changes after githubixx code review

CHANGELOG.md

@@ -1,6 +1,13 @@
 Changelog
 ---------
 
+**4.0.0**
+
+- While the changes introduced are backwards compatible in general if you stay with your current settings some variables are no longer needed. So this is partly a breaking change and therefore justifies a new major version.
+- Support multiple Wireguard interfaces. See README for examples (contribution by fbourqui)
+- Make role stateless: In the previous versions the private and public keys of the Wireguard hosts were stored locally in the directory defined with the `wireguard_cert_directory` variable. This is no longer the case. The variables `wireguard_cert_directory`, `wireguard_cert_owner` and `wireguard_cert_group` are no longer needed and were removed. If you used this role before this release it's safe to remove them from your settings. The directory that was defined with the `wireguard_cert_directory` variable will be kept. While not tested it may enable you to go back to an older version of this role and it should still work (contribution by fbourqui)
+- Reminder: `wireguard_cert_directory` default was `~/wireguard/certs`. Public and Private keys where stored on the host running ansible playbook. As a security best practice private keys of all your WireGuard endpoints should not be kept locally.
+
 **3.2.2**
 
 - remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR)

README.md

@@ -27,25 +27,16 @@ see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/mast
 Role Variables
 --------------
 
-This variables can be changed in `group_vars/`:
+Those variables can be changed in `group_vars/`:
 
 ```
-# LOCAL directory where the WireGuard certificates used to be stored 
-# in older version of this role.
-# Private keys are now read from the remote host, public key are derived 
-# from private key
-#
-# This config is kept to be able to delete the old folder, as having 
-# all the private keys locally is not a security best practice.
-wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
-
 # Directory to store WireGuard configuration on the remote hosts
 wireguard_remote_directory: "/etc/wireguard"
 
-# The port WireGuard will listen on.
+# The default port WireGuard will listen if not specified otherwise.
 wireguard_port: "51820"
 
-# The interface name that wireguard should use.
+# The default interface name that wireguard should use if not specified otherwise.
 wireguard_interface: "wg0"
 ```
 

defaults/main.yml

@@ -1,18 +1,9 @@
 ---
-# LOCAL directory where the WireGuard certificates used to be stored 
-# in older version of this role.
-# Private keys are now read from the remote host, public key are derived 
-# from private key
-#
-# This config is kept to be able to delete the old folder, as having 
-# all the private keys locally is not a security best practice.
-wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
-
 # Directory to store WireGuard configuration on the remote hosts
 wireguard_remote_directory: "/etc/wireguard"
 
-# The port WireGuard will listen on.
+# The default port WireGuard will listen if not specified otherwise.
 wireguard_port: "51820"
 
-# The interface name that wireguard should use.
+# The default interface name that wireguard should use if not specified otherwise.
 wireguard_interface: "wg0"

tasks/main.yml

@@ -121,12 +121,3 @@
     name: "wg-quick@{{ wireguard_interface }}"
     state: started
     enabled: yes
-
-- name: Delete local cert directory
-  file:
-    path: "{{ wireguard_cert_directory }}"
-    state: absent
-  delegate_to: localhost
-  run_once: true
-  tags:
-    - wg-config

templates/wg.conf.j2

@@ -36,6 +36,8 @@ SaveConfig = true
       {% endif %}
     {% elif hostvars[host].wireguard_endpoint is defined and hostvars[host].wireguard_endpoint != "" %}
     Endpoint = {{hostvars[host].wireguard_endpoint}}:{{wireguard_port}}
+    {% elif hostvars[host].wireguard_endpoint == "" %}
+    # No endpoint defined
     {% else %}
     Endpoint = {{host}}:{{wireguard_port}}
     {% endif %}