From 5cfcd0b18a99d07be3bd899b45140fe21e31eb3f Mon Sep 17 00:00:00 2001 From: fbourqui Date: Mon, 29 Apr 2019 21:20:50 +0200 Subject: [PATCH 1/9] Fix typo subnet not consistent. 10.3.0 vs 10.8.0 (#8) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 45019dc..0ab843b 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ wireguard_interface: "wg0" The following variable is mandatory and needs to be configured for every host in `host_vars/`: ``` -wireguard_address: "10.3.0.101/24" +wireguard_address: "10.8.0.101/24" ``` Of course all IP's should be in the same subnet like `/24` we see in the example above. If `wireguard_allowed_ips` is not set then the default value is the value from `wireguard_address` without the CIDR but instead with `/32` which is basically a host route (have a look `templates/wg.conf.j2`). Let's see this example and let's assume you don't set `wireguard_allowed_ips` explicitly: From 897053ae0207bad0d33a88d48f452830b57686d6 Mon Sep 17 00:00:00 2001 From: githubixx Date: Mon, 29 Apr 2019 21:25:02 +0200 Subject: [PATCH 2/9] fix address in README --- CHANGELOG.md | 4 ++++ README.md | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf286bb..32d7d4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,10 @@ Changelog --------- +**3.0.1** + +- fix address in README + **3.0.0** - support for Debian added (contribution by ties) diff --git a/README.md b/README.md index 0ab843b..b6090a2 100644 --- a/README.md +++ b/README.md 
@@ -100,7 +100,7 @@ wireguard_postdown: "..." wireguard_save_config: "true" ``` -`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries, for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.3.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s). +`wireguard_address` is required as already mentioned. It's the IP of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs a unique VPN IP of course. 
If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s). Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already) mentioned I've two clients. 
Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role. From 59eac1706ca8ca24e008fa567354399520ddc919 Mon Sep 17 00:00:00 2001 From: Alex Hanselka Date: Tue, 4 Jun 2019 14:51:25 -0500 Subject: [PATCH 3/9] update tasks to use the new preferred looping syntax (#10) --- tasks/main.yml | 5 +++-- tasks/setup-archlinux.yml | 7 ++++--- tasks/setup-ubuntu.yml | 5 +++-- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2ad482f..3c3ac6e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,9 +6,10 @@ - name: Install WireGuard package: - name: "{{ item }}" + name: "{{ packages }}" state: present - with_items: + vars: + packages: - wireguard-dkms - wireguard-tools tags: diff --git a/tasks/setup-archlinux.yml b/tasks/setup-archlinux.yml index 1ebe15b..dd0b901 100644 --- a/tasks/setup-archlinux.yml +++ b/tasks/setup-archlinux.yml @@ -1,10 +1,11 @@ --- - name: Install required packages pacman: - name: "{{ item }}" + name: "{{ packages }}" state: present become: yes - with_items: - - linux-headers + vars: + packages: + - linux-headers tags: - wg-install diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml index c14591a..17ae4f8 100644 --- a/tasks/setup-ubuntu.yml +++ b/tasks/setup-ubuntu.yml @@ -8,9 +8,10 @@ - name: Install required packages package: - name: "{{ item }}" + name: "{{ packages }}" state: present - with_items: + vars: + packages: - software-properties-common - linux-headers-{{ ansible_kernel }} tags: From 663dfcb2f25d66b69e4ce7200020d5cd2ff1fa12 Mon Sep 17 00:00:00 2001 
From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Tue, 4 Jun 2019 21:55:28 +0200 Subject: [PATCH 4/9] update CHANGELOG for version 3.1.0 (#11) --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 32d7d4f..287225c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,10 @@ Changelog --------- +**3.1.0** + +- pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka) + **3.0.1** - fix address in README From 21706b822ab4c4bd2157a343787e8dabeb7ecc83 Mon Sep 17 00:00:00 2001 From: Alex Hanselka Date: Thu, 6 Jun 2019 12:37:02 -0500 Subject: [PATCH 5/9] add CentOS support (#9) --- CHANGELOG.md | 4 ++++ tasks/setup-centos.yml | 11 +++++++++++ 2 files changed, 15 insertions(+) create mode 100644 tasks/setup-centos.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 287225c..ef567ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,10 @@ Changelog --------- +**3.2.0** + +- add support for RHEL/CentOS (contribution by ahanselka) + **3.1.0** - pass package list directly to some modules by using the new and prefered syntax instead `loop` or `with_items` (contribution by ahanselka) diff --git a/tasks/setup-centos.yml b/tasks/setup-centos.yml new file mode 100644 index 0000000..50cdc33 --- /dev/null +++ b/tasks/setup-centos.yml @@ -0,0 +1,11 @@ +--- + +- name: Add WireGuard repository + get_url: + url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo + dest: /etc/yum.repos.d/wireguard.repo + +- name: Install EPEL repository + yum: + name: epel-release + update_cache: yes From 5a1488a2cd05945ab3aa9c876b397b2451a5c13c Mon Sep 17 00:00:00 2001 From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Thu, 6 Jun 2019 19:49:19 +0200 Subject: [PATCH 6/9] add metadata for CentOS/EL (#12) --- meta/main.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/meta/main.yml b/meta/main.yml index 0f185ef..938896e 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -11,6 +11,9 @@ galaxy_info: - name: Debian versions: - stretch + - name: EL + versions: + - 7 galaxy_tags: - networking - security From 493d407637f6d8c00513721b0f859790ca6ebd42 Mon Sep 17 00:00:00 2001 From: Pierre Ozoux Date: Wed, 18 Sep 2019 20:45:52 +0200 Subject: [PATCH 7/9] Cleans unecessary files. (#19) --- tests/inventory | 2 -- tests/test.yml | 5 ----- vars/main.yml | 1 - 3 files changed, 8 deletions(-) delete mode 100644 tests/inventory delete mode 100644 tests/test.yml delete mode 100644 vars/main.yml diff --git a/tests/inventory b/tests/inventory deleted file mode 100644 index 878877b..0000000 --- a/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index a31e13a..0000000 --- a/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - . \ No newline at end of file diff --git a/vars/main.yml b/vars/main.yml deleted file mode 100644 index ed97d53..0000000 --- a/vars/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- From fa595d8f35302c0e1445d64152ecee3c39618408 Mon Sep 17 00:00:00 2001 From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Wed, 18 Sep 2019 20:48:18 +0200 Subject: [PATCH 8/9] update CHANGELOG (#21) --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ef567ee..d85f188 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,10 @@ Changelog --------- +**3.2.1** + +- remove unecessary files (contribution by pierreozoux) + **3.2.0** - add support for RHEL/CentOS (contribution by ahanselka) From 9a0e70ee25a5376a52658b97dd4b19bf4495db8f Mon Sep 17 00:00:00 2001 
From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Thu, 26 Sep 2019 22:36:36 +0200 Subject: [PATCH 9/9] remove unneeded with_inventory_hostnames loops (#27) * remove unneeded with_inventory_hostnames loops * update CHANGELOG --- CHANGELOG.md | 4 ++++ tasks/main.yml | 8 ++------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d85f188..4ad5178 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,10 @@ Changelog --------- +**3.2.2** + +- remove unneeded `with_inventory_hostnames` loops (thanks to pierreozoux for initial PR) + **3.2.1** - remove unecessary files (contribution by pierreozoux) diff --git a/tasks/main.yml b/tasks/main.yml index 3c3ac6e..dea3068 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -67,8 +67,6 @@ - name: Generate WireGuard private key shell: "wg genkey" register: wg_private_key_result - with_inventory_hostnames: - - vpn when: not private_key_file_stat.stat.exists tags: - wg-generate-keys @@ -76,7 +74,7 @@ - name: Set private key fact set_fact: - wg_private_key: "{{ wg_private_key_result.results[0].stdout }}" + wg_private_key: "{{ wg_private_key_result.stdout }}" when: not private_key_file_stat.stat.exists tags: - wg-generate-keys @@ -85,14 +83,12 @@ shell: "echo '{{ wg_private_key }}' | wg pubkey" register: wg_public_key_result when: not private_key_file_stat.stat.exists - with_inventory_hostnames: - - vpn tags: - wg-generate-keys - name: Set public key fact set_fact: - wg_public_key: "{{ wg_public_key_result.results[0].stdout }}" + wg_public_key: "{{ wg_public_key_result.stdout }}" when: not private_key_file_stat.stat.exists tags: - wg-generate-keys
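Review bot: In PATCH 2/9, the README.md hunk at `@@ -100,7 +100,7 @@` does more than the commit subject "fix address in README" says: besides changing `10.3.0.101` to `10.8.0.101` it splits the paragraph after "Every host needs a unique VPN IP of course." and drops the comma in "need different DNS entries, for that case setting `wireguard_endpoint` becomes handy", which makes that sentence harder to parse. Either keep the comma (or restructure as "... different DNS entries. For that case, setting `wireguard_endpoint` becomes handy.") or mention the reflow in the commit message so the diff is not surprising to someone bisecting for the address change.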
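Review bot: In PATCH 3/9, the tasks/setup-ubuntu.yml hunk at `@@ -8,9 +8,10 @@` and the tasks/main.yml hunk at `@@ -6,9 +6,10 @@` are inconsistent with tasks/setup-archlinux.yml about privilege: the Arch task carries `become: yes` but the `package:` tasks for `wireguard-dkms`/`wireguard-tools` and `software-properties-common`/`linux-headers-{{ ansible_kernel }}` do not. If the play is expected to run unprivileged with per-task escalation, these tasks will fail on Ubuntu; if `become` is set at play level, the Arch `become: yes` is redundant. Pick one convention and apply it to all three files.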
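Review bot: In PATCH 4/9, the CHANGELOG.md hunk at `@@ -1,6 +1,10 @@` has two typos in the 3.1.0 entry: "prefered" should be "preferred" and "instead `loop` or `with_items`" is missing "of". The same word is misspelled as "unecessary" in the 3.2.1 entry added by PATCH 8/9.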
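Review bot: In PATCH 5/9, the new tasks/setup-centos.yml fetches a third-party COPR repo definition with `get_url` and writes it straight into `/etc/yum.repos.d/wireguard.repo` with nothing pinning its content: no `checksum:` on the `get_url` task, and no check that the downloaded file actually sets `gpgcheck=1` and a `gpgkey` before `wireguard-dkms`/`wireguard-tools` are installed from it by tasks/main.yml. Whatever that URL serves at run time becomes a trusted package source on every EL7 host, so either add `checksum: sha256:<digest>` to the `get_url` task or vendor the `.repo` file into `files/` with an explicit `gpgcheck=1` line and deploy it with `copy:`. Two smaller points on the same hunk: unlike tasks/setup-archlinux.yml there is no `become: yes`, so writing to `/etc/yum.repos.d/` will fail for a non-root connection user; and the Ubuntu and Arch setup files install kernel headers for the DKMS build while this file installs only `epel-release`, so confirm that `wireguard-dkms` pulls in `kernel-devel` on EL7 or add it here.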
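Review bot: In PATCH 7/9, deleting tests/inventory and tests/test.yml removes the only smoke test the role shipped, and the diff does not add a replacement (for example a Molecule scenario). That is fine if nothing in CI references `tests/test.yml`, but the CHANGELOG entry in PATCH 8/9 ("remove unecessary files") should say that the role now has no test harness so users know not to look for one. Removing the empty vars/main.yml is harmless.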
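Review bot: In PATCH 9/9, the tasks/main.yml hunk at `@@ -67,8 +67,6 @@` is the right fix (the `with_inventory_hostnames` loop ran `wg genkey` once per host in the `vpn` group and threw away all but `results[0]`), but the task still registers the private key in `wg_private_key_result` without `no_log: true`, so a `-v` run or any logging callback prints the key in clear. Add `no_log: true` to this task and to the `Set private key fact` task in the following hunk, and add `changed_when: false` (or a proper changed condition) so a key generation is not reported as a change every time the guard is skipped.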
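Review bot: In PATCH 9/9, the tasks/main.yml hunk at `@@ -85,14 +83,12 @@` keeps `shell: "echo '{{ wg_private_key }}' | wg pubkey"`, which puts the private key on a command line where it is readable from `/proc/<pid>/cmdline` and `ps` by any local user for the lifetime of the shell, and is again logged without `no_log: true`. Since the loop is gone anyway, replace it with `command: wg pubkey` plus `stdin: "{{ wg_private_key }}"` (the `stdin` option of the `command`/`shell` modules feeds the key via a pipe instead of argv) and set `no_log: true` on both this task and the `Set public key fact` task; the `.results[0].stdout` to `.stdout` change itself is correct for the un-looped result.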