
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
{% if hostvars[host].wireguard_persistent_keepalive is defined %}
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
{% endif %}
{% if (
hostvars[host].wireguard_dc is defined and
wireguard_dc is defined and
wireguard_dc['name'] != hostvars[host].wireguard_dc['name']
)
%}
Endpoint = {{hostvars[host].wireguard_dc['endpoint']}}:{{hostvars[host].wireguard_dc['port']}}
{% elif hostvars[host].wireguard_port is defined %}
{% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
{% else %}
Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
{% endif %}
{% elif hostvars[host].wireguard_endpoint is defined %}
{% if hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
{% else %}
# No endpoint defined for this peer
{% endif %}
{% else %}
Endpoint = {{host}}:{{wireguard_port}}
{% endif %}
{% endif %}
{% endfor %}
{% if wireguard_unmanaged_peers is defined %}
# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
{% for peer in wireguard_unmanaged_peers.keys() %}
[Peer]
# {{ peer }}
PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
{% if wireguard_unmanaged_peers[peer].preshared_key is defined %}
PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].endpoint is defined %}
Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
{% endif %}
{% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
{% endif %}
{% endfor %}
{% endif %}

70
templates/wg.conf.j2 Normal file
View file

@ -0,0 +1,70 @@
#jinja2: lstrip_blocks:"True",trim_blocks:"True"
[Interface]
# {{ inventory_hostname }}
Address = {{hostvars[inventory_hostname].wireguard_address}}
PrivateKey = {{private_key}}
ListenPort = {{wireguard_port}}
{% if hostvars[inventory_hostname].wireguard_dns is defined %}
DNS = {{hostvars[inventory_hostname].wireguard_dns}}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_fwmark is defined %}
FwMark = {{hostvars[inventory_hostname].wireguard_fwmark}}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_mtu is defined %}
MTU = {{hostvars[inventory_hostname].wireguard_mtu}}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_table is defined %}
Table = {{hostvars[inventory_hostname].wireguard_table}}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_preup is defined %}
{% for wg_preup in hostvars[inventory_hostname].wireguard_preup %}
PreUp = {{ wg_preup }}
{% endfor %}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_predown is defined %}
{% for wg_predown in hostvars[inventory_hostname].wireguard_predown %}
PreDown = {{ wg_predown }}
{% endfor %}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_postup is defined %}
{% for wg_postup in hostvars[inventory_hostname].wireguard_postup %}
PostUp = {{ wg_postup }}
{% endfor %}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_postdown is defined %}
{% for wg_postdown in hostvars[inventory_hostname].wireguard_postdown %}
PostDown = {{ wg_postdown }}
{% endfor %}
{% endif %}
{% if hostvars[inventory_hostname].wireguard_save_config is defined %}
SaveConfig = true
{% endif %}
{% for host in ansible_play_hosts %}
{% if host != inventory_hostname %}
[Peer]
# {{ host }}
PublicKey = {{hostvars[host].public_key}}
{% if hostvars[host].wireguard_allowed_ips is defined %}
AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
{% else %}
AllowedIPs = {{hostvars[host].wireguard_ip}}/32
{% endif %}
{% if hostvars[host].wireguard_persistent_keepalive is defined %}
PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
{% endif %}
{% if hostvars[host].wireguard_port is defined and hostvars[host].wireguard_port is number %}
{% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
{% else %}
Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
{% endif %}
{% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
{% elif hostvars[host].wireguard_endpoint == "" %}
# No endpoint defined for this peer
{% else %}
Endpoint = {{host}}:{{wireguard_port}}
{% endif %}
{% endif %}
{% endfor %}

4
vars/mobile01.yml Normal file
View file

@ -0,0 +1,4 @@
wireguard_address: "10.8.0.11"
wireguard_port: "51820"
wireguard_dns: "1.1.1.1"
wireguard_mtu: "1492"

4
vars/tablet01.yml Normal file
View file

@ -0,0 +1,4 @@
wireguard_address: "10.8.0.10"
wireguard_port: "51820"
wireguard_dns: "1.1.1.1"
wireguard_mtu: "1492"