--- # Copyright (C) 2018-2022 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later ####################################### # General settings ####################################### # Directory to store WireGuard configuration on the remote hosts wireguard_remote_directory: "{{ '/etc/wireguard' if not ansible_os_family == 'Darwin' else '/opt/local/etc/wireguard' }}" # The default port WireGuard will listen if not specified otherwise. wireguard_port: "51820" # The default interface name that WireGuard should use if not specified otherwise. wireguard_interface: "wg0" # The default owner of the wg.conf file wireguard_conf_owner: root # The default group of the wg.conf file wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}" # The default mode of the wg.conf file wireguard_conf_mode: 0600 # The default state of the wireguard service wireguard_service_enabled: "yes" wireguard_service_state: "started" # By default "wg syncconf" is used to apply WireGuard interface settings if # they've changed. Older WireGuard tools doesn't provide this option. In that # case as a fallback the WireGuard interface will be restarted. This causes a # short interruption of network connections. # # So even if "false" is the default, the role figures out if the "syncconf" # option of the "wg" utility is available and if not falls back to "true" # (which means interface will be restarted as this is the only possible option # in this case). # # Possible options: # - false (default) # - true # # Both options have their pros and cons. The default "false" option (do not # restart interface) # - does not need to restart the WireGuard interface to apply changes # - does not cause a short VPN connection interruption when changes are applied # - might cause network routes are not properly reloaded # # Setting the option value to "true" will # - restart the WireGuard interface as the name suggests in case of changes # - cause a short VPN connection interruption when changes are applied # - make sure that network routes are properly reloaded # # So it depends a little bit on your setup which option works best. If you # don't have an overly complicated routing that changes very often or at all # using "false" here is most properly good enough for you. E.g. if you just # want to connect a few servers via VPN and it normally stays this way. # # If you have a more dynamic routing setup then setting this to "true" might be # the safest way to go. Also if you want to avoid the possibility creating some # hard to detect side effects this option should be considered. wireguard_interface_restart: false # This is sensitive: encrypt it with a tool like Ansible Vault. # If not set, a new one is generated on a blank configuration. # wireguard_private_key: ####################################### # Settings only relevant for: # - Ubuntu # - elementary OS ####################################### # Set to "false" if package cache should not be updated wireguard_update_cache: "true" # DEPRECATED: This variable will be removed with the next major release. Please use "wireguard_update_cache" instead. wireguard_ubuntu_update_cache: "{{ wireguard_update_cache }}" # Set package cache valid time wireguard_ubuntu_cache_valid_time: "3600" ####################################### # Settings only relevant for CentOS 7 ####################################### # Set wireguard_centos7_installation_method to "kernel-plus" # to use the kernel-plus kernel, which includes a built-in, # signed WireGuard module. # # The default of "standard" will use the standard kernel and # the ELRepo module for WireGuard. wireguard_centos7_installation_method: "standard" # Reboot host if necessary if the "kernel-plus" kernel is in use wireguard_centos7_kernel_plus_reboot: true # The default seconds to wait for machine to reboot and respond # if "kernel-plus" is in use. Is only relevant if # "wireguard_centos7_kernel_plus_reboot" is set to "true". wireguard_centos7_kernel_plus_reboot_timeout: "600" # Reboot host if necessary if the standard kernel is in use wireguard_centos7_standard_reboot: true # The default seconds to wait for machine to reboot and respond # if "standard" kernel is in use. Is only relevant if # "wireguard_centos7_standard_reboot" is set to "true". wireguard_centos7_standard_reboot_timeout: "600" ######################################### # Settings only relevant for RockyLinux 8 ######################################### # Set wireguard_rockylinux8_installation_method to "dkms" # to build WireGuard module from source, with wireguard-dkms. # This is required if you use a custom kernel and/or your arch # is not x86_64. # # The default of "standard" will install the kernel module # with kmod-wireguard from ELRepo. wireguard_rockylinux8_installation_method: "standard"