From 13621d4d68f04cc23c49ef94e3fbefdf4fae28e5 Mon Sep 17 00:00:00 2001 From: Ties de Kock Date: Tue, 28 Apr 2020 21:01:46 +0200 Subject: [PATCH 1/4] Use wireguard from buster-backports on debian if needed (#49) * Changes wireguard apt repo to buster-backports * Add repo only on buster or earlier * No apt pin needed, backports has lower priority than main distribution * Update CHANGELOG.md Co-Authored-By: Robert Wimmer <2039811+githubixx@users.noreply.github.com> * Clarify effects of updating on system state Co-authored-by: Robert Wimmer <2039811+githubixx@users.noreply.github.com> --- CHANGELOG.md | 19 +++++++++++++++ .../etc/apt/preferences.d/limit-unstable | 3 --- tasks/setup-debian.yml | 23 +++---------------- 3 files changed, 22 insertions(+), 23 deletions(-) delete mode 100644 files/debian/etc/apt/preferences.d/limit-unstable diff --git a/CHANGELOG.md b/CHANGELOG.md index b0ac6ab..f75556b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,25 @@ Changelog --------- +**6.0.4** + +- Use the buster-backports repository on Debian Buster (or older), use package + standard repositories on sid/bullseye. + + The role no longer adds the unstable _repo_ nor the _apt preference_ for that repo. + There is no need to clean the preference and unstable repository, since packages + from your release have a higher priority. + + If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) + updates from `unstable` are accepted by apt. This likely is not what you want + and may lead to an unstable state. + + If you want to clean up: + * remove `/etc/apt/preferences.d/limit-unstable` and + * remove `deb http://deb.debian.org/debian/ unstable main` from `/etc/apt/sources.list.d/deb_debian_org_debian.list`. + + The backports repository has a lower priority and does not need an apt preference. + **6.0.3** - If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru) 
diff --git a/files/debian/etc/apt/preferences.d/limit-unstable b/files/debian/etc/apt/preferences.d/limit-unstable deleted file mode 100644 index 3350f2c..0000000 --- a/files/debian/etc/apt/preferences.d/limit-unstable +++ /dev/null @@ -1,3 +0,0 @@ -Package: * -Pin: release a=unstable -Pin-Priority: 90 diff --git a/tasks/setup-debian.yml b/tasks/setup-debian.yml index 48a94dc..8669fae 100644 --- a/tasks/setup-debian.yml +++ b/tasks/setup-debian.yml @@ -1,32 +1,15 @@ --- -- name: Setup WireGuard preference - copy: - src: debian/etc/apt/preferences.d/limit-unstable - dest: /etc/apt/preferences.d/limit-unstable - owner: root - group: root - mode: 0644 - tags: - - wg-install - - name: Install GPG - required to add wireguard key apt: name: gnupg state: present -- name: Add WireGuard key - apt_key: - keyserver: "keyserver.ubuntu.com" - id: "8B48AD6246925553" - state: present - tags: - - wg-install - -- name: Add WireGuard repository +- name: Add WireGuard repository on buster or earlier apt_repository: - repo: "deb http://deb.debian.org/debian/ unstable main" + repo: "deb http://deb.debian.org/debian buster-backports main" state: present update_cache: yes + when: ansible_distribution_version | int <= 10 tags: - wg-install From 04843b539462c9c9fc33491aef4a2449cace774f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCrgen=20H=C3=B6tzel?= Date: Sat, 2 May 2020 21:12:34 +0200 Subject: [PATCH 2/4] Use Arch Linux specific package list (#48) Arch Linux ships a Linux kernel > 5.6 and doesn't require DKMS. Move the package list variable to (distribution-specific) var files. For the Arch Linux LTS kernel (5.4) a binary wireguard-lts package is provided in [core]. --- tasks/main.yml | 14 ++++++++++---- tasks/setup-archlinux.yml | 24 ++++++++++++++++++------ vars/packages-archlinux.yml | 2 ++ vars/packages.yml | 3 +++ 4 files changed, 33 insertions(+), 10 deletions(-) create mode 100644 vars/packages-archlinux.yml create mode 100644 vars/packages.yml 
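Review bot: The new `when: ansible_distribution_version | int <= 10` on the apt_repository task does not limit buster-backports to buster-or-older as reliably as the commit message intends: on Debian testing/sid the version fact is frequently non-numeric (a codename or `n/a`, depending on the Ansible version), and Jinja's `int` filter turns such a value into 0, so the condition is true on exactly the releases that are supposed to skip the repo. A numeric guard such as `when: ansible_distribution_version is match('^[0-9]') and (ansible_distribution_version | int) <= 10` keeps the comparison meaningful; verify the fact's value on a sid host before relying on it. Dropping the keyserver-fetched `apt_key` is consistent with using the distribution's own archive, which is verified by the keyring already on the system.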
diff --git a/tasks/main.yml b/tasks/main.yml index 7dd79ae..31366c7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,14 +4,20 @@ - include_tasks: "setup-{{ ansible_distribution|lower }}.yml" +- name: Load packages variable file based on the OS type, or a default if not found + include_vars: "{{ lookup('first_found', params) }}" + vars: + params: + files: + - "packages-{{ ansible_distribution | lower }}.yml" + - "packages.yml" + paths: + - "vars" + - name: Install WireGuard package: name: "{{ packages }}" state: present - vars: - packages: - - wireguard-dkms - - wireguard-tools tags: - wg-install diff --git a/tasks/setup-archlinux.yml b/tasks/setup-archlinux.yml index dd0b901..7967488 100644 --- a/tasks/setup-archlinux.yml +++ b/tasks/setup-archlinux.yml @@ -1,11 +1,23 @@ --- -- name: Install required packages +- name: Install wireguard-lts package pacman: - name: "{{ packages }}" - state: present + name: "{{ item.name }}" + state: "{{ item.state }}" + with_items: + - { name: wireguard-dkms, state: absent } + - { name: wireguard-lts, state: present } become: yes - vars: - packages: - - linux-headers tags: - wg-install + when: + - ansible_kernel is match(".*-lts$") + - ansible_kernel is version('5.6', '<') +- name: Install wireguard-dksm package + pacman: + name: wireguard-dkms + become: yes + tags: + - wg-install + when: + - not ansible_kernel is match(".*-lts$") + - ansible_kernel is version('5.6', '<') diff --git a/vars/packages-archlinux.yml b/vars/packages-archlinux.yml new file mode 100644 index 0000000..fdc6563 --- /dev/null +++ b/vars/packages-archlinux.yml @@ -0,0 +1,2 @@ +packages: + - wireguard-tools diff --git a/vars/packages.yml b/vars/packages.yml new file mode 100644 index 0000000..82c6b3c --- /dev/null +++ b/vars/packages.yml @@ -0,0 +1,3 @@ +packages: + - wireguard-dkms + - wireguard-tools From 97f566ad857f0763e97e01ece8736d9e2aa592dc Mon Sep 17 00:00:00 2001 
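Review bot: The new `Load packages variable file` task carries no tags while the `Install WireGuard` task that consumes `packages` is tagged `wg-install`, so a run limited with `--tags wg-install` skips the include_vars and the package task fails on an undefined `packages`. Give the include_vars task the same `tags:` / `- wg-install` list so the two always run together. The `include_tasks` line above has the same gap, but it is context here rather than part of the change.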
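Review bot: The non-LTS branch still installs `wireguard-dkms` for kernels below 5.6, but the `linux-headers` install that the hunk removes is not replaced anywhere, and DKMS needs matching kernel headers to build the module; unless `wireguard-dkms` pulls them in transitively (verify against the package's dependencies), the build fails on a fresh host. Keep the headers under the same condition by turning the dkms task's `name: wireguard-dkms` into a list, `name:` / `- linux-headers` / `- wireguard-dkms`. An explicit `state: present` on that task would also make it parallel to the wireguard-lts task above, instead of relying on the pacman module's default.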
From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Sat, 2 May 2020 21:32:09 +0200 Subject: [PATCH 3/4] cleanup (#51) * update CHANGELOG * fix typo * update CHANGELOG Co-authored-by: githubixx --- CHANGELOG.md | 14 +++++++------- tasks/setup-archlinux.yml | 3 ++- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f75556b..0cd6e5c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,18 +1,18 @@ Changelog --------- +**6.1.0** + +- Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package. + **6.0.4** -- Use the buster-backports repository on Debian Buster (or older), use package +- Use the buster-backports repository on Debian Buster (or older), use package standard repositories on sid/bullseye. standard repositories on sid/bullseye. - The role no longer adds the unstable _repo_ nor the _apt preference_ for that repo. - There is no need to clean the preference and unstable repository, since packages - from your release have a higher priority. + The role no longer adds the unstable _repo_ nor the _apt preference_ for that repo. There is no need to clean the preference and unstable repository, since packages from your release have a higher priority. - If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) - updates from `unstable` are accepted by apt. This likely is not what you want - and may lead to an unstable state. + If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) updates from `unstable` are accepted by apt. This likely is not what you want and may lead to an unstable state. If you want to clean up: * remove `/etc/apt/preferences.d/limit-unstable` and 
diff --git a/tasks/setup-archlinux.yml b/tasks/setup-archlinux.yml index 7967488..c26357c 100644 --- a/tasks/setup-archlinux.yml +++ b/tasks/setup-archlinux.yml @@ -12,7 +12,8 @@ when: - ansible_kernel is match(".*-lts$") - ansible_kernel is version('5.6', '<') -- name: Install wireguard-dksm package + +- name: Install wireguard-dkms package pacman: name: wireguard-dkms become: yes From 9f76b8baf5c957ed82c3306e66953a6824079251 Mon Sep 17 00:00:00 2001 From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Mon, 4 May 2020 23:27:56 +0200 Subject: [PATCH 4/4] Support Ubuntu 20.04 (#52) * update Ansible Galaxy meta info (added Ubunut Focal Fossa / Debian Buster) * update CHANGELOG (Ubuntu 20.04 support) * move OS package installation to OS specific subtasks * update README * update CHANGELOG Co-authored-by: githubixx --- CHANGELOG.md | 6 ++++ README.md | 8 +++-- defaults/main.yml | 15 +++++++++ meta/main.yml | 2 ++ tasks/main.yml | 21 ++----------- tasks/setup-archlinux.yml | 12 +++++-- tasks/setup-centos.yml | 14 +++++++-- tasks/setup-debian.yml | 19 +++++++++--- tasks/setup-fedora.yml | 23 +++++++++----- tasks/setup-ubuntu.yml | 62 +++++++++++++++++++++++++------------ vars/packages-archlinux.yml | 2 -- vars/packages.yml | 3 -- 12 files changed, 124 insertions(+), 63 deletions(-) delete mode 100644 vars/packages-archlinux.yml delete mode 100644 vars/packages.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 0cd6e5c..c78a687 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,12 @@ Changelog --------- +**6.2.0** + +- Support Ubuntu 20.04 (Focal Fossa) +- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before. +- As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases. + **6.1.0** - Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package. diff --git a/README.md b/README.md index 2399a4e..2c09cfb 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,7 @@ I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a whil In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/). -This role was tested with Ubuntu 18.04 (Bionic Beaver), Debian 9 (Stretch), Archlinux, Fedora 31 and CentOS. It might also work with Ubuntu 16.04 (Xenial Xerus), Debian 10 (Buster) or other distributions but haven't tested it. If someone tested it let me please know if it works or send a pull request to make it work ;-) +This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later) and CentOS 7 might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-) Versions -------- @@ -294,11 +294,13 @@ vpn1: vpn2: hosts: - # use a different name, and define ansible_host, to avoid mixing of vars without needing to prefix vars with interface name + # Use a different name, and define ansible_host, to avoid mixing of vars without + # needing to prefix vars with interface name. multi-wg1: ansible_host: multi wireguard_interface: wg1 - wireguard_port: 51821 # when using several interface on one host, we must use different ports + # when using several interface on one host, we must use different ports + wireguard_port: 51821 wireguard_address: 10.9.1.1/32 wireguard_endpoint: multi.exemple.com another: diff --git a/defaults/main.yml b/defaults/main.yml index 55db08b..966b62b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,4 +1,8 @@ --- +####################################### +# General settings +####################################### + # Directory to store WireGuard configuration on the remote hosts wireguard_remote_directory: "/etc/wireguard" @@ -7,3 +11,14 @@ wireguard_port: "51820" # The default interface name that wireguard should use if not specified otherwise. wireguard_interface: "wg0" + + +####################################### +# Settings only relevant for Ubuntu +####################################### + +# Set to "false" if package cache should not be updated +wireguard_ubuntu_update_cache: "true" + +# Set package cache valid time +wireguard_ubuntu_cache_valid_time: "3600" diff --git a/meta/main.yml b/meta/main.yml index 0667370..8133ea6 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -8,9 +8,11 @@ galaxy_info: - name: Ubuntu versions: - bionic + - focal - name: Debian versions: - stretch + - buster - name: EL versions: - 7 diff --git a/tasks/main.yml b/tasks/main.yml index 31366c7..ac056c0 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -4,23 +4,6 @@ - include_tasks: "setup-{{ ansible_distribution|lower }}.yml" -- name: Load packages variable file based on the OS type, or a default if not found - include_vars: "{{ lookup('first_found', params) }}" - vars: - params: - files: - - "packages-{{ ansible_distribution | lower }}.yml" - - "packages.yml" - paths: - - "vars" - -- name: Install WireGuard - package: - name: "{{ packages }}" - state: present - tags: - - wg-install - - name: Enable WireGuard kernel module modprobe: name: wireguard @@ -48,6 +31,7 @@ - name: Get wg subcommands command: "wg --help" register: wg_subcommands + changed_when: false - name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available) set_fact: @@ -64,8 +48,9 @@ - block: - name: Generate WireGuard private key - shell: "wg genkey" + command: "wg genkey" register: wg_private_key_result + changed_when: false tags: - wg-generate-keys 
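Review bot: The comment above the new `wireguard_ubuntu_cache_valid_time` does not say what unit the value is in; the apt module's `cache_valid_time` is in seconds, so `# Seconds the apt package cache is treated as fresh before it is refreshed` would spare the reader a lookup. Both new values are quoted strings (`"true"`, `"3600"`) feeding a boolean and an integer option; that matches the file's existing quoting of `wireguard_port: "51820"` and Ansible's argument coercion accepts it, but native scalars `wireguard_ubuntu_update_cache: true` and `wireguard_ubuntu_cache_valid_time: 3600` would state the intended types directly.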
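Review bot: `Generate WireGuard private key` now runs `wg genkey` through `command` with `changed_when: false`, but the registered `wg_private_key_result` still carries the private key in its `stdout`, and nothing in the hunk keeps that result out of verbose output or logging callbacks. Add `no_log: true` to that task unless the enclosing block, which starts and continues outside the hunk, already sets it. The `changed_when: false` added to the `wg --help` probe is the right fix for a read-only command that otherwise always reports a change.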
diff --git a/tasks/setup-archlinux.yml b/tasks/setup-archlinux.yml index c26357c..8d34575 100644 --- a/tasks/setup-archlinux.yml +++ b/tasks/setup-archlinux.yml @@ -1,5 +1,5 @@ --- -- name: Install wireguard-lts package +- name: (Archlinux) Install wireguard-lts package pacman: name: "{{ item.name }}" state: "{{ item.state }}" @@ -13,12 +13,20 @@ - ansible_kernel is match(".*-lts$") - ansible_kernel is version('5.6', '<') -- name: Install wireguard-dkms package +- name: (Archlinux) Install wireguard-dkms package pacman: name: wireguard-dkms + state: present become: yes tags: - wg-install when: - not ansible_kernel is match(".*-lts$") - ansible_kernel is version('5.6', '<') + +- name: (Archlinux) Install wireguard-tools package + pacman: + name: wireguard-tools + state: present + tags: + - wg-install diff --git a/tasks/setup-centos.yml b/tasks/setup-centos.yml index 50cdc33..4a17708 100644 --- a/tasks/setup-centos.yml +++ b/tasks/setup-centos.yml @@ -1,11 +1,19 @@ --- - -- name: Add WireGuard repository +- name: (CentOS) Add WireGuard repository get_url: url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo dest: /etc/yum.repos.d/wireguard.repo -- name: Install EPEL repository +- name: (CentOS) Install EPEL repository yum: name: epel-release update_cache: yes + +- name: (CentOS) Install wireguard packages + yum: + name: + - "wireguard-dkms" + - "wireguard-tools" + state: present + tags: + - wg-install diff --git a/tasks/setup-debian.yml b/tasks/setup-debian.yml index 8669fae..d874d65 100644 --- a/tasks/setup-debian.yml +++ b/tasks/setup-debian.yml 
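Review bot: The new `(Archlinux) Install wireguard-tools package` task lacks the `become: yes` that the two pacman tasks above it carry, so unless the play itself escalates privileges, this one runs unprivileged and pacman fails. Add `become: yes` to it so the three tasks in the file are parallel. The hunk that only renames the tasks and adds `state: present` needs nothing further.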
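Review bot: The new `(CentOS) Install wireguard packages` task is tagged `wg-install` while the two repository tasks above it are not, so `--tags wg-install` on a fresh host tries to install `wireguard-dkms`/`wireguard-tools` before the COPR repo and EPEL exist. Either tag the repository tasks with `wg-install` too or drop the tag from the install task; the same split is introduced in this commit's setup-debian.yml (`Install GPG`, kernel headers) and setup-fedora.yml (the COPR task). The `.repo` file fetched with `get_url` still has no `checksum:`; that line is context rather than new, but since the file it writes decides `gpgkey` and `gpgcheck` for every later install, pinning it is worth a follow-up.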
@@ -1,10 +1,10 @@ --- -- name: Install GPG - required to add wireguard key +- name: (Debian) Install GPG - required to add wireguard key apt: name: gnupg state: present -- name: Add WireGuard repository on buster or earlier +- name: (Debian) Add WireGuard repository on buster or earlier apt_repository: repo: "deb http://deb.debian.org/debian buster-backports main" state: present @@ -13,13 +13,22 @@ tags: - wg-install -- name: Get architecture - shell: dpkg --print-architecture +- name: (Debian) Get architecture + command: "dpkg --print-architecture" register: dpkg_arch changed_when: False -- name: Install kernel headers to compile wireguard with DKMS +- name: (Debian) Install kernel headers to compile Wireguard with DKMS apt: name: - "linux-headers-{{ dpkg_arch.stdout }}" state: present + +- name: (Debian) Install wireguard packages + apt: + name: + - "wireguard-dkms" + - "wireguard-tools" + state: present + tags: + - wg-install diff --git a/tasks/setup-fedora.yml b/tasks/setup-fedora.yml index 19fddb2..4561dba 100644 --- a/tasks/setup-fedora.yml +++ b/tasks/setup-fedora.yml @@ -1,8 +1,17 @@ --- - - name: Add wireguard COPR - yum_repository: - name: "jdoss-wireguard" - description: "Copr repo for wireguard owned by jdoss" - baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/" - gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg" - gpgcheck: yes +- name: (Fedora) Add wireguard COPR + yum_repository: + name: "jdoss-wireguard" + description: "Copr repo for wireguard owned by jdoss" + baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/" + gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg" + gpgcheck: yes + +- name: (Fedora) Install wireguard packages + yum: + name: + - "wireguard-dkms" + - "wireguard-tools" + state: present + tags: + - wg-install 
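Review bot: The new `(Debian) Install wireguard packages` task installs `wireguard-dkms` unconditionally, whereas the Archlinux and Ubuntu files in this same commit skip DKMS once the kernel ships the module (in-tree from 5.6); on bullseye/sid hosts that means a needless DKMS build against the `linux-headers-{{ dpkg_arch.stdout }}` meta package, which can fail if those headers do not match the running kernel (for example a backports kernel). Split the list so that only `wireguard-tools` is unconditional and the dkms task, together with the headers task, gets `when: ansible_kernel is version('5.6', '<')`, mirroring setup-ubuntu.yml; setup-fedora.yml has the same unconditional `wireguard-dkms`. The switch from `shell` to `command: "dpkg --print-architecture"` is the right call since no shell features are used.
```yaml
# … unchanged: GPG, repository and architecture tasks …

- name: (Debian) Install kernel headers to compile Wireguard with DKMS
  apt:
    name:
      - "linux-headers-{{ dpkg_arch.stdout }}"
    state: present
  # Only kernels without the in-tree module need a DKMS build
  when: ansible_kernel is version('5.6', '<')

- name: (Debian) Install wireguard-dkms package (kernel without in-tree module)
  apt:
    name: "wireguard-dkms"
    state: present
  when: ansible_kernel is version('5.6', '<')
  tags:
    - wg-install

- name: (Debian) Install wireguard-tools package
  apt:
    name: "wireguard-tools"
    state: present
  tags:
    - wg-install
```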
diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml index 17ae4f8..9df682e 100644 --- a/tasks/setup-ubuntu.yml +++ b/tasks/setup-ubuntu.yml @@ -1,26 +1,48 @@ --- -- name: Update APT package cache +- name: (Ubuntu) Update APT package cache apt: - update_cache: true - cache_valid_time: 3600 + update_cache: "{{ wireguard_ubuntu_update_cache }}" + cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}" tags: - wg-install -- name: Install required packages - package: - name: "{{ packages }}" - state: present - vars: - packages: - - software-properties-common - - linux-headers-{{ ansible_kernel }} - tags: - - wg-install +- block: + - name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10) + package: + name: "{{ packages }}" + state: present + vars: + packages: + - software-properties-common + - linux-headers-{{ ansible_kernel }} + tags: + - wg-install -- name: Add WireGuard repository - apt_repository: - repo: "ppa:wireguard/wireguard" - state: present - update_cache: yes - tags: - - wg-install + - name: (Ubuntu) Add WireGuard repository (for Ubuntu < 19.10) + apt_repository: + repo: "ppa:wireguard/wireguard" + state: present + update_cache: yes + tags: + - wg-install + + - name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10) + apt: + name: + - "wireguard-dkms" + - "wireguard-tools" + state: present + tags: + - wg-install + when: + - ansible_lsb.major_release is version('19.10', '<') + +- block: + - name: (Ubuntu) Install wireguard-tools package (for Ubuntu > 19.04) + apt: + name: "wireguard-tools" + state: present + tags: + - wg-install + when: + - ansible_lsb.major_release is version('19.04', '>') diff --git a/vars/packages-archlinux.yml b/vars/packages-archlinux.yml deleted file mode 100644 index fdc6563..0000000 --- a/vars/packages-archlinux.yml +++ /dev/null @@ -1,2 +0,0 @@ -packages: - - wireguard-tools diff --git a/vars/packages.yml b/vars/packages.yml deleted file mode 100644 index 82c6b3c..0000000 
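Review bot: Both block conditions compare `ansible_lsb.major_release`, which on Ubuntu holds the major number only (`18`, `19`, `20`), against point releases: `'19' is version('19.10', '<')` is true and `'19' is version('19.04', '>')` is false, so 19.10 takes the PPA/DKMS path that the task names say it should not, and when the `lsb_release` tool is absent `ansible_lsb` is an empty dict and the `when` fails on an undefined attribute. Compare `ansible_distribution_version` instead and make the two conditions complementary: `when: ansible_distribution_version is version('19.10', '<')` on the first block and `when: ansible_distribution_version is version('19.10', '>=')` on the second. The task names' `< 19.10` / `> 19.04` wording then matches the code, and no release can satisfy both or neither block.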
--- a/vars/packages.yml +++ /dev/null @@ -1,3 +0,0 @@ -packages: - - wireguard-dkms - - wireguard-tools