changes after githubixx code review
This commit is contained in:
parent
e8c0579237
commit
9d91823ac3
|
@ -1,6 +1,13 @@
|
|||
Changelog
|
||||
---------
|
||||
|
||||
**4.0.0**
|
||||
|
||||
- While the changes introduced are backwards compatible in general if you stay with your current settings some variables are no longer needed. So this is partly a breaking change and therefore justifies a new major version.
|
||||
- Support multiple Wireguard interfaces. See README for examples (contribution by fbourqui)
|
||||
- Make role stateless: In the previous versions the private and public keys of the Wireguard hosts were stored locally in the directory defined with the `wireguard_cert_directory` variable. This is no longer the case. The variables `wireguard_cert_directory`, `wireguard_cert_owner` and `wireguard_cert_group` are no longer needed and were removed. If you used this role before this release it's safe to remove them from your settings. The directory that was defined with the `wireguard_cert_directory` variable will be kept. While not tested it may enable you to go back to an older version of this role and it should still work (contribution by fbourqui)
|
||||
- Reminder: `wireguard_cert_directory` default was `~/wireguard/certs`. Public and Private keys where stored on the host running ansible playbook. As a security best practice private keys of all your WireGuard endpoints should not be kept locally.
|
||||
|
||||
**3.2.2**
|
||||
|
||||
- remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR)
|
||||
|
|
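Review bot: The 4.0.0 "Reminder" entry says the old `~/wireguard/certs` directory is kept but never tells operators what to do with it, so the private keys of every endpoint stay on the Ansible control node until someone removes them by hand; suggest adding a sentence such as "Once you have confirmed that each remote host has its private key under `wireguard_remote_directory`, delete `~/wireguard/certs` on the control node yourself, the role will no longer do this for you." Minor: "Public and Private keys where stored" should read "were stored", and the same section spells the project both "Wireguard" and "WireGuard".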
15
README.md
15
README.md
|
@ -27,25 +27,16 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/mast
|
|||
Role Variables
|
||||
--------------
|
||||
|
||||
This variables can be changed in `group_vars/`:
|
||||
Those variables can be changed in `group_vars/`:
|
||||
|
||||
```
|
||||
# LOCAL directory where the WireGuard certificates used to be stored
|
||||
# in older version of this role.
|
||||
# Private keys are now read from the remote host, public key are derived
|
||||
# from private key
|
||||
#
|
||||
# This config is kept to be able to delete the old folder, as having
|
||||
# all the private keys locally is not a security best practice.
|
||||
wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
|
||||
|
||||
# Directory to store WireGuard configuration on the remote hosts
|
||||
wireguard_remote_directory: "/etc/wireguard"
|
||||
|
||||
# The port WireGuard will listen on.
|
||||
# The default port WireGuard will listen if not specified otherwise.
|
||||
wireguard_port: "51820"
|
||||
|
||||
# The interface name that wireguard should use.
|
||||
# The default interface name that wireguard should use if not specified otherwise.
|
||||
wireguard_interface: "wg0"
|
||||
```
|
||||
|
||||
|
|
|
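Review bot: Removing the `wireguard_cert_directory` block also removes the only place in the README that explains where keys now live ("Private keys are now read from the remote host, public key are derived from private key"); since the variable list is the first thing a user reads, keep a one-line note next to `wireguard_remote_directory: "/etc/wireguard"` stating that private keys are generated and kept on the remote host in that directory and nothing key-related is written to the control node. The "This variables" to "Those variables" fix is fine; "These variables" would be the more idiomatic form.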
@ -1,18 +1,9 @@
|
|||
---
|
||||
# LOCAL directory where the WireGuard certificates used to be stored
|
||||
# in older version of this role.
|
||||
# Private keys are now read from the remote host, public key are derived
|
||||
# from private key
|
||||
#
|
||||
# This config is kept to be able to delete the old folder, as having
|
||||
# all the private keys locally is not a security best practice.
|
||||
wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
|
||||
|
||||
# Directory to store WireGuard configuration on the remote hosts
|
||||
wireguard_remote_directory: "/etc/wireguard"
|
||||
|
||||
# The port WireGuard will listen on.
|
||||
# The default port WireGuard will listen if not specified otherwise.
|
||||
wireguard_port: "51820"
|
||||
|
||||
# The interface name that wireguard should use.
|
||||
# The default interface name that wireguard should use if not specified otherwise.
|
||||
wireguard_interface: "wg0"
|
||||
|
|
|
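Review bot: Dropping `wireguard_cert_directory` from the defaults means a playbook that still sets it (or `wireguard_cert_owner` / `wireguard_cert_group`, which the changelog says were removed as well) has the value silently ignored rather than rejected, and its author may keep believing keys are still being copied to that path. Suggest an early task that surfaces this, for example an `assert` with `that: wireguard_cert_directory is not defined` and a `fail_msg` pointing at the 4.0.0 changelog entry, or at least a `debug` warning when any of the three deprecated variables is present.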
@ -121,12 +121,3 @@
|
|||
name: "wg-quick@{{ wireguard_interface }}"
|
||||
state: started
|
||||
enabled: yes
|
||||
|
||||
- name: Delete local cert directory
|
||||
file:
|
||||
path: "{{ wireguard_cert_directory }}"
|
||||
state: absent
|
||||
delegate_to: localhost
|
||||
run_once: true
|
||||
tags:
|
||||
- wg-config
|
||||
|
|
|
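Review bot: Agree with removing the "Delete local cert directory" task: a `file` task with `state: absent` on `{{ wireguard_cert_directory }}`, `delegate_to: localhost` and `run_once: true` deleted a user-supplied path on the control node on every run that carried the `wg-config` tag, and a mis-set variable (an empty value or an unexpanded `~`) would have removed far more than the role's own key cache. With this gone the changelog's statement that the directory "will be kept" matches the behaviour; the manual clean-up step belongs in the docs instead.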
@ -36,6 +36,8 @@ SaveConfig = true
|
|||
{% endif %}
|
||||
{% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
|
||||
Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
|
||||
{% elif hostvars[host].wireguard_endpoint == "" %}
|
||||
# No endpoint defined
|
||||
{% else %}
|
||||
Endpoint = {{host}}:{{wireguard_port}}
|
||||
{% endif %}
|
||||
|
|
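Review bot: The new `{% elif hostvars[host].wireguard_endpoint == "" %}` branch compares the variable without first checking that it is defined, unlike the branch just above it (`... is defined and ... != ""`); for a host that does not set `wireguard_endpoint` the comparison is evaluated against an undefined value, which Ansible's strict undefined handling rejects with a template error instead of falling through to the `{% else %}` that emits `Endpoint = {{host}}:{{wireguard_port}}`. Suggest `{% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint == "" %}`, and expanding the `# No endpoint defined` comment to say that WireGuard will then only answer handshakes initiated by that peer and never try to reach it itself, which is the intended behaviour for a roaming client behind NAT.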