update CHANGELOG for Oracle Linux 9 (#187 )

Support Oracle Linux 9 (#185 )
* add support for Oracle Linux 9 * add Oracle Linux 9 to README.md
40 changed files with 2620 additions and 529 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,39 @@
+---
+# This workflow requires a GALAXY_API_KEY secret present in the GitHub
+# repository or organization.
+#
+# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
+# See: https://github.com/ansible/galaxy/issues/46
+
+name: Release
+on:
+  push:
+    tags:
+      - '*'
+
+defaults:
+  run:
+    working-directory: 'githubixx.ansible_role_wireguard'
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+        with:
+          path: 'githubixx.ansible_role_wireguard'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install Ansible.
+        run: pip3 install ansible-core
+
+      - name: Trigger a new import on Galaxy.
+        run: >-
+          ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }}
+          $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,4 @@
+# Copyright (C) 2018-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+molecule/kvm/.vagrant
--- a/.reuse/dep5
+++ b/.reuse/dep5
@ -0,0 +1,10 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: ansible-role-wireguard
+Upstream-Contact: Robert Wimmer <>
+Source: https://github.com/githubixx/ansible-role-wireguard
+
+# Sample paragraph, commented out:
+#
+# Files: src/*
+# Copyright: $YEAR $NAME <$CONTACT>
+# License: ...
--- a/.yamllint
+++ b/.yamllint
@ -0,0 +1,9 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 150
+    level: warning
+
+  comments-indentation: disable
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,25 +1,209 @@
-Changelog
---------
+<!--
+Copyright (C) 2018-2023 Robert Wimmer
+SPDX-License-Identifier: GPL-3.0-or-later
+-->

-**6.3.1**
+# Changelog
+
+## 14.0.0
+
+- **BREAKING** CentOS7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very first time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed.
+- CentOS7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee)
+- **BREAKING** Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question.
+- variable `wireguard_ubuntu_update_cache` is deprecated
+- add support for Oracle Linux 9 (contribution by @cola-zero)
+
+## 13.0.1
+
+- [fix](https://github.com/githubixx/ansible-role-wireguard/pull/182) in README
+
+## 13.0.0
+
+- add IPv6 support (contribution by @DiscowZombie)
+- introduce `wireguard_addresses` variable (contribution by @DiscowZombie)
+
+## 12.0.0
+
+- remove Fedora 35 support (reached EOL)
+- remove openSUSE 15.3 support (reached EOL)
+- remove Debian 10 (Buster) support (reached EOL)
+- fix Molecule prepare for Archlinux
+- fix `ansible-lint` issue in `tasks/setup-debian-raspbian-buster.yml`
+
+## 11.1.0
+
+- add support for elementary OS 6
+- ignore some minor linter warnings
+
+## 11.0.0
+
+- add support for Rocky Linux 9 (original PR from @vincentDcmps: https://github.com/githubixx/ansible-role-wireguard/pull/163)
+- add support for AlmaLinux 9 (original PR from @trunet: https://github.com/githubixx/ansible-role-wireguard/pull/164)
+- add `EL9` to `meta/main.yml`
+- require Ansible >= `2.11` as Rocky Linux is only supported with this version or above
+- `ansible-lint`: use `community.general.pacman` module instead of `ansible.builtin.pacman` for Archlinux setup
+
+## 10.0.0
+
+- remove Fedora 34 + add Fedora 36 to Molecule test
+- remove support for Fedora 35 / add support for Fedora 36
+- add Molecule setup for openSUSE 15.4
+- add Github release action to push new release to Ansible Galaxy
+- add `.yamllint`
+- `tasks/main.yml`: names should start with an uppercase letter
+- `handlers/main.yml`: names should start with an uppercase letter
+- improve the task key order to: name, when, tags, block
+- fix Jinja2 spacing
+
+## 9.3.0
+
+- add support for Ubuntu 22.04 (Jammy Jellyfish)
+
+## 9.2.0
+
+- add `wireguard_interface_restart` variable. This allows the user to decide if the WireGuard interface should be restarted or not in case of changes to the interface. The default is (and was) to use `wg syncconf` which applies the changes to the interface without the need to restart the interface. Restarting the interface was only done if `wg`'s `syncconf` command wasn't available. But that's basically only true for very old (and outdated) WireGuard tools. For more information on this have a look at the README (initial [PR](https://github.com/githubixx/ansible-role-wireguard/pull/152) by @lmm-git)
+- on Debian `lsb-release` is no longer needed (contribution by @blackandred)
+- WireGuard is directly supported by `Raspbian 11` (Bullseye) and higher. So `Raspbian 11` and `Raspbian 10 (Buster)` (and lower) needs to be handled a little bit differently. (contribution by @penguineer)
+- implement a very basic Molecule unit test
+
+## 9.1.0
+
+- For `Rocky Linux 8` only: Added variable `wireguard_rockylinux8_installation_method`. Set `wireguard_rockylinux8_installation_method` to `dkms` to build WireGuard module from source, with wireguard-dkms. This is required if you use a custom kernel and/or your arch is not `x86_64`. The default of `standard` will install the kernel module with kmod-wireguard from ELRepo (contribution by @gitouche-sur-osm)
+
+## 9.0.1
+
+- FIX: The template rendering the WireGuard configuration only checked if `wireguard_save_config` was set and if so sets `SaveConfig = true`. So setting `wireguard_save_config: "false"` had no effect.
+
+## 9.0.0
+
+- set minimally required Ansible version to `2.9` (contribution by @8ware)
+- fully qualify modules names (requires Ansible >= 2.9) (contribution by @8ware)
+- rearrange hooks to match lifecycle order (contribution by @8ware)
+- remove `CentOS 8` support (reached end of life) - use AlmaLinux or Rocky Linux instead
+- remove `Fedora 33` support (reached end of life)
+- remove `openSUSE Leap 15.2` support (reached end of life)
+- add `openSUSE 15.3` support
+- add `Fedora 35` support
+- remove Proxmox from Molecule test (Vagrant boxes for Proxmox are not useable)
+- Remove unnecessary check if value is an integer on `wireguard_port` (see [#112](https://github.com/githubixx/ansible-role-wireguard/pull/112) (contribution by @abelfodil)
+
+## 8.4.0
+
+- add support for installing wireguard in pve lxc guest (contribution by @tobias-richter)
+
+## 8.3.0
+
+- add Molecule test for CentOS 7 `kernel-plus`
+
+## 8.2.0
+
+- add support for `kernel-plus` for CentOS 7 (contribution by @john-p-potter)
+
+## 8.1.0
+
+- add Rocky Linux support
+- add AlmaLinux support
+- add Molecule tests for Rocky Linux and AlmaLinux
+
+## 8.0.0
+
+- add `Debian 11 (Bullseye)` support
+- add 'Fedora 34` support
+- remove `Fedora 32` support (EOL was in May 2021)
+- fix various issues reported by `ansible-lint`
+- Archlinux: As `linux-lts` is using kernel `5.10` now there is no need to install `wireguard-lts` + WireGuard DKMS packages any longer (and this packages are gone anyway)
+
+## 7.12.0
+
+- Refactor `wg-install` tag handling. For more details see [Fix tag "wg-install" & Add no_log](https://github.com/githubixx/ansible-role-wireguard/pull/110) and [Tag wg-install is not applied properly](Tag wg-install is not applied properly) (contribution by @moonrail)
+- Default verbosity of 0 or slight increases up to 2 will now not print any private keys to output (contribution by @moonrail)
+
+## 7.11.0
+
+- Introduce new variables `wireguard_service_enabled` and `wireguard_service_state` (contribution by @tjend)
+
+## 7.10.0
+
+- Support for Proxmox
+- Check if `wireguard_endpoint` exists before checking if it is empty
+
+## 7.9.0
+
+- Added support for `Fedora 33` (contribution by @wzzrd)
+- Removed support for `Fedora 31` (reached end of life)
+
+## 7.8.0
+
+- Added support for `openSUSE Leap 15.2`
+
+## 7.7.0
+
+- Use wireguard packages from Debian Backports instead of Debian Sid, these packages are more suitable for a stable distribution and have less impact on the system. Packages from unstable must be removed manually (including kernel) to make the switch on an existing system. Upgrading the role has no effect other than adding Debian Backports to the Apt repositories.
+- Fix reboot mechanism in Raspbian role, now also works without `molly-guard`
+
+## 7.6.0
+
+- Added `wireguard_private_key` variable (contribution by @j8r)
+- Fix check mode for Debian (contribution by @j8r)
+
+## 7.5.0
+
+- `wireguard` package is now available for Ubuntu 18.04 in universe repository. Before that `ppa:wireguard/wireguard` was used but that one isn't available anymore. The install procedure for Ubuntu 18.04 and 20.04 is now the same as both can use `wireguard` metapackage now. The role takes care to remove `wireguard-dkms` package in favour of `wireguard` metapackage but it leaves the configuration file for `ppa:wireguard/wireguard` repository untouched. So it's up to you to remove that PPA. Either use `apt-add-repository --remove ppa:wireguard/wireguard` or remove the file manually at `/etc/apt/sources.list.d/` directory (you man need to run `apt-get update` afterwards).
+
+## 7.4.0
+
+- Added initial molecule infrastructure
+- Remove useless block for single task in `setup-debian-vanilla.yml` (contribution by @rubendibattista)
+
+## 7.3.1
+
+- Debian only: Ensure the headers for the currently running kernel are installed instead of the latest one which might not be running yet. This allows DKMS to build the module for the current kernel version and avoids the need for an reboot to load the module. (contribution by @ldelelis and @ypid)
+
+## 7.3.0
+
+- Fix spelling and typos in docs. (contribution by @ypid)
+- Drop Debian Stretch from the list of tested Linux distributions. Actual support was dropped/broken in 6.0.4 without updating the docs. (contribution by @ypid)
+- Remove obsolete `.reload-module-on-update` file. It does not serve any function anymore after support for module reloading has been removed from the postinst script in 0.0.20200215-2 on 2020-02-24. A module update is properly signaled via /run/reboot-required so that the admin can (automatically) schedule a reboot when convenient. This will also be more in line with future Debian releases because starting with Debian bullseye, the kernel ships the module. (contribution by @ypid)
+
+- Add `ansible_managed` header to WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`). (contribution by @ypid)
+- Behind the scenes coding style improvements and cleanup without user impact. (contribution by @ypid)
+
+## 7.2.0
+
+- Basic MacOS X support (contribution by @rubendibattista)
+- Introduce variables `wireguard_conf_owner`, `wireguard_conf_group` and `wireguard_conf_mode` (contribution by @rubendibattista)
+- Fixed a typo bug in `handlers/main.yml` (contribution by @gabriel-v). But it looks like this had no impact on the "sync/restart" functionality.
+- Proper formatting of WireGuard configuration file (`wg0.conf` by default). This will most probably change the WireGuard configuration file but only the formatting. But since the Ansible registers this file as changed Ansible will sync/restart WireGuard service. For newer WireGuard versions (since Nov. 2019) this isn't a problem normally as `wg syncconf` command is used (also see `handlers/main.yml`).
+- Introduce `wireguard_dc` variable. This is an alpha feature and subject to change and may be even removed in future releases again. Therefore no documentation for this variable yet.
+
+## 7.1.0
+
+- Add support for unmanaged peers with `wireguard_unmanaged_peers` (contribution by @joneskoo)
+
+## 7.0.0
+
+- Switched to install from ELRepo KMOD package for CentOS (see [WireGuard installation](https://www.wireguard.com/install/)). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik)
+- Role removes DKMS WireGuard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by removing `/etc/yum.repos.d/wireguard.repo`
+
+## 6.3.1

 - Support Openstack Debian images (contribution by @pallinger)

-**6.3.0**
+## 6.3.0

 - Support Raspbian (contribution by @penguineer)

-**6.2.0**
+## 6.2.0

 - Support Ubuntu 20.04 (Focal Fossa)
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before.
+- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specify individual Ubuntu package cache settings. Default values are the same as before.
 - As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases.

-**6.1.0**
+## 6.1.0

 - Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package.

-**6.0.4**
+## 6.0.4

 - Use the buster-backports repository on Debian Buster (or older), use package standard repositories on sid/bullseye.
  standard repositories on sid/bullseye.
@ -29,95 +213,94 @@ Changelog
  If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) updates from `unstable` are accepted by apt. This likely is not what you want and may lead to an unstable state.

  If you want to clean up:
-    * remove `/etc/apt/preferences.d/limit-unstable` and
-    * remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.
+  - remove `/etc/apt/preferences.d/limit-unstable` and
+  - remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`.

  The backports repository has a lower priority and does not need an apt preference.

-**6.0.3**
+## 6.0.3

 - If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru)

-**6.0.2**
+## 6.0.2

 - Debian: install `gnupg` package instead of `gpg`. (contribution by @zinefer)

-**6.0.1**
+## 6.0.1

 - add shell options to syncconf handler to fail fast in case of error

-**6.0.0**
+## 6.0.0

 - Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.

-**5.0.0**
+## 5.0.0

 - `wireguard_(preup|postdown|preup|predown)` settings are now a list. If more `iptables` commands needs to be specified e.g. then this changes makes it more readable. The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8). Also see README for more examples. (contribution by @Madic-)

-**4.2.0**
+## 4.2.0

 - Add support for Fedora (contribution by @ties)

-
-**4.1.1**
+## 4.1.1

 - Install GPG to be able to import WireGuard key (Debian)

-**4.1.0**
+## 4.1.0

- Allow to specifiy additional Wireguard interface options: `fwmark`, `mtu`, `table`, `preup` and `predown` (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8))
+- Allow to specify additional Wireguard interface options: `fwmark`, `mtu`, `table`, `preup` and `predown` (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8))
 - Add host comments in Wireguard config file

-**4.0.0**
+## 4.0.0

 - While the changes introduced are backwards compatible in general if you stay with your current settings some variables are no longer needed. So this is partly a breaking change and therefore justifies a new major version.
 - Support multiple Wireguard interfaces. See README for examples (contribution by fbourqui)
 - Make role stateless: In the previous versions the private and public keys of the Wireguard hosts were stored locally in the directory defined with the `wireguard_cert_directory` variable. This is no longer the case. The variables `wireguard_cert_directory`, `wireguard_cert_owner` and `wireguard_cert_group` are no longer needed and were removed. If you used this role before this release it's safe to remove them from your settings. The directory that was defined with the `wireguard_cert_directory` variable will be kept. While not tested it may enable you to go back to an older version of this role and it should still work (contribution by fbourqui)
 - Reminder: `wireguard_cert_directory` default was `~/wireguard/certs`. Public and Private keys where stored on the host running ansible playbook. As a security best practice private keys of all your WireGuard endpoints should not be kept locally.

-**3.2.2**
+## 3.2.2

- remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR)
+- remove unneeded `with_inventory_hostnames` loops (thanks to @pierreozoux for initial PR)

-**3.2.1**
+## 3.2.1

- remove unecessary files (contribution by pierreozoux)
+- remove unnecessary files (contribution by @pierreozoux)

-**3.2.0**
+## 3.2.0

- add support for RHEL/CentOS (contribution by ahanselka)
+- add support for RHEL/CentOS (contribution by @ahanselka)

-**3.1.0**
+## 3.1.0

- pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka)
+- pass package list directly to some modules by using the new and preferred syntax instead `loop` or `with_items` (contribution by @ahanselka)

-**3.0.1**
+## 3.0.1

 - fix address in README

-**3.0.0**
+## 3.0.0

- support for Debian added (contribution by ties)
+- support for Debian added (contribution by @ties)

-**2.0.1**
+## 2.0.1

 - make Ansible linter happy

-**2.0.0**
+## 2.0.0

- use correct semantic versioning as described in https://semver.org. Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
+- use correct semantic versioning as described in [Semantic versioning](https://semver.org). Needed for Ansible Galaxy importer as it now insists on using semantic versioning.
 - moved changelog entries to separate file
 - make Ansible linter happy
 - no major changes but decided to start a new major release as versioning scheme changed quite heavily

-**v1.0.2**
+## v1.0.2

 - update README

-**v1.0.1**
+## v1.0.1

 - update README

-**v1.0.0**
+## v1.0.0

 - initial implementation
--- a/LICENSES/GPL-3.0-or-later.txt
+++ b/LICENSES/GPL-3.0-or-later.txt
@ -0,0 +1,625 @@
+GNU GENERAL PUBLIC LICENSE
+
+Version 3, 29 June 2007
+
+Copyright © 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
+Everyone is permitted to copy and distribute verbatim copies of this license
+document, but changing it is not allowed.
+
+Preamble
+
+The GNU General Public License is a free, copyleft license for software and
+other kinds of works.
+
+The licenses for most software and other practical works are designed to take
+away your freedom to share and change the works. By contrast, the GNU General
+Public License is intended to guarantee your freedom to share and change all
+versions of a program--to make sure it remains free software for all its users.
+We, the Free Software Foundation, use the GNU General Public License for most
+of our software; it applies also to any other work released this way by its
+authors. You can apply it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not price. Our
+General Public Licenses are designed to make sure that you have the freedom
+to distribute copies of free software (and charge for them if you wish), that
+you receive source code or can get it if you want it, that you can change
+the software or use pieces of it in new free programs, and that you know you
+can do these things.
+
+To protect your rights, we need to prevent others from denying you these rights
+or asking you to surrender the rights. Therefore, you have certain responsibilities
+if you distribute copies of the software, or if you modify it: responsibilities
+to respect the freedom of others.
+
+For example, if you distribute copies of such a program, whether gratis or
+for a fee, you must pass on to the recipients the same freedoms that you received.
+You must make sure that they, too, receive or can get the source code. And
+you must show them these terms so they know their rights.
+
+Developers that use the GNU GPL protect your rights with two steps: (1) assert
+copyright on the software, and (2) offer you this License giving you legal
+permission to copy, distribute and/or modify it.
+
+For the developers' and authors' protection, the GPL clearly explains that
+there is no warranty for this free software. For both users' and authors'
+sake, the GPL requires that modified versions be marked as changed, so that
+their problems will not be attributed erroneously to authors of previous versions.
+
+Some devices are designed to deny users access to install or run modified
+versions of the software inside them, although the manufacturer can do so.
+This is fundamentally incompatible with the aim of protecting users' freedom
+to change the software. The systematic pattern of such abuse occurs in the
+area of products for individuals to use, which is precisely where it is most
+unacceptable. Therefore, we have designed this version of the GPL to prohibit
+the practice for those products. If such problems arise substantially in other
+domains, we stand ready to extend this provision to those domains in future
+versions of the GPL, as needed to protect the freedom of users.
+
+Finally, every program is threatened constantly by software patents. States
+should not allow patents to restrict development and use of software on general-purpose
+computers, but in those that do, we wish to avoid the special danger that
+patents applied to a free program could make it effectively proprietary. To
+prevent this, the GPL assures that patents cannot be used to render the program
+non-free.
+
+The precise terms and conditions for copying, distribution and modification
+follow.
+
+TERMS AND CONDITIONS
+
+   0. Definitions.
+
+   "This License" refers to version 3 of the GNU General Public License.
+
+"Copyright" also means copyright-like laws that apply to other kinds of works,
+such as semiconductor masks.
+
+"The Program" refers to any copyrightable work licensed under this License.
+Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals
+or organizations.
+
+To "modify" a work means to copy from or adapt all or part of the work in
+a fashion requiring copyright permission, other than the making of an exact
+copy. The resulting work is called a "modified version" of the earlier work
+or a work "based on" the earlier work.
+
+A "covered work" means either the unmodified Program or a work based on the
+Program.
+
+To "propagate" a work means to do anything with it that, without permission,
+would make you directly or secondarily liable for infringement under applicable
+copyright law, except executing it on a computer or modifying a private copy.
+Propagation includes copying, distribution (with or without modification),
+making available to the public, and in some countries other activities as
+well.
+
+To "convey" a work means any kind of propagation that enables other parties
+to make or receive copies. Mere interaction with a user through a computer
+network, with no transfer of a copy, is not conveying.
+
+An interactive user interface displays "Appropriate Legal Notices" to the
+extent that it includes a convenient and prominently visible feature that
+(1) displays an appropriate copyright notice, and (2) tells the user that
+there is no warranty for the work (except to the extent that warranties are
+provided), that licensees may convey the work under this License, and how
+to view a copy of this License. If the interface presents a list of user commands
+or options, such as a menu, a prominent item in the list meets this criterion.
+
+   1. Source Code.
+
+The "source code" for a work means the preferred form of the work for making
+modifications to it. "Object code" means any non-source form of a work.
+
+A "Standard Interface" means an interface that either is an official standard
+defined by a recognized standards body, or, in the case of interfaces specified
+for a particular programming language, one that is widely used among developers
+working in that language.
+
+The "System Libraries" of an executable work include anything, other than
+the work as a whole, that (a) is included in the normal form of packaging
+a Major Component, but which is not part of that Major Component, and (b)
+serves only to enable use of the work with that Major Component, or to implement
+a Standard Interface for which an implementation is available to the public
+in source code form. A "Major Component", in this context, means a major essential
+component (kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to produce
+the work, or an object code interpreter used to run it.
+
+The "Corresponding Source" for a work in object code form means all the source
+code needed to generate, install, and (for an executable work) run the object
+code and to modify the work, including scripts to control those activities.
+However, it does not include the work's System Libraries, or general-purpose
+tools or generally available free programs which are used unmodified in performing
+those activities but which are not part of the work. For example, Corresponding
+Source includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically linked
+subprograms that the work is specifically designed to require, such as by
+intimate data communication or control flow between those subprograms and
+other parts of the work.
+
+The Corresponding Source need not include anything that users can regenerate
+automatically from other parts of the Corresponding Source.
+
+   The Corresponding Source for a work in source code form is that same work.
+
+   2. Basic Permissions.
+
+All rights granted under this License are granted for the term of copyright
+on the Program, and are irrevocable provided the stated conditions are met.
+This License explicitly affirms your unlimited permission to run the unmodified
+Program. The output from running a covered work is covered by this License
+only if the output, given its content, constitutes a covered work. This License
+acknowledges your rights of fair use or other equivalent, as provided by copyright
+law.
+
+You may make, run and propagate covered works that you do not convey, without
+conditions so long as your license otherwise remains in force. You may convey
+covered works to others for the sole purpose of having them make modifications
+exclusively for you, or provide you with facilities for running those works,
+provided that you comply with the terms of this License in conveying all material
+for which you do not control copyright. Those thus making or running the covered
+works for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of your copyrighted
+material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the conditions
+stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
+
+   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological measure
+under any applicable law fulfilling obligations under article 11 of the WIPO
+copyright treaty adopted on 20 December 1996, or similar laws prohibiting
+or restricting circumvention of such measures.
+
+When you convey a covered work, you waive any legal power to forbid circumvention
+of technological measures to the extent such circumvention is effected by
+exercising rights under this License with respect to the covered work, and
+you disclaim any intention to limit operation or modification of the work
+as a means of enforcing, against the work's users, your or third parties'
+legal rights to forbid circumvention of technological measures.
+
+   4. Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you receive
+it, in any medium, provided that you conspicuously and appropriately publish
+on each copy an appropriate copyright notice; keep intact all notices stating
+that this License and any non-permissive terms added in accord with section
+7 apply to the code; keep intact all notices of the absence of any warranty;
+and give all recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey, and you
+may offer support or warranty protection for a fee.
+
+   5. Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to produce
+it from the Program, in the form of source code under the terms of section
+4, provided that you also meet all of these conditions:
+
+a) The work must carry prominent notices stating that you modified it, and
+giving a relevant date.
+
+b) The work must carry prominent notices stating that it is released under
+this License and any conditions added under section 7. This requirement modifies
+the requirement in section 4 to "keep intact all notices".
+
+c) You must license the entire work, as a whole, under this License to anyone
+who comes into possession of a copy. This License will therefore apply, along
+with any applicable section 7 additional terms, to the whole of the work,
+and all its parts, regardless of how they are packaged. This License gives
+no permission to license the work in any other way, but it does not invalidate
+such permission if you have separately received it.
+
+d) If the work has interactive user interfaces, each must display Appropriate
+Legal Notices; however, if the Program has interactive interfaces that do
+not display Appropriate Legal Notices, your work need not make them do so.
+
+A compilation of a covered work with other separate and independent works,
+which are not by their nature extensions of the covered work, and which are
+not combined with it such as to form a larger program, in or on a volume of
+a storage or distribution medium, is called an "aggregate" if the compilation
+and its resulting copyright are not used to limit the access or legal rights
+of the compilation's users beyond what the individual works permit. Inclusion
+of a covered work in an aggregate does not cause this License to apply to
+the other parts of the aggregate.
+
+   6. Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of sections
+4 and 5, provided that you also convey the machine-readable Corresponding
+Source under the terms of this License, in one of these ways:
+
+a) Convey the object code in, or embodied in, a physical product (including
+a physical distribution medium), accompanied by the Corresponding Source fixed
+on a durable physical medium customarily used for software interchange.
+
+b) Convey the object code in, or embodied in, a physical product (including
+a physical distribution medium), accompanied by a written offer, valid for
+at least three years and valid for as long as you offer spare parts or customer
+support for that product model, to give anyone who possesses the object code
+either (1) a copy of the Corresponding Source for all the software in the
+product that is covered by this License, on a durable physical medium customarily
+used for software interchange, for a price no more than your reasonable cost
+of physically performing this conveying of source, or (2) access to copy the
+Corresponding Source from a network server at no charge.
+
+c) Convey individual copies of the object code with a copy of the written
+offer to provide the Corresponding Source. This alternative is allowed only
+occasionally and noncommercially, and only if you received the object code
+with such an offer, in accord with subsection 6b.
+
+d) Convey the object code by offering access from a designated place (gratis
+or for a charge), and offer equivalent access to the Corresponding Source
+in the same way through the same place at no further charge. You need not
+require recipients to copy the Corresponding Source along with the object
+code. If the place to copy the object code is a network server, the Corresponding
+Source may be on a different server (operated by you or a third party) that
+supports equivalent copying facilities, provided you maintain clear directions
+next to the object code saying where to find the Corresponding Source. Regardless
+of what server hosts the Corresponding Source, you remain obligated to ensure
+that it is available for as long as needed to satisfy these requirements.
+
+e) Convey the object code using peer-to-peer transmission, provided you inform
+other peers where the object code and Corresponding Source of the work are
+being offered to the general public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded from
+the Corresponding Source as a System Library, need not be included in conveying
+the object code work.
+
+A "User Product" is either (1) a "consumer product", which means any tangible
+personal property which is normally used for personal, family, or household
+purposes, or (2) anything designed or sold for incorporation into a dwelling.
+In determining whether a product is a consumer product, doubtful cases shall
+be resolved in favor of coverage. For a particular product received by a particular
+user, "normally used" refers to a typical or common use of that class of product,
+regardless of the status of the particular user or of the way in which the
+particular user actually uses, or expects or is expected to use, the product.
+A product is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent the
+only significant mode of use of the product.
+
+"Installation Information" for a User Product means any methods, procedures,
+authorization keys, or other information required to install and execute modified
+versions of a covered work in that User Product from a modified version of
+its Corresponding Source. The information must suffice to ensure that the
+continued functioning of the modified object code is in no case prevented
+or interfered with solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or specifically
+for use in, a User Product, and the conveying occurs as part of a transaction
+in which the right of possession and use of the User Product is transferred
+to the recipient in perpetuity or for a fixed term (regardless of how the
+transaction is characterized), the Corresponding Source conveyed under this
+section must be accompanied by the Installation Information. But this requirement
+does not apply if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has been installed
+in ROM).
+
+The requirement to provide Installation Information does not include a requirement
+to continue to provide support service, warranty, or updates for a work that
+has been modified or installed by the recipient, or for the User Product in
+which it has been modified or installed. Access to a network may be denied
+when the modification itself materially and adversely affects the operation
+of the network or violates the rules and protocols for communication across
+the network.
+
+Corresponding Source conveyed, and Installation Information provided, in accord
+with this section must be in a format that is publicly documented (and with
+an implementation available to the public in source code form), and must require
+no special password or key for unpacking, reading or copying.
+
+   7. Additional Terms.
+
+"Additional permissions" are terms that supplement the terms of this License
+by making exceptions from one or more of its conditions. Additional permissions
+that are applicable to the entire Program shall be treated as though they
+were included in this License, to the extent that they are valid under applicable
+law. If additional permissions apply only to part of the Program, that part
+may be used separately under those permissions, but the entire Program remains
+governed by this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option remove any
+additional permissions from that copy, or from any part of it. (Additional
+permissions may be written to require their own removal in certain cases when
+you modify the work.) You may place additional permissions on material, added
+by you to a covered work, for which you have or can give appropriate copyright
+permission.
+
+Notwithstanding any other provision of this License, for material you add
+to a covered work, you may (if authorized by the copyright holders of that
+material) supplement the terms of this License with terms:
+
+a) Disclaiming warranty or limiting liability differently from the terms of
+sections 15 and 16 of this License; or
+
+b) Requiring preservation of specified reasonable legal notices or author
+attributions in that material or in the Appropriate Legal Notices displayed
+by works containing it; or
+
+c) Prohibiting misrepresentation of the origin of that material, or requiring
+that modified versions of such material be marked in reasonable ways as different
+from the original version; or
+
+d) Limiting the use for publicity purposes of names of licensors or authors
+of the material; or
+
+e) Declining to grant rights under trademark law for use of some trade names,
+trademarks, or service marks; or
+
+f) Requiring indemnification of licensors and authors of that material by
+anyone who conveys the material (or modified versions of it) with contractual
+assumptions of liability to the recipient, for any liability that these contractual
+assumptions directly impose on those licensors and authors.
+
+All other non-permissive additional terms are considered "further restrictions"
+within the meaning of section 10. If the Program as you received it, or any
+part of it, contains a notice stating that it is governed by this License
+along with a term that is a further restriction, you may remove that term.
+If a license document contains a further restriction but permits relicensing
+or conveying under this License, you may add to a covered work material governed
+by the terms of that license document, provided that the further restriction
+does not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you must place,
+in the relevant source files, a statement of the additional terms that apply
+to those files, or a notice indicating where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the form
+of a separately written license, or stated as exceptions; the above requirements
+apply either way.
+
+   8. Termination.
+
+You may not propagate or modify a covered work except as expressly provided
+under this License. Any attempt otherwise to propagate or modify it is void,
+and will automatically terminate your rights under this License (including
+any patent licenses granted under the third paragraph of section 11).
+
+However, if you cease all violation of this License, then your license from
+a particular copyright holder is reinstated (a) provisionally, unless and
+until the copyright holder explicitly and finally terminates your license,
+and (b) permanently, if the copyright holder fails to notify you of the violation
+by some reasonable means prior to 60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is reinstated permanently
+if the copyright holder notifies you of the violation by some reasonable means,
+this is the first time you have received notice of violation of this License
+(for any work) from that copyright holder, and you cure the violation prior
+to 30 days after your receipt of the notice.
+
+Termination of your rights under this section does not terminate the licenses
+of parties who have received copies or rights from you under this License.
+If your rights have been terminated and not permanently reinstated, you do
+not qualify to receive new licenses for the same material under section 10.
+
+   9. Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run a copy
+of the Program. Ancillary propagation of a covered work occurring solely as
+a consequence of using peer-to-peer transmission to receive a copy likewise
+does not require acceptance. However, nothing other than this License grants
+you permission to propagate or modify any covered work. These actions infringe
+copyright if you do not accept this License. Therefore, by modifying or propagating
+a covered work, you indicate your acceptance of this License to do so.
+
+   10. Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically receives
+a license from the original licensors, to run, modify and propagate that work,
+subject to this License. You are not responsible for enforcing compliance
+by third parties with this License.
+
+An "entity transaction" is a transaction transferring control of an organization,
+or substantially all assets of one, or subdividing an organization, or merging
+organizations. If propagation of a covered work results from an entity transaction,
+each party to that transaction who receives a copy of the work also receives
+whatever licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the Corresponding
+Source of the work from the predecessor in interest, if the predecessor has
+it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the rights
+granted or affirmed under this License. For example, you may not impose a
+license fee, royalty, or other charge for exercise of rights granted under
+this License, and you may not initiate litigation (including a cross-claim
+or counterclaim in a lawsuit) alleging that any patent claim is infringed
+by making, using, selling, offering for sale, or importing the Program or
+any portion of it.
+
+   11. Patents.
+
+A "contributor" is a copyright holder who authorizes use under this License
+of the Program or a work on which the Program is based. The work thus licensed
+is called the contributor's "contributor version".
+
+A contributor's "essential patent claims" are all patent claims owned or controlled
+by the contributor, whether already acquired or hereafter acquired, that would
+be infringed by some manner, permitted by this License, of making, using,
+or selling its contributor version, but do not include claims that would be
+infringed only as a consequence of further modification of the contributor
+version. For purposes of this definition, "control" includes the right to
+grant patent sublicenses in a manner consistent with the requirements of this
+License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free patent
+license under the contributor's essential patent claims, to make, use, sell,
+offer for sale, import and otherwise run, modify and propagate the contents
+of its contributor version.
+
+In the following three paragraphs, a "patent license" is any express agreement
+or commitment, however denominated, not to enforce a patent (such as an express
+permission to practice a patent or covenant not to sue for patent infringement).
+To "grant" such a patent license to a party means to make such an agreement
+or commitment not to enforce a patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license, and the
+Corresponding Source of the work is not available for anyone to copy, free
+of charge and under the terms of this License, through a publicly available
+network server or other readily accessible means, then you must either (1)
+cause the Corresponding Source to be so available, or (2) arrange to deprive
+yourself of the benefit of the patent license for this particular work, or
+(3) arrange, in a manner consistent with the requirements of this License,
+to extend the patent license to downstream recipients. "Knowingly relying"
+means you have actual knowledge that, but for the patent license, your conveying
+the covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that country
+that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or arrangement,
+you convey, or propagate by procuring conveyance of, a covered work, and grant
+a patent license to some of the parties receiving the covered work authorizing
+them to use, propagate, modify or convey a specific copy of the covered work,
+then the patent license you grant is automatically extended to all recipients
+of the covered work and works based on it.
+
+A patent license is "discriminatory" if it does not include within the scope
+of its coverage, prohibits the exercise of, or is conditioned on the non-exercise
+of one or more of the rights that are specifically granted under this License.
+You may not convey a covered work if you are a party to an arrangement with
+a third party that is in the business of distributing software, under which
+you make payment to the third party based on the extent of your activity of
+conveying the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by you
+(or copies made from those copies), or (b) primarily for and in connection
+with specific products or compilations that contain the covered work, unless
+you entered into that arrangement, or that patent license was granted, prior
+to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting any implied
+license or other defenses to infringement that may otherwise be available
+to you under applicable patent law.
+
+   12. No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or otherwise)
+that contradict the conditions of this License, they do not excuse you from
+the conditions of this License. If you cannot convey a covered work so as
+to satisfy simultaneously your obligations under this License and any other
+pertinent obligations, then as a consequence you may not convey it at all.
+For example, if you agree to terms that obligate you to collect a royalty
+for further conveying from those to whom you convey the Program, the only
+way you could satisfy both those terms and this License would be to refrain
+entirely from conveying the Program.
+
+   13. Use with the GNU Affero General Public License.
+
+Notwithstanding any other provision of this License, you have permission to
+link or combine any covered work with a work licensed under version 3 of the
+GNU Affero General Public License into a single combined work, and to convey
+the resulting work. The terms of this License will continue to apply to the
+part which is the covered work, but the special requirements of the GNU Affero
+General Public License, section 13, concerning interaction through a network
+will apply to the combination as such.
+
+   14. Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions of the
+GNU General Public License from time to time. Such new versions will be similar
+in spirit to the present version, but may differ in detail to address new
+problems or concerns.
+
+Each version is given a distinguishing version number. If the Program specifies
+that a certain numbered version of the GNU General Public License "or any
+later version" applies to it, you have the option of following the terms and
+conditions either of that numbered version or of any later version published
+by the Free Software Foundation. If the Program does not specify a version
+number of the GNU General Public License, you may choose any version ever
+published by the Free Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions of
+the GNU General Public License can be used, that proxy's public statement
+of acceptance of a version permanently authorizes you to choose that version
+for the Program.
+
+Later license versions may give you additional or different permissions. However,
+no additional obligations are imposed on any author or copyright holder as
+a result of your choosing to follow a later version.
+
+   15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE
+LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER
+EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM
+PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+   16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL
+ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM
+AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL,
+INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO
+USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
+INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
+PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+   17. Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided above cannot
+be given local legal effect according to their terms, reviewing courts shall
+apply local law that most closely approximates an absolute waiver of all civil
+liability in connection with the Program, unless a warranty or assumption
+of liability accompanies a copy of the Program in return for a fee. END OF
+TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest possible
+use to the public, the best way to achieve this is to make it free software
+which everyone can redistribute and change under these terms.
+
+To do so, attach the following notices to the program. It is safest to attach
+them to the start of each source file to most effectively state the exclusion
+of warranty; and each file should have at least the "copyright" line and a
+pointer to where the full notice is found.
+
+<one line to give the program's name and a brief idea of what it does.>
+
+Copyright (C) <year> <name of author>
+
+This program is free software: you can redistribute it and/or modify it under
+the terms of the GNU General Public License as published by the Free Software
+Foundation, either version 3 of the License, or (at your option) any later
+version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT
+ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with
+this program. If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program does terminal interaction, make it output a short notice like
+this when it starts in an interactive mode:
+
+<program> Copyright (C) <year> <name of author>
+
+This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+
+This is free software, and you are welcome to redistribute it under certain
+conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands might
+be different; for a GUI interface, you would use an "about box".
+
+You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary. For
+more information on this, and how to apply and follow the GNU GPL, see <https://www.gnu.org/licenses/>.
+
+The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Lesser General Public
+License instead of this License. But first, please read <https://www.gnu.org/
+licenses /why-not-lgpl.html>.
--- a/README.md
+++ b/README.md
@ -1,13 +1,55 @@
+<!--
+Copyright (C) 2018-2023 Robert Wimmer
+Copyright (C) 2019 fbourqui
+SPDX-License-Identifier: GPL-3.0-or-later
+-->
+
 ansible-role-wireguard
 ======================

-This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. This VPN also includes two clients so that I can communicate securly with the Kubernetes API server. Also my Postfix mailserver running as K8s DaemonSet forwards mails to my internal Postfix through WireGuard VPN.
-
-I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a while. As I moved my cloud hosts from Scaleway to Hetzner cloud it was a good time to switch the VPN solution ;-) In general PeerVPN still works perfectly fine esp. if you need a easy to setup fully meshed network (where every node is able to talk to all other nodes and even if node `A` should be able to talk to Node `C` via node `B` ;-) ). But PeerVPN needs also lot of CPU resources and throuhput could be better. That's solved with [WireGuard](https://www.wireguard.io/).
+This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. The latest release is [available via Ansible Galaxy](https://galaxy.ansible.com/githubixx/ansible_role_wireguard).  I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster.

 In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).

-This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later) and CentOS 7 might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-)
+Linux
+-----
+
+This role should work with:
+
+- Ubuntu 18.04 (Bionic Beaver)
+- Ubuntu 20.04 (Focal Fossa)
+- Ubuntu 22.04 (Jammy Jellyfish)
+- Archlinux
+- Debian 11 (Bullseye)
+- Fedora 36
+- CentOS 7
+- AlmaLinux
+- Rocky Linux
+- openSUSE Leap 15.4
+- Oracle Linux 9
+
+Best effort:
+
+- elementary OS 6
+
+Molecule tests are [available](https://github.com/githubixx/ansible-role-wireguard#testing) (see further down below). It should also work with `Raspbian Buster` but for this one there is no test available. MacOS (see below) should also work partitially but is only best effort.
+
+MacOS
+-----
+
+While this playbook configures, enables and starts a `systemd` service on Linux in a such a way that no additional action is needed, on MacOS it installs the required packages and it just generates the correct `wg0.conf` file that is then placed in the specified `wireguard_remote_directory` (`/opt/local/etc/wireguard` by default). In order to run the VPN, then, you need to:
+
+```bash
+sudo wg-quick up wg0
+```
+
+and to deactivate it
+
+```bash
+sudo wg-quick down wg0
+```
+
+or you can install the [official app](https://apps.apple.com/it/app/wireguard/id1451685025?l=en&mt=12) and import the `wg0.conf` file.

 Versions
 --------
@ -17,7 +59,9 @@ I tag every release and try to stay with [semantic versioning](http://semver.org
 Requirements
 ------------

-By default port `51820` (protocol UDP) should be accessable from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward `. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere. You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things. Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.
+By default port `51820` (protocol UDP) should be accessible from the outside. But you can adjust the port by changing the variable `wireguard_port`. Also IP forwarding needs to be enabled e.g. via `echo 1 > /proc/sys/net/ipv4/ip_forward`. I decided not to implement this task in this Ansible role. IMHO that should be handled elsewhere.
+You can use my [ansible-role-harden-linux](https://github.com/githubixx/ansible-role-harden-linux) e.g. Besides changing sysctl entries (which you need to enable IP forwarding) it also manages firewall settings among other things.
+Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good place to do some network related stuff before a WireGuard interface comes up or goes down.

 Changelog
 ---------
@ -27,49 +71,168 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/mast
 Role Variables
 --------------

-These variables can be changed in `group_vars/`:
+These variables can be changed in `group_vars/` e.g.:

-```
+```yaml
 # Directory to store WireGuard configuration on the remote hosts
-wireguard_remote_directory: "/etc/wireguard"
+wireguard_remote_directory: "/etc/wireguard"              # On Linux
+# wireguard_remote_directory: "/opt/local/etc/wireguard"  # On MacOS

 # The default port WireGuard will listen if not specified otherwise.
 wireguard_port: "51820"

-# The default interface name that wireguard should use if not specified otherwise.
+# The default interface name that WireGuard should use if not specified otherwise.
 wireguard_interface: "wg0"
-```
-
-The following variable is mandatory and needs to be configured for every host in `host_vars/`:

-```
-wireguard_address: "10.8.0.101/24"
-```
-
-Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default value is the value from `wireguard_address` without the CIDR but instead with `/32` which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly:
-
-```
+# The default owner of the wg.conf file
+wireguard_conf_owner: root
+
+# The default group of the wg.conf file
+wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
+
+# The default mode of the wg.conf file
+wireguard_conf_mode: 0600
+
+# The default state of the wireguard service
+wireguard_service_enabled: "yes"
+wireguard_service_state: "started"
+
+# By default "wg syncconf" is used to apply WireGuard interface settings if
+# they've changed. Older WireGuard tools doesn't provide this option. In that
+# case as a fallback the WireGuard interface will be restarted. This causes a
+# short interruption of network connections.
+#
+# So even if "false" is the default, the role figures out if the "syncconf"
+# option of the "wg" utility is available and if not falls back to "true"
+# (which means interface will be restarted as this is the only possible option
+# in this case).
+#
+# Possible options:
+# - false (default)
+# - true
+#
+# Both options have their pros and cons. The default "false" option (do not
+# restart interface)
+# - does not need to restart the WireGuard interface to apply changes
+# - does not cause a short VPN connection interruption when changes are applied
+# - might cause network routes are not properly reloaded
+#
+# Setting the option value to "true" will
+# - restart the WireGuard interface as the name suggests in case of changes
+# - cause a short VPN connection interruption when changes are applied
+# - make sure that network routes are properly reloaded
+#
+# So it depends a little bit on your setup which option works best. If you
+# don't have an overly complicated routing that changes very often or at all
+# using "false" here is most properly good enough for you. E.g. if you just
+# want to connect a few servers via VPN and it normally stays this way.
+#
+# If you have a more dynamic routing setup then setting this to "true" might be
+# the safest way to go. Also if you want to avoid the possibility creating some
+# hard to detect side effects this option should be considered.
+wireguard_interface_restart: false
+
+# Normally the role automatically creates a private key the very first time
+# if there isn't already a WireGuard configuration. But this option allows
+# to provide your own WireGuard private key if really needed. As this is of
+# course a very sensitive value you might consider a tool like Ansible Vault
+# to store it encrypted.
+# wireguard_private_key:
+
+# Set to "false" if package cache should not be updated (only relevant if
+# the package manager in question supports this option)
+wireguard_update_cache: "true"
+```
+
+There are also a few Linux distribution specific settings:
+
+```yaml
+#######################################
+# Settings only relevant for:
+# - Ubuntu
+# - elementary OS
+#######################################
+
+# DEPRECATED: Please use "wireguard_update_cache" instead.
+# Set to "false" if package cache should not be updated.
+wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}"
+
+# Set package cache valid time
+wireguard_ubuntu_cache_valid_time: "3600"
+
+#######################################
+# Settings only relevant for CentOS 7
+#######################################
+
+# Set wireguard_centos7_installation_method to "kernel-plus"
+# to use the kernel-plus kernel, which includes a built-in,
+# signed WireGuard module.
+#
+# The default of "standard" will use the standard kernel and
+# the ELRepo module for WireGuard.
+wireguard_centos7_installation_method: "standard"
+
+# Reboot host if necessary if the "kernel-plus" kernel is in use
+wireguard_centos7_kernel_plus_reboot: true
+
+# The default seconds to wait for machine to reboot and respond
+# if "kernel-plus" is in use. Is only relevant if
+# "wireguard_centos7_kernel_plus_reboot" is set to "true".
+wireguard_centos7_kernel_plus_reboot_timeout: "600"
+
+# Reboot host if necessary if the standard kernel is in use
+wireguard_centos7_standard_reboot: true
+
+# The default seconds to wait for machine to reboot and respond
+# if "standard" kernel is in use. Is only relevant if
+# "wireguard_centos7_standard_reboot" is set to "true".
+wireguard_centos7_standard_reboot_timeout: "600"
+
+#########################################
+# Settings only relevant for RockyLinux 8
+#########################################
+
+# Set wireguard_rockylinux8_installation_method to "dkms"
+# to build WireGuard module from source, with wireguard-dkms.
+# This is required if you use a custom kernel and/or your arch
+# is not x86_64.
+#
+# The default of "standard" will install the kernel module
+# with kmod-wireguard from ELRepo.
+wireguard_rockylinux8_installation_method: "standard"
+```
+
+Every host in `host_vars/` should configure at least one address via `wireguard_address` or `wireguard_addresses`. The `wireguard_address` can only contain one IPv4, thus it's recommended to use the `wireguard_addresses` variable that can contain an array of both IPv4 and IPv6 addresses.
+
+```yaml
+wireguard_addresses:
+  - "10.8.0.101/24"
+```
+
+Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default values are IPs defined in `wireguard_address` and `wireguard_addresses` without the CIDR but instead with `/32` (IPv4) or `/128` (IPv6) which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly:
+
+```ini
 [Interface]
 Address = 10.8.0.2/24
 PrivateKey = ....
 ListenPort = 51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 10.8.0.101/32
 Endpoint = controller01.p.domain.tld:51820
 ```

-This is part of the WireGuard config from my workstation. It has the VPN IP `10.8.0.2` and we've a `/24` subnet in which all my WireGuard hosts are located. Also you can see we've a peer here that has the endpoint `controller01.p.domain.tld:51820`. When `wireguard_allowed_ips` is not explicitly set the Ansible template will add an `AllowedIPs` entry with the IP of that host plus `/32`. In WireGuard this basically specifies the routing. The config above says: On my workstation with the IP `10.8.0.2` I want send all traffic to `10.8.0.101/32` to the endpoint `controller01.p.domain.tld:51820`. Now let's assume we set `wireguard_allowed_ips: "0.0.0.0/0"`. Then the resulting config looks like this.
+This is part of the WireGuard config from my workstation. It has the VPN IP `10.8.0.2` and we've a `/24` subnet in which all my WireGuard hosts are located. Also you can see we've a peer here that has the endpoint `controller01.p.domain.tld:51820`. When `wireguard_allowed_ips` is not explicitly set the Ansible template will add an `AllowedIPs` entry with the IP of that host plus `/32` or `/128`. In WireGuard this basically specifies the routing. The config above says: On my workstation with the IP `10.8.0.2` I want send all traffic to `10.8.0.101/32` to the endpoint `controller01.p.domain.tld:51820`. Now let's assume we set `wireguard_allowed_ips: "0.0.0.0/0"`. Then the resulting config looks like this.

-```
+```ini
 [Interface]
 Address = 10.8.0.2/24
 PrivateKey = ....
 ListenPort = 51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 0.0.0.0/0
 Endpoint = controller01.p.domain.tld:51820
 ```
@ -78,7 +241,7 @@ Now this is basically the same as above BUT now the config says: I want to route

 You can specify further optional settings (they don't have a default and won't be set if not specified besides `wireguard_allowed_ips` as already mentioned) also per host in `host_vars/` (or in your Ansible hosts file if you like). The values for the following variables are just examples and no defaults (for more information and examples see [wg-quick.8](https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8)):

-```
+```yaml
 wireguard_allowed_ips: ""
 wireguard_endpoint: "host1.domain.tld"
 wireguard_persistent_keepalive: "30"
@ -95,18 +258,25 @@ wireguard_postup:
 wireguard_postdown:
  - ...
 wireguard_save_config: "true"
+wireguard_unmanaged_peers:
+  client.example.com:
+    public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
+    # preshared_key: ... e.g. from ansible-vault?
+    allowed_ips: 10.0.0.3/32
+    endpoint: client.example.com:51820
+    persistent_keepalive: 0
 ```

 `wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:

-```
+```yaml
 wireguard_postup:
  - iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
  - iptables -A FORWARD -i %i -j ACCEPT
  - iptables -A FORWARD -o %i -j ACCEPT
 ```

-```
+```yaml
 wireguard_preup:
  - echo 1 > /proc/sys/net/ipv4/ip_forward
  - ufw allow 51820/udp
@ -114,13 +284,13 @@ wireguard_preup:

 The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8).

-`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
+One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) is required as already mentioned. It's the IPs of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs at least one unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).

-Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
+Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.

 First, here is a part of my Ansible `hosts` file:

-```
+```ini
 [vpn]
 controller0[1:3].i.domain.tld
 worker0[1:2].i.domain.tld
@ -134,45 +304,53 @@ controller0[1:3].i.domain.tld
 worker0[1:2].i.domain.tld
 ```

-As you can see I've three gropus here: `vpn` (all hosts on that will get WireGuard installed), `k8s_controller` (the Kubernetes controller nodes) and `k8s_worker` (the Kubernetes worker nodes). The `i` in the domainname is for `internal`. All the `i.domain.tld` DNS entries have a `A` record that points to the WireGuard IP that we define shortly for every host e.g.: ` controller01.i.domain.tld. IN A 10.8.0.101`. The reason for that is that all Kubernetes components only binds and listen on the WireGuard interface in my setup. And since I need this internal IPs for all my Kubernetes components I specify the internal DNS entries in my Ansible `hosts` file. That way I can use the Ansible inventory hostnames and variables very easy in the playbooks and templates.
+As you can see I've three groups here: `vpn` (all hosts on that will get WireGuard installed), `k8s_controller` (the Kubernetes controller nodes) and `k8s_worker` (the Kubernetes worker nodes). The `i` in the domainname is for `internal`. All the `i.domain.tld` DNS entries have a `A` record that points to the WireGuard IP that we define shortly for every host e.g.: `controller01.i.domain.tld. IN A 10.8.0.101`. The reason for that is that all Kubernetes components only binds and listen on the WireGuard interface in my setup. And since I need this internal IPs for all my Kubernetes components I specify the internal DNS entries in my Ansible `hosts` file. That way I can use the Ansible inventory hostnames and variables very easy in the playbooks and templates.

 For the Kubernetes controller nodes I've defined the following host variables:

 Ansible host file: `host_vars/controller01.i.domain.tld`
-```
+
+```yaml
 ---
-wireguard_address: "10.8.0.101/24"
+wireguard_addresses:
+  - "10.8.0.101/24"
 wireguard_endpoint: "controller01.p.domain.tld"
 ansible_host: "controller01.p.domain.tld"
 ansible_python_interpreter: /usr/bin/python3
 ```

 Ansible host file: `host_vars/controller02.i.domain.tld`:
-```
+
+```yaml
 ---
-wireguard_address: "10.8.0.102/24"
+wireguard_addresses:
+  - "10.8.0.102/24"
 wireguard_endpoint: "controller02.p.domain.tld"
 ansible_host: "controller02.p.domain.tld"
 ansible_python_interpreter: /usr/bin/python3
 ```

 Ansible host file: `host_vars/controller03.i.domain.tld`:
-```
+
+```yaml
 ---
-wireguard_address: "10.8.0.103/24"
+wireguard_addresses:
+  - "10.8.0.103/24"
 wireguard_endpoint: "controller03.p.domain.tld"
 ansible_host: "controller03.p.domain.tld"
 ansible_python_interpreter: /usr/bin/python3
 ```

-I've specified `ansible_python_interpreter` here for every node as the controller nodes use Ubuntu 18.04 which has Python 3 installed by default. `ansible_host` is set to the public DNS of that host. Ansible will use this hostname to connect to the host via SSH. I use the same value also for `wireguard_endpoint` because of the same reason. The WireGuard peers needs to connect to the other peers via a public IP (well at least via a IP that the WireGuard hosts can connect to - that could be of course also a internal IP if it works for you). The `wireguard_address` needs to be unique of course for every host. 
+I've specified `ansible_python_interpreter` here for every node as the controller nodes use Ubuntu 18.04 which has Python 3 installed by default. `ansible_host` is set to the public DNS of that host. Ansible will use this hostname to connect to the host via SSH. I use the same value also for `wireguard_endpoint` because of the same reason. The WireGuard peers needs to connect to the other peers via a public IP (well at least via a IP that the WireGuard hosts can connect to - that could be of course also a internal IP if it works for you). IPs specified by `wireguard_address` or `wireguard_addresses` needs to be unique of course for every host.

 For the Kubernetes worker I've defined the following variables:

 Ansible host file: `host_vars/worker01.i.domain.tld`
-```
+
+```yaml
 ---
-wireguard_address: "10.8.0.111/24"
+wireguard_addresses:
+  - "10.8.0.111/24"
 wireguard_endpoint: "worker01.p.domain.tld"
 wireguard_persistent_keepalive: "30"
 ansible_host: "worker01.p.domain.tld"
@ -180,9 +358,11 @@ ansible_python_interpreter: /usr/bin/python3
 ```

 Ansible host file: `host_vars/worker02.i.domain.tld`:
-```
+
+```yaml
 ---
-wireguard_address: "10.8.0.112/24"
+wireguard_addresses:
+  - "10.8.0.112/24"
 wireguard_endpoint: "worker02.p.domain.tld"
 wireguard_persistent_keepalive: "30"
 ansible_host: "worker02.p.domain.tld"
@ -193,21 +373,23 @@ As you can see the variables are basically the same as the controller nodes have

 For my internal server at home (connected via DSL router to the internet) we've this configuration:

-```
+```yaml
 ---
-wireguard_address: "10.8.0.1/24"
+wireguard_addresses:
+  - "10.8.0.1/24"
 wireguard_endpoint: "server.at.home.p.domain.tld"
 wireguard_persistent_keepalive: "30"
 ansible_host: 192.168.2.254
 ansible_port: 22
 ```

-By default the SSH daemon is listening on a different port than 22 on all of my public nodes but internally I use `22` and that's the reason to set `ansible_port: 22` here. Also `ansible_host` is of course a internal IP for that host. The `wireguard_endpoint` value is a dynamic DNS entry. Since my IP at home isn't static I need to run a script every minute at my home server that checks if the IP has changed and if so adjusts my DNS record. I use OVH's DynHost feature to accomplish this but you can use and DynDNS provider you want of course. Also I forward incoming traffic on port `51820/UDP` to my internal server to allow incoming WireGuard traffic. The `wireguard_address` needs to be of course part of our WireGuard subnet.
+By default the SSH daemon is listening on a different port than 22 on all of my public nodes but internally I use `22` and that's the reason to set `ansible_port: 22` here. Also `ansible_host` is of course a internal IP for that host. The `wireguard_endpoint` value is a dynamic DNS entry. Since my IP at home isn't static I need to run a script every minute at my home server that checks if the IP has changed and if so adjusts my DNS record. I use OVH's DynHost feature to accomplish this but you can use and DynDNS provider you want of course. Also I forward incoming traffic on port `51820/UDP` to my internal server to allow incoming WireGuard traffic. IPs from `wireguard_address` and `wireguard_addresses` needs to be of course part of our WireGuard subnet.

 And finally for my workstation (on which I run all `ansible-playbook` commands):

-```
-wireguard_address: "10.8.0.2/24"
+```yaml
+wireguard_addresses:
+  - "10.8.0.2/24"
 wireguard_endpoint: ""
 ansible_connection: local
 ansible_become: false
@ -215,41 +397,41 @@ ansible_become: false

 As you can see `wireguard_endpoint: ""` is a empty string here. That means the Ansible role won't set an endpoint for my workstation. Since there is no need for the other hosts to connect to my workstation it doesn't makes sense to have a endpoint defined. So in this case I can access all hosts defined in the Ansible group `vpn` from my workstation but not the other way round. So the resulting WireGuard config for my workstation looks like this:

-```
+```ini
 [Interface]
 Address = 10.8.0.2/24
 PrivateKey = ....
 ListenPort = 51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 10.8.0.101/32
 Endpoint = controller01.p.domain.tld:51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 10.8.0.102/32
 Endpoint = controller02.p.domain.tld:51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 10.8.0.103/32
 Endpoint = controller03.p.domain.tld:51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 10.8.0.111/32
 PersistentKeepalive = 30
 Endpoint = worker01.p.domain.tld:51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 10.8.0.112/32
 PersistentKeepalive = 30
 Endpoint = worker02.p.domain.tld:51820

 [Peer]
-PrivateKey = ....
+PublicKey = ....
 AllowedIPs = 10.8.0.1/32
 PersistentKeepalive = 30
 Endpoint = server.at.home.p.domain.tld:51820
@ -257,32 +439,42 @@ Endpoint = server.at.home.p.domain.tld:51820

 The other WireGuard config files (`wg0.conf` by default) looks similar but of course `[Interface]` includes the config of that specific host and the `[Peer]` entries lists the config of the other hosts.

-Example Playbook
----------------
+Example Playbooks
+-----------------

-```
+```yaml
 - hosts: vpn
  roles:
-    - wireguard
+    - githubixx.ansible_role_wireguard
 ```

-Example Inventory using two different WireGuard interfaces on host "multi"
+```yaml
+  hosts: vpn
+  roles:
+    -
+      role: githubixx.ansible_role_wireguard
+      tags: role-wireguard
+```
+
+Example inventory using two different WireGuard interfaces on host "multi"
 --------------------------------------------------------------------------

 This is a complex example using yaml inventory format:

-```
+```yaml
 vpn1:
  hosts:
    multi:
-      wireguard_address: 10.9.0.1/32
+      wireguard_addresses:
+        - "10.9.0.1/32"
      wireguard_allowed_ips: "10.9.0.1/32, 192.168.2.0/24"
-      wireguard_endpoint: multi.exemple.com
+      wireguard_endpoint: multi.example.com
    nated:
-      wireguard_address: 10.9.0.2/32
+      wireguard_addresses:
+        - "10.9.0.2/32"
      wireguard_allowed_ips: "10.9.0.2/32, 192.168.3.0/24"
      wireguard_persistent_keepalive: 15
-      wireguard_endpoint: nated.exemple.com
+      wireguard_endpoint: nated.example.com
      wireguard_postup:
        - iptables -t nat -A POSTROUTING -o ens12 -j MASQUERADE
        - iptables -A FORWARD -i %i -j ACCEPT
@ -301,32 +493,62 @@ vpn2:
      wireguard_interface: wg1
      # when using several interface on one host, we must use different ports
      wireguard_port: 51821
-      wireguard_address: 10.9.1.1/32
-      wireguard_endpoint: multi.exemple.com
+      wireguard_addresses:
+        - "10.9.1.1/32"
+      wireguard_endpoint: multi.example.com
    another:
-      wireguard_address: 10.9.1.2/32
-      wireguard_endpoint: another.exemple.com
+      wireguard_address:
+        - "10.9.1.2/32"
+      wireguard_endpoint: another.example.com
 ```

-Playbooks
---------
+Sample playbooks for example above:

-```
+```yaml
 - hosts: vpn1
  roles:
-    - wireguard
+    - githubixx.ansible_role_wireguard
 ```

-```
+```yaml
 - hosts: vpn2
  roles:
-    - wireguard
+    - githubixx.ansible_role_wireguard
+```
+
+Testing
+-------
+
+This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/kvm).
+
+Afterwards molecule can be executed:
+
+```bash
+molecule converge -s kvm
+```
+
+This will setup quite a few virtual machines (VM) with different supported Linux operating systems. To run a few tests:
+
+```bash
+molecule verify -s kvm
+```
+
+To clean up run
+
+```bash
+molecule destroy -s kvm
+```
+
+There is also a small Molecule setup that mimics a central WireGuard server with a few clients:
+
+```bash
+molecule converge -s kvm-single-server
 ```

 License
 -------

-GNU GENERAL PUBLIC LICENSE Version 3
+[GNU General Public License v3.0 or later](https://spdx.org/licenses/GPL-3.0-or-later.html)

 Author Information
 ------------------
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,24 +1,126 @@
 ---
+# Copyright (C) 2018-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 #######################################
 # General settings
 #######################################

 # Directory to store WireGuard configuration on the remote hosts
-wireguard_remote_directory: "/etc/wireguard"
+wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Darwin' else '/opt/local/etc/wireguard' }}"

 # The default port WireGuard will listen if not specified otherwise.
 wireguard_port: "51820"

-# The default interface name that wireguard should use if not specified otherwise.
+# The default interface name that WireGuard should use if not specified otherwise.
 wireguard_interface: "wg0"

+# The default owner of the wg.conf file
+wireguard_conf_owner: root
+
+# The default group of the wg.conf file
+wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}"
+
+# The default mode of the wg.conf file
+wireguard_conf_mode: 0600
+
+# The default state of the wireguard service
+wireguard_service_enabled: "yes"
+wireguard_service_state: "started"
+
+# By default "wg syncconf" is used to apply WireGuard interface settings if
+# they've changed. Older WireGuard tools doesn't provide this option. In that
+# case as a fallback the WireGuard interface will be restarted. This causes a
+# short interruption of network connections.
+#
+# So even if "false" is the default, the role figures out if the "syncconf"
+# option of the "wg" utility is available and if not falls back to "true"
+# (which means interface will be restarted as this is the only possible option
+# in this case).
+#
+# Possible options:
+# - false (default)
+# - true
+#
+# Both options have their pros and cons. The default "false" option (do not
+# restart interface)
+# - does not need to restart the WireGuard interface to apply changes
+# - does not cause a short VPN connection interruption when changes are applied
+# - might cause network routes are not properly reloaded
+#
+# Setting the option value to "true" will
+# - restart the WireGuard interface as the name suggests in case of changes
+# - cause a short VPN connection interruption when changes are applied
+# - make sure that network routes are properly reloaded
+#
+# So it depends a little bit on your setup which option works best. If you
+# don't have an overly complicated routing that changes very often or at all
+# using "false" here is most properly good enough for you. E.g. if you just
+# want to connect a few servers via VPN and it normally stays this way.
+#
+# If you have a more dynamic routing setup then setting this to "true" might be
+# the safest way to go. Also if you want to avoid the possibility creating some
+# hard to detect side effects this option should be considered.
+wireguard_interface_restart: false
+
+# This is sensitive: encrypt it with a tool like Ansible Vault.
+# If not set, a new one is generated on a blank configuration.
+# wireguard_private_key:
+
+# Set to "false" if package cache should not be updated (only relevant if
+# the package manager in question supports this option)
+wireguard_update_cache: "true"

 #######################################
-# Settings only relevant for Ubuntu
+# Settings only relevant for:
+# - Ubuntu
+# - elementary OS
 #######################################

-# Set to "false" if package cache should not be updated
-wireguard_ubuntu_update_cache: "true"
+# DEPRECATED: Please use "wireguard_update_cache" instead.
+# Set to "false" if package cache should not be updated.
+wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}"

 # Set package cache valid time
 wireguard_ubuntu_cache_valid_time: "3600"
+
+#######################################
+# Settings only relevant for CentOS 7
+#######################################
+
+# Set wireguard_centos7_installation_method to "kernel-plus"
+# to use the kernel-plus kernel, which includes a built-in,
+# signed WireGuard module.
+#
+# The default of "standard" will use the standard kernel and
+# the ELRepo module for WireGuard.
+wireguard_centos7_installation_method: "standard"
+
+# Reboot host if necessary if the "kernel-plus" kernel is in use
+wireguard_centos7_kernel_plus_reboot: true
+
+# The default seconds to wait for machine to reboot and respond
+# if "kernel-plus" is in use. Is only relevant if
+# "wireguard_centos7_kernel_plus_reboot" is set to "true".
+wireguard_centos7_kernel_plus_reboot_timeout: "600"
+
+# Reboot host if necessary if the standard kernel is in use
+wireguard_centos7_standard_reboot: true
+
+# The default seconds to wait for machine to reboot and respond
+# if "standard" kernel is in use. Is only relevant if
+# "wireguard_centos7_standard_reboot" is set to "true".
+wireguard_centos7_standard_reboot_timeout: "600"
+
+#########################################
+# Settings only relevant for RockyLinux 8
+#########################################
+
+# Set wireguard_rockylinux8_installation_method to "dkms"
+# to build WireGuard module from source, with wireguard-dkms.
+# This is required if you use a custom kernel and/or your arch
+# is not x86_64.
+#
+# The default of "standard" will install the kernel module
+# with kmod-wireguard from ELRepo.
+wireguard_rockylinux8_installation_method: "standard"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,23 +1,32 @@
 ---
- name: restart wireguard
-  service:
+# Copyright (C) 2018-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Restart wireguard
+  ansible.builtin.service:
    name: "wg-quick@{{ wireguard_interface }}"
    state: "{{ item }}"
  loop:
-  - stopped
-  - started
-  when: not wg_syncconf
+    - stopped
+    - started
+  when:
+    - wireguard__restart_interface
+    - not ansible_os_family == 'Darwin'
+    - wireguard_service_enabled == "yes"
  listen: "reconfigure wireguard"

- name: syncconf wireguard
-  shell: |
-      set -o errexit
-      set -o pipefail
-      set -o nounset
-      systemctl is-active wg-quick@wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
-      wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
-      exit 0
+- name: Syncconf wireguard
+  ansible.builtin.shell: |
+    set -o errexit
+    set -o pipefail
+    set -o nounset
+    systemctl is-active wg-quick@{{ wireguard_interface | quote }} || systemctl start wg-quick@{{ wireguard_interface | quote }}
+    wg syncconf {{ wireguard_interface | quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface | quote }}.conf)
+    exit 0
  args:
    executable: "/bin/bash"
-  when: wg_syncconf
+  when:
+    - not wireguard__restart_interface
+    - not ansible_os_family == 'Darwin'
+    - wireguard_service_enabled == "yes"
  listen: "reconfigure wireguard"
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,24 +1,35 @@
+---
+# Copyright (C) 2018-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 galaxy_info:
  author: Robert Wimmer
  description: Installs Wireguard incl. systemd integration
-  license: GPLv3
-  min_ansible_version: 2.5
+  license: GPL-3.0-or-later
+  min_ansible_version: "2.11"
+  namespace: githubixx
+  role_name: ansible_role_wireguard
  platforms:
-  - name: ArchLinux
-  - name: Ubuntu
-    versions:
-    - bionic
-    - focal
-  - name: Debian
-    versions:
-    - stretch
-    - buster
-  - name: EL
-    versions:
-    - 7
-  - name: Fedora
-    versions:
-    - 31
+    - name: ArchLinux
+    - name: Ubuntu
+      versions:
+        - "bionic"
+        - "focal"
+        - "jammy"
+    - name: Debian
+      versions:
+        - "bullseye"
+    - name: EL
+      versions:
+        - "7"
+        - "8"
+        - "9"
+    - name: Fedora
+      versions:
+        - "36"
+    - name: opensuse
+      versions:
+        - "15.4"
  galaxy_tags:
    - networking
    - security
--- a/molecule/kvm-single-server/converge.yml
+++ b/molecule/kvm-single-server/converge.yml
@ -0,0 +1,12 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: all
+  remote_user: vagrant
+  become: true
+  gather_facts: true
+  tasks:
+    - name: Include WireGuard role
+      ansible.builtin.include_role:
+        name: githubixx.ansible_role_wireguard
--- a/molecule/kvm-single-server/molecule.yml
+++ b/molecule/kvm-single-server/molecule.yml
@ -0,0 +1,95 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependency:
+  name: galaxy
+
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+    type: libvirt
+    options:
+      memory: 192
+      cpus: 2
+
+platforms:
+  - name: test-wg-ubuntu2004
+    box: generic/ubuntu2004
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.10
+    groups:
+      - vpn
+      - ubuntu
+  - name: test-wg-ubuntu1804
+    box: generic/ubuntu1804
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.20
+    groups:
+      - vpn
+      - ubuntu
+  - name: test-wg-debian11
+    box: generic/debian11
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.30
+    groups:
+      - vpn
+      - debian
+  - name: test-wg-ubuntu2204
+    box: alvistack/ubuntu-22.04
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.40
+    groups:
+      - vpn
+      - ubuntu
+
+provisioner:
+  name: ansible
+  connection_options:
+    ansible_ssh_user: vagrant
+    ansible_become: true
+  log: true
+  lint:
+    name: ansible-lint
+  inventory:
+    host_vars:
+      test-wg-ubuntu2004:
+        wireguard_address: "10.10.10.10/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.10"
+      test-wg-ubuntu1804:
+        wireguard_address: "10.10.10.20/24"
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: ""
+      test-wg-debian11:
+        wireguard_address: "10.10.10.30/24"
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: ""
+        ansible_python_interpreter: "/usr/bin/python3"
+      test-wg-ubuntu2204:
+        wireguard_address: "10.10.10.40/24"
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: ""
+
+scenario:
+  name: kvm-single-server
+  test_sequence:
+    - prepare
+    - converge
+
+verifier:
+  name: ansible
--- a/molecule/kvm-single-server/prepare.yml
+++ b/molecule/kvm-single-server/prepare.yml
@ -0,0 +1,13 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: ubuntu
+  remote_user: vagrant
+  become: true
+  gather_facts: true
+  tasks:
+    - name: Update APT package cache
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
--- a/molecule/kvm-single-server/verify.yml
+++ b/molecule/kvm-single-server/verify.yml
@ -0,0 +1,33 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Verify setup
+  hosts: all
+  vars:
+    hosts_count: "{{ groups['vpn'] | length }}"
+  tasks:
+    - name: Count WireGuard interfaces
+      ansible.builtin.shell: |
+        set -o errexit
+        set -o pipefail
+        set -o nounset
+        wg | grep "peer: " | wc -l
+        exit 0
+      args:
+        executable: "/bin/bash"
+      register: wireguard__interfaces_count
+      changed_when: false
+
+    - name: Print WireGuard interface count
+      ansible.builtin.debug:
+        var: wireguard__interfaces_count.stdout
+
+    - name: Print hosts count in vpn group
+      ansible.builtin.debug:
+        var: hosts_count
+
+    - name: There should be as much WireGuard interfaces as hosts in vpn group minus one
+      ansible.builtin.assert:
+        that:
+          - "hosts_count|int -1 == wireguard__interfaces_count.stdout|int"
--- a/molecule/kvm/converge.yml
+++ b/molecule/kvm/converge.yml
@ -0,0 +1,12 @@
+---
+# Copyright (C) 2020-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: all
+  remote_user: vagrant
+  become: true
+  gather_facts: true
+  tasks:
+    - name: Include WireGuard role
+      ansible.builtin.include_role:
+        name: githubixx.ansible_role_wireguard
--- a/molecule/kvm/molecule.yml
+++ b/molecule/kvm/molecule.yml
@ -0,0 +1,297 @@
+---
+# Copyright (C) 2020-2022 Robert Wimmer
+# Copyright (C) 2020 Pierre Ozoux
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+dependency:
+  name: galaxy
+
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+    type: libvirt
+
+platforms:
+  - name: test-wg-ubuntu2004
+    box: generic/ubuntu2004
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.10
+    groups:
+      - vpn
+      - ubuntu
+  - name: test-wg-ubuntu1804
+    box: generic/ubuntu1804
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.20
+    groups:
+      - vpn
+      - ubuntu
+  - name: test-wg-fedora36
+    box: generic/fedora36
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.40
+    groups:
+      - vpn
+      - fedora
+  - name: test-wg-centos7
+    box: generic/centos7
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.50
+    groups:
+      - vpn
+      - el7
+  - name: test-wg-arch
+    box: archlinux/archlinux
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.60
+    groups:
+      - vpn
+      - archlinux
+  - name: test-wg-debian11
+    box: generic/debian11
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.70
+    groups:
+      - vpn
+      - debian
+  - name: test-wg-rocky8
+    box: generic/rocky8
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.80
+    groups:
+      - vpn
+      - el8
+  - name: test-wg-alma8
+    box: generic/alma8
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.90
+    groups:
+      - vpn
+      - el8
+  - name: test-wg-centos7-kernel-plus
+    box: generic/centos7
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.100
+    groups:
+      - vpn
+      - el7
+  - name: test-wg-rocky8-dkms
+    box: generic/rocky8
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.130
+    groups:
+      - vpn
+      - el8
+      - el8dkms
+  - name: test-wg-ubuntu2204
+    box: generic/ubuntu2004
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.140
+    groups:
+      - vpn
+      - ubuntu
+  - name: test-wg-opensuse-leap-15-4
+    box: opensuse/Leap-15.4.x86_64
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.150
+    groups:
+      - vpn
+      - opensuse
+  - name: test-wg-rocky9
+    box: generic/rocky9
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.160
+    groups:
+      - vpn
+      - el9
+  - name: test-wg-alma9
+    box: generic/alma9
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.170
+    groups:
+      - vpn
+      - el9
+  - name: test-wg-oracle9
+    box: generic/oracle9
+    memory: 1024
+    cpus: 2
+    interfaces:
+      - auto_config: true
+        network_name: private_network
+        type: static
+        ip: 192.168.10.180
+    groups:
+      - vpn
+      - el9
+
+provisioner:
+  name: ansible
+  connection_options:
+    ansible_ssh_user: vagrant
+    ansible_become: true
+  log: true
+  lint:
+    name: ansible-lint
+  inventory:
+    host_vars:
+      test-wg-ubuntu2004:
+        wireguard_address: "10.10.10.10/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.10"
+      test-wg-ubuntu1804:
+        wireguard_address: "10.10.10.20/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.20"
+      test-wg-fedora36:
+        wireguard_address: "10.10.10.40/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.40"
+        wireguard_interface_restart: true
+      test-wg-centos7:
+        wireguard_address: "10.10.10.50/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.50"
+        wireguard_interface_restart: true
+      test-wg-arch:
+        wireguard_address: "10.10.10.60/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.60"
+        ansible_python_interpreter: "/usr/bin/python"
+      test-wg-debian11:
+        wireguard_address: "10.10.10.70/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.70"
+        ansible_python_interpreter: "/usr/bin/python3"
+      test-wg-rocky8:
+        wireguard_address: "10.10.10.80/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.80"
+      test-wg-alma8:
+        wireguard_address: "10.10.10.90/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.90"
+      test-wg-centos7-kernel-plus:
+        wireguard_address: "10.10.10.100/24"
+        wireguard_port: 51821
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.100"
+        wireguard_centos7_installation_method: "kernel-plus"
+      test-wg-rocky8-dkms:
+        wireguard_address: "10.10.10.130/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.130"
+        wireguard_rockylinux8_installation_method: "dkms"
+      test-wg-ubuntu2204:
+        wireguard_address: "10.10.10.140/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.140"
+      test-wg-opensuse-leap-15-4:
+        wireguard_address: "10.10.10.150/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.150"
+      test-wg-rocky9:
+        wireguard_address: "10.10.10.160/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.160"
+      test-wg-alma9:
+        wireguard_address: "10.10.10.170/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.170"
+      test-wg-oracle9:
+        wireguard_address: "10.10.10.180/24"
+        wireguard_port: 51820
+        wireguard_persistent_keepalive: "30"
+        wireguard_endpoint: "192.168.10.180"
+
+scenario:
+  name: kvm
+  test_sequence:
+    - prepare
+    - converge
+
+verifier:
+  name: ansible
--- a/molecule/kvm/prepare.yml
+++ b/molecule/kvm/prepare.yml
@ -0,0 +1,70 @@
+---
+# Copyright (C) 2021-2023 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- hosts: opensuse
+  remote_user: vagrant
+  become: true
+  gather_facts: true
+  tasks:
+    - name: Remove backports repositories
+      ansible.builtin.raw: |
+        zypper rr repo-backports-debug-update
+        zypper rr repo-backports-update
+      changed_when: false
+      failed_when: false
+
+- hosts: archlinux
+  remote_user: vagrant
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Init pacman
+      ansible.builtin.raw: |
+        pacman-key --init
+        pacman-key --populate archlinux
+      changed_when: false
+      failed_when: false
+
+    - name: Updating pacman cache
+      raw: pacman -Sy
+
+    - name: Install Python
+      ansible.builtin.raw: |
+        pacman -S --noconfirm python
+      args:
+        executable: /bin/bash
+      changed_when: false
+
+- hosts: proxmox
+  remote_user: vagrant
+  become: true
+  gather_facts: true
+  tasks:
+    - name: (Proxmox) Delete /var/lib/apt/lists/lock
+      ansible.builtin.file:
+        name: /var/lib/apt/lists/lock
+        state: absent
+
+- hosts: ubuntu
+  remote_user: vagrant
+  become: true
+  gather_facts: true
+  tasks:
+    - name: Update APT package cache
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+
+- hosts: el8dkms
+  remote_user: vagrant
+  become: true
+  gather_facts: true
+  tasks:
+    - name: Install ELRepo mainline kernel
+      ansible.builtin.raw: |
+        rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
+        dnf install -y https://www.elrepo.org/elrepo-release-8.el8.elrepo.noarch.rpm
+        dnf --enablerepo=elrepo-kernel install -y kernel-ml
+      changed_when: false
+      failed_when: false
--- a/molecule/kvm/verify.yml
+++ b/molecule/kvm/verify.yml
@ -0,0 +1,33 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: Verify setup
+  hosts: all
+  vars:
+    hosts_count: "{{ groups['vpn'] | length }}"
+  tasks:
+    - name: Count WireGuard interfaces
+      ansible.builtin.shell: |
+        set -o errexit
+        set -o pipefail
+        set -o nounset
+        wg | grep "peer: " | wc -l
+        exit 0
+      args:
+        executable: "/bin/bash"
+      register: wireguard__interfaces_count
+      changed_when: false
+
+    - name: Print WireGuard interface count
+      ansible.builtin.debug:
+        var: wireguard__interfaces_count.stdout
+
+    - name: Print hosts count in vpn group
+      ansible.builtin.debug:
+        var: hosts_count
+
+    - name: There should be as much WireGuard interfaces as hosts in vpn group minus one
+      ansible.builtin.assert:
+        that:
+          - "hosts_count|int -1 == wireguard__interfaces_count.stdout|int"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,96 +1,153 @@
 ---
- name: Gather instance facts
-  setup:
+# Copyright (C) 2018-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later

- include_tasks: "setup-{{ ansible_distribution|lower }}.yml"
+- name: Gather instance facts
+  ansible.builtin.setup:
+
+- name: Include tasks depending on OS
+  ansible.builtin.include_tasks:
+    file: "{{ item }}"
+    apply:
+      tags:
+        - wg-install
+  with_first_found:
+    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version }}.yml"
+    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}.yml"
+    - "setup-{{ ansible_distribution | lower }}-{{ ansible_distribution_release }}.yml"
+    - "setup-{{ ansible_distribution | lower }}.yml"
+    - "setup-{{ ansible_os_family | lower }}.yml"
+  tags:
+    - wg-install

 - name: Enable WireGuard kernel module
-  modprobe:
+  community.general.modprobe:
    name: wireguard
    state: present
-  register: wireguard_module_enabled
-  until:  wireguard_module_enabled is succeeded
+  register: wireguard__register_module_enabled
+  until: wireguard__register_module_enabled is succeeded
  retries: 10
  delay: 10
-  failed_when: wireguard_module_enabled is failure
+  failed_when: wireguard__register_module_enabled is failure
  tags:
    - wg-install
+  when: not ansible_os_family == 'Darwin'
+
+- name: Set default for WireGuard interface restart behavior
+  ansible.builtin.set_fact:
+    wireguard__restart_interface: >-
+      {%- if wireguard_interface_restart -%}
+      true
+      {%- else -%}
+      false
+      {%- endif %}
+  tags:
+    - skip_ansible_lint

- name: Set WireGuard IP (without mask)
-  set_fact:
-    wireguard_ip: "{{ wireguard_address.split('/')[0] }}"
+- name: Make sure wg syncconf option is available
+  when:
+    - not wireguard_interface_restart
+  tags:
+    - wg-config
+  block:
+    - name: Get available wg subcommands
+      ansible.builtin.command: "wg --help"
+      register: wireguard__register_subcommands
+      changed_when: false
+      check_mode: false
+
+    - name: Check if wg syncconf subcommand is available
+      ansible.builtin.set_fact:
+        wireguard__syncconf_avail: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"
+
+    - name: Wg syncconf subcommand available
+      ansible.builtin.debug:
+        var: wireguard__syncconf_avail
+
+    - name: Fall back to interface restart if wg syncconf is not available
+      when:
+        - not wireguard__syncconf_avail
+      ansible.builtin.set_fact:
+        wireguard__restart_interface: true
+
+- name: Final decision on WireGuard interface restart method
+  ansible.builtin.debug:
+    msg: >-
+      {%- if wireguard__restart_interface -%}
+      'restart'
+      {%- else -%}
+      'syncconf'
+      {%- endif %}
+  tags:
+    - skip_ansible_lint

 - name: Register if config/private key already exists on target host
-  stat:
+  ansible.builtin.stat:
    path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
-  register: config_file_stat
+  register: wireguard__register_config_file
  tags:
    - wg-generate-keys
    - wg-config

- name: Get wg subcommands
-  command: "wg --help"
-  register: wg_subcommands
-  changed_when: false
-
- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
-  set_fact:
-    wg_syncconf: false
-
- name: Check if wg syncconf subcommand is available
-  set_fact:
-    wg_syncconf: true
-  when: wg_subcommands.stdout | regex_search('syncconf:')
-
- name: Show syncconf subcommand status
-  debug:
-    var: wg_syncconf
-
- block:
-  - name: Generate WireGuard private key
-    command: "wg genkey"
-    register: wg_private_key_result
-    changed_when: false
-    tags:
-      - wg-generate-keys
-
-  - name: Set private key fact
-    set_fact:
-      private_key: "{{ wg_private_key_result.stdout }}"
-    tags:
-      - wg-generate-keys
-  when: not config_file_stat.stat.exists
-
- block:
-  - name: Read WireGuard config file
-    slurp:
-      src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
-    register: wg_config
-    tags:
-      - wg-config
-
-  - name: Set private key fact
-    set_fact:
-      private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
-    tags:
-      - wg-config
-  when: config_file_stat.stat.exists
+- name: WireGuard private key handling for new keys
+  when:
+    - not wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
+  block:
+    - name: Generate WireGuard private key
+      ansible.builtin.command: "wg genkey"
+      register: wireguard__register_private_key
+      changed_when: false
+      no_log: '{{ ansible_verbosity < 3 }}'
+      tags:
+        - wg-generate-keys
+
+    - name: Set private key fact
+      ansible.builtin.set_fact:
+        wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
+      no_log: '{{ ansible_verbosity < 3 }}'
+      tags:
+        - wg-generate-keys
+
+- name: WireGuard private key handling for existing keys
+  when:
+    - wireguard__register_config_file.stat.exists
+    - wireguard_private_key is not defined
+  block:
+    - name: Read WireGuard config file
+      ansible.builtin.slurp:
+        src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
+      register: wireguard__register_config
+      no_log: '{{ ansible_verbosity < 3 }}'
+      tags:
+        - wg-config
+
+    - name: Set private key fact
+      ansible.builtin.set_fact:
+        wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
+      no_log: '{{ ansible_verbosity < 3 }}'
+      tags:
+        - wg-config

 - name: Derive WireGuard public key
-  shell: "echo '{{ private_key }}' | wg pubkey" # noqa 306
-  register: wg_public_key_result
+  ansible.builtin.command: "wg pubkey"
+  args:
+    stdin: "{{ wireguard_private_key }}"
+  register: wireguard__register_public_key
  changed_when: false
+  check_mode: false
+  no_log: '{{ ansible_verbosity < 3 }}'
  tags:
    - wg-config

 - name: Set public key fact
-  set_fact:
-    public_key: "{{ wg_public_key_result.stdout }}"
+  ansible.builtin.set_fact:
+    wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
  tags:
    - wg-config

 - name: Create WireGuard configuration directory
-  file:
+  ansible.builtin.file:
    dest: "{{ wireguard_remote_directory }}"
    state: directory
    mode: 0700
@ -98,34 +155,28 @@
    - wg-config

 - name: Generate WireGuard configuration file
-  template:
-    src: wg.conf.j2
+  ansible.builtin.template:
+    src: etc/wireguard/wg.conf.j2
    dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
-    owner: root
-    group: root
-    mode: 0600
+    owner: "{{ wireguard_conf_owner }}"
+    group: "{{ wireguard_conf_group }}"
+    mode: "{{ wireguard_conf_mode }}"
+  no_log: '{{ ansible_verbosity < 3 }}'
  tags:
    - wg-config
  notify:
    - reconfigure wireguard

- name: Check if reload-module-on-update is set
-  stat:
-    path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
-  register: reload_module_on_update
-  tags:
-    - wg-config
-
- name: Set WireGuard reload-module-on-update
-  file:
+- name: Ensure legacy reload-module-on-update is absent
+  ansible.builtin.file:
    dest: "{{ wireguard_remote_directory }}/.reload-module-on-update"
-    state: touch
-  when: not reload_module_on_update.stat.exists
+    state: absent
  tags:
    - wg-config

 - name: Start and enable WireGuard service
-  service:
+  ansible.builtin.service:
    name: "wg-quick@{{ wireguard_interface }}"
-    state: started
-    enabled: yes
+    state: "{{ wireguard_service_state }}"
+    enabled: "{{ wireguard_service_enabled }}"
+  when: not ansible_os_family == 'Darwin'
--- a/tasks/setup-almalinux-8.yml
+++ b/tasks/setup-almalinux-8.yml
@ -0,0 +1,23 @@
+---
+# Copyright (C) 2021-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (AlmaLinux 8) Install EPEL & ELRepo repository
+  ansible.builtin.yum:
+    name:
+      - epel-release
+      - elrepo-release
+    update_cache: "{{ wireguard_update_cache }}"
+
+- name: (AlmaLinux 8) Ensure WireGuard DKMS package is removed
+  ansible.builtin.yum:
+    name:
+      - "wireguard-dkms"
+    state: absent
+
+- name: (AlmaLinux 8) Install WireGuard packages
+  ansible.builtin.yum:
+    name:
+      - "kmod-wireguard"
+      - "wireguard-tools"
+    state: present
--- a/tasks/setup-almalinux.yml
+++ b/tasks/setup-almalinux.yml
@ -0,0 +1,9 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (AlmaLinux) Install wireguard-tools package
+  ansible.builtin.yum:
+    name: wireguard-tools
+    state: present
+    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-archlinux.yml
+++ b/tasks/setup-archlinux.yml
@ -1,32 +1,12 @@
 ---
- name: (Archlinux) Install wireguard-lts package
-  pacman:
-    name: "{{ item.name }}"
-    state: "{{ item.state }}"
-  with_items:
-    - { name: wireguard-dkms, state: absent }
-    - { name: wireguard-lts, state: present }
-  become: yes
-  tags:
-    - wg-install
-  when:
-    - ansible_kernel is match(".*-lts$")
-    - ansible_kernel is version('5.6', '<')
+# Copyright (C) 2018-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later

- name: (Archlinux) Install wireguard-dkms package
-  pacman:
-    name: wireguard-dkms
-    state: present
-  become: yes
-  tags:
-    - wg-install
-  when:
-    - not ansible_kernel is match(".*-lts$")
-    - ansible_kernel is version('5.6', '<')
+- name: (Archlinux) Refresh the master package lists
+  community.general.pacman:
+    update_cache: "{{ wireguard_update_cache }}"

 - name: (Archlinux) Install wireguard-tools package
-  pacman:
+  community.general.pacman:
    name: wireguard-tools
    state: present
-  tags:
-    - wg-install
--- a/tasks/setup-centos-7.yml
+++ b/tasks/setup-centos-7.yml
@ -0,0 +1,77 @@
+---
+# Copyright (C) 2020 Roman Danko
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (CentOS 7) Tasks for standard kernel
+  when:
+    - wireguard_centos7_installation_method == "standard"
+  block:
+    - name: (CentOS 7) Install EPEL & ELRepo repository
+      ansible.builtin.yum:
+        name:
+          - epel-release
+          - https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
+        update_cache: "{{ wireguard_update_cache }}"
+
+    - name: (CentOS 7) Install yum-plugin-elrepo
+      ansible.builtin.yum:
+        name: yum-plugin-elrepo
+        update_cache: "{{ wireguard_update_cache }}"
+
+    - name: (CentOS 7) Install WireGuard packages
+      ansible.builtin.yum:
+        name:
+          - "kmod-wireguard"
+          - "wireguard-tools"
+        state: present
+      register: wireguard__centos7_yum_updates
+
+    - name: (CentOS 7) Reboot Instance to update kernel
+      when:
+        - wireguard_centos7_standard_reboot
+        - wireguard__centos7_yum_updates.changed
+      ansible.builtin.reboot:
+        reboot_timeout: "{{ wireguard_centos7_standard_reboot_timeout }}"
+
+- name: (CentOS 7) Ensure WireGuard DKMS package is removed
+  ansible.builtin.yum:
+    name:
+      - "wireguard-dkms"
+    state: absent
+
+- name: (CentOS 7 - kernel-plus) Tasks for kernel-plus
+  when:
+    - wireguard_centos7_installation_method == "kernel-plus"
+  block:
+    - name: (CentOS 7) Install EPEL repository & yum utils
+      ansible.builtin.yum:
+        name:
+          - epel-release
+          - yum-utils
+        update_cache: "{{ wireguard_update_cache }}"
+
+    - name: (CentOS 7 - kernel-plus) Enable CentosPlus repo
+      ansible.builtin.command: yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
+      changed_when: false
+
+    - name: (CentOS 7 - kernel-plus) Update to kernel-plus
+      ansible.builtin.replace:
+        path: /etc/sysconfig/kernel
+        regexp: '^DEFAULTKERNEL=kernel$'
+        replace: 'DEFAULTKERNEL=kernel-plus'
+
+    - name: (CentOS 7 - kernel-plus) Install WireGuard packages
+      ansible.builtin.yum:
+        name:
+          - "kernel-plus"
+          - "wireguard-tools"
+        state: present
+      register: wireguard__centos7_yum_updates
+
+    - name: (CentOS 7 - kernel-plus) Reboot Instance to update kernel
+      when:
+        - wireguard_centos7_kernel_plus_reboot
+        - wireguard__centos7_yum_updates.changes is defined
+        - wireguard__centos7_yum_updates.changes.installed|flatten|select('regex', '^kernel-plus$') is any
+      ansible.builtin.reboot:
+        reboot_timeout: "{{ wireguard_centos7_kernel_plus_reboot_timeout }}"
--- a/tasks/setup-centos.yml
+++ b/tasks/setup-centos.yml
@ -1,19 +0,0 @@
---
- name: (CentOS) Add WireGuard repository
-  get_url:
-    url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
-    dest: /etc/yum.repos.d/wireguard.repo
-
- name: (CentOS) Install EPEL repository
-  yum:
-    name: epel-release
-    update_cache: yes
-
- name: (CentOS) Install wireguard packages
-  yum:
-    name:
-      - "wireguard-dkms"
-      - "wireguard-tools"
-    state: present
-  tags:
-    - wg-install
--- a/tasks/setup-debian-pve-guest-variant.yml
+++ b/tasks/setup-debian-pve-guest-variant.yml
@ -0,0 +1,16 @@
+---
+# Copyright (C) 2021 Tobias Richter
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (Proxmox) Add WireGuard repository
+  ansible.builtin.apt_repository:
+    repo: "deb http://deb.debian.org/debian buster-backports main"
+    state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"
+    update_cache: "{{ wireguard_update_cache }}"
+
+- name: (Proxmox lxc) Install wireguard-tools.
+  ansible.builtin.apt:
+    install_recommends: false
+    name:
+      - wireguard-tools
+    state: present
--- a/tasks/setup-debian-pve-host-variant.yml
+++ b/tasks/setup-debian-pve-host-variant.yml
@ -0,0 +1,23 @@
+---
+# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2019-2020 Ties de Kock
+# Copyright (C) 2021 Steve Fan
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (Proxmox) Add WireGuard repository
+  ansible.builtin.apt_repository:
+    repo: "deb http://deb.debian.org/debian buster-backports main"
+    state: "{{ 'present' if (ansible_distribution_version | int <= 10) else 'absent' }}"
+    update_cache: "{{ wireguard_update_cache }}"
+
+- name: (Proxmox) Install kernel headers for the currently running kernel to compile WireGuard with DKMS
+  ansible.builtin.apt:
+    name:
+      - "pve-headers-{{ ansible_kernel }}"
+    state: present
+
+- name: (Proxmox) Install WireGuard packages
+  ansible.builtin.apt:
+    name:
+      - "wireguard"
+    state: present
--- a/tasks/setup-debian-raspbian-buster.yml
+++ b/tasks/setup-debian-raspbian-buster.yml
@ -0,0 +1,87 @@
+---
+# Copyright (C) 2020 Stefan Haun
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Note: This setup is called for Raspbian 10 (Buster) and lower.
+#       Since Raspbian 11 (Bullseye) wireguard is supported out
+#       of the box.
+#       Any Raspbian-related changes for Bullseye and above need to
+#       go to a separate playbook.
+
+- name: (Raspbian) Install GPG - required to add WireGuard key
+  ansible.builtin.apt:
+    name: gnupg
+    state: present
+
+- name: (Raspbian) Add Debian repository keys
+  ansible.builtin.apt_key:
+    keyserver: "keyserver.ubuntu.com"
+    id: "{{ item }}"
+    state: present
+  when: ansible_lsb.id == "Raspbian"
+  with_items:
+    - "04EE7237B7D453EC"
+    - "648ACFD622F3D138"
+
+- name: (Raspbian) Add Debian Buster Backports repository for WireGuard
+  ansible.builtin.apt_repository:
+    repo: "deb http://deb.debian.org/debian buster-backports main"
+    state: present
+    update_cache: "{{ wireguard_update_cache }}"
+
+- name: (Raspbian) Install latest kernel
+  ansible.builtin.apt:
+    name:
+      - "raspberrypi-kernel"
+    state: latest  # noqa package-latest
+  register: wireguard__register_kernel_update
+
+- name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
+  ansible.builtin.reboot:
+    search_paths: ['/lib/molly-guard', '/usr/sbin', '/sbin']
+  when:
+    - ansible_version.full is version('2.8.0', '>=')
+    - wireguard__register_kernel_update is changed
+
+- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
+  ansible.builtin.stat:
+    path: /lib/molly-guard/
+  register: wireguard__register_molly_guard
+
+- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
+  ansible.builtin.reboot:
+  when:
+    - ansible_version.full is version('2.8.0', '<')
+    - wireguard__register_kernel_update is changed
+    - not wireguard__register_molly_guard.stat.exists
+
+- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
+  ansible.builtin.command: /lib/molly-guard/shutdown -r now
+  async: 1
+  poll: 0
+  ignore_unreachable: true
+  changed_when: false
+  when:
+    - ansible_version.full is version('2.8.0', '<')
+    - wireguard__register_kernel_update is changed
+    - wireguard__register_molly_guard.stat.exists
+
+- name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
+  ansible.builtin.wait_for_connection:
+  when:
+    - ansible_version.full is version('2.8.0', '<')
+    - wireguard__register_kernel_update is changed
+    - wireguard__register_molly_guard.stat.exists
+
+- name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
+  ansible.builtin.apt:
+    name:
+      - "raspberrypi-kernel-headers"
+    state: latest  # noqa package-latest
+
+- name: (Raspbian) Install WireGuard packages
+  ansible.builtin.apt:
+    name:
+      - "wireguard-dkms"
+      - "wireguard-tools"
+    state: present
--- a/tasks/setup-debian-raspbian.yml
+++ b/tasks/setup-debian-raspbian.yml
@ -1,93 +0,0 @@
---
-
- name: (Raspbian) Install GPG - required to add wireguard key
-  apt:
-    name: gnupg
-    state: present
-
- name: (Raspbian) Add Debian repository key
-  apt_key:
-    keyserver: "keyserver.ubuntu.com"
-    id: "04EE7237B7D453EC"
-    state: present
-  when: ansible_lsb.id == "Raspbian"
-  tags:
-    - wg-install
-
- name: (Raspbian) Add Debian Unstable repository for WireGuard
-  apt_repository:
-    repo: "deb http://deb.debian.org/debian unstable main"
-    state: present
-    update_cache: yes
-  tags:
-    - wg-install
-
- name: (Raspbian) Install latest kernel
-  apt:
-    name:
-    - "raspberrypi-kernel"
-    state: latest
-  register: kernel_update
-  tags:
-    - wg-install
-
- name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
-  reboot:
-    search_paths: ['/lib/molly-guard', '/usr/sbin']
-  when:
-    - ansible_version.full is version('2.8.0', '>=')
-    - kernel_update is changed
-  tags:
-    - wg-install
-
- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
-  stat:
-    path: /lib/molly-guard/
-  register: molly_guard
-
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
-  reboot:
-  when:
-    - ansible_version.full is version('2.8.0', '<')
-    - kernel_update is changed
-    - not molly_guard.stat.exists
-  tags:
-    - wg-install
-
- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
-  command: /lib/molly-guard/shutdown -r now
-  async: 1
-  poll: 0
-  ignore_unreachable: yes
-  when:
-    - ansible_version.full is version('2.8.0', '<')
-    - kernel_update is changed
-    - molly_guard.stat.exists
-  tags:
-    - wg-install
-
- name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
-  wait_for_connection:
-  when:
-    - ansible_version.full is version('2.8.0', '<')
-    - kernel_update is changed
-    - molly_guard.stat.exists
-  tags:
-    - wg-install
-
- name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
-  apt:
-    name:
-    - "raspberrypi-kernel-headers"
-    state: latest
-  tags:
-    - wg-install
-
- name: (Raspbian) Install wireguard packages
-  apt:
-    name:
-      - "wireguard-dkms"
-      - "wireguard-tools"
-    state: present
-  tags:
-    - wg-install
--- a/tasks/setup-debian-vanilla.yml
+++ b/tasks/setup-debian-vanilla.yml
@ -1,37 +1,11 @@
 ---
- name: (Debian) Install GPG - required to add wireguard key
-  apt:
-    name: gnupg
-    state: present
-
- name: (Debian) Add WireGuard repository on buster or earlier
-  apt_repository:
-    repo: "deb http://deb.debian.org/debian buster-backports main"
-    state: present
-    update_cache: yes
-  when: ansible_distribution_version | int <= 10
-  tags:
-    - wg-install
-
- name: (Debian) Get architecture
-  command: "dpkg --print-architecture"
-  register: dpkg_arch
-  changed_when: False
-
- set_fact:
-    kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"
-
- name: (Debian) Install kernel headers to compile Wireguard with DKMS
-  apt:
-    name:
-      - "linux-headers-{{ kernel_header_version }}"
-    state: present
+# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2019-2020 Ties de Kock
+# SPDX-License-Identifier: GPL-3.0-or-later

- name: (Debian) Install wireguard packages
-  apt:
+- name: (Debian) Install WireGuard packages
+  ansible.builtin.apt:
    name:
-      - "wireguard-dkms"
-      - "wireguard-tools"
+      - "wireguard"
    state: present
-  tags:
-    - wg-install
+    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-debian.yml
+++ b/tasks/setup-debian.yml
@ -1,8 +1,51 @@
 ---
+# Copyright (C) 2020 Stefan Haun
+# Copyright (C) 2021 Steve Fan
+# SPDX-License-Identifier: GPL-3.0-or-later

- include_tasks: "setup-debian-raspbian.yml"
-  when: ansible_lsb.id == "Raspbian"
-  register: raspbian_setup
+- name: Setup for Raspbian
+  ansible.builtin.include_tasks:
+    file: "setup-debian-raspbian-buster.yml"
+    apply:
+      tags:
+        - wg-install
+  when:
+    - ansible_lsb.id is defined
+    - ansible_lsb.id == "Raspbian"
+    - ansible_lsb.major_release is version('11', '<')
+  register: wireguard__register_raspbian_setup

- include_tasks: "setup-debian-vanilla.yml"
-  when: raspbian_setup is skipped
+- name: Setup for Proxmox VE variants
+  when:
+    - ansible_kernel.find("pve") != -1
+  block:
+    - name: Setup Proxmox VE host
+      ansible.builtin.include_tasks:
+        file: "setup-debian-pve-host-variant.yml"
+        apply:
+          tags:
+            - wg-install
+      when:
+        - ansible_virtualization_role == "host"
+      register: wireguard__register_pve_host_variant_setup
+
+    - name: Setup Proxmox VE guest
+      ansible.builtin.include_tasks:
+        file: "setup-debian-pve-guest-variant.yml"
+        apply:
+          tags:
+            - wg-install
+      when:
+        - ansible_virtualization_role == "guest"
+      register: wireguard__register_pve_guest_variant_setup
+
+- name: Setup for Debian
+  ansible.builtin.include_tasks:
+    file: "setup-debian-vanilla.yml"
+    apply:
+      tags:
+        - wg-install
+  when:
+    - wireguard__register_raspbian_setup is skipped
+    - wireguard__register_pve_guest_variant_setup is skipped
+    - wireguard__register_pve_host_variant_setup is skipped
--- a/tasks/setup-elementary
+++ b/tasks/setup-elementary
@ -0,0 +1,13 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (elementary OS) Update APT package cache
+  ansible.builtin.apt:
+    update_cache: "{{ wireguard_ubuntu_update_cache }}"
+    cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
+
+- name: (elementary OS) Install wireguard package
+  ansible.builtin.apt:
+    name: "wireguard"
+    state: present
--- a/tasks/setup-fedora.yml
+++ b/tasks/setup-fedora.yml
@ -1,17 +1,11 @@
 ---
- name: (Fedora) Add wireguard COPR
-  yum_repository:
-    name: "jdoss-wireguard"
-    description: "Copr repo for wireguard owned by jdoss"
-    baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/"
-    gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
-    gpgcheck: yes
+# Copyright (C) 2020 Ties de Kock
+# Copyright (C) 2023 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later

- name: (Fedora) Install wireguard packages
-  yum:
+- name: (Fedora) Install WireGuard packages
+  ansible.builtin.yum:
    name:
-      - "wireguard-dkms"
      - "wireguard-tools"
    state: present
-  tags:
-    - wg-install
+    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-macosx.yml
+++ b/tasks/setup-macosx.yml
@ -0,0 +1,14 @@
+---
+# Copyright (C) 2020 Ruben Di Battista
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (MacOS) Install wireguard package
+  ansible.builtin.package:
+    name: wireguard-go
+    state: present
+  become: true
+
+- name: (MacOS) Install wireguard-tools package
+  ansible.builtin.package:
+    name: wireguard-tools
+    state: present
--- a/tasks/setup-opensuse
+++ b/tasks/setup-opensuse
@ -0,0 +1,10 @@
+---
+# Copyright (C) 2020-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (openSUSE Leap) Install WireGuard packages
+  community.general.zypper:
+    name:
+      - "wireguard-tools"
+    state: present
+    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-oraclelinux.yml
+++ b/tasks/setup-oraclelinux.yml
@ -0,0 +1,8 @@
+---
+# Copyright (C) 2022 Masahiro Koga
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (OracleLinux) Install wireguard-tools package
+  ansible.builtin.yum:
+    name: wireguard-tools
+    state: present
--- a/tasks/setup-rocky-8.yml
+++ b/tasks/setup-rocky-8.yml
@ -0,0 +1,56 @@
+---
+# Copyright (C) 2021-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (Rocky Linux 8) Tasks for standard kernel
+  when:
+    - wireguard_rockylinux8_installation_method == "standard"
+  block:
+    - name: (Rocky Linux 8) Install EPEL & ELRepo repository
+      ansible.builtin.yum:
+        name:
+          - epel-release
+          - elrepo-release
+        update_cache: "{{ wireguard_update_cache }}"
+
+    - name: (Rocky Linux 8) Ensure WireGuard DKMS package is removed
+      ansible.builtin.yum:
+        name:
+          - "wireguard-dkms"
+        state: absent
+
+    - name: (Rocky Linux 8) Install WireGuard packages
+      ansible.builtin.yum:
+        name:
+          - "kmod-wireguard"
+          - "wireguard-tools"
+        state: present
+
+- name: (Rocky Linux 8) Tasks for non-standard kernel
+  when:
+    - wireguard_rockylinux8_installation_method == "dkms"
+  block:
+    - name: (Rocky Linux 8) Install jdoss/wireguard COPR repository
+      community.general.copr:
+        state: enabled
+        name: jdoss/wireguard
+        chroot: epel-8-{{ ansible_architecture }}
+
+    - name: (Rocky Linux 8) Install EPEL repository
+      ansible.builtin.yum:
+        name:
+          - epel-release
+        update_cache: "{{ wireguard_update_cache }}"
+
+    - name: (Rocky Linux 8) Ensure WireGuard KMOD package is removed
+      ansible.builtin.yum:
+        name:
+          - "kmod-wireguard"
+        state: absent
+
+    - name: (Rocky Linux 8) Install WireGuard packages
+      ansible.builtin.yum:
+        name:
+          - "wireguard-dkms"
+          - "wireguard-tools"
+        state: present
--- a/tasks/setup-rocky.yml
+++ b/tasks/setup-rocky.yml
@ -0,0 +1,9 @@
+---
+# Copyright (C) 2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: (Rocky Linux) Install wireguard-tools package
+  ansible.builtin.yum:
+    name: wireguard-tools
+    state: present
+    update_cache: "{{ wireguard_update_cache }}"
--- a/tasks/setup-ubuntu.yml
+++ b/tasks/setup-ubuntu.yml
@ -1,48 +1,32 @@
 ---
+# Copyright (C) 2018-2022 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+
 - name: (Ubuntu) Update APT package cache
-  apt:
+  ansible.builtin.apt:
    update_cache: "{{ wireguard_ubuntu_update_cache }}"
    cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
-  tags:
-    - wg-install
-
- block:
-  - name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
-    package:
-      name: "{{ packages }}"
-      state: present
-    vars:
-      packages:
-      - software-properties-common
-      - linux-headers-{{ ansible_kernel }}
-    tags:
-      - wg-install
-
-  - name: (Ubuntu) Add WireGuard repository (for Ubuntu < 19.10)
-    apt_repository:
-      repo: "ppa:wireguard/wireguard"
-      state: present
-      update_cache: yes
-    tags:
-      - wg-install

-  - name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10)
-    apt:
-      name:
-        - "wireguard-dkms"
-        - "wireguard-tools"
-      state: present
-    tags:
-      - wg-install
+- name: (Ubuntu) Tasks for Ubuntu < 19.10
  when:
    - ansible_lsb.major_release is version('19.10', '<')
+  block:
+    - name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
+      ansible.builtin.package:
+        name: "{{ packages }}"
+        state: present
+      vars:
+        packages:
+          - software-properties-common
+          - linux-headers-{{ ansible_kernel }}

- block:
-  - name: (Ubuntu) Install wireguard-tools package (for Ubuntu > 19.04)
-    apt:
-      name: "wireguard-tools"
-      state: present
-    tags:
-      - wg-install
-  when:
-    - ansible_lsb.major_release is version('19.04', '>')
+- name: (Ubuntu) Ensure WireGuard DKMS package is removed
+  ansible.builtin.apt:
+    name:
+      - "wireguard-dkms"
+    state: absent
+
+- name: (Ubuntu) Install wireguard package
+  ansible.builtin.apt:
+    name: "wireguard"
+    state: present
--- a/templates/etc/wireguard/wg.conf.j2
+++ b/templates/etc/wireguard/wg.conf.j2
@ -0,0 +1,123 @@
+#jinja2: lstrip_blocks:"True",trim_blocks:"True"
+{# Copyright (C) 2018-2022 Robert Wimmer
+ # SPDX-License-Identifier: GPL-3.0-or-later
+ #}
+# {{ ansible_managed }}
+
+[Interface]
+# {{ inventory_hostname }}
+{% if wireguard_address is defined %}
+Address = {{ wireguard_address }}
+{% endif %}
+{% if wireguard_addresses is defined %}
+{%  for wg_addr in wireguard_addresses %}
+Address = {{ wg_addr }}
+{%  endfor %}
+{% endif %}
+PrivateKey = {{ wireguard_private_key }}
+ListenPort = {{ wireguard_port }}
+{% if wireguard_dns is defined %}
+DNS = {{ wireguard_dns }}
+{% endif %}
+{% if wireguard_fwmark is defined %}
+FwMark = {{ wireguard_fwmark }}
+{% endif %}
+{% if wireguard_mtu is defined %}
+MTU = {{ wireguard_mtu }}
+{% endif %}
+{% if wireguard_table is defined %}
+Table = {{ wireguard_table }}
+{% endif %}
+{% if wireguard_preup is defined %}
+{% for wg_preup in wireguard_preup %}
+PreUp = {{ wg_preup }}
+{% endfor %}
+{% endif %}
+{% if wireguard_postup is defined %}
+{% for wg_postup in wireguard_postup %}
+PostUp = {{ wg_postup }}
+{% endfor %}
+{% endif %}
+{% if wireguard_predown is defined %}
+{% for wg_predown in wireguard_predown %}
+PreDown = {{ wg_predown }}
+{% endfor %}
+{% endif %}
+{% if wireguard_postdown is defined %}
+{% for wg_postdown in wireguard_postdown %}
+PostDown = {{ wg_postdown }}
+{% endfor %}
+{% endif %}
+{% if wireguard_save_config is defined %}
+SaveConfig = {{ wireguard_save_config }}
+{% endif %}
+{% for host in ansible_play_hosts %}
+{%   if host != inventory_hostname %}
+
+[Peer]
+# {{ host }}
+PublicKey = {{hostvars[host].wireguard__fact_public_key}}
+{%     if hostvars[host].wireguard_allowed_ips is defined %}
+AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
+{%     else %}
+{%      if wireguard_address is defined %}
+AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32
+{%      endif %}
+{%      if wireguard_addresses is defined %}
+{%      for wg_addr in hostvars[host].wireguard_addresses %}
+{%        if (wg_addr | ansible.utils.ipv4) %}
+AllowedIPs = {{ wg_addr.split('/')[0] }}/32
+{%        elif (wg_addr | ansible.utils.ipv6) %}
+AllowedIPs = {{ wg_addr.split('/')[0] }}/128
+{%        endif %}
+{%      endfor %}
+{%      endif %}
+{%     endif %}
+{%     if hostvars[host].wireguard_persistent_keepalive is defined %}
+PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
+{%     endif %}
+{%     if (
+         hostvars[host].wireguard_dc is defined and
+         wireguard_dc is defined and
+         wireguard_dc['name'] != hostvars[host].wireguard_dc['name']
+       )
+%}
+Endpoint = {{hostvars[host].wireguard_dc['endpoint']}}:{{hostvars[host].wireguard_dc['port']}}
+{%     elif hostvars[host].wireguard_port is defined %}
+{%       if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
+Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
+{%       else %}
+Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
+{%       endif %}
+{%     elif hostvars[host].wireguard_endpoint is defined %}
+{%       if hostvars[host].wireguard_endpoint != "" %}
+Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
+{%       else %}
+# No endpoint defined for this peer
+{%       endif %}
+{%     else %}
+Endpoint = {{host}}:{{wireguard_port}}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+{% if wireguard_unmanaged_peers is defined %}
+
+# Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
+{% for peer in wireguard_unmanaged_peers.keys() %}
+[Peer]
+# {{ peer }}
+PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
+{%     if wireguard_unmanaged_peers[peer].preshared_key is defined %}
+PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].allowed_ips is defined %}
+AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].endpoint is defined %}
+Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }}
+{%     endif %}
+{%     if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %}
+PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }}
+{%     endif %}
+{%   endfor %}
+{% endif %}
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@ -1,70 +0,0 @@
-#jinja2: lstrip_blocks:"True",trim_blocks:"True"
-[Interface]
-# {{ inventory_hostname }}
-Address = {{hostvars[inventory_hostname].wireguard_address}}
-PrivateKey = {{private_key}}
-ListenPort = {{wireguard_port}}
-{% if hostvars[inventory_hostname].wireguard_dns is defined %}
-DNS = {{hostvars[inventory_hostname].wireguard_dns}}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_fwmark is defined %}
-FwMark = {{hostvars[inventory_hostname].wireguard_fwmark}}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_mtu is defined %}
-MTU = {{hostvars[inventory_hostname].wireguard_mtu}}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_table is defined %}
-Table = {{hostvars[inventory_hostname].wireguard_table}}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_preup is defined %}
-{% for wg_preup in hostvars[inventory_hostname].wireguard_preup %}
-PreUp = {{ wg_preup }}
-{% endfor %}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_predown is defined %}
-{% for wg_predown in hostvars[inventory_hostname].wireguard_predown %}
-PreDown = {{ wg_predown }}
-{% endfor %}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_postup is defined %}
-{% for wg_postup in hostvars[inventory_hostname].wireguard_postup %}
-PostUp = {{ wg_postup }}
-{% endfor %}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_postdown is defined %}
-{% for wg_postdown in hostvars[inventory_hostname].wireguard_postdown %}
-PostDown = {{ wg_postdown }}
-{% endfor %}
-{% endif %}
-{% if hostvars[inventory_hostname].wireguard_save_config is defined %}
-SaveConfig = true
-{% endif %}
-{% for host in ansible_play_hosts %}
-  {% if host != inventory_hostname %}
-  
-    [Peer]
-    # {{ host }}
-    PublicKey = {{hostvars[host].public_key}}
-    {% if hostvars[host].wireguard_allowed_ips is defined %}
-    AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
-    {% else %}
-    AllowedIPs = {{hostvars[host].wireguard_ip}}/32
-    {% endif %}
-    {% if hostvars[host].wireguard_persistent_keepalive is defined %}
-    PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
-    {% endif %}
-    {% if hostvars[host].wireguard_port is defined and hostvars[host].wireguard_port is number %}
-      {% if hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
-    Endpoint = {{hostvars[host].wireguard_endpoint}}:{{hostvars[host].wireguard_port}}
-      {% else %}
-    Endpoint = {{host}}:{{hostvars[host].wireguard_port}}
-      {% endif %}
-    {% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
-    Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
-    {% elif hostvars[host].wireguard_endpoint == "" %}
-    # No endpoint defined for this peer
-    {% else %}
-    Endpoint = {{host}}:{{wireguard_port}}
-    {% endif %}
-  {% endif %}
-{% endfor %}
Author	SHA1	Message	Date
Robert Wimmer	34d33d5ffe	update CHANGELOG for Oracle Linux 9 (#187 )	2 years ago
cola-zero	b844de89c4	Support Oracle Linux 9 (#185 ) * add support for Oracle Linux 9 * add Oracle Linux 9 to README.md	2 years ago
githubixx	8a3fad9859	Merge branch 'commongoodtechnology-update_cache_all'	2 years ago
githubixx	4e6c265663	update CHANGELOG	2 years ago
githubixx	65b7567414	update README and defaults/main.yml	2 years ago
githubixx	e621ba4b9f	molecule/kvm/prepare.yml: fix Archlinux preperation	2 years ago
githubixx	053f187100	AlmaLinux 9: update package manager cache by default	2 years ago
githubixx	4d51195462	openSUSE: update package manager cache by default	2 years ago
githubixx	dabf45c78b	Archlinux: update package manager cache by default	2 years ago
githubixx	ada56ca65b	Fedora: update package manager cache by default	2 years ago
githubixx	7fbb316965	Rocky Linux 9: update package manager cache by default	2 years ago
githubixx	9f8e446ff1	fix merge conflict in CHANGELOG	2 years ago
Robert Wimmer	0cd8d01fb3	Update CentOS7 reboot handling (#186 ) * fix typos in CHANGELOG * update CentOS7 reboot handling	2 years ago
mofelee	c58f736e32	Add reboot to the standard mode (#184 )	2 years ago
Sebastian Wagner	314fec5248	option wireguard_update_cache to disable refresh previously disable the cache update was only possible on ubuntu using the generic name wireguard_update_cache it can be enabled for all operating systems	2 years ago
Robert Wimmer	c6159d4205	update CHANGELOG (#183 )	2 years ago
Mathéo Cimbaro	5205445786	Fixed Readme (#182 ) Fixed `dd64b7bf2a (r102734826)`	2 years ago
Mathéo Cimbaro	dd64b7bf2a	Allow to use multiple addresses and added IPv6 support (#174 ) * Basic IPv6 support Hosts can now have one IPv6, by specifying 'wireguard_address_v6' variable. This IP is added to peer's AllowedIPs. Future plans : - Support IPv6 only hosts (No 'wireguard_address') - Allow the endpoint to be an IPv6 address * Added 'wireguard_addresses' to use multiple IPs Added the 'wireguard_addresses' variable to specify an array of IPv4 and IPv6. The old 'wireguard_address' variable can be deprecated even she still work to specify one IPv4. The 'wireguard_address_v6' from last commit was deleted. * Updating the README to use `wireguard_addresses` * 13.0.0 changelog	2 years ago
Robert Wimmer	4631fbdc06	12.0.0 (#181 ) * Fix Molecule prepare for Archlinux * remove Debian 10 (Buster) support (readed EOL) * remove openSUSE 15.3 support (reached EOL) * add openSUSE 15.4 to meta/main.yml * fix ansible-lint issue in tasks/setup-debian-raspbian-buster.yml * remove Fedora 35 support (reached EOL) * update CHANGELOG	2 years ago
Robert Wimmer	f6a6e4680a	Support elementary OS (#171 ) * add support for elementary OS * update README * add skip_ansible_lint for two tasks * ignore two ansible-lint warnings for Raspbian Buster tasks * update CHANGELOG * update comment in defaults/main.yml and README	2 years ago
Robert Wimmer	f4573c5e8f	Rocky Linux + AlmaLinux support (#168 ) * add EL9 to meta/main.yml * require Ansible >= 2.11 as Rocky Linux is only supported with this version or above * ansible-lint: use community.general.pacman module instead of ansible.builtin.pacman for Archlinux setup * add support for Rocky Linux 9 and AlmaLinux 9 * add openSUSE Leap 15.4 to README.md * update CHANGELOG.md	2 years ago
Robert Wimmer	3821005839	v10.0.0 (#162 ) * remove support for Fedora 35 / add support for Fedora 36 * remove Fedora 34 + add Fedora 36 to Molecule test * fix Jinja2 spacing * fix Jinja2 spacing * improve the task key order to: name, when, tags, block * handlers/main.yml: names should start with an uppercase letter * tasks/main.yml: names should start with an uppercase letter * add .yamllint * add Github release action to push new release to Ansible Galaxy * add Molecule setup for openSUSE 15.4 * molecule/kvm-single-server: add verify.yml / enable verifier * update CHANGELOG	2 years ago
Robert Wimmer	fad7b1d7b0	Support Ubuntu 22.04 (Jammy Jellyfish) (#159 ) * add Ubuntu 22.04 (Jammy Jellyfish) support * update README	3 years ago
Robert Wimmer	8d395dd014	update CHANGELOG for 9.2.0 (#157 ) * update CHANGELOG * fix typo	3 years ago
Andrew Johnson	f624b439e6	fix: Do not require lsb-release on Debian (#154 )	3 years ago
Robert Wimmer	4e5adac691	Change restart handling / add very basic unit test (#156 ) * move register if config/private key handling out of wg subcommands block * allow user to specify WireGuard interface restart behavior * update README * numeric values in meta/main.yml should be strings * update Copyright * fix indentation in tasks/setup-debian.yml * update Copyright * update Copyright * truthy values should be lowercase * add namespace key again to meta/main.yml * add molecule/kvm/verify.yml with a very basic unit test	3 years ago
Stefan Haun	434fe955ca	Specify Raspbian playbook for Buster and below (#119 ) * Call Raspbian role only when Release is older than 11 (Bullseye) * Rename raspbian-role to mark that it is intended for Buster and lower Wireguard is directly supported by Raspbian 11 (Bullseye) and higher. * Add a note regarding the scope of the Raspbian playbook	3 years ago
Robert Wimmer	6b5fbe8b32	Updates (#150 ) * update CHANGELOG * fix typo * fix host groups: el8-dkms -> el8dkms * remove empty line * update CHANGELOG	3 years ago
gitouche	59651ccb2a	Add non-standard kernel installation for RockyLinux 8 (#146 ) * Add non-standard kernel installation for RockyLinux 8 * Add test VM in molecule tests for Rocky8 non-standard installation method * Rename non-standard to dkms as an install method * Automate installation process : kmod if possible, dkms as fallback * BUGFIX : dmks installation needs EPEL repo for wireguard-tools * Molecule : install ELRepo mainline kernel for rocky8 dkms installation * Revert "Automate installation process : kmod if possible, dkms as fallback" This reverts commit 822fbcbe5d8c484ecd984df57fd170749d6b97c1. * Molecule : add wireguard_rockylinux8_installation_method variable to test-wg-rocky8-dkms	3 years ago
Robert Wimmer	2b3c878715	honor wireguard_save_config value (#149 ) * honor wireguard_save_config value * update CHANGELOG	3 years ago
Robert Wimmer	d0df49bbfa	Add Molecule single server + two clients example (#148 ) * add Molecule scenario for single server * change verifier to Ansible	3 years ago
Chazza	6129398453	Examples should use public not private keys (#143 )	3 years ago
Robert Wimmer	ac98583ab5	Various updates (#142 ) * move wireguard_private_key up in variable order in defaults/main.yml * add opensuse 15.3 to Galaxy metadata * remove trailing space * remove blank line * fix indentation in setup-debian.yml * rename test-wg-opensuse-leap to test-wg-opensuse-leap-15-2 in molecule.yml * add OpenSUSE 15.3 to Molecule test * remove OpenSUSE Leap 15.2 support (EOL) * remove Fedora 33 support (EOL) * remove Fedora 33 + openSUSE Leap 15.2 variables from Molecule test * add Fedora 35 support * remove CentOS 8 support (EOL) - use AlmaLinux or Rocky Linux instead * remove tasks/setup-centos-8.yml (CentOS 8 reached EOL) * fix formatting issues and typos in README + CHANGELOG * update CHANGELOG * truthy value should false in tasks/setup-debian-pve-guest-variant.yml * name task in tasks/main.yml * name tasks in tasks/setup-debian.yml * refactor Molecule setup * remove Proxmox from Molecule test * update CHANGELOG * update CHANGELOG * re-order IP address in Molecule test * use different wireguard_port values for a few hosts in Molecule test for better testing	3 years ago
Anes Belfodil	840f56262d	Remove unnecessary and buggy check preventing proper port from being set in peers (#112 )	3 years ago
Felix Mai	c4a5677f72	General improvements (#138 ) * Rearrange hooks to match lifecycle order * Fully qualify module names BREAKING CHANGE: To use FQCNs at least Ansible 2.9 is required [2]. From the commonly presented note in the Ansible documentation, e. g. of Ansible's builtin debug module [1]: [...] we recommend you use the FQCN for easy linking to the module documentation and to avoid conflicting with other collections that may have the same module name. [1]: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/debug_module.html [2]: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#where-did-all-the-modules-go * Update changelog	3 years ago
Tobias Richter	5caaea2047	PVE guest and host detection (#127 ) * Distinguish between proxmox host and guest setup * Update CHANGELOG.md	3 years ago
Robert Wimmer	5f5320010f	add Molecule test for CentOS 7 kernel-plus (#131 )	3 years ago
John Potter	4626475a9c	feat: Update CentOS 7 to use signed kernel-plus module (#129 ) * feat: Update CentOS 7 to use signed kernel-plus module * Apply suggestions from code review Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Update CentOS 7 for optional signed kernel-plus module Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com>	3 years ago
Robert Wimmer	692cce2f55	Add Rocky Linux/AlmaLinux support + Molecule tests (#123 ) * Add Rocky Linux/AlmaLinux support + Molecule tests * update CHANGELOG	3 years ago
Robert Wimmer	527c9ae967	Debian 11 + Fedora 34 support / Fedora 32 support removed (#118 ) * add Debian 11 aka Bullseye * add Debian 11 aka Bullseye to Molecule test * update README * added Fedora 34 + removed Fedora 32 support from meta/main.yml * Debian 11 do not need kernel headers anymore * remove Fedora 32 from Molecule test / add Fedora 34 + Debian 11 to Molecule test * add rolename/namespace + make ansible-lint happy in meta/main.yml * make ansible-lint happy * (Archlinux) As linux-lts is using kernel 5.10 now there is no need to install wireguard-lts tools any longer (and this package is gone anyway) * (Debian) fix ansible-lint issues * update CHANGELOG	3 years ago
Robert Wimmer	027eaa99f7	update README for v7.12.0 of this role (#111 )	3 years ago
Jan Gaßner	871d1e4497	Fix tag "wg-install" & Add no_log (#110 ) * Fixed tag "wg-install" inheritance to included tasks Fixes #109 * Added no_log to tasks handling private keys - can be explicitly deactivated for debugging by running with verbosity 3 or higher Fixes #81	3 years ago
Robert Wimmer	57340b6c06	Update readme chlog formatting (#108 ) * handlers/main.yml: better formatting * update README/CHANGELOG	4 years ago
tjend	2d6e36572b	Allow disabling service (#107 )	4 years ago
Robert Wimmer	5178a9a097	update CHANGELOG (#100 )	4 years ago
Jamison Lofthouse	a41231675f	Check if wireguard_endpoint exists before checking if it is empty (#92 )	4 years ago
Robert Wimmer	663d3b9a5f	Support for Proxmox (#99 ) * add PVE to the recipe * Update tasks/setup-debian-pve-variant.yml Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Update tasks/setup-debian-pve-variant.yml Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Update tasks/setup-debian-pve-variant.yml Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Update tasks/setup-debian.yml Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * On Proxmox ansible_lsb.id variable is not set * change when condition for include task setup-debian-vanilla.yml to a list * add Molecule test for Proxmox * use file module to delete /var/lib/apt/lists/lock for Proxmox in Molecule test Co-authored-by: Steve Fan <29133953+stevefan1999-personal@users.noreply.github.com>	4 years ago
Robert Wimmer	364b1fe4f0	remove Fedora 31 support / add Fedora 33 support (#94 ) * added support Fedora 33 support / remove Fedora 31 support * update playbooks example * add credits	4 years ago
Maxim Burgerhout	0c6c1b8b80	Fix Fedora support (#93 ) Fedora 32 still installs the copr repo and the dkms module. I assume that is still necessary for Fedora 32, though I have no box to test it with. If the user is on Fedora 33 or higher, the default setup-fedora.yml is used, which no longer installs the copr repo, nor the dkms module since neither are necessary anymore.	4 years ago
leggewie	bb77be4d97	Update README.md (#90 ) Add a link to the Ansible Galaxy page	4 years ago
Robert Wimmer	4c21076cb2	added support for openSUSE Leap 15.2 (#89 )	4 years ago
Stefan Haun	5c0014aa62	Raspberry Pi: Use Backports instead of Debian Unstable (#88 ) * Use Debian backports repositories Use Debian backports instead of unstable to get wireguard. This is a more stable solution and has less impact on the system. Unfortunately a reboot is still required. * Fix boot paths * Update Changelog, switch to 7.7.0	4 years ago
Robert Wimmer	05fd811928	update Ansible Galaxy metadata (#87 )	4 years ago
Julien Reichardt	c0e3e13e0a	Add wireguard_private_key variable (#69 ) * Fix check mode for Debian * Add wireguard_private_key variable * Release 7.6.0 * Fix undefined `wg_syncconf` when using tags	4 years ago
Robert Wimmer	65e94eaebb	Fix Ubuntu 18 install (#85 ) * CHANGELOG formatting * No need to use PPA for Ubuntu 18 any longer * update CHANGELOG * Bring back task to install support packages for Ubuntu < 19.10 just to be sure	4 years ago
Robin Schneider	db8bec1b0a	REUSE Specification v3.0 and other minor stuff (#76 ) * Add editor fold sections * Remove trailing whitespace * Make the repo compliant with REUSE Specification v3.0 Closes: #71 Email addresses have all been removed from this commit as requested by githubixx. * Use common namespace "wireguard" for role facts * Fix typo * Explicitly state that GPL-3.0-or-later applies Closes: #72	4 years ago
githubixx	c009cac619	update CHANGELOG	4 years ago
Robert Wimmer	51cbca51b5	added initial molecule infrastructure (#83 ) * add .gitignore file * add molecule	4 years ago
Ruben Di Battista	47885d8db9	Remove useless block for single task (#82 )	4 years ago
Robert Wimmer	4db85a4fda	Merge pull request #77 from ypid/fix/62 Debian only: Ensure DKMS builds for the currently running kernel	4 years ago
Robin Schneider	0eac8789aa	Debian only: Ensure DKMS builds for the currently running kernel Closes: #62	4 years ago
Robert Wimmer	fbf47d2a13	Merge pull request #67 from ypid/improve Improve coding style, spelling and Debian support	4 years ago
Robin Schneider	cc0c5751b6	Add changelog entry for my first review/improvements round	4 years ago
Robin Schneider	739c9de73e	Move wireguard_ip template code to template where it belongs Instead of redundant set_fact task.	4 years ago
Robin Schneider	3362f1c2fc	Consistent use of spaces in Jinja2 print expressions	4 years ago
Robin Schneider	132c59521a	Drop redundant use of `hostvars[inventory_hostname].` prefix Those variables are directly in the namespace. Using the long form is uncommon. A case could have been made if the later section of the config (which uses `hostvars[host]`) has similar semantics but that is not the case as those are peer sections.	4 years ago
Robin Schneider	a27f805d2d	Ensure that buster-backports will be absent on Debian 11+	4 years ago
Robin Schneider	2309abf09e	Remove forgotten gnupg pkg that is not needed anymore for Debian vanilla It was once needed for the apt_key tasks.	4 years ago
Robin Schneider	c1049ab647	Debian stretch is not currently supported by the role (anymore) It once was supported by an "unstable" workaround which has since been dropped in favor of Debian buster.	4 years ago
Robin Schneider	5d68b0f97f	Prefer the metapackage "wireguard" for later Debian bullseye support	4 years ago
Robin Schneider	8b1ae7d4c2	Remove obsolete .reload-module-on-update file It does not serve any function anymore after support for module reloading has been removed from the postinst script in 0.0.20200215-2 on 2020-02-24. A module update is properly signaled via /run/reboot-required so that the admin can (automatically) schedule a reboot when convenient. This will also be more in line with future Debian releases because starting with Debian bullseye, the kernel ships the module.	4 years ago
Robin Schneider	e7588cd047	Fix ansible-lint warning [502] All tasks should be named Just drop the redundant task	4 years ago
Robin Schneider	81c371c6a2	Solve ansible-lint [201] Trailing whitespace	4 years ago
Robin Schneider	a56a4d6600	Properly solve ansible-lint 306 warning about shell task with pipe Do not ignore such warnings! They are there for a reason!	4 years ago
Robin Schneider	713a7683ef	Move template into it’s fhs place	4 years ago
Robin Schneider	3531334281	Add ansible_managed header to templates files	4 years ago
Robin Schneider	c4a21dd0ef	Use common namespace "wireguard" for role facts	4 years ago
Robin Schneider	7a1af464b1	Move condition code into Jinja instead of having two set_fact tasks	4 years ago
Robin Schneider	f3c590665d	WireGuard should be written "WireGuard"	4 years ago
Robin Schneider	eb6a54a0a7	Fix typos	4 years ago
Robert Wimmer	4082794706	update README/CHANGELOG (#75 )	4 years ago
Ruben Di Battista	3ef759edbb	Add basic support for macOS (#61 ) Add macOS details in the README Fix Archlinux spelling Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Remove additional linux.yml file, use conditional block instead Add CHANGELOG entry Bump to 7.2.0 in CHANGELOG Invert OS check on Darwin instead of Linux Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com>	4 years ago
Robert Wimmer	e9e95f80e0	proper formatting of WireGuard config file / add wireguard_dc variable (#74 )	4 years ago
Gabriel Vîjială	f35670a0e4	fix typo in syncconf handler (#73 )	4 years ago
Joonas Kuorilehto	ee456757ed	Add support for unmanaged WireGuard peers (#63 ) * Add support for unmanaged WireGuard peers Add variable wireguard_extra_peer_config that is raw WireGuard configuration appended to the peers section. Value is a string containing arbitrary wg-quick syntax. This closes #41, and closes #45. * update CHANGELOG (#63) * Change unmanaged peers to dictionary instead of string Based on review comment by @j8r in #63. * README: update preshared_key example Update wireguard_unmanaged_peers example for preshared_key. Make it a comment to highlight it is optional and should probably be handled like other secrets. * Clean up jinja2 syntax Based on review comments. * Remove unneeded if of required public_key The public_key is required for a wireguard peer so remove the if from wireguard_unmanaged_peers public_key. The effect is that it is a syntax error from Ansible rather than failing config validation when the config has already been written and fails to load.	4 years ago
Joonas Kuorilehto	f07cab4243	README: add syntax highlighting language (#64 ) Github can render pretty syntax highlighting for YAML and ini code snippets if it knows the language. Set the language in the code block header.	4 years ago
Roman Danko	c1f413f966	Switched to ELRepo for Centos (#59 ) * Switched to ELRepo for Centos (#50) - added switch to differentiate setup of Centos7/8 - replaced old repository by officialy recomended - added step to remove old dkms wireguard package - switched to install KMOD wireguard package * Updated CHANGELOG after switching to ELRepo for Centos * Update CHANGELOG.md Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Updted CHANGELOG: added notice about old wireguard Centos repository removal Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com>	4 years ago