remove wg-unmanaged.conf.j2

skeleton for unmanged hosts
42 changed files with 567 additions and 2619 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,39 +0,0 @@
 ---
 # This workflow requires a GALAXY_API_KEY secret present in the GitHub
 # repository or organization.
 #
 # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
 # See: https://github.com/ansible/galaxy/issues/46
 name: Release
 on:
  push:
    tags:
      - '*'
 defaults:
  run:
    working-directory: 'githubixx.ansible_role_wireguard'
 jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v2
        with:
          path: 'githubixx.ansible_role_wireguard'
      - name: Set up Python 3.
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Install Ansible.
        run: pip3 install ansible-core
      - name: Trigger a new import on Galaxy.
        run: >-
          ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
          $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +0,0 @@
 # Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 molecule/kvm/.vagrant
--- a/.reuse/dep5
+++ b/.reuse/dep5
@ -1,10 +0,0 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: ansible-role-wireguard
 Upstream-Contact: Robert Wimmer <>
 Source: https://github.com/githubixx/ansible-role-wireguard
 # Sample paragraph, commented out:
 #
 # Files: src/*
 # Copyright: $YEAR $NAME <$CONTACT>
 # License: ...
--- a/.yamllint
+++ b/.yamllint
@ -1,9 +0,0 @@
 ---
 extends: default
 rules:
  line-length:
    max: 150
    level: warning
  comments-indentation: disable
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,209 +1,25 @@
-<!--
+Changelog
-Copyright (C) 2018-2023 Robert Wimmer
+---------
 SPDX-License-Identifier: GPL-3.0-or-later
 -->
-# Changelog
+**6.3.1**
 ## 14.0.0
 - **BREAKING** CentOS7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very first time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed.
 - CentOS7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee)
 - **BREAKING** Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question.
 - variable `wireguard_ubuntu_update_cache` is deprecated
 - add support for Oracle Linux 9 (contribution by @cola-zero)
 ## 13.0.1
 - [fix](https://github.com/githubixx/ansible-role-wireguard/pull/182) in README
 ## 13.0.0
 - add IPv6 support (contribution by @DiscowZombie)
 - introduce `wireguard_addresses` variable (contribution by @DiscowZombie)
 ## 12.0.0
 - remove Fedora 35 support (reached EOL)
 - remove openSUSE 15.3 support (reached EOL)
 - remove Debian 10 (Buster) support (reached EOL)
 - fix Molecule prepare for Archlinux
 - fix `ansible-lint` issue in `tasks/setup-debian-raspbian-buster.yml`
 ## 11.1.0
 - add support for elementary OS 6
 - ignore some minor linter warnings
 ## 11.0.0
 - add support for Rocky Linux 9 (original PR from @vincentDcmps: https://github.com/githubixx/ansible-role-wireguard/pull/163)
 - add support for AlmaLinux 9 (original PR from @trunet: https://github.com/githubixx/ansible-role-wireguard/pull/164)
 - add `EL9` to `meta/main.yml`
 - require Ansible >= `2.11` as Rocky Linux is only supported with this version or above
 - `ansible-lint`: use `community.general.pacman` module instead of `ansible.builtin.pacman` for Archlinux setup
 ## 10.0.0
 - remove Fedora 34 + add Fedora 36 to Molecule test
 - remove support for Fedora 35 / add support for Fedora 36
 - add Molecule setup for openSUSE 15.4
 - add Github release action to push new release to Ansible Galaxy
 - add `.yamllint`
 - `tasks/main.yml`: names should start with an uppercase letter
 - `handlers/main.yml`: names should start with an uppercase letter
 - improve the task key order to: name, when, tags, block
 - fix Jinja2 spacing
 ## 9.3.0
 - add support for Ubuntu 22.04 (Jammy Jellyfish)
 ## 9.2.0
 - add `wireguard_interface_restart` variable. This allows the user to decide if the WireGuard interface should be restarted or not in case of changes to the interface. The default is (and was) to use `wg syncconf` which applies the changes to the interface without the need to restart the interface. Restarting the interface was only done if `wg`'s `syncconf` command wasn't available. But that's basically only true for very old (and outdated) WireGuard tools. For more information on this have a look at the README (initial [PR](https://github.com/githubixx/ansible-role-wireguard/pull/152) by @lmm-git)
 - on Debian `lsb-release` is no longer needed (contribution by @blackandred)
 - WireGuard is directly supported by `Raspbian 11` (Bullseye) and higher. So `Raspbian 11` and `Raspbian 10 (Buster)` (and lower) needs to be handled a little bit differently. (contribution by @penguineer)
 - implement a very basic Molecule unit test
 ## 9.1.0
 - For `Rocky Linux 8` only: Added variable `wireguard_rockylinux8_installation_method`. Set `wireguard_rockylinux8_installation_method` to `dkms` to build WireGuard module from source, with wireguard-dkms. This is required if you use a custom kernel and/or your arch is not `x86_64`. The default of `standard` will install the kernel module with kmod-wireguard from ELRepo (contribution by @gitouche-sur-osm)
 ## 9.0.1
 - FIX: The template rendering the WireGuard configuration only checked if `wireguard_save_config` was set and if so sets `SaveConfig = true`. So setting `wireguard_save_config: "false"` had no effect.
 ## 9.0.0
 - set minimally required Ansible version to `2.9` (contribution by @8ware)
 - fully qualify modules names (requires Ansible >= 2.9) (contribution by @8ware)
 - rearrange hooks to match lifecycle order (contribution by @8ware)
 - remove `CentOS 8` support (reached end of life) - use AlmaLinux or Rocky Linux instead
 - remove `Fedora 33` support (reached end of life)
 - remove `openSUSE Leap 15.2` support (reached end of life)
 - add `openSUSE 15.3` support
 - add `Fedora 35` support
 - remove Proxmox from Molecule test (Vagrant boxes for Proxmox are not useable)
 - Remove unnecessary check if value is an integer on `wireguard_port` (see [#112](https://github.com/githubixx/ansible-role-wireguard/pull/112) (contribution by @abelfodil)
 ## 8.4.0
 - add support for installing wireguard in pve lxc guest (contribution by @tobias-richter)
 ## 8.3.0
 - add Molecule test for CentOS 7 `kernel-plus`
 ## 8.2.0
 - add support for `kernel-plus` for CentOS 7 (contribution by @john-p-potter)
 ## 8.1.0
 - add Rocky Linux support
 - add AlmaLinux support
 - add Molecule tests for Rocky Linux and AlmaLinux
 ## 8.0.0
 - add `Debian 11 (Bullseye)` support
 - add 'Fedora 34` support
 - remove `Fedora 32` support (EOL was in May 2021)
 - fix various issues reported by `ansible-lint`
 - Archlinux: As `linux-lts` is using kernel `5.10` now there is no need to install `wireguard-lts` + WireGuard DKMS packages any longer (and this packages are gone anyway)
 ## 7.12.0
 - Refactor `wg-install` tag handling. For more details see [Fix tag "wg-install" & Add no_log](https://github.com/githubixx/ansible-role-wireguard/pull/110) and [Tag wg-install is not applied properly](Tag wg-install is not applied properly) (contribution by @moonrail)
 - Default verbosity of 0 or slight increases up to 2 will now not print any private keys to output (contribution by @moonrail)
 ## 7.11.0
 - Introduce new variables `wireguard_service_enabled` and `wireguard_service_state` (contribution by @tjend)
 ## 7.10.0
 - Support for Proxmox
 - Check if `wireguard_endpoint` exists before checking if it is empty
 ## 7.9.0
 - Added support for `Fedora 33` (contribution by @wzzrd)
 - Removed support for `Fedora 31` (reached end of life)
 ## 7.8.0
 - Added support for `openSUSE Leap 15.2`
 ## 7.7.0
 - Use wireguard packages from Debian Backports instead of Debian Sid, these packages are more suitable for a stable distribution and have less impact on the system. Packages from unstable must be removed manually (including kernel) to make the switch on an existing system. Upgrading the role has no effect other than adding Debian Backports to the Apt repositories.
 - Fix reboot mechanism in Raspbian role, now also works without `molly-guard`
 ## 7.6.0
 - Added `wireguard_private_key` variable (contribution by @j8r)
 - Fix check mode for Debian (contribution by @j8r)
 ## 7.5.0
 - `wireguard` package is now available for Ubuntu 18.04 in universe repository. Before that `ppa:wireguard/wireguard` was used but that one isn't available anymore. The install procedure for Ubuntu 18.04 and 20.04 is now the same as both can use `wireguard` metapackage now. The role takes care to remove `wireguard-dkms` package in favour of `wireguard` metapackage but it leaves the configuration file for `ppa:wireguard/wireguard` repository untouched. So it's up to you to remove that PPA. Either use `apt-add-repository --remove ppa:wireguard/wireguard` or remove the file manually at `/etc/apt/sources.list.d/` directory (you man need to run `apt-get update` afterwards).
 ## 7.4.0
 - Added initial molecule infrastructure
 - Remove useless block for single task in `setup-debian-vanilla.yml` (contribution by @rubendibattista)
 ## 7.3.1
 - Debian only: Ensure the headers for the currently running kernel are installed instead of the latest one which might not be running yet. This allows DKMS to build the module for the current kernel version and avoids the need for an reboot to load the module. (contribution by @ldelelis and @ypid)
 ## 7.3.0
 - Fix spelling and typos in docs. (contribution by @ypid)
 - Drop Debian Stretch from the list of tested Linux distributions. Actual support was dropped/broken in 6.0.4 without updating the docs. (contribution by @ypid)
 - Remove obsolete `.reload-module-on-update` file. It does not serve any function anymore after support for module reloading has been removed from the postinst script in 0.0.20200215-2 on 2020-02-24. A module update is properly signaled via /run/reboot-required so that the admin can (automatically) schedule a reboot when convenient. This will also be more in line with future Debian releases because starting with Debian bullseye, the kernel ships the module. (contribution by @ypid)
 - Add `ansible_managed` header to WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`). (contribution by @ypid)
 - Behind the scenes coding style improvements and cleanup without user impact. (contribution by @ypid)
 ## 7.2.0
 - Basic MacOS X support (contribution by @rubendibattista)
 - Introduce variables `wireguard_conf_owner`, `wireguard_conf_group` and `wireguard_conf_mode` (contribution by @rubendibattista)
 - Fixed a typo bug in `handlers/main.yml` (contribution by @gabriel-v). But it looks like this had no impact on the "sync/restart" functionality.
 - Proper formatting of WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`).
 - Introduce `wireguard_dc` variable. This is an alpha feature and subject to change and may be even removed in future releases again. Therefore no documentation for this variable yet.
 ## 7.1.0
 - Add support for unmanaged peers with `wireguard_unmanaged_peers` (contribution by @joneskoo)
 ## 7.0.0
 - Switched to install from ELRepo KMOD package for CentOS (see [WireGuard installation](https://www.wireguard.com/install/)). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik)
 - Role removes DKMS WireGuard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by removing `/etc/yum.repos.d/wireguard.repo`
 ## 6.3.1
 - Support Openstack Debian images (contribution by @pallinger)
-## 6.3.0
+**6.3.0**
 - Support Raspbian (contribution by @penguineer)
-## 6.2.0
+**6.2.0**
 - Support Ubuntu 20.04 (Focal Fossa)
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specify individual Ubuntu package cache settings. Default values are the same as before.
+- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before.
 - As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases.
-## 6.1.0
+**6.1.0**
 - Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package.
-## 6.0.4
+**6.0.4**
 - Use the buster-backports repository on Debian Buster (or older), use package standard repositories on sid/bullseye.
  standard repositories on sid/bullseye.
@ -213,94 +29,95 @@ SPDX-License-Identifier: GPL-3.0-or-later
  If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) updates from `unstable` are accepted by apt. This likely is not what you want and may lead to an unstable state.
  If you want to clean up:
-  - remove `/etc/apt/preferences.d/limit-unstable` and
+    * remove `/etc/apt/preferences.d/limit-unstable` and
-  - remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.
+    * remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.
  The backports repository has a lower priority and does not need an apt preference.
-## 6.0.3
+**6.0.3**
 - If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru)
-## 6.0.2
+**6.0.2**
 - Debian: install `gnupg` package instead of `gpg`. (contribution by @zinefer)
-## 6.0.1
+**6.0.1**
 - add shell options to syncconf handler to fail fast in case of error
-## 6.0.0
+**6.0.0**
 - Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
-## 5.0.0
+**5.0.0**
 - `wireguard_(preup|postdown|preup|predown)` settings are now a list. If more `iptables` commands needs to be specified e.g. then this changes makes it more readable. The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8). Also see README for more examples. (contribution by @Madic-)
-## 4.2.0
+**4.2.0**
 - Add support for Fedora (contribution by @ties)
-## 4.1.1
+
 **4.1.1**
 - Install GPG to be able to import WireGuard key (Debian)
-## 4.1.0
+**4.1.0**
- Allow to specify additional Wireguard interface options: `fwmark`, `mtu`, `table`, `preup` and `predown` (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8))
+- Allow to specifiy additional Wireguard interface options: `fwmark`, `mtu`, `table`, `preup` and `predown` (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8))
 - Add host comments in Wireguard config file
-## 4.0.0
+**4.0.0**
 - While the changes introduced are backwards compatible in general if you stay with your current settings some variables are no longer needed. So this is partly a breaking change and therefore justifies a new major version.
 - Support multiple Wireguard interfaces. See README for examples (contribution by fbourqui)
 - Make role stateless: In the previous versions the private and public keys of the Wireguard hosts were stored locally in the directory defined with the `wireguard_cert_directory` variable. This is no longer the case. The variables `wireguard_cert_directory`, `wireguard_cert_owner` and `wireguard_cert_group` are no longer needed and were removed. If you used this role before this release it's safe to remove them from your settings. The directory that was defined with the `wireguard_cert_directory` variable will be kept. While not tested it may enable you to go back to an older version of this role and it should still work (contribution by fbourqui)
 - Reminder: `wireguard_cert_directory` default was `~/wireguard/certs`. Public and Private keys where stored on the host running ansible playbook. As a security best practice private keys of all your WireGuard endpoints should not be kept locally.
-## 3.2.2
+**3.2.2**
- remove unneeded `with_inventory_hostnames` loops (thanks to @pierreozoux for initial PR)
+- remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR)
-## 3.2.1
+**3.2.1**
- remove unnecessary files (contribution by @pierreozoux)
+- remove unecessary files (contribution by pierreozoux)
-## 3.2.0
+**3.2.0**
- add support for RHEL/CentOS (contribution by @ahanselka)
+- add support for RHEL/CentOS (contribution by ahanselka)
-## 3.1.0
+**3.1.0**
- pass package list directly to some modules by using the new and preferred syntax instead `loop` or `with_items` (contribution by @ahanselka)
+- pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka)
-## 3.0.1
+**3.0.1**
 - fix address in README
-## 3.0.0
+**3.0.0**
- support for Debian added (contribution by @ties)
+- support for Debian added (contribution by ties)
-## 2.0.1
+**2.0.1**
 - make Ansible linter happy
-## 2.0.0
+**2.0.0**
- use correct semantic versioning as described in [Semantic versioning](https://semver.org). Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
+- use correct semantic versioning as described in https://semver.org. Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
 - moved changelog entries to separate file
 - make Ansible linter happy
 - no major changes but decided to start a new major release as versioning scheme changed quite heavily
-## v1.0.2
+**v1.0.2**
 - update README
-## v1.0.1
+**v1.0.1**
 - update README
-## v1.0.0
+**v1.0.0**
 - initial implementation
--- a/LICENSES/GPL-3.0-or-later.txt
+++ b/LICENSES/GPL-3.0-or-later.txt
@ -1,625 +0,0 @@
 GNU GENERAL PUBLIC LICENSE
 Version 3, 29 June 2007
 Copyright © 2007 Free Software Foundation, Inc. <https://fsf.org/>
 Everyone is permitted to copy and distribute verbatim copies of this license
 document, but changing it is not allowed.
 Preamble
 The GNU General Public License is a free, copyleft license for software and
 other kinds of works.
 The licenses for most software and other practical works are designed to take
 away your freedom to share and change the works. By contrast, the GNU General
 Public License is intended to guarantee your freedom to share and change all
 versions of a program--to make sure it remains free software for all its users.
 We, the Free Software Foundation, use the GNU General Public License for most
 of our software; it applies also to any other work released this way by its
 authors. You can apply it to your programs, too.
 When we speak of free software, we are referring to freedom, not price. Our
 General Public Licenses are designed to make sure that you have the freedom
 to distribute copies of free software (and charge for them if you wish), that
 you receive source code or can get it if you want it, that you can change
 the software or use pieces of it in new free programs, and that you know you
 can do these things.
 To protect your rights, we need to prevent others from denying you these rights
 or asking you to surrender the rights. Therefore, you have certain responsibilities
 if you distribute copies of the software, or if you modify it: responsibilities
 to respect the freedom of others.
 For example, if you distribute copies of such a program, whether gratis or
 for a fee, you must pass on to the recipients the same freedoms that you received.
 You must make sure that they, too, receive or can get the source code. And
 you must show them these terms so they know their rights.
 Developers that use the GNU GPL protect your rights with two steps: (1) assert
 copyright on the software, and (2) offer you this License giving you legal
 permission to copy, distribute and/or modify it.
 For the developers' and authors' protection, the GPL clearly explains that
 there is no warranty for this free software. For both users' and authors'
 sake, the GPL requires that modified versions be marked as changed, so that
 their problems will not be attributed erroneously to authors of previous versions.
 Some devices are designed to deny users access to install or run modified
 versions of the software inside them, although the manufacturer can do so.
 This is fundamentally incompatible with the aim of protecting users' freedom
 to change the software. The systematic pattern of such abuse occurs in the
 area of products for individuals to use, which is precisely where it is most
 unacceptable. Therefore, we have designed this version of the GPL to prohibit
 the practice for those products. If such problems arise substantially in other
 domains, we stand ready to extend this provision to those domains in future
 versions of the GPL, as needed to protect the freedom of users.
 Finally, every program is threatened constantly by software patents. States
 should not allow patents to restrict development and use of software on general-purpose
 computers, but in those that do, we wish to avoid the special danger that
 patents applied to a free program could make it effectively proprietary. To
 prevent this, the GPL assures that patents cannot be used to render the program
 non-free.
 The precise terms and conditions for copying, distribution and modification
 follow.
 TERMS AND CONDITIONS
   0. Definitions.
   "This License" refers to version 3 of the GNU General Public License.
 "Copyright" also means copyright-like laws that apply to other kinds of works,
 such as semiconductor masks.
 "The Program" refers to any copyrightable work licensed under this License.
 Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals
 or organizations.
 To "modify" a work means to copy from or adapt all or part of the work in
 a fashion requiring copyright permission, other than the making of an exact
 copy. The resulting work is called a "modified version" of the earlier work
 or a work "based on" the earlier work.
 A "covered work" means either the unmodified Program or a work based on the
 Program.
 To "propagate" a work means to do anything with it that, without permission,
 would make you directly or secondarily liable for infringement under applicable
 copyright law, except executing it on a computer or modifying a private copy.
 Propagation includes copying, distribution (with or without modification),
 making available to the public, and in some countries other activities as
 well.
 To "convey" a work means any kind of propagation that enables other parties
 to make or receive copies. Mere interaction with a user through a computer
 network, with no transfer of a copy, is not conveying.
 An interactive user interface displays "Appropriate Legal Notices" to the
 extent that it includes a convenient and prominently visible feature that
 (1) displays an appropriate copyright notice, and (2) tells the user that
 there is no warranty for the work (except to the extent that warranties are
 provided), that licensees may convey the work under this License, and how
 to view a copy of this License. If the interface presents a list of user commands
 or options, such as a menu, a prominent item in the list meets this criterion.
   1. Source Code.
 The "source code" for a work means the preferred form of the work for making
 modifications to it. "Object code" means any non-source form of a work.
 A "Standard Interface" means an interface that either is an official standard
 defined by a recognized standards body, or, in the case of interfaces specified
 for a particular programming language, one that is widely used among developers
 working in that language.
 The "System Libraries" of an executable work include anything, other than
 the work as a whole, that (a) is included in the normal form of packaging
 a Major Component, but which is not part of that Major Component, and (b)
 serves only to enable use of the work with that Major Component, or to implement
 a Standard Interface for which an implementation is available to the public
 in source code form. A "Major Component", in this context, means a major essential
 component (kernel, window system, and so on) of the specific operating system
 (if any) on which the executable work runs, or a compiler used to produce
 the work, or an object code interpreter used to run it.
 The "Corresponding Source" for a work in object code form means all the source
 code needed to generate, install, and (for an executable work) run the object
 code and to modify the work, including scripts to control those activities.
 However, it does not include the work's System Libraries, or general-purpose
 tools or generally available free programs which are used unmodified in performing
 those activities but which are not part of the work. For example, Corresponding
 Source includes interface definition files associated with source files for
 the work, and the source code for shared libraries and dynamically linked
 subprograms that the work is specifically designed to require, such as by
 intimate data communication or control flow between those subprograms and
 other parts of the work.
 The Corresponding Source need not include anything that users can regenerate
 automatically from other parts of the Corresponding Source.
   The Corresponding Source for a work in source code form is that same work.
   2. Basic Permissions.
 All rights granted under this License are granted for the term of copyright
 on the Program, and are irrevocable provided the stated conditions are met.
 This License explicitly affirms your unlimited permission to run the unmodified
 Program. The output from running a covered work is covered by this License
 only if the output, given its content, constitutes a covered work. This License
 acknowledges your rights of fair use or other equivalent, as provided by copyright
 law.
 You may make, run and propagate covered works that you do not convey, without
 conditions so long as your license otherwise remains in force. You may convey
 covered works to others for the sole purpose of having them make modifications
 exclusively for you, or provide you with facilities for running those works,
 provided that you comply with the terms of this License in conveying all material
 for which you do not control copyright. Those thus making or running the covered
 works for you must do so exclusively on your behalf, under your direction
 and control, on terms that prohibit them from making any copies of your copyrighted
 material outside their relationship with you.
 Conveying under any other circumstances is permitted solely under the conditions
 stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
 No covered work shall be deemed part of an effective technological measure
 under any applicable law fulfilling obligations under article 11 of the WIPO
 copyright treaty adopted on 20 December 1996, or similar laws prohibiting
 or restricting circumvention of such measures.
 When you convey a covered work, you waive any legal power to forbid circumvention
 of technological measures to the extent such circumvention is effected by
 exercising rights under this License with respect to the covered work, and
 you disclaim any intention to limit operation or modification of the work
 as a means of enforcing, against the work's users, your or third parties'
 legal rights to forbid circumvention of technological measures.
   4. Conveying Verbatim Copies.
 You may convey verbatim copies of the Program's source code as you receive
 it, in any medium, provided that you conspicuously and appropriately publish
 on each copy an appropriate copyright notice; keep intact all notices stating
 that this License and any non-permissive terms added in accord with section
 7 apply to the code; keep intact all notices of the absence of any warranty;
 and give all recipients a copy of this License along with the Program.
 You may charge any price or no price for each copy that you convey, and you
 may offer support or warranty protection for a fee.
   5. Conveying Modified Source Versions.
 You may convey a work based on the Program, or the modifications to produce
 it from the Program, in the form of source code under the terms of section
 4, provided that you also meet all of these conditions:
 a) The work must carry prominent notices stating that you modified it, and
 giving a relevant date.
 b) The work must carry prominent notices stating that it is released under
 this License and any conditions added under section 7. This requirement modifies
 the requirement in section 4 to "keep intact all notices".
 c) You must license the entire work, as a whole, under this License to anyone
 who comes into possession of a copy. This License will therefore apply, along
 with any applicable section 7 additional terms, to the whole of the work,
 and all its parts, regardless of how they are packaged. This License gives
 no permission to license the work in any other way, but it does not invalidate
 such permission if you have separately received it.
 d) If the work has interactive user interfaces, each must display Appropriate
 Legal Notices; however, if the Program has interactive interfaces that do
 not display Appropriate Legal Notices, your work need not make them do so.
 A compilation of a covered work with other separate and independent works,
 which are not by their nature extensions of the covered work, and which are
 not combined with it such as to form a larger program, in or on a volume of
 a storage or distribution medium, is called an "aggregate" if the compilation
 and its resulting copyright are not used to limit the access or legal rights
 of the compilation's users beyond what the individual works permit. Inclusion
 of a covered work in an aggregate does not cause this License to apply to
 the other parts of the aggregate.
   6. Conveying Non-Source Forms.
 You may convey a covered work in object code form under the terms of sections
 4 and 5, provided that you also convey the machine-readable Corresponding
 Source under the terms of this License, in one of these ways:
 a) Convey the object code in, or embodied in, a physical product (including
 a physical distribution medium), accompanied by the Corresponding Source fixed
 on a durable physical medium customarily used for software interchange.
 b) Convey the object code in, or embodied in, a physical product (including
 a physical distribution medium), accompanied by a written offer, valid for
 at least three years and valid for as long as you offer spare parts or customer
 support for that product model, to give anyone who possesses the object code
 either (1) a copy of the Corresponding Source for all the software in the
 product that is covered by this License, on a durable physical medium customarily
 used for software interchange, for a price no more than your reasonable cost
 of physically performing this conveying of source, or (2) access to copy the
 Corresponding Source from a network server at no charge.
 c) Convey individual copies of the object code with a copy of the written
 offer to provide the Corresponding Source. This alternative is allowed only
 occasionally and noncommercially, and only if you received the object code
 with such an offer, in accord with subsection 6b.
 d) Convey the object code by offering access from a designated place (gratis
 or for a charge), and offer equivalent access to the Corresponding Source
 in the same way through the same place at no further charge. You need not
 require recipients to copy the Corresponding Source along with the object
 code. If the place to copy the object code is a network server, the Corresponding
 Source may be on a different server (operated by you or a third party) that
 supports equivalent copying facilities, provided you maintain clear directions
 next to the object code saying where to find the Corresponding Source. Regardless
 of what server hosts the Corresponding Source, you remain obligated to ensure
 that it is available for as long as needed to satisfy these requirements.
 e) Convey the object code using peer-to-peer transmission, provided you inform
 other peers where the object code and Corresponding Source of the work are
 being offered to the general public at no charge under subsection 6d.
 A separable portion of the object code, whose source code is excluded from
 the Corresponding Source as a System Library, need not be included in conveying
 the object code work.
 A "User Product" is either (1) a "consumer product", which means any tangible
 personal property which is normally used for personal, family, or household
 purposes, or (2) anything designed or sold for incorporation into a dwelling.
 In determining whether a product is a consumer product, doubtful cases shall
 be resolved in favor of coverage. For a particular product received by a particular
 user, "normally used" refers to a typical or common use of that class of product,
 regardless of the status of the particular user or of the way in which the
 particular user actually uses, or expects or is expected to use, the product.
 A product is a consumer product regardless of whether the product has substantial
 commercial, industrial or non-consumer uses, unless such uses represent the
 only significant mode of use of the product.
 "Installation Information" for a User Product means any methods, procedures,
 authorization keys, or other information required to install and execute modified
 versions of a covered work in that User Product from a modified version of
 its Corresponding Source. The information must suffice to ensure that the
 continued functioning of the modified object code is in no case prevented
 or interfered with solely because modification has been made.
 If you convey an object code work under this section in, or with, or specifically
 for use in, a User Product, and the conveying occurs as part of a transaction
 in which the right of possession and use of the User Product is transferred
 to the recipient in perpetuity or for a fixed term (regardless of how the
 transaction is characterized), the Corresponding Source conveyed under this
 section must be accompanied by the Installation Information. But this requirement
 does not apply if neither you nor any third party retains the ability to install
 modified object code on the User Product (for example, the work has been installed
 in ROM).
 The requirement to provide Installation Information does not include a requirement
 to continue to provide support service, warranty, or updates for a work that
 has been modified or installed by the recipient, or for the User Product in
 which it has been modified or installed. Access to a network may be denied
 when the modification itself materially and adversely affects the operation
 of the network or violates the rules and protocols for communication across
 the network.
 Corresponding Source conveyed, and Installation Information provided, in accord
 with this section must be in a format that is publicly documented (and with
 an implementation available to the public in source code form), and must require
 no special password or key for unpacking, reading or copying.
   7. Additional Terms.
 "Additional permissions" are terms that supplement the terms of this License
 by making exceptions from one or more of its conditions. Additional permissions
 that are applicable to the entire Program shall be treated as though they
 were included in this License, to the extent that they are valid under applicable
 law. If additional permissions apply only to part of the Program, that part
 may be used separately under those permissions, but the entire Program remains
 governed by this License without regard to the additional permissions.
 When you convey a copy of a covered work, you may at your option remove any
 additional permissions from that copy, or from any part of it. (Additional
 permissions may be written to require their own removal in certain cases when
 you modify the work.) You may place additional permissions on material, added
 by you to a covered work, for which you have or can give appropriate copyright
 permission.
 Notwithstanding any other provision of this License, for material you add
 to a covered work, you may (if authorized by the copyright holders of that
 material) supplement the terms of this License with terms:
 a) Disclaiming warranty or limiting liability differently from the terms of
 sections 15 and 16 of this License; or
 b) Requiring preservation of specified reasonable legal notices or author
 attributions in that material or in the Appropriate Legal Notices displayed
 by works containing it; or
 c) Prohibiting misrepresentation of the origin of that material, or requiring
 that modified versions of such material be marked in reasonable ways as different
 from the original version; or
 d) Limiting the use for publicity purposes of names of licensors or authors
 of the material; or
 e) Declining to grant rights under trademark law for use of some trade names,
 trademarks, or service marks; or
 f) Requiring indemnification of licensors and authors of that material by
 anyone who conveys the material (or modified versions of it) with contractual
 assumptions of liability to the recipient, for any liability that these contractual
 assumptions directly impose on those licensors and authors.
 All other non-permissive additional terms are considered "further restrictions"
 within the meaning of section 10. If the Program as you received it, or any
 part of it, contains a notice stating that it is governed by this License
 along with a term that is a further restriction, you may remove that term.
 If a license document contains a further restriction but permits relicensing
 or conveying under this License, you may add to a covered work material governed
 by the terms of that license document, provided that the further restriction
 does not survive such relicensing or conveying.
 If you add terms to a covered work in accord with this section, you must place,
 in the relevant source files, a statement of the additional terms that apply
 to those files, or a notice indicating where to find the applicable terms.
 Additional terms, permissive or non-permissive, may be stated in the form
 of a separately written license, or stated as exceptions; the above requirements
 apply either way.
   8. Termination.
 You may not propagate or modify a covered work except as expressly provided
 under this License. Any attempt otherwise to propagate or modify it is void,
 and will automatically terminate your rights under this License (including
 any patent licenses granted under the third paragraph of section 11).
 However, if you cease all violation of this License, then your license from
 a particular copyright holder is reinstated (a) provisionally, unless and
 until the copyright holder explicitly and finally terminates your license,
 and (b) permanently, if the copyright holder fails to notify you of the violation
 by some reasonable means prior to 60 days after the cessation.
 Moreover, your license from a particular copyright holder is reinstated permanently
 if the copyright holder notifies you of the violation by some reasonable means,
 this is the first time you have received notice of violation of this License
 (for any work) from that copyright holder, and you cure the violation prior
 to 30 days after your receipt of the notice.
 Termination of your rights under this section does not terminate the licenses
 of parties who have received copies or rights from you under this License.
 If your rights have been terminated and not permanently reinstated, you do
 not qualify to receive new licenses for the same material under section 10.
   9. Acceptance Not Required for Having Copies.
 You are not required to accept this License in order to receive or run a copy
 of the Program. Ancillary propagation of a covered work occurring solely as
 a consequence of using peer-to-peer transmission to receive a copy likewise
 does not require acceptance. However, nothing other than this License grants
 you permission to propagate or modify any covered work. These actions infringe
 copyright if you do not accept this License. Therefore, by modifying or propagating
 a covered work, you indicate your acceptance of this License to do so.
   10. Automatic Licensing of Downstream Recipients.
 Each time you convey a covered work, the recipient automatically receives
 a license from the original licensors, to run, modify and propagate that work,
 subject to this License. You are not responsible for enforcing compliance
 by third parties with this License.
 An "entity transaction" is a transaction transferring control of an organization,
 or substantially all assets of one, or subdividing an organization, or merging
 organizations. If propagation of a covered work results from an entity transaction,
 each party to that transaction who receives a copy of the work also receives
 whatever licenses to the work the party's predecessor in interest had or could
 give under the previous paragraph, plus a right to possession of the Corresponding
 Source of the work from the predecessor in interest, if the predecessor has
 it or can get it with reasonable efforts.
 You may not impose any further restrictions on the exercise of the rights
 granted or affirmed under this License. For example, you may not impose a
 license fee, royalty, or other charge for exercise of rights granted under
 this License, and you may not initiate litigation (including a cross-claim
 or counterclaim in a lawsuit) alleging that any patent claim is infringed
 by making, using, selling, offering for sale, or importing the Program or
 any portion of it.
   11. Patents.
 A "contributor" is a copyright holder who authorizes use under this License
 of the Program or a work on which the Program is based. The work thus licensed
 is called the contributor's "contributor version".
 A contributor's "essential patent claims" are all patent claims owned or controlled
 by the contributor, whether already acquired or hereafter acquired, that would
 be infringed by some manner, permitted by this License, of making, using,
 or selling its contributor version, but do not include claims that would be
 infringed only as a consequence of further modification of the contributor
 version. For purposes of this definition, "control" includes the right to
 grant patent sublicenses in a manner consistent with the requirements of this
 License.
 Each contributor grants you a non-exclusive, worldwide, royalty-free patent
 license under the contributor's essential patent claims, to make, use, sell,
 offer for sale, import and otherwise run, modify and propagate the contents
 of its contributor version.
 In the following three paragraphs, a "patent license" is any express agreement
 or commitment, however denominated, not to enforce a patent (such as an express
 permission to practice a patent or covenant not to sue for patent infringement).
 To "grant" such a patent license to a party means to make such an agreement
 or commitment not to enforce a patent against the party.
 If you convey a covered work, knowingly relying on a patent license, and the
 Corresponding Source of the work is not available for anyone to copy, free
 of charge and under the terms of this License, through a publicly available
 network server or other readily accessible means, then you must either (1)
 cause the Corresponding Source to be so available, or (2) arrange to deprive
 yourself of the benefit of the patent license for this particular work, or
 (3) arrange, in a manner consistent with the requirements of this License,
 to extend the patent license to downstream recipients. "Knowingly relying"
 means you have actual knowledge that, but for the patent license, your conveying
 the covered work in a country, or your recipient's use of the covered work
 in a country, would infringe one or more identifiable patents in that country
 that you have reason to believe are valid.
 If, pursuant to or in connection with a single transaction or arrangement,
 you convey, or propagate by procuring conveyance of, a covered work, and grant
 a patent license to some of the parties receiving the covered work authorizing
 them to use, propagate, modify or convey a specific copy of the covered work,
 then the patent license you grant is automatically extended to all recipients
 of the covered work and works based on it.
 A patent license is "discriminatory" if it does not include within the scope
 of its coverage, prohibits the exercise of, or is conditioned on the non-exercise
 of one or more of the rights that are specifically granted under this License.
 You may not convey a covered work if you are a party to an arrangement with
 a third party that is in the business of distributing software, under which
 you make payment to the third party based on the extent of your activity of
 conveying the work, and under which the third party grants, to any of the
 parties who would receive the covered work from you, a discriminatory patent
 license (a) in connection with copies of the covered work conveyed by you
 (or copies made from those copies), or (b) primarily for and in connection
 with specific products or compilations that contain the covered work, unless
 you entered into that arrangement, or that patent license was granted, prior
 to 28 March 2007.
 Nothing in this License shall be construed as excluding or limiting any implied
 license or other defenses to infringement that may otherwise be available
 to you under applicable patent law.
   12. No Surrender of Others' Freedom.
 If conditions are imposed on you (whether by court order, agreement or otherwise)
 that contradict the conditions of this License, they do not excuse you from
 the conditions of this License. If you cannot convey a covered work so as
 to satisfy simultaneously your obligations under this License and any other
 pertinent obligations, then as a consequence you may not convey it at all.
 For example, if you agree to terms that obligate you to collect a royalty
 for further conveying from those to whom you convey the Program, the only
 way you could satisfy both those terms and this License would be to refrain
 entirely from conveying the Program.
   13. Use with the GNU Affero General Public License.
 Notwithstanding any other provision of this License, you have permission to
 link or combine any covered work with a work licensed under version 3 of the
 GNU Affero General Public License into a single combined work, and to convey
 the resulting work. The terms of this License will continue to apply to the
 part which is the covered work, but the special requirements of the GNU Affero
 General Public License, section 13, concerning interaction through a network
 will apply to the combination as such.
   14. Revised Versions of this License.
 The Free Software Foundation may publish revised and/or new versions of the
 GNU General Public License from time to time. Such new versions will be similar
 in spirit to the present version, but may differ in detail to address new
 problems or concerns.
 Each version is given a distinguishing version number. If the Program specifies
 that a certain numbered version of the GNU General Public License "or any
 later version" applies to it, you have the option of following the terms and
 conditions either of that numbered version or of any later version published
 by the Free Software Foundation. If the Program does not specify a version
 number of the GNU General Public License, you may choose any version ever
 published by the Free Software Foundation.
 If the Program specifies that a proxy can decide which future versions of
 the GNU General Public License can be used, that proxy's public statement
 of acceptance of a version permanently authorizes you to choose that version
 for the Program.
 Later license versions may give you additional or different permissions. However,
 no additional obligations are imposed on any author or copyright holder as
 a result of your choosing to follow a later version.
   15. Disclaimer of Warranty.
 THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE
 LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
 OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
 EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM
 PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
 CORRECTION.
   16. Limitation of Liability.
 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
 ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM
 AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
 INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO
 USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
 INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
 PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
 PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
   17. Interpretation of Sections 15 and 16.
 If the disclaimer of warranty and limitation of liability provided above cannot
 be given local legal effect according to their terms, reviewing courts shall
 apply local law that most closely approximates an absolute waiver of all civil
 liability in connection with the Program, unless a warranty or assumption
 of liability accompanies a copy of the Program in return for a fee. END OF
 TERMS AND CONDITIONS
 How to Apply These Terms to Your New Programs
 If you develop a new program, and you want it to be of the greatest possible
 use to the public, the best way to achieve this is to make it free software
 which everyone can redistribute and change under these terms.
 To do so, attach the following notices to the program. It is safest to attach
 them to the start of each source file to most effectively state the exclusion
 of warranty; and each file should have at least the "copyright" line and a
 pointer to where the full notice is found.
 <one line to give the program's name and a brief idea of what it does.>
 Copyright (C) <year> <name of author>
 This program is free software: you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free Software
 Foundation, either version 3 of the License, or (at your option) any later
 version.
 This program is distributed in the hope that it will be useful, but WITHOUT
 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
 You should have received a copy of the GNU General Public License along with
 this program. If not, see <https://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper mail.
 If the program does terminal interaction, make it output a short notice like
 this when it starts in an interactive mode:
 <program> Copyright (C) <year> <name of author>
 This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
 This is free software, and you are welcome to redistribute it under certain
 conditions; type `show c' for details.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License. Of course, your program's commands might
 be different; for a GUI interface, you would use an "about box".
 You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary. For
 more information on this, and how to apply and follow the GNU GPL, see <https://www.gnu.org/licenses/>.
 The GNU General Public License does not permit incorporating your program
 into proprietary programs. If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
 library. If this is what you want to do, use the GNU Lesser General Public
 License instead of this License. But first, please read <https://www.gnu.org/
 licenses /why-not-lgpl.html>.
--- a/README.md
+++ b/README.md
@ -1,55 +1,13 @@
 <!--
 Copyright (C) 2018-2023 Robert Wimmer
 Copyright (C) 2019 fbourqui
 SPDX-License-Identifier: GPL-3.0-or-later
 -->
 ansible-role-wireguard
 ======================
-This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. The latest release is [available via Ansible Galaxy](https://galaxy.ansible.com/githubixx/ansible_role_wireguard).  I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster.
+This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. This VPN also includes two clients so that I can communicate securly with the Kubernetes API server. Also my Postfix mailserver running as K8s DaemonSet forwards mails to my internal Postfix through WireGuard VPN.
 In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).
 Linux
 -----
 This role should work with:
 - Ubuntu 18.04 (Bionic Beaver)
 - Ubuntu 20.04 (Focal Fossa)
 - Ubuntu 22.04 (Jammy Jellyfish)
 - Archlinux
 - Debian 11 (Bullseye)
 - Fedora 36
 - CentOS 7
 - AlmaLinux
 - Rocky Linux
 - openSUSE Leap 15.4
 - Oracle Linux 9
 Best effort:
 - elementary OS 6
 Molecule tests are [available](https://github.com/githubixx/ansible-role-wireguard#testing) (see further down below). It should also work with `Raspbian Buster` but for this one there is no test available. MacOS (see below) should also work partitially but is only best effort.
-MacOS
+I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a while. As I moved my cloud hosts from Scaleway to Hetzner cloud it was a good time to switch the VPN solution ;-) In general PeerVPN still works perfectly fine esp. if you need a easy to setup fully meshed network (where every node is able to talk to all other nodes and even if node `A` should be able to talk to Node `C` via node `B` ;-) ). But PeerVPN needs also lot of CPU resources and throuhput could be better. That's solved with [WireGuard](https://www.wireguard.io/).
 -----
-While this playbook configures, enables and starts a `systemd` service on Linux in a such a way that no additional action is needed, on MacOS it installs the required packages and it just generates the correct `wg0.conf` file that is then placed in the specified `wireguard_remote_directory` (`/opt/local/etc/wireguard` by default). In order to run the VPN, then, you need to:
+In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).
 ```bash
 sudo wg-quick up wg0
 ```
 and to deactivate it
 ```bash
 sudo wg-quick down wg0
 ```
-or you can install the [official app](https://apps.apple.com/it/app/wireguard/id1451685025?l=en&mt=12) and import the `wg0.conf` file.
+This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later) and CentOS 7 might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-)
 Versions
 --------
@ -59,9 +17,7 @@ I tag every release and try to stay with [semantic versioning](http://semver.org
 Requirements
 ------------
-By default port `51820` (protocol UDP) should be accessible from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward`. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere.
+By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
 You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things.
 Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
 Changelog
 ---------
@ -71,168 +27,49 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/mast
 Role Variables
 --------------
-These variables can be changed in `group_vars/` e.g.:
+These variables can be changed in `group_vars/`:
-```yaml
+```
 # Directory to store WireGuard configuration on the remote hosts
-wireguard_remote_directory: "/etc/wireguard"              # On Linux
+wireguard_remote_directory: "/etc/wireguard"
 # wireguard_remote_directory: "/opt/local/etc/wireguard"  # On MacOS
 # The default port WireGuard will listen if not specified otherwise.
 wireguard_port: "51820"
-# The default interface name that WireGuard should use if not specified otherwise.
+# The default interface name that wireguard should use if not specified otherwise.
 wireguard_interface: "wg0"
 ```
 The following variable is mandatory and needs to be configured for every host in `host_vars/`:
-# The default owner of the wg.conf file
+```
-wireguard_conf_owner: root
+wireguard_address: "10.8.0.101/24"
-
+```
-# The default group of the wg.conf file
+
-wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
+Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default value is the value from `wireguard_address` without the CIDR but instead with `/32` which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly:
-
+
-# The default mode of the wg.conf file
+```
 wireguard_conf_mode: 0600
 # The default state of the wireguard service
 wireguard_service_enabled: "yes"
 wireguard_service_state: "started"
 # By default "wg syncconf" is used to apply WireGuard interface settings if
 # they've changed. Older WireGuard tools doesn't provide this option. In that
 # case as a fallback the WireGuard interface will be restarted. This causes a
 # short interruption of network connections.
 #
 # So even if "false" is the default, the role figures out if the "syncconf"
 # option of the "wg" utility is available and if not falls back to "true"
 # (which means interface will be restarted as this is the only possible option
 # in this case).
 #
 # Possible options:
 # - false (default)
 # - true
 #
 # Both options have their pros and cons. The default "false" option (do not
 # restart interface)
 # - does not need to restart the WireGuard interface to apply changes
 # - does not cause a short VPN connection interruption when changes are applied
 # - might cause network routes are not properly reloaded
 #
 # Setting the option value to "true" will
 # - restart the WireGuard interface as the name suggests in case of changes
 # - cause a short VPN connection interruption when changes are applied
 # - make sure that network routes are properly reloaded
 #
 # So it depends a little bit on your setup which option works best. If you
 # don't have an overly complicated routing that changes very often or at all
 # using "false" here is most properly good enough for you. E.g. if you just
 # want to connect a few servers via VPN and it normally stays this way.
 #
 # If you have a more dynamic routing setup then setting this to "true" might be
 # the safest way to go. Also if you want to avoid the possibility creating some
 # hard to detect side effects this option should be considered.
 wireguard_interface_restart: false
 # Normally the role automatically creates a private key the very first time
 # if there isn't already a WireGuard configuration. But this option allows
 # to provide your own WireGuard private key if really needed. As this is of
 # course a very sensitive value you might consider a tool like Ansible Vault
 # to store it encrypted.
 # wireguard_private_key:
 # Set to "false" if package cache should not be updated (only relevant if
 # the package manager in question supports this option)
 wireguard_update_cache: "true"
 ```
 There are also a few Linux distribution specific settings:
 ```yaml
 #######################################
 # Settings only relevant for:
 # - Ubuntu
 # - elementary OS
 #######################################
 # DEPRECATED: Please use "wireguard_update_cache" instead.
 # Set to "false" if package cache should not be updated.
 wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}"
 # Set package cache valid time
 wireguard_ubuntu_cache_valid_time: "3600"
 #######################################
 # Settings only relevant for CentOS 7
 #######################################
 # Set wireguard_centos7_installation_method to "kernel-plus"
 # to use the kernel-plus kernel, which includes a built-in,
 # signed WireGuard module.
 #
 # The default of "standard" will use the standard kernel and
 # the ELRepo module for WireGuard.
 wireguard_centos7_installation_method: "standard"
 # Reboot host if necessary if the "kernel-plus" kernel is in use
 wireguard_centos7_kernel_plus_reboot: true
 # The default seconds to wait for machine to reboot and respond
 # if "kernel-plus" is in use. Is only relevant if
 # "wireguard_centos7_kernel_plus_reboot" is set to "true".
 wireguard_centos7_kernel_plus_reboot_timeout: "600"
 # Reboot host if necessary if the standard kernel is in use
 wireguard_centos7_standard_reboot: true
 # The default seconds to wait for machine to reboot and respond
 # if "standard" kernel is in use. Is only relevant if
 # "wireguard_centos7_standard_reboot" is set to "true".
 wireguard_centos7_standard_reboot_timeout: "600"
 #########################################
 # Settings only relevant for RockyLinux 8
 #########################################
 # Set wireguard_rockylinux8_installation_method to "dkms"
 # to build WireGuard module from source, with wireguard-dkms.
 # This is required if you use a custom kernel and/or your arch
 # is not x86_64.
 #
 # The default of "standard" will install the kernel module
 # with kmod-wireguard from ELRepo.
 wireguard_rockylinux8_installation_method: "standard"
 ```
 Every host in `host_vars/` should configure at least one address via `wireguard_address` or `wireguard_addresses`. The `wireguard_address` can only contain one IPv4, thus it's recommended to use the `wireguard_addresses` variable that can contain an array of both IPv4 and IPv6 addresses.
 ```yaml
 wireguard_addresses:
  - "10.8.0.101/24"
 ```
 Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default values are IPs defined in `wireguard_address` and `wireguard_addresses` without the CIDR but instead with `/32` (IPv4) or `/128` (IPv6) which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly:
 ```ini
 [Interface]
 Address = 10.8.0.2/24
 PrivateKey = ....
 ListenPort = 51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 10.8.0.101/32
 Endpoint = controller01.p.domain.tld:51820
 ```
-This is part of the WireGuard config from my workstation. It has the VPN IP `10.8.0.2` and we've a `/24` subnet in which all my WireGuard hosts are located. Also you can see we've a peer here that has the endpoint `controller01.p.domain.tld:51820`. When `wireguard_allowed_ips` is not explicitly set the Ansible template will add an `AllowedIPs` entry with the IP of that host plus `/32` or `/128`. In WireGuard this basically specifies the routing. The config above says: On my workstation with the IP `10.8.0.2` I want send all traffic to `10.8.0.101/32` to the endpoint `controller01.p.domain.tld:51820`. Now let's assume we set `wireguard_allowed_ips: "0.0.0.0/0"`. Then the resulting config looks like this.
+This is part of the WireGuard config from my workstation. It has the VPN IP `10.8.0.2` and we've a `/24` subnet in which all my WireGuard hosts are located. Also you can see we've a peer here that has the endpoint `controller01.p.domain.tld:51820`. When `wireguard_allowed_ips` is not explicitly set the Ansible template will add an `AllowedIPs` entry with the IP of that host plus `/32`. In WireGuard this basically specifies the routing. The config above says: On my workstation with the IP `10.8.0.2` I want send all traffic to `10.8.0.101/32` to the endpoint `controller01.p.domain.tld:51820`. Now let's assume we set `wireguard_allowed_ips: "0.0.0.0/0"`. Then the resulting config looks like this.
-```ini
+```
 [Interface]
 Address = 10.8.0.2/24
 PrivateKey = ....
 ListenPort = 51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 0.0.0.0/0
 Endpoint = controller01.p.domain.tld:51820
 ```
@ -241,7 +78,7 @@ Now this is basically the same as above BUT now the config says: I want to route
 You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like). The values for the following variables are just examples and no defaults (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8)):
-```yaml
+```
 wireguard_allowed_ips: ""
 wireguard_endpoint: "host1.domain.tld"
 wireguard_persistent_keepalive: "30"
@ -258,25 +95,18 @@ wireguard_postup:
 wireguard_postdown:
  - ...
 wireguard_save_config: "true"
 wireguard_unmanaged_peers:
  client.example.com:
    public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
    # preshared_key: ... e.g. from ansible-vault?
    allowed_ips: 10.0.0.3/32
    endpoint: client.example.com:51820
    persistent_keepalive: 0
 ```
 `wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:
-```yaml
+```
 wireguard_postup:
  - iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
  - iptables -A FORWARD -i %i -j ACCEPT
  - iptables -A FORWARD -o %i -j ACCEPT
 ```
-```yaml
+```
 wireguard_preup:
  - echo 1 > /proc/sys/net/ipv4/ip_forward
  - ufw allow 51820/udp
@ -284,13 +114,13 @@ wireguard_preup:
 The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8).
-One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) is required as already mentioned. It's the IPs of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs at least one unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
+`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
-Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
+Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
 First, here is a part of my Ansible `hosts` file:
-```ini
+```
 [vpn]
 controller0[1:3].i.domain.tld
 worker0[1:2].i.domain.tld
@ -304,53 +134,45 @@ controller0[1:3].i.domain.tld
 worker0[1:2].i.domain.tld
 ```
-As you can see I've three groups here: `vpn` (all hosts on that will get WireGuard installed), `k8s_controller` (the Kubernetes controller nodes) and `k8s_worker` (the Kubernetes worker nodes). The `i` in the domainname is for `internal`. All the `i.domain.tld` DNS entries have a `A` record that points to the WireGuard IP that we define shortly for every host e.g.: `controller01.i.domain.tld. IN A 10.8.0.101`. The reason for that is that all Kubernetes components only binds and listen on the WireGuard interface in my setup. And since I need this internal IPs for all my Kubernetes components I specify the internal DNS entries in my Ansible `hosts` file. That way I can use the Ansible inventory hostnames and variables very easy in the playbooks and templates.
+As you can see I've three gropus here: `vpn` (all hosts on that will get WireGuard installed), `k8s_controller` (the Kubernetes controller nodes) and `k8s_worker` (the Kubernetes worker nodes). The `i` in the domainname is for `internal`. All the `i.domain.tld` DNS entries have a `A` record that points to the WireGuard IP that we define shortly for every host e.g.: ` controller01.i.domain.tld. IN A 10.8.0.101`. The reason for that is that all Kubernetes components only binds and listen on the WireGuard interface in my setup. And since I need this internal IPs for all my Kubernetes components I specify the internal DNS entries in my Ansible `hosts` file. That way I can use the Ansible inventory hostnames and variables very easy in the playbooks and templates.
 For the Kubernetes controller nodes I've defined the following host variables:
 Ansible host file: `host_vars/controller01.i.domain.tld`
-
+```
 ```yaml
 ---
-wireguard_addresses:
+wireguard_address: "10.8.0.101/24"
  - "10.8.0.101/24"
 wireguard_endpoint: "controller01.p.domain.tld"
 ansible_host: "controller01.p.domain.tld"
 ansible_python_interpreter: /usr/bin/python3
 ```
 Ansible host file: `host_vars/controller02.i.domain.tld`:
-
+```
 ```yaml
 ---
-wireguard_addresses:
+wireguard_address: "10.8.0.102/24"
  - "10.8.0.102/24"
 wireguard_endpoint: "controller02.p.domain.tld"
 ansible_host: "controller02.p.domain.tld"
 ansible_python_interpreter: /usr/bin/python3
 ```
 Ansible host file: `host_vars/controller03.i.domain.tld`:
-
+```
 ```yaml
 ---
-wireguard_addresses:
+wireguard_address: "10.8.0.103/24"
  - "10.8.0.103/24"
 wireguard_endpoint: "controller03.p.domain.tld"
 ansible_host: "controller03.p.domain.tld"
 ansible_python_interpreter: /usr/bin/python3
 ```
-I've specified `ansible_python_interpreter` here for every node as the controller nodes use Ubuntu 18.04 which has Python 3 installed by default. `ansible_host` is set to the public DNS of that host. Ansible will use this hostname to connect to the host via SSH. I use the same value also for `wireguard_endpoint` because of the same reason. The WireGuard peers needs to connect to the other peers via a public IP (well at least via a IP that the WireGuard hosts can connect to - that could be of course also a internal IP if it works for you). IPs specified by `wireguard_address` or `wireguard_addresses` needs to be unique of course for every host.
+I've specified `ansible_python_interpreter` here for every node as the controller nodes use Ubuntu 18.04 which has Python 3 installed by default. `ansible_host` is set to the public DNS of that host. Ansible will use this hostname to connect to the host via SSH. I use the same value also for `wireguard_endpoint` because of the same reason. The WireGuard peers needs to connect to the other peers via a public IP (well at least via a IP that the WireGuard hosts can connect to - that could be of course also a internal IP if it works for you). The `wireguard_address` needs to be unique of course for every host. 
 For the Kubernetes worker I've defined the following variables:
 Ansible host file: `host_vars/worker01.i.domain.tld`
-
+```
 ```yaml
 ---
-wireguard_addresses:
+wireguard_address: "10.8.0.111/24"
  - "10.8.0.111/24"
 wireguard_endpoint: "worker01.p.domain.tld"
 wireguard_persistent_keepalive: "30"
 ansible_host: "worker01.p.domain.tld"
@ -358,11 +180,9 @@ ansible_python_interpreter: /usr/bin/python3
 ```
 Ansible host file: `host_vars/worker02.i.domain.tld`:
-
+```
 ```yaml
 ---
-wireguard_addresses:
+wireguard_address: "10.8.0.112/24"
  - "10.8.0.112/24"
 wireguard_endpoint: "worker02.p.domain.tld"
 wireguard_persistent_keepalive: "30"
 ansible_host: "worker02.p.domain.tld"
@ -373,23 +193,21 @@ As you can see the variables are basically the same as the controller nodes have
 For my internal server at home (connected via DSL router to the internet) we've this configuration:
-```yaml
+```
 ---
-wireguard_addresses:
+wireguard_address: "10.8.0.1/24"
  - "10.8.0.1/24"
 wireguard_endpoint: "server.at.home.p.domain.tld"
 wireguard_persistent_keepalive: "30"
 ansible_host: 192.168.2.254
 ansible_port: 22
 ```
-By default the SSH daemon is listening on a different port than 22 on all of my public nodes but internally I use `22` and that's the reason to set `ansible_port: 22` here. Also `ansible_host` is of course a internal IP for that host. The `wireguard_endpoint` value is a dynamic DNS entry. Since my IP at home isn't static I need to run a script every minute at my home server that checks if the IP has changed and if so adjusts my DNS record. I use OVH's DynHost feature to accomplish this but you can use and DynDNS provider you want of course. Also I forward incoming traffic on port `51820/UDP` to my internal server to allow incoming WireGuard traffic. IPs from `wireguard_address` and `wireguard_addresses` needs to be of course part of our WireGuard subnet.
+By default the SSH daemon is listening on a different port than 22 on all of my public nodes but internally I use `22` and that's the reason to set `ansible_port: 22` here. Also `ansible_host` is of course a internal IP for that host. The `wireguard_endpoint` value is a dynamic DNS entry. Since my IP at home isn't static I need to run a script every minute at my home server that checks if the IP has changed and if so adjusts my DNS record. I use OVH's DynHost feature to accomplish this but you can use and DynDNS provider you want of course. Also I forward incoming traffic on port `51820/UDP` to my internal server to allow incoming WireGuard traffic. The `wireguard_address` needs to be of course part of our WireGuard subnet.
 And finally for my workstation (on which I run all `ansible-playbook` commands):
-```yaml
+```
-wireguard_addresses:
+wireguard_address: "10.8.0.2/24"
  - "10.8.0.2/24"
 wireguard_endpoint: ""
 ansible_connection: local
 ansible_become: false
@ -397,41 +215,41 @@ ansible_become: false
 As you can see `wireguard_endpoint: ""` is a empty string here. That means the Ansible role won't set an endpoint for my workstation. Since there is no need for the other hosts to connect to my workstation it doesn't makes sense to have a endpoint defined. So in this case I can access all hosts defined in the Ansible group `vpn` from my workstation but not the other way round. So the resulting WireGuard config for my workstation looks like this:
-```ini
+```
 [Interface]
 Address = 10.8.0.2/24
 PrivateKey = ....
 ListenPort = 51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 10.8.0.101/32
 Endpoint = controller01.p.domain.tld:51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 10.8.0.102/32
 Endpoint = controller02.p.domain.tld:51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 10.8.0.103/32
 Endpoint = controller03.p.domain.tld:51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 10.8.0.111/32
 PersistentKeepalive = 30
 Endpoint = worker01.p.domain.tld:51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 10.8.0.112/32
 PersistentKeepalive = 30
 Endpoint = worker02.p.domain.tld:51820
 [Peer]
-PublicKey = ....
+PrivateKey = ....
 AllowedIPs = 10.8.0.1/32
 PersistentKeepalive = 30
 Endpoint = server.at.home.p.domain.tld:51820
@ -439,42 +257,32 @@ Endpoint = server.at.home.p.domain.tld:51820
 The other WireGuard config files (`wg0.conf` by default) looks similar but of course `[Interface]` includes the config of that specific host and the `[Peer]` entries lists the config of the other hosts.
-Example Playbooks
+Example Playbook
-----------------
+----------------
 ```yaml
 - hosts: vpn
  roles:
    - githubixx.ansible_role_wireguard
 ```
-
+- hosts: vpn
 ```yaml
  hosts: vpn
  roles:
-    -
+    - wireguard
      role: githubixx.ansible_role_wireguard
      tags: role-wireguard
 ```
-Example inventory using two different WireGuard interfaces on host "multi"
+Example Inventory using two different WireGuard interfaces on host "multi"
 --------------------------------------------------------------------------
 This is a complex example using yaml inventory format:
-```yaml
+```
 vpn1:
  hosts:
    multi:
-      wireguard_addresses:
+      wireguard_address: 10.9.0.1/32
        - "10.9.0.1/32"
      wireguard_allowed_ips: "10.9.0.1/32, 192.168.2.0/24"
-      wireguard_endpoint: multi.example.com
+      wireguard_endpoint: multi.exemple.com
    nated:
-      wireguard_addresses:
+      wireguard_address: 10.9.0.2/32
        - "10.9.0.2/32"
      wireguard_allowed_ips: "10.9.0.2/32, 192.168.3.0/24"
      wireguard_persistent_keepalive: 15
-      wireguard_endpoint: nated.example.com
+      wireguard_endpoint: nated.exemple.com
      wireguard_postup:
        - iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
        - iptables -A FORWARD -i %i -j ACCEPT
@ -493,62 +301,32 @@ vpn2:
      wireguard_interface: wg1
      # when using several interface on one host, we must use different ports
      wireguard_port: 51821
-      wireguard_addresses:
+      wireguard_address: 10.9.1.1/32
-        - "10.9.1.1/32"
+      wireguard_endpoint: multi.exemple.com
      wireguard_endpoint: multi.example.com
    another:
-      wireguard_address:
+      wireguard_address: 10.9.1.2/32
-        - "10.9.1.2/32"
+      wireguard_endpoint: another.exemple.com
      wireguard_endpoint: another.example.com
 ```
-Sample playbooks for example above:
+Playbooks
 ---------
-```yaml
+```
 - hosts: vpn1
  roles:
-    - githubixx.ansible_role_wireguard
+    - wireguard
 ```
-```yaml
+```
 - hosts: vpn2
  roles:
-    - githubixx.ansible_role_wireguard
+    - wireguard
 ```
 Testing
 -------
 This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/kvm).
 Afterwards molecule can be executed:
 ```bash
 molecule converge -s kvm
 ```
 This will setup quite a few virtual machines (VM) with different supported Linux operating systems. To run a few tests:
 ```bash
 molecule verify -s kvm
 ```
 To clean up run
 ```bash
 molecule destroy -s kvm
 ```
 There is also a small Molecule setup that mimics a central WireGuard server with a few clients:
 ```bash
 molecule converge -s kvm-single-server
 ```
 License
 -------
-[GNU General Public License v3.0 or later](https://spdx.org/licenses/GPL-3.0-or-later.html)
+GNU GENERAL PUBLIC LICENSE Version 3
 Author Information
 ------------------
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,126 +1,41 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+################################################################################
 # SPDX-License-Identifier: GPL-3.0-or-later
 #######################################
 # General settings
-#######################################
+################################################################################
 # Directory to store WireGuard configuration on the remote hosts
-wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Darwin' else '/opt/local/etc/wireguard' }}"
+wireguard_remote_directory: "/etc/wireguard"
 # The default port WireGuard will listen if not specified otherwise.
 wireguard_port: "51820"
-# The default interface name that WireGuard should use if not specified otherwise.
+# The default interface name that wireguard should use if not specified otherwise.
 wireguard_interface: "wg0"
 # The default owner of the wg.conf file
 wireguard_conf_owner: root
 # The default group of the wg.conf file
 wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
-# The default mode of the wg.conf file
+################################################################################
-wireguard_conf_mode: 0600
+# Settings for devices like laptops, tablets, mobiles, etc. not managed by
 # Ansible. If you don't have such devices just leave the variables commented.
 ################################################################################
-# The default state of the wireguard service
+# Directory to store configurations for unmanaged hosts
-wireguard_service_enabled: "yes"
+wireguard_unmanaged_hosts_directory: "{{ '~/wireguard_unmanaged_hosts' | expanduser }}"
 wireguard_service_state: "started"
 # By default "wg syncconf" is used to apply WireGuard interface settings if
 # they've changed. Older WireGuard tools doesn't provide this option. In that
 # case as a fallback the WireGuard interface will be restarted. This causes a
 # short interruption of network connections.
 #
 # So even if "false" is the default, the role figures out if the "syncconf"
 # option of the "wg" utility is available and if not falls back to "true"
 # (which means interface will be restarted as this is the only possible option
 # in this case).
 #
 # Possible options:
 # - false (default)
 # - true
 #
 # Both options have their pros and cons. The default "false" option (do not
 # restart interface)
 # - does not need to restart the WireGuard interface to apply changes
 # - does not cause a short VPN connection interruption when changes are applied
 # - might cause network routes are not properly reloaded
 # 
-# Setting the option value to "true" will
+wireguard_unmanaged_hosts_list:
-# - restart the WireGuard interface as the name suggests in case of changes
+  - tablet01
-# - cause a short VPN connection interruption when changes are applied
+  - mobile01
 # - make sure that network routes are properly reloaded
 #
 # So it depends a little bit on your setup which option works best. If you
 # don't have an overly complicated routing that changes very often or at all
 # using "false" here is most properly good enough for you. E.g. if you just
 # want to connect a few servers via VPN and it normally stays this way.
 #
 # If you have a more dynamic routing setup then setting this to "true" might be
 # the safest way to go. Also if you want to avoid the possibility creating some
 # hard to detect side effects this option should be considered.
 wireguard_interface_restart: false
-# This is sensitive: encrypt it with a tool like Ansible Vault.
+#
-# If not set, a new one is generated on a blank configuration.
+wireguard_unmanaged_delegate_to: "127.0.0.1"
 # wireguard_private_key:
 # Set to "false" if package cache should not be updated (only relevant if
 # the package manager in question supports this option)
 wireguard_update_cache: "true"
-#######################################
+###############################################################################
-# Settings only relevant for:
+# Settings only relevant for Ubuntu
-# - Ubuntu
+###############################################################################
 # - elementary OS
 #######################################
-# DEPRECATED: Please use "wireguard_update_cache" instead.
+# Set to "false" if package cache should not be updated
-# Set to "false" if package cache should not be updated.
+wireguard_ubuntu_update_cache: "true"
 wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}"
 # Set package cache valid time
 wireguard_ubuntu_cache_valid_time: "3600"
 #######################################
 # Settings only relevant for CentOS 7
 #######################################
 # Set wireguard_centos7_installation_method to "kernel-plus"
 # to use the kernel-plus kernel, which includes a built-in,
 # signed WireGuard module.
 #
 # The default of "standard" will use the standard kernel and
 # the ELRepo module for WireGuard.
 wireguard_centos7_installation_method: "standard"
 # Reboot host if necessary if the "kernel-plus" kernel is in use
 wireguard_centos7_kernel_plus_reboot: true
 # The default seconds to wait for machine to reboot and respond
 # if "kernel-plus" is in use. Is only relevant if
 # "wireguard_centos7_kernel_plus_reboot" is set to "true".
 wireguard_centos7_kernel_plus_reboot_timeout: "600"
 # Reboot host if necessary if the standard kernel is in use
 wireguard_centos7_standard_reboot: true
 # The default seconds to wait for machine to reboot and respond
 # if "standard" kernel is in use. Is only relevant if
 # "wireguard_centos7_standard_reboot" is set to "true".
 wireguard_centos7_standard_reboot_timeout: "600"
 #########################################
 # Settings only relevant for RockyLinux 8
 #########################################
 # Set wireguard_rockylinux8_installation_method to "dkms"
 # to build WireGuard module from source, with wireguard-dkms.
 # This is required if you use a custom kernel and/or your arch
 # is not x86_64.
 #
 # The default of "standard" will install the kernel module
 # with kmod-wireguard from ELRepo.
 wireguard_rockylinux8_installation_method: "standard"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,32 +1,23 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+- name: restart wireguard
-# SPDX-License-Identifier: GPL-3.0-or-later
+  service:
 - name: Restart wireguard
  ansible.builtin.service:
    name: "wg-quick@{{ wireguard_interface }}"
    state: "{{ item }}"
  loop:
-    - stopped
+  - stopped
-    - started
+  - started
-  when:
+  when: not wg_syncconf
    - wireguard__restart_interface
    - not ansible_os_family == 'Darwin'
    - wireguard_service_enabled == "yes"
  listen: "reconfigure wireguard"
- name: Syncconf wireguard
+- name: syncconf wireguard
-  ansible.builtin.shell: |
+  shell: |
-    set -o errexit
+      set -o errexit
-    set -o pipefail
+      set -o pipefail
-    set -o nounset
+      set -o nounset
-    systemctl is-active wg-quick@{{ wireguard_interface | quote }} || systemctl start wg-quick@{{ wireguard_interface | quote }}
+      systemctl is-active wg-quick@wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
-    wg syncconf {{ wireguard_interface | quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface | quote }}.conf)
+      wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
-    exit 0
+      exit 0
  args:
    executable: "/bin/bash"
-  when:
+  when: wg_syncconf
    - not wireguard__restart_interface
    - not ansible_os_family == 'Darwin'
    - wireguard_service_enabled == "yes"
  listen: "reconfigure wireguard"
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,35 +1,24 @@
 ---
 # Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 galaxy_info:
  author: Robert Wimmer
  description: Installs Wireguard incl. systemd integration
-  license: GPL-3.0-or-later
+  license: GPLv3
-  min_ansible_version: "2.11"
+  min_ansible_version: 2.5
  namespace: githubixx
  role_name: ansible_role_wireguard
  platforms:
-    - name: ArchLinux
+  - name: ArchLinux
-    - name: Ubuntu
+  - name: Ubuntu
-      versions:
+    versions:
-        - "bionic"
+    - bionic
-        - "focal"
+    - focal
-        - "jammy"
+  - name: Debian
-    - name: Debian
+    versions:
-      versions:
+    - stretch
-        - "bullseye"
+    - buster
-    - name: EL
+  - name: EL
-      versions:
+    versions:
-        - "7"
+    - 7
-        - "8"
+  - name: Fedora
-        - "9"
+    versions:
-    - name: Fedora
+    - 31
      versions:
        - "36"
    - name: opensuse
      versions:
        - "15.4"
  galaxy_tags:
    - networking
    - security
--- a/molecule/kvm-single-server/converge.yml
+++ b/molecule/kvm-single-server/converge.yml
@ -1,12 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - hosts: all
  remote_user: vagrant
  become: true
  gather_facts: true
  tasks:
    - name: Include WireGuard role
      ansible.builtin.include_role:
        name: githubixx.ansible_role_wireguard
--- a/molecule/kvm-single-server/molecule.yml
+++ b/molecule/kvm-single-server/molecule.yml
@ -1,95 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 dependency:
  name: galaxy
 driver:
  name: vagrant
  provider:
    name: libvirt
    type: libvirt
    options:
      memory: 192
      cpus: 2
 platforms:
  - name: test-wg-ubuntu2004
    box: generic/ubuntu2004
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.10
    groups:
      - vpn
      - ubuntu
  - name: test-wg-ubuntu1804
    box: generic/ubuntu1804
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.20
    groups:
      - vpn
      - ubuntu
  - name: test-wg-debian11
    box: generic/debian11
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.30
    groups:
      - vpn
      - debian
  - name: test-wg-ubuntu2204
    box: alvistack/ubuntu-22.04
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.40
    groups:
      - vpn
      - ubuntu
 provisioner:
  name: ansible
  connection_options:
    ansible_ssh_user: vagrant
    ansible_become: true
  log: true
  lint:
    name: ansible-lint
  inventory:
    host_vars:
      test-wg-ubuntu2004:
        wireguard_address: "10.10.10.10/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.10"
      test-wg-ubuntu1804:
        wireguard_address: "10.10.10.20/24"
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: ""
      test-wg-debian11:
        wireguard_address: "10.10.10.30/24"
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: ""
        ansible_python_interpreter: "/usr/bin/python3"
      test-wg-ubuntu2204:
        wireguard_address: "10.10.10.40/24"
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: ""
 scenario:
  name: kvm-single-server
  test_sequence:
    - prepare
    - converge
 verifier:
  name: ansible
--- a/molecule/kvm-single-server/prepare.yml
+++ b/molecule/kvm-single-server/prepare.yml
@ -1,13 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - hosts: ubuntu
  remote_user: vagrant
  become: true
  gather_facts: true
  tasks:
    - name: Update APT package cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
--- a/molecule/kvm-single-server/verify.yml
+++ b/molecule/kvm-single-server/verify.yml
@ -1,33 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: Verify setup
  hosts: all
  vars:
    hosts_count: "{{ groups['vpn'] | length }}"
  tasks:
    - name: Count WireGuard interfaces
      ansible.builtin.shell: |
        set -o errexit
        set -o pipefail
        set -o nounset
        wg | grep "peer: " | wc -l
        exit 0
      args:
        executable: "/bin/bash"
      register: wireguard__interfaces_count
      changed_when: false
    - name: Print WireGuard interface count
      ansible.builtin.debug:
        var: wireguard__interfaces_count.stdout
    - name: Print hosts count in vpn group
      ansible.builtin.debug:
        var: hosts_count
    - name: There should be as much WireGuard interfaces as hosts in vpn group minus one
      ansible.builtin.assert:
        that:
          - "hosts_count|int -1 == wireguard__interfaces_count.stdout|int"
--- a/molecule/kvm/converge.yml
+++ b/molecule/kvm/converge.yml
@ -1,12 +0,0 @@
 ---
 # Copyright (C) 2020-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - hosts: all
  remote_user: vagrant
  become: true
  gather_facts: true
  tasks:
    - name: Include WireGuard role
      ansible.builtin.include_role:
        name: githubixx.ansible_role_wireguard
--- a/molecule/kvm/molecule.yml
+++ b/molecule/kvm/molecule.yml
@ -1,297 +0,0 @@
 ---
 # Copyright (C) 2020-2022 Robert Wimmer
 # Copyright (C) 2020 Pierre Ozoux
 # SPDX-License-Identifier: GPL-3.0-or-later
 dependency:
  name: galaxy
 driver:
  name: vagrant
  provider:
    name: libvirt
    type: libvirt
 platforms:
  - name: test-wg-ubuntu2004
    box: generic/ubuntu2004
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.10
    groups:
      - vpn
      - ubuntu
  - name: test-wg-ubuntu1804
    box: generic/ubuntu1804
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.20
    groups:
      - vpn
      - ubuntu
  - name: test-wg-fedora36
    box: generic/fedora36
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.40
    groups:
      - vpn
      - fedora
  - name: test-wg-centos7
    box: generic/centos7
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.50
    groups:
      - vpn
      - el7
  - name: test-wg-arch
    box: archlinux/archlinux
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.60
    groups:
      - vpn
      - archlinux
  - name: test-wg-debian11
    box: generic/debian11
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.70
    groups:
      - vpn
      - debian
  - name: test-wg-rocky8
    box: generic/rocky8
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.80
    groups:
      - vpn
      - el8
  - name: test-wg-alma8
    box: generic/alma8
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.90
    groups:
      - vpn
      - el8
  - name: test-wg-centos7-kernel-plus
    box: generic/centos7
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.100
    groups:
      - vpn
      - el7
  - name: test-wg-rocky8-dkms
    box: generic/rocky8
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.130
    groups:
      - vpn
      - el8
      - el8dkms
  - name: test-wg-ubuntu2204
    box: generic/ubuntu2004
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.140
    groups:
      - vpn
      - ubuntu
  - name: test-wg-opensuse-leap-15-4
    box: opensuse/Leap-15.4.x86_64
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.150
    groups:
      - vpn
      - opensuse
  - name: test-wg-rocky9
    box: generic/rocky9
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.160
    groups:
      - vpn
      - el9
  - name: test-wg-alma9
    box: generic/alma9
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.170
    groups:
      - vpn
      - el9
  - name: test-wg-oracle9
    box: generic/oracle9
    memory: 1024
    cpus: 2
    interfaces:
      - auto_config: true
        network_name: private_network
        type: static
        ip: 192.168.10.180
    groups:
      - vpn
      - el9
 provisioner:
  name: ansible
  connection_options:
    ansible_ssh_user: vagrant
    ansible_become: true
  log: true
  lint:
    name: ansible-lint
  inventory:
    host_vars:
      test-wg-ubuntu2004:
        wireguard_address: "10.10.10.10/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.10"
      test-wg-ubuntu1804:
        wireguard_address: "10.10.10.20/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.20"
      test-wg-fedora36:
        wireguard_address: "10.10.10.40/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.40"
        wireguard_interface_restart: true
      test-wg-centos7:
        wireguard_address: "10.10.10.50/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.50"
        wireguard_interface_restart: true
      test-wg-arch:
        wireguard_address: "10.10.10.60/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.60"
        ansible_python_interpreter: "/usr/bin/python"
      test-wg-debian11:
        wireguard_address: "10.10.10.70/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.70"
        ansible_python_interpreter: "/usr/bin/python3"
      test-wg-rocky8:
        wireguard_address: "10.10.10.80/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.80"
      test-wg-alma8:
        wireguard_address: "10.10.10.90/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.90"
      test-wg-centos7-kernel-plus:
        wireguard_address: "10.10.10.100/24"
        wireguard_port: 51821
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.100"
        wireguard_centos7_installation_method: "kernel-plus"
      test-wg-rocky8-dkms:
        wireguard_address: "10.10.10.130/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.130"
        wireguard_rockylinux8_installation_method: "dkms"
      test-wg-ubuntu2204:
        wireguard_address: "10.10.10.140/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.140"
      test-wg-opensuse-leap-15-4:
        wireguard_address: "10.10.10.150/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.150"
      test-wg-rocky9:
        wireguard_address: "10.10.10.160/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.160"
      test-wg-alma9:
        wireguard_address: "10.10.10.170/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.170"
      test-wg-oracle9:
        wireguard_address: "10.10.10.180/24"
        wireguard_port: 51820
        wireguard_persistent_keepalive: "30"
        wireguard_endpoint: "192.168.10.180"
 scenario:
  name: kvm
  test_sequence:
    - prepare
    - converge
 verifier:
  name: ansible
--- a/molecule/kvm/prepare.yml
+++ b/molecule/kvm/prepare.yml
@ -1,70 +0,0 @@
 ---
 # Copyright (C) 2021-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - hosts: opensuse
  remote_user: vagrant
  become: true
  gather_facts: true
  tasks:
    - name: Remove backports repositories
      ansible.builtin.raw: |
        zypper rr repo-backports-debug-update
        zypper rr repo-backports-update
      changed_when: false
      failed_when: false
 - hosts: archlinux
  remote_user: vagrant
  become: true
  gather_facts: false
  tasks:
    - name: Init pacman
      ansible.builtin.raw: |
        pacman-key --init
        pacman-key --populate archlinux
      changed_when: false
      failed_when: false
    - name: Updating pacman cache
      raw: pacman -Sy
    - name: Install Python
      ansible.builtin.raw: |
        pacman -S --noconfirm python
      args:
        executable: /bin/bash
      changed_when: false
 - hosts: proxmox
  remote_user: vagrant
  become: true
  gather_facts: true
  tasks:
    - name: (Proxmox) Delete /var/lib/apt/lists/lock
      ansible.builtin.file:
        name: /var/lib/apt/lists/lock
        state: absent
 - hosts: ubuntu
  remote_user: vagrant
  become: true
  gather_facts: true
  tasks:
    - name: Update APT package cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
 - hosts: el8dkms
  remote_user: vagrant
  become: true
  gather_facts: true
  tasks:
    - name: Install ELRepo mainline kernel
      ansible.builtin.raw: |
        rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
        dnf install -y https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
        dnf --enablerepo=elrepo-kernel install -y kernel-ml
      changed_when: false
      failed_when: false
--- a/molecule/kvm/verify.yml
+++ b/molecule/kvm/verify.yml
@ -1,33 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: Verify setup
  hosts: all
  vars:
    hosts_count: "{{ groups['vpn'] | length }}"
  tasks:
    - name: Count WireGuard interfaces
      ansible.builtin.shell: |
        set -o errexit
        set -o pipefail
        set -o nounset
        wg | grep "peer: " | wc -l
        exit 0
      args:
        executable: "/bin/bash"
      register: wireguard__interfaces_count
      changed_when: false
    - name: Print WireGuard interface count
      ansible.builtin.debug:
        var: wireguard__interfaces_count.stdout
    - name: Print hosts count in vpn group
      ansible.builtin.debug:
        var: hosts_count
    - name: There should be as much WireGuard interfaces as hosts in vpn group minus one
      ansible.builtin.assert:
        that:
          - "hosts_count|int -1 == wireguard__interfaces_count.stdout|int"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,153 +1,110 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+#- name: Gather instance facts
-# SPDX-License-Identifier: GPL-3.0-or-later
+#  setup:
-
+
- name: Gather instance facts
+#- name: Include distribution specific tasks
-  ansible.builtin.setup:
+#  include_tasks: "setup-{{ ansible_distribution|lower }}.yml"
-
+
- name: Include tasks depending on OS
+- name: Include unmanaged hosts variables
-  ansible.builtin.include_tasks:
+  include_vars:
-    file: "{{ item }}"
+    name: wireguard_unmanaged_host_{{ item }}
-    apply:
+    dir: vars
-      tags:
+    extensions:
-        - wg-install
+      - yml
-  with_first_found:
+      - yaml
-    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml"
+  loop: "{{ wireguard_unmanaged_hosts_list }}"
-    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml"
+  when: wireguard_unmanaged_hosts_list is defined
-    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_release }}.yml"
+
-    - "setup-{{ ansible_distribution | lower }}.yml"
+- debug: var=wireguard_unmanaged_host_{{ item }}
-    - "setup-{{ ansible_os_family | lower }}.yml"
+  loop: "{{ wireguard_unmanaged_hosts_list }}"
  tags:
    - wg-install
 - name: Enable WireGuard kernel module
-  community.general.modprobe:
+  modprobe:
    name: wireguard
    state: present
-  register: wireguard__register_module_enabled
+  register: wireguard_module_enabled
-  until: wireguard__register_module_enabled is succeeded
+  until:  wireguard_module_enabled is succeeded
  retries: 10
  delay: 10
-  failed_when: wireguard__register_module_enabled is failure
+  failed_when: wireguard_module_enabled is failure
  tags:
    - wg-install
  when: not ansible_os_family == 'Darwin'
 - name: Set default for WireGuard interface restart behavior
  ansible.builtin.set_fact:
    wireguard__restart_interface: >-
      {%- if wireguard_interface_restart -%}
      true
      {%- else -%}
      false
      {%- endif %}
  tags:
    - skip_ansible_lint
- name: Make sure wg syncconf option is available
+- name: Set WireGuard IP (without mask)
-  when:
+  set_fact:
-    - not wireguard_interface_restart
+    wireguard_ip: "{{ wireguard_address.split('/')[0] }}"
  tags:
    - wg-config
  block:
    - name: Get available wg subcommands
      ansible.builtin.command: "wg --help"
      register: wireguard__register_subcommands
      changed_when: false
      check_mode: false
    - name: Check if wg syncconf subcommand is available
      ansible.builtin.set_fact:
        wireguard__syncconf_avail: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"
    - name: Wg syncconf subcommand available
      ansible.builtin.debug:
        var: wireguard__syncconf_avail
    - name: Fall back to interface restart if wg syncconf is not available
      when:
        - not wireguard__syncconf_avail
      ansible.builtin.set_fact:
        wireguard__restart_interface: true
 - name: Final decision on WireGuard interface restart method
  ansible.builtin.debug:
    msg: >-
      {%- if wireguard__restart_interface -%}
      'restart'
      {%- else -%}
      'syncconf'
      {%- endif %}
  tags:
    - skip_ansible_lint
 - name: Register if config/private key already exists on target host
-  ansible.builtin.stat:
+  stat:
    path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
-  register: wireguard__register_config_file
+  register: config_file_stat
  tags:
    - wg-generate-keys
    - wg-config
- name: WireGuard private key handling for new keys
+- name: Get wg subcommands
-  when:
+  command: "wg --help"
-    - not wireguard__register_config_file.stat.exists
+  register: wg_subcommands
-    - wireguard_private_key is not defined
+  changed_when: false
-  block:
+
-    - name: Generate WireGuard private key
+- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
-      ansible.builtin.command: "wg genkey"
+  set_fact:
-      register: wireguard__register_private_key
+    wg_syncconf: false
-      changed_when: false
+
-      no_log: '{{ ansible_verbosity < 3 }}'
+- name: Check if wg syncconf subcommand is available
-      tags:
+  set_fact:
-        - wg-generate-keys
+    wg_syncconf: true
-
+  when: wg_subcommands.stdout | regex_search('syncconf:')
-    - name: Set private key fact
+
-      ansible.builtin.set_fact:
+- name: Show syncconf subcommand status
-        wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
+  debug:
-      no_log: '{{ ansible_verbosity < 3 }}'
+    var: wg_syncconf
-      tags:
+
-        - wg-generate-keys
+- block:
-
+  - name: Generate WireGuard private key
- name: WireGuard private key handling for existing keys
+    command: "wg genkey"
-  when:
+    register: wg_private_key_result
-    - wireguard__register_config_file.stat.exists
+    changed_when: false
-    - wireguard_private_key is not defined
+    tags:
-  block:
+      - wg-generate-keys
-    - name: Read WireGuard config file
+
-      ansible.builtin.slurp:
+  - name: Set private key fact
-        src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
+    set_fact:
-      register: wireguard__register_config
+      private_key: "{{ wg_private_key_result.stdout }}"
-      no_log: '{{ ansible_verbosity < 3 }}'
+    tags:
-      tags:
+      - wg-generate-keys
-        - wg-config
+  when: not config_file_stat.stat.exists
-
+
-    - name: Set private key fact
+- block:
-      ansible.builtin.set_fact:
+  - name: Read WireGuard config file
-        wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
+    slurp:
-      no_log: '{{ ansible_verbosity < 3 }}'
+      src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
-      tags:
+    register: wg_config
-        - wg-config
+    tags:
      - wg-config
  - name: Set private key fact
    set_fact:
      private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
    tags:
      - wg-config
  when: config_file_stat.stat.exists
 - name: Derive WireGuard public key
-  ansible.builtin.command: "wg pubkey"
+  shell: "echo '{{ private_key }}' | wg pubkey" # noqa 306
-  args:
+  register: wg_public_key_result
    stdin: "{{ wireguard_private_key }}"
  register: wireguard__register_public_key
  changed_when: false
  check_mode: false
  no_log: '{{ ansible_verbosity < 3 }}'
  tags:
    - wg-config
 - name: Set public key fact
-  ansible.builtin.set_fact:
+  set_fact:
-    wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
+    public_key: "{{ wg_public_key_result.stdout }}"
  tags:
    - wg-config
 - name: Create WireGuard configuration directory
-  ansible.builtin.file:
+  file:
    dest: "{{ wireguard_remote_directory }}"
    state: directory
    mode: 0700
@ -155,28 +112,34 @@
    - wg-config
 - name: Generate WireGuard configuration file
-  ansible.builtin.template:
+  template:
-    src: etc/wireguard/wg.conf.j2
+    src: wg.conf.j2
    dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
-    owner: "{{ wireguard_conf_owner }}"
+    owner: root
-    group: "{{ wireguard_conf_group }}"
+    group: root
-    mode: "{{ wireguard_conf_mode }}"
+    mode: 0600
  no_log: '{{ ansible_verbosity < 3 }}'
  tags:
    - wg-config
  notify:
    - reconfigure wireguard
- name: Ensure legacy reload-module-on-update is absent
+- name: Check if reload-module-on-update is set
-  ansible.builtin.file:
+  stat:
    path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
  register: reload_module_on_update
  tags:
    - wg-config
 - name: Set WireGuard reload-module-on-update
  file:
    dest: "{{ wireguard_remote_directory }}/.reload-module-on-update"
-    state: absent
+    state: touch
  when: not reload_module_on_update.stat.exists
  tags:
    - wg-config
 - name: Start and enable WireGuard service
-  ansible.builtin.service:
+  service:
    name: "wg-quick@{{ wireguard_interface }}"
-    state: "{{ wireguard_service_state }}"
+    state: started
-    enabled: "{{ wireguard_service_enabled }}"
+    enabled: yes
  when: not ansible_os_family == 'Darwin'
--- a/tasks/setup-almalinux-8.yml
+++ b/tasks/setup-almalinux-8.yml
@ -1,23 +0,0 @@
 ---
 # Copyright (C) 2021-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (AlmaLinux 8) Install EPEL & ELRepo repository
  ansible.builtin.yum:
    name:
      - epel-release
      - elrepo-release
    update_cache: "{{ wireguard_update_cache }}"
 - name: (AlmaLinux 8) Ensure WireGuard DKMS package is removed
  ansible.builtin.yum:
    name:
      - "wireguard-dkms"
    state: absent
 - name: (AlmaLinux 8) Install WireGuard packages
  ansible.builtin.yum:
    name:
      - "kmod-wireguard"
      - "wireguard-tools"
    state: present
--- a/tasks/setup-almalinux.yml
+++ b/tasks/setup-almalinux.yml
@ -1,9 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (AlmaLinux) Install wireguard-tools package
  ansible.builtin.yum:
    name: wireguard-tools
    state: present
    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-archlinux.yml
+++ b/tasks/setup-archlinux.yml
@ -1,12 +1,32 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+- name: (Archlinux) Install wireguard-lts package
-# SPDX-License-Identifier: GPL-3.0-or-later
+  pacman:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
  with_items:
    - { name: wireguard-dkms, state: absent }
    - { name: wireguard-lts, state: present }
  become: yes
  tags:
    - wg-install
  when:
    - ansible_kernel is match(".*-lts$")
    - ansible_kernel is version('5.6', '<')
- name: (Archlinux) Refresh the master package lists
+- name: (Archlinux) Install wireguard-dkms package
-  community.general.pacman:
+  pacman:
-    update_cache: "{{ wireguard_update_cache }}"
+    name: wireguard-dkms
    state: present
  become: yes
  tags:
    - wg-install
  when:
    - not ansible_kernel is match(".*-lts$")
    - ansible_kernel is version('5.6', '<')
 - name: (Archlinux) Install wireguard-tools package
-  community.general.pacman:
+  pacman:
    name: wireguard-tools
    state: present
  tags:
    - wg-install
--- a/tasks/setup-centos-7.yml
+++ b/tasks/setup-centos-7.yml
@ -1,77 +0,0 @@
 ---
 # Copyright (C) 2020 Roman Danko
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (CentOS 7) Tasks for standard kernel
  when:
    - wireguard_centos7_installation_method == "standard"
  block:
    - name: (CentOS 7) Install EPEL & ELRepo repository
      ansible.builtin.yum:
        name:
          - epel-release
          - https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
        update_cache: "{{ wireguard_update_cache }}"
    - name: (CentOS 7) Install yum-plugin-elrepo
      ansible.builtin.yum:
        name: yum-plugin-elrepo
        update_cache: "{{ wireguard_update_cache }}"
    - name: (CentOS 7) Install WireGuard packages
      ansible.builtin.yum:
        name:
          - "kmod-wireguard"
          - "wireguard-tools"
        state: present
      register: wireguard__centos7_yum_updates
    - name: (CentOS 7) Reboot Instance to update kernel
      when:
        - wireguard_centos7_standard_reboot
        - wireguard__centos7_yum_updates.changed
      ansible.builtin.reboot:
        reboot_timeout: "{{ wireguard_centos7_standard_reboot_timeout }}"
 - name: (CentOS 7) Ensure WireGuard DKMS package is removed
  ansible.builtin.yum:
    name:
      - "wireguard-dkms"
    state: absent
 - name: (CentOS 7 - kernel-plus) Tasks for kernel-plus
  when:
    - wireguard_centos7_installation_method == "kernel-plus"
  block:
    - name: (CentOS 7) Install EPEL repository & yum utils
      ansible.builtin.yum:
        name:
          - epel-release
          - yum-utils
        update_cache: "{{ wireguard_update_cache }}"
    - name: (CentOS 7 - kernel-plus) Enable CentosPlus repo
      ansible.builtin.command: yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
      changed_when: false
    - name: (CentOS 7 - kernel-plus) Update to kernel-plus
      ansible.builtin.replace:
        path: /etc/sysconfig/kernel
        regexp: '^DEFAULTKERNEL=kernel$'
        replace: 'DEFAULTKERNEL=kernel-plus'
    - name: (CentOS 7 - kernel-plus) Install WireGuard packages
      ansible.builtin.yum:
        name:
          - "kernel-plus"
          - "wireguard-tools"
        state: present
      register: wireguard__centos7_yum_updates
    - name: (CentOS 7 - kernel-plus) Reboot Instance to update kernel
      when:
        - wireguard_centos7_kernel_plus_reboot
        - wireguard__centos7_yum_updates.changes is defined
        - wireguard__centos7_yum_updates.changes.installed|flatten|select('regex', '^kernel-plus$') is any
      ansible.builtin.reboot:
        reboot_timeout: "{{ wireguard_centos7_kernel_plus_reboot_timeout }}"
--- a/tasks/setup-centos.yml
+++ b/tasks/setup-centos.yml
@ -0,0 +1,19 @@
 ---
 - name: (CentOS) Add WireGuard repository
  get_url:
    url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
    dest: /etc/yum.repos.d/wireguard.repo
 - name: (CentOS) Install EPEL repository
  yum:
    name: epel-release
    update_cache: yes
 - name: (CentOS) Install wireguard packages
  yum:
    name:
      - "wireguard-dkms"
      - "wireguard-tools"
    state: present
  tags:
    - wg-install
--- a/tasks/setup-debian-pve-guest-variant.yml
+++ b/tasks/setup-debian-pve-guest-variant.yml
@ -1,16 +0,0 @@
 ---
 # Copyright (C) 2021 Tobias Richter
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Proxmox) Add WireGuard repository
  ansible.builtin.apt_repository:
    repo: "deb http://deb.debian.org/debian buster-backports main"
    state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"
    update_cache: "{{ wireguard_update_cache }}"
 - name: (Proxmox lxc) Install wireguard-tools.
  ansible.builtin.apt:
    install_recommends: false
    name:
      - wireguard-tools
    state: present
--- a/tasks/setup-debian-pve-host-variant.yml
+++ b/tasks/setup-debian-pve-host-variant.yml
@ -1,23 +0,0 @@
 ---
 # Copyright (C) 2018-2022 Robert Wimmer
 # Copyright (C) 2019-2020 Ties de Kock
 # Copyright (C) 2021 Steve Fan
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Proxmox) Add WireGuard repository
  ansible.builtin.apt_repository:
    repo: "deb http://deb.debian.org/debian buster-backports main"
    state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"
    update_cache: "{{ wireguard_update_cache }}"
 - name: (Proxmox) Install kernel headers for the currently running kernel to compile WireGuard with DKMS
  ansible.builtin.apt:
    name:
      - "pve-headers-{{ ansible_kernel }}"
    state: present
 - name: (Proxmox) Install WireGuard packages
  ansible.builtin.apt:
    name:
      - "wireguard"
    state: present
--- a/tasks/setup-debian-raspbian-buster.yml
+++ b/tasks/setup-debian-raspbian-buster.yml
@ -1,87 +0,0 @@
 ---
 # Copyright (C) 2020 Stefan Haun
 # SPDX-License-Identifier: GPL-3.0-or-later
 # Note: This setup is called for Raspbian 10 (Buster) and lower.
 #       Since Raspbian 11 (Bullseye) wireguard is supported out
 #       of the box.
 #       Any Raspbian-related changes for Bullseye and above need to
 #       go to a separate playbook.
 - name: (Raspbian) Install GPG - required to add WireGuard key
  ansible.builtin.apt:
    name: gnupg
    state: present
 - name: (Raspbian) Add Debian repository keys
  ansible.builtin.apt_key:
    keyserver: "keyserver.ubuntu.com"
    id: "{{ item }}"
    state: present
  when: ansible_lsb.id == "Raspbian"
  with_items:
    - "04EE7237B7D453EC"
    - "648ACFD622F3D138"
 - name: (Raspbian) Add Debian Buster Backports repository for WireGuard
  ansible.builtin.apt_repository:
    repo: "deb http://deb.debian.org/debian buster-backports main"
    state: present
    update_cache: "{{ wireguard_update_cache }}"
 - name: (Raspbian) Install latest kernel
  ansible.builtin.apt:
    name:
      - "raspberrypi-kernel"
    state: latest  # noqa package-latest
  register: wireguard__register_kernel_update
 - name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
  ansible.builtin.reboot:
    search_paths: ['/lib/molly-guard', '/usr/sbin', '/sbin']
  when:
    - ansible_version.full is version('2.8.0', '>=')
    - wireguard__register_kernel_update is changed
 - name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
  ansible.builtin.stat:
    path: /lib/molly-guard/
  register: wireguard__register_molly_guard
 - name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
  ansible.builtin.reboot:
  when:
    - ansible_version.full is version('2.8.0', '<')
    - wireguard__register_kernel_update is changed
    - not wireguard__register_molly_guard.stat.exists
 - name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
  ansible.builtin.command: /lib/molly-guard/shutdown -r now
  async: 1
  poll: 0
  ignore_unreachable: true
  changed_when: false
  when:
    - ansible_version.full is version('2.8.0', '<')
    - wireguard__register_kernel_update is changed
    - wireguard__register_molly_guard.stat.exists
 - name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
  ansible.builtin.wait_for_connection:
  when:
    - ansible_version.full is version('2.8.0', '<')
    - wireguard__register_kernel_update is changed
    - wireguard__register_molly_guard.stat.exists
 - name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
  ansible.builtin.apt:
    name:
      - "raspberrypi-kernel-headers"
    state: latest  # noqa package-latest
 - name: (Raspbian) Install WireGuard packages
  ansible.builtin.apt:
    name:
      - "wireguard-dkms"
      - "wireguard-tools"
    state: present
--- a/tasks/setup-debian-raspbian.yml
+++ b/tasks/setup-debian-raspbian.yml
@ -0,0 +1,93 @@
 ---
 - name: (Raspbian) Install GPG - required to add wireguard key
  apt:
    name: gnupg
    state: present
 - name: (Raspbian) Add Debian repository key
  apt_key:
    keyserver: "keyserver.ubuntu.com"
    id: "04EE7237B7D453EC"
    state: present
  when: ansible_lsb.id == "Raspbian"
  tags:
    - wg-install
 - name: (Raspbian) Add Debian Unstable repository for WireGuard
  apt_repository:
    repo: "deb http://deb.debian.org/debian unstable main"
    state: present
    update_cache: yes
  tags:
    - wg-install
 - name: (Raspbian) Install latest kernel
  apt:
    name:
    - "raspberrypi-kernel"
    state: latest
  register: kernel_update
  tags:
    - wg-install
 - name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
  reboot:
    search_paths: ['/lib/molly-guard', '/usr/sbin']
  when:
    - ansible_version.full is version('2.8.0', '>=')
    - kernel_update is changed
  tags:
    - wg-install
 - name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
  stat:
    path: /lib/molly-guard/
  register: molly_guard
 - name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
  reboot:
  when:
    - ansible_version.full is version('2.8.0', '<')
    - kernel_update is changed
    - not molly_guard.stat.exists
  tags:
    - wg-install
 - name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
  command: /lib/molly-guard/shutdown -r now
  async: 1
  poll: 0
  ignore_unreachable: yes
  when:
    - ansible_version.full is version('2.8.0', '<')
    - kernel_update is changed
    - molly_guard.stat.exists
  tags:
    - wg-install
 - name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
  wait_for_connection:
  when:
    - ansible_version.full is version('2.8.0', '<')
    - kernel_update is changed
    - molly_guard.stat.exists
  tags:
    - wg-install
 - name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
  apt:
    name:
    - "raspberrypi-kernel-headers"
    state: latest
  tags:
    - wg-install
 - name: (Raspbian) Install wireguard packages
  apt:
    name:
      - "wireguard-dkms"
      - "wireguard-tools"
    state: present
  tags:
    - wg-install
--- a/tasks/setup-debian-vanilla.yml
+++ b/tasks/setup-debian-vanilla.yml
@ -1,11 +1,37 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+- name: (Debian) Install GPG - required to add wireguard key
-# Copyright (C) 2019-2020 Ties de Kock
+  apt:
-# SPDX-License-Identifier: GPL-3.0-or-later
+    name: gnupg
    state: present
 - name: (Debian) Add WireGuard repository on buster or earlier
  apt_repository:
    repo: "deb http://deb.debian.org/debian buster-backports main"
    state: present
    update_cache: yes
  when: ansible_distribution_version | int <= 10
  tags:
    - wg-install
 - name: (Debian) Get architecture
  command: "dpkg --print-architecture"
  register: dpkg_arch
  changed_when: False
 - set_fact:
    kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"
 - name: (Debian) Install kernel headers to compile Wireguard with DKMS
  apt:
    name:
      - "linux-headers-{{ kernel_header_version }}"
    state: present
- name: (Debian) Install WireGuard packages
+- name: (Debian) Install wireguard packages
-  ansible.builtin.apt:
+  apt:
    name:
-      - "wireguard"
+      - "wireguard-dkms"
      - "wireguard-tools"
    state: present
-    update_cache: "{{ wireguard_update_cache }}"
+  tags:
    - wg-install
--- a/tasks/setup-debian.yml
+++ b/tasks/setup-debian.yml
@ -1,51 +1,8 @@
 ---
 # Copyright (C) 2020 Stefan Haun
 # Copyright (C) 2021 Steve Fan
 # SPDX-License-Identifier: GPL-3.0-or-later
- name: Setup for Raspbian
+- include_tasks: "setup-debian-raspbian.yml"
-  ansible.builtin.include_tasks:
+  when: ansible_lsb.id == "Raspbian"
-    file: "setup-debian-raspbian-buster.yml"
+  register: raspbian_setup
    apply:
      tags:
        - wg-install
  when:
    - ansible_lsb.id is defined
    - ansible_lsb.id == "Raspbian"
    - ansible_lsb.major_release is version('11', '<')
  register: wireguard__register_raspbian_setup
- name: Setup for Proxmox VE variants
+- include_tasks: "setup-debian-vanilla.yml"
-  when:
+  when: raspbian_setup is skipped
    - ansible_kernel.find("pve") != -1
  block:
    - name: Setup Proxmox VE host
      ansible.builtin.include_tasks:
        file: "setup-debian-pve-host-variant.yml"
        apply:
          tags:
            - wg-install
      when:
        - ansible_virtualization_role == "host"
      register: wireguard__register_pve_host_variant_setup
    - name: Setup Proxmox VE guest
      ansible.builtin.include_tasks:
        file: "setup-debian-pve-guest-variant.yml"
        apply:
          tags:
            - wg-install
      when:
        - ansible_virtualization_role == "guest"
      register: wireguard__register_pve_guest_variant_setup
 - name: Setup for Debian
  ansible.builtin.include_tasks:
    file: "setup-debian-vanilla.yml"
    apply:
      tags:
        - wg-install
  when:
    - wireguard__register_raspbian_setup is skipped
    - wireguard__register_pve_guest_variant_setup is skipped
    - wireguard__register_pve_host_variant_setup is skipped
--- a/tasks/setup-elementary
+++ b/tasks/setup-elementary
@ -1,13 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (elementary OS) Update APT package cache
  ansible.builtin.apt:
    update_cache: "{{ wireguard_ubuntu_update_cache }}"
    cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
 - name: (elementary OS) Install wireguard package
  ansible.builtin.apt:
    name: "wireguard"
    state: present
--- a/tasks/setup-fedora.yml
+++ b/tasks/setup-fedora.yml
@ -1,11 +1,17 @@
 ---
-# Copyright (C) 2020 Ties de Kock
+- name: (Fedora) Add wireguard COPR
-# Copyright (C) 2023 Robert Wimmer
+  yum_repository:
-# SPDX-License-Identifier: GPL-3.0-or-later
+    name: "jdoss-wireguard"
    description: "Copr repo for wireguard owned by jdoss"
    baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/"
    gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
    gpgcheck: yes
- name: (Fedora) Install WireGuard packages
+- name: (Fedora) Install wireguard packages
-  ansible.builtin.yum:
+  yum:
    name:
      - "wireguard-dkms"
      - "wireguard-tools"
    state: present
-    update_cache: "{{ wireguard_update_cache }}"
+  tags:
    - wg-install
--- a/tasks/setup-macosx.yml
+++ b/tasks/setup-macosx.yml
@ -1,14 +0,0 @@
 ---
 # Copyright (C) 2020 Ruben Di Battista
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (MacOS) Install wireguard package
  ansible.builtin.package:
    name: wireguard-go
    state: present
  become: true
 - name: (MacOS) Install wireguard-tools package
  ansible.builtin.package:
    name: wireguard-tools
    state: present
--- a/tasks/setup-opensuse
+++ b/tasks/setup-opensuse
@ -1,10 +0,0 @@
 ---
 # Copyright (C) 2020-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (openSUSE Leap) Install WireGuard packages
  community.general.zypper:
    name:
      - "wireguard-tools"
    state: present
    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-oraclelinux.yml
+++ b/tasks/setup-oraclelinux.yml
@ -1,8 +0,0 @@
 ---
 # Copyright (C) 2022 Masahiro Koga
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (OracleLinux) Install wireguard-tools package
  ansible.builtin.yum:
    name: wireguard-tools
    state: present
--- a/tasks/setup-rocky-8.yml
+++ b/tasks/setup-rocky-8.yml
@ -1,56 +0,0 @@
 ---
 # Copyright (C) 2021-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Rocky Linux 8) Tasks for standard kernel
  when:
    - wireguard_rockylinux8_installation_method == "standard"
  block:
    - name: (Rocky Linux 8) Install EPEL & ELRepo repository
      ansible.builtin.yum:
        name:
          - epel-release
          - elrepo-release
        update_cache: "{{ wireguard_update_cache }}"
    - name: (Rocky Linux 8) Ensure WireGuard DKMS package is removed
      ansible.builtin.yum:
        name:
          - "wireguard-dkms"
        state: absent
    - name: (Rocky Linux 8) Install WireGuard packages
      ansible.builtin.yum:
        name:
          - "kmod-wireguard"
          - "wireguard-tools"
        state: present
 - name: (Rocky Linux 8) Tasks for non-standard kernel
  when:
    - wireguard_rockylinux8_installation_method == "dkms"
  block:
    - name: (Rocky Linux 8) Install jdoss/wireguard COPR repository
      community.general.copr:
        state: enabled
        name: jdoss/wireguard
        chroot: epel-8-{{ ansible_architecture }}
    - name: (Rocky Linux 8) Install EPEL repository
      ansible.builtin.yum:
        name:
          - epel-release
        update_cache: "{{ wireguard_update_cache }}"
    - name: (Rocky Linux 8) Ensure WireGuard KMOD package is removed
      ansible.builtin.yum:
        name:
          - "kmod-wireguard"
        state: absent
    - name: (Rocky Linux 8) Install WireGuard packages
      ansible.builtin.yum:
        name:
          - "wireguard-dkms"
          - "wireguard-tools"
        state: present
--- a/tasks/setup-rocky.yml
+++ b/tasks/setup-rocky.yml
@ -1,9 +0,0 @@
 ---
 # Copyright (C) 2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Rocky Linux) Install wireguard-tools package
  ansible.builtin.yum:
    name: wireguard-tools
    state: present
    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-ubuntu.yml
+++ b/tasks/setup-ubuntu.yml
@ -1,32 +1,48 @@
 ---
 # Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Ubuntu) Update APT package cache
-  ansible.builtin.apt:
+  apt:
    update_cache: "{{ wireguard_ubuntu_update_cache }}"
    cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
  tags:
    - wg-install
 - block:
  - name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
    package:
      name: "{{ packages }}"
      state: present
    vars:
      packages:
      - software-properties-common
      - linux-headers-{{ ansible_kernel }}
    tags:
      - wg-install
  - name: (Ubuntu) Add WireGuard repository (for Ubuntu < 19.10)
    apt_repository:
      repo: "ppa:wireguard/wireguard"
      state: present
      update_cache: yes
    tags:
      - wg-install
- name: (Ubuntu) Tasks for Ubuntu < 19.10
+  - name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10)
    apt:
      name:
        - "wireguard-dkms"
        - "wireguard-tools"
      state: present
    tags:
      - wg-install
  when:
    - ansible_lsb.major_release is version('19.10', '<')
  block:
    - name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
      ansible.builtin.package:
        name: "{{ packages }}"
        state: present
      vars:
        packages:
          - software-properties-common
          - linux-headers-{{ ansible_kernel }}
- name: (Ubuntu) Ensure WireGuard DKMS package is removed
+- block:
-  ansible.builtin.apt:
+  - name: (Ubuntu) Install wireguard-tools package (for Ubuntu > 19.04)
-    name:
+    apt:
-      - "wireguard-dkms"
+      name: "wireguard-tools"
-    state: absent
+      state: present
-
+    tags:
- name: (Ubuntu) Install wireguard package
+      - wg-install
-  ansible.builtin.apt:
+  when:
-    name: "wireguard"
+    - ansible_lsb.major_release is version('19.04', '>')
    state: present
--- a/templates/etc/wireguard/wg.conf.j2
+++ b/templates/etc/wireguard/wg.conf.j2
@ -1,123 +0,0 @@
 #jinja2: lstrip_blocks:"True",trim_blocks:"True"
 {# Copyright (C) 2018-2022 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 #}
 # {{ ansible_managed }}
 [Interface]
 # {{ inventory_hostname }}
 {% if wireguard_address is defined %}
 Address = {{ wireguard_address }}
 {% endif %}
 {% if wireguard_addresses is defined %}
 {%  for wg_addr in wireguard_addresses %}
 Address = {{ wg_addr }}
 {%  endfor %}
 {% endif %}
 PrivateKey = {{ wireguard_private_key }}
 ListenPort = {{ wireguard_port }}
 {% if wireguard_dns is defined %}
 DNS = {{ wireguard_dns }}
 {% endif %}
 {% if wireguard_fwmark is defined %}
 FwMark = {{ wireguard_fwmark }}
 {% endif %}
 {% if wireguard_mtu is defined %}
 MTU = {{ wireguard_mtu }}
 {% endif %}
 {% if wireguard_table is defined %}
 Table = {{ wireguard_table }}
 {% endif %}
 {% if wireguard_preup is defined %}
 {% for wg_preup in wireguard_preup %}
 PreUp = {{ wg_preup }}
 {% endfor %}
 {% endif %}
 {% if wireguard_postup is defined %}
 {% for wg_postup in wireguard_postup %}
 PostUp = {{ wg_postup }}
 {% endfor %}
 {% endif %}
 {% if wireguard_predown is defined %}
 {% for wg_predown in wireguard_predown %}
 PreDown = {{ wg_predown }}
 {% endfor %}
 {% endif %}
 {% if wireguard_postdown is defined %}
 {% for wg_postdown in wireguard_postdown %}
 PostDown = {{ wg_postdown }}
 {% endfor %}
 {% endif %}
 {% if wireguard_save_config is defined %}
 SaveConfig = {{ wireguard_save_config }}
 {% endif %}
 {% for host in ansible_play_hosts %}
 {%   if host != inventory_hostname %}
 [Peer]
 # {{ host }}
 PublicKey = {{hostvars[host].wireguard__fact_public_key}}
 {%     if hostvars[host].wireguard_allowed_ips is defined %}
 AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
 {%     else %}
 {%      if wireguard_address is defined %}
 AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32
 {%      endif %}
 {%      if wireguard_addresses is defined %}
 {%      for wg_addr in hostvars[host].wireguard_addresses %}
 {%        if (wg_addr | ansible.utils.ipv4) %}
 AllowedIPs = {{ wg_addr.split('/')[0] }}/32
 {%        elif (wg_addr | ansible.utils.ipv6) %}
 AllowedIPs = {{ wg_addr.split('/')[0] }}/128
 {%        endif %}
 {%      endfor %}
 {%      endif %}
 {%     endif %}
 {%     if hostvars[host].wireguard_persistent_keepalive is defined %}
 PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
 {%     endif %}
 {%     if (
         hostvars[host].wireguard_dc is defined and
         wireguard_dc is defined and
         wireguard_dc['name'] != hostvars[host].wireguard_dc['name']
       )
 %}
 Endpoint = {{hostvars[host].wireguard_dc['endpoint']}}:{{hostvars[host].wireguard_dc['port']}}
 {%     elif hostvars[host].wireguard_port is defined %}
 {%       if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
 Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
 {%       else %}
 Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
 {%       endif %}
 {%     elif hostvars[host].wireguard_endpoint is defined %}
 {%       if hostvars[host].wireguard_endpoint != "" %}
 Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
 {%       else %}
 # No endpoint defined for this peer
 {%       endif %}
 {%     else %}
 Endpoint = {{host}}:{{wireguard_port}}
 {%     endif %}
 {%   endif %}
 {% endfor %}
 {% if wireguard_unmanaged_peers is defined %}
 # Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
 {% for peer in wireguard_unmanaged_peers.keys() %}
 [Peer]
 # {{ peer }}
 PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
 {%     if wireguard_unmanaged_peers[peer].preshared_key is defined %}
 PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
 {%     endif %}
 {%     if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
 AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
 {%     endif %}
 {%     if wireguard_unmanaged_peers[peer].endpoint is defined %}
 Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
 {%     endif %}
 {%     if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
 PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
 {%     endif %}
 {%   endfor %}
 {% endif %}
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@ -0,0 +1,70 @@
 #jinja2: lstrip_blocks:"True",trim_blocks:"True"
 [Interface]
 # {{ inventory_hostname }}
 Address = {{hostvars[inventory_hostname].wireguard_address}}
 PrivateKey = {{private_key}}
 ListenPort = {{wireguard_port}}
 {% if hostvars[inventory_hostname].wireguard_dns is defined %}
 DNS = {{hostvars[inventory_hostname].wireguard_dns}}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_fwmark is defined %}
 FwMark = {{hostvars[inventory_hostname].wireguard_fwmark}}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_mtu is defined %}
 MTU = {{hostvars[inventory_hostname].wireguard_mtu}}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_table is defined %}
 Table = {{hostvars[inventory_hostname].wireguard_table}}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_preup is defined %}
 {% for wg_preup in hostvars[inventory_hostname].wireguard_preup %}
 PreUp = {{ wg_preup }}
 {% endfor %}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_predown is defined %}
 {% for wg_predown in hostvars[inventory_hostname].wireguard_predown %}
 PreDown = {{ wg_predown }}
 {% endfor %}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_postup is defined %}
 {% for wg_postup in hostvars[inventory_hostname].wireguard_postup %}
 PostUp = {{ wg_postup }}
 {% endfor %}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_postdown is defined %}
 {% for wg_postdown in hostvars[inventory_hostname].wireguard_postdown %}
 PostDown = {{ wg_postdown }}
 {% endfor %}
 {% endif %}
 {% if hostvars[inventory_hostname].wireguard_save_config is defined %}
 SaveConfig = true
 {% endif %}
 {% for host in ansible_play_hosts %}
  {% if host != inventory_hostname %}
    [Peer]
    # {{ host }}
    PublicKey = {{hostvars[host].public_key}}
    {% if hostvars[host].wireguard_allowed_ips is defined %}
    AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
    {% else %}
    AllowedIPs = {{hostvars[host].wireguard_ip}}/32
    {% endif %}
    {% if hostvars[host].wireguard_persistent_keepalive is defined %}
    PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
    {% endif %}
    {% if hostvars[host].wireguard_port is defined and hostvars[host].wireguard_port is number %}
      {% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
    Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
      {% else %}
    Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
      {% endif %}
    {% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
    Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
    {% elif hostvars[host].wireguard_endpoint == "" %}
    # No endpoint defined for this peer
    {% else %}
    Endpoint = {{host}}:{{wireguard_port}}
    {% endif %}
  {% endif %}
 {% endfor %}
--- a/vars/mobile01.yml
+++ b/vars/mobile01.yml
@ -0,0 +1,4 @@
 wireguard_address: "10.8.0.11"
 wireguard_port: "51820"
 wireguard_dns: "1.1.1.1"
 wireguard_mtu: "1492"
--- a/vars/tablet01.yml
+++ b/vars/tablet01.yml
@ -0,0 +1,4 @@
 wireguard_address: "10.8.0.10"
 wireguard_port: "51820"
 wireguard_dns: "1.1.1.1"
 wireguard_mtu: "1492"
Author	SHA1	Message	Date
githubixx	818b55051e	remove wg-unmanaged.conf.j2	4 years ago
githubixx	9fdcbd9ac7	skeleton for unmanged hosts	4 years ago