Compare commits
No commits in common. "master" and "6.0.4" have entirely different histories.
CHANGELOG.md (28 changes)

@ -1,32 +1,18 @@
Changelog
---------

**6.3.1**

- Support Openstack Debian images (contribution by @pallinger)

**6.3.0**

- Support Raspbian (contribution by @penguineer)

**6.2.0**

- Support Ubuntu 20.04 (Focal Fossa)
- Introduce `wireguard_ubuntu_update_cache` and `wireguard_ubuntu_cache_valid_time` variables to specifiy individual Ubuntu package cache settings. Default values are the same as before.
- As kernel >= 5.6 (and kernel 5.4 in Ubuntu 20.04) now have `wireguard` module included `wireguard-dkms` package is no longer needed in that case. That's why WireGuard package installation is now part of the includes for the specific OS to make it easier to handle various cases.

**6.1.0**

- Archlinux: Linux kernel >= 5.6 contains `wireguard` module now. No need to install `wireguard-dkms` anymore in this case. Installations with LTS kernel installs `wireguard-lts` package now instead of `wireguard-dkms`. Installations with kernel <= 5.6 will still install `wireguard-dkms` package.

**6.0.4**

- Use the buster-backports repository on Debian Buster (or older), use package standard repositories on sid/bullseye.
- Use the buster-backports repository on Debian Buster (or older), use package
standard repositories on sid/bullseye.

The role no longer adds the unstable _repo_ nor the _apt preference_ for that repo. There is no need to clean the preference and unstable repository, since packages from your release have a higher priority.
The role no longer adds the unstable _repo_ nor the _apt preference_ for that repo.
There is no need to clean the preference and unstable repository, since packages
from your release have a higher priority.

If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`) updates from `unstable` are accepted by apt. This likely is not what you want and may lead to an unstable state.
If you remove the apt preference (`/etc/apt/preferences.d/limit-unstable`)
updates from `unstable` are accepted by apt. This likely is not what you want
and may lead to an unstable state.

If you want to clean up:
* remove `/etc/apt/preferences.d/limit-unstable` and
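Review bot: the two copies of the 6.0.4 entry (the `- Use the buster-backports repository ...` bullet and the two paragraphs after it) differ only in hard wrapping, so most of this hunk is whitespace noise that buries the substantive difference (the 6.1.0 through 6.3.1 entries exist on one side only); wrap or unwrap consistently on both branches. Two text fixes while here: "specifiy" in the 6.2.0 entry should read "specify", and the 6.1.0 entry says kernels "<= 5.6" still get `wireguard-dkms` while the Archlinux tasks further down test `ansible_kernel is version('5.6', '<')`, so the text and the condition disagree at exactly 5.6.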
README.md (10 changes)

@ -1,5 +1,3 @@
# Fork of https://github.com/githubixx/ansible-role-wireguard.git with some minor tweaks to ensure PiFrameFleet can be provisioned properly

ansible-role-wireguard
======================

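Review bot: the `# Fork of https://github.com/githubixx/ansible-role-wireguard.git ...` line introduces a second top-level heading directly above the setext H1 `ansible-role-wireguard`, so the README renders with two H1s and the fork notice reads as the document title; make it a plain paragraph or a note under the existing title, and name the upstream version the fork is based on so readers can diff against it.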
@ -9,7 +7,7 @@ I used [PeerVPN](https://peervpn.net/) before but that wasn't updated for a whil

In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).

This role is tested with Ubuntu 18.04 (Bionic Beaver), Ubuntu 20 (Focal Fossa) and Archlinux. Ubuntu 16.04 (Xenial Xerus), Debian 9 (Stretch), Debian 10 (Buster), Fedora 31 (or later) and CentOS 7 might also work or other distributions but haven't tested it (code for this operating systems was submitted by other contributors). If someone tested it let me please know if it works or send a pull request to make it work ;-)
This role was tested with Ubuntu 18.04 (Bionic Beaver), Debian 9 (Stretch), Archlinux, Fedora 31 and CentOS. It might also work with Ubuntu 16.04 (Xenial Xerus), Debian 10 (Buster) or other distributions but haven't tested it. If someone tested it let me please know if it works or send a pull request to make it work ;-)

Versions
--------
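Review bot: in the `This role is tested with ...` paragraph, "code for this operating systems" should read "these operating systems", and "might also work or other distributions but haven't tested it" needs a subject ("but I haven't tested them"). The two versions of this paragraph already disagree on which distributions are tested versus merely expected to work; a bullet list of tested platforms is easier to keep in step with the `galaxy_info` platforms changed elsewhere in this diff.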
@ -296,13 +294,11 @@ vpn1:

vpn2:
hosts:
# Use a different name, and define ansible_host, to avoid mixing of vars without
# needing to prefix vars with interface name.
# use a different name, and define ansible_host, to avoid mixing of vars without needing to prefix vars with interface name
multi-wg1:
ansible_host: multi
wireguard_interface: wg1
# when using several interface on one host, we must use different ports
wireguard_port: 51821
wireguard_port: 51821 # when using several interface on one host, we must use different ports
wireguard_address: 10.9.1.1/32
wireguard_endpoint: multi.exemple.com
another:
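Review bot: `wireguard_endpoint: multi.exemple.com` in the `multi-wg1` entry looks like a typo for `example.com`; `exemple.com` is not one of the RFC 2606 reserved documentation domains, so anyone copying this inventory verbatim points their tunnel endpoint at a real third-party host. Use `multi.example.com`. Minor: "several interface" in the port comment should be "several interfaces", and the two sides of this hunk differ only in where that comment and the `# Use a different name ...` comment are wrapped.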
@ -1,8 +1,4 @@
---
#######################################
# General settings
#######################################

# Directory to store WireGuard configuration on the remote hosts
wireguard_remote_directory: "/etc/wireguard"

@ -11,17 +7,3 @@ wireguard_port: "51820"

# The default interface name that wireguard should use if not specified otherwise.
wireguard_interface: "wg0"

# Whether or not WireGuard is running in a container
wireguard_containerized: false


#######################################
# Settings only relevant for Ubuntu
#######################################

# Set to "false" if package cache should not be updated
wireguard_ubuntu_update_cache: "true"

# Set package cache valid time
wireguard_ubuntu_cache_valid_time: "3600"
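Review bot: `wireguard_ubuntu_update_cache: "true"` and `wireguard_ubuntu_cache_valid_time: "3600"` are quoted strings that the Ubuntu setup file passes straight into the `apt` module's `update_cache` (bool) and `cache_valid_time` (int) parameters, relying on module type coercion; declare them as bare `true` and `3600` so the defaults carry the types of the parameters they feed. The comment on `wireguard_containerized: false` should also say what the flag does, since the rest of this diff uses it to skip the OS setup include, the `wg-quick@` service and the non-container handlers.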
@ -6,7 +6,7 @@
loop:
- stopped
- started
when: not wg_syncconf and not wireguard_containerized
when: not wg_syncconf
listen: "reconfigure wireguard"

- name: syncconf wireguard
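Review bot: the `and not wireguard_containerized` added to this handler's `when:` is correct, but the handler still takes the interface fully down and up (`loop:` over `stopped` then `started`) whenever `wg syncconf` is unavailable, which drops every peer session on any config change; worth stating in the README next to the new container variable so operators know which path they are on.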
@ -19,10 +19,5 @@
exit 0
args:
executable: "/bin/bash"
when: wg_syncconf and not wireguard_containerized
listen: "reconfigure wireguard"

- name: restart wireguard (container)
command: /usr/bin/s6-svc -r /var/run/s6/services/wireguard
when: wireguard_containerized
when: wg_syncconf
listen: "reconfigure wireguard"
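Review bot: the new `restart wireguard (container)` handler hard-codes `/usr/bin/s6-svc -r /var/run/s6/services/wireguard`, which assumes one specific s6-supervised image layout and fails on any other container; expose the restart command (or at least the service path) as a variable with this value as the default. It also fires on `when: wireguard_containerized` alone, so a container that does have `wg syncconf` available still gets a full restart; mirror the syncconf/restart split the non-container handlers use.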
@ -8,11 +8,9 @@ galaxy_info:
- name: Ubuntu
versions:
- bionic
- focal
- name: Debian
versions:
- stretch
- buster
- name: EL
versions:
- 7
@ -3,7 +3,17 @@
setup:

- include_tasks: "setup-{{ ansible_distribution|lower }}.yml"
when: not wireguard_containerized

- name: Install WireGuard
package:
name: "{{ packages }}"
state: present
vars:
packages:
- wireguard-dkms
- wireguard-tools
tags:
- wg-install

- name: Enable WireGuard kernel module
modprobe:
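Review bot: the `Install WireGuard` task installs `wireguard-dkms` unconditionally through `package:`, which contradicts the CHANGELOG text on this page that kernels >= 5.6 (and Ubuntu 20.04's 5.4) ship the `wireguard` module and that package installation was moved into the per-OS includes for exactly that reason; keep installation inside `setup-{{ ansible_distribution|lower }}.yml` rather than duplicating it here. Also, the setup include is skipped with `when: not wireguard_containerized`, so make sure the `Enable WireGuard kernel module` / `modprobe:` task that follows carries the same guard; loading a module from inside a container normally fails for lack of `CAP_SYS_MODULE`.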
@ -32,7 +42,6 @@
- name: Get wg subcommands
command: "wg --help"
register: wg_subcommands
changed_when: false

- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
set_fact:
@ -49,9 +58,8 @@

- block:
- name: Generate WireGuard private key
command: "wg genkey"
shell: "wg genkey"
register: wg_private_key_result
changed_when: false
tags:
- wg-generate-keys

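Review bot: `wg genkey` uses no shell features, so `command: "wg genkey"` is the right form and `shell: "wg genkey"` should not replace it (ansible-lint flags this as command-instead-of-shell). More importantly, the output is registered as `wg_private_key_result`, which writes the private key into task output and into any log or callback plugin unless the task sets `no_log: true`; add that here and on every task that consumes the variable.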
@ -130,4 +138,3 @@
name: "wg-quick@{{ wireguard_interface }}"
state: started
enabled: yes
when: not wireguard_containerized
@ -1,32 +1,11 @@
---
- name: (Archlinux) Install wireguard-lts package
- name: Install required packages
pacman:
name: "{{ item.name }}"
state: "{{ item.state }}"
with_items:
- { name: wireguard-dkms, state: absent }
- { name: wireguard-lts, state: present }
become: yes
tags:
- wg-install
when:
- ansible_kernel is match(".*-lts$")
- ansible_kernel is version('5.6', '<')

- name: (Archlinux) Install wireguard-dkms package
pacman:
name: wireguard-dkms
name: "{{ packages }}"
state: present
become: yes
tags:
- wg-install
when:
- not ansible_kernel is match(".*-lts$")
- ansible_kernel is version('5.6', '<')

- name: (Archlinux) Install wireguard-tools package
pacman:
name: wireguard-tools
state: present
vars:
packages:
- linux-headers
tags:
- wg-install
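Review bot: `ansible_kernel is version('5.6', '<')` appears in both `when:` lists while the 6.1.0 CHANGELOG entry on this page says kernels "<= 5.6" still get `wireguard-dkms`; `<` is the correct test (5.6 has the in-tree module), so fix the text. `ansible_kernel` is a full release string such as `5.4.0-arch1-1-lts`, so the comparison relies on the loose parsing of the `version` test; add a comment saying so. On the other side, `Install required packages` installs `linux-headers` for DKMS regardless of kernel flavour, which on an `-lts` kernel fetches headers for the wrong kernel (`linux-lts-headers` is the matching package). Style: prefer `loop:` over `with_items:`.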
@ -1,19 +1,11 @@
---
- name: (CentOS) Add WireGuard repository

- name: Add WireGuard repository
get_url:
url: https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
dest: /etc/yum.repos.d/wireguard.repo

- name: (CentOS) Install EPEL repository
- name: Install EPEL repository
yum:
name: epel-release
update_cache: yes

- name: (CentOS) Install wireguard packages
yum:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
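Review bot: `Add WireGuard repository` fetches `jdoss-wireguard-epel-7.repo` with `get_url:` and no `checksum:`, and the file dropped into `/etc/yum.repos.d/wireguard.repo` is then trusted to define its own GPG settings; the Fedora file in this same diff does it properly with `yum_repository:` plus explicit `gpgkey:` and `gpgcheck: yes`, so use that form here (with the EPEL-7 baseurl and the project's `pubkey.gpg`) or at minimum pin the download with `checksum:`. Also, the repository and EPEL tasks lack the `wg-install` tag that the install task has, so a run with `--tags wg-install` tries to install packages without the repository present.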
@ -1,93 +0,0 @@
---

- name: (Raspbian) Install GPG - required to add wireguard key
apt:
name: gnupg
state: present

- name: (Raspbian) Add Debian repository key
apt_key:
keyserver: "keyserver.ubuntu.com"
id: "04EE7237B7D453EC"
state: present
when: ansible_lsb.id == "Raspbian"
tags:
- wg-install

- name: (Raspbian) Add Debian Unstable repository for WireGuard
apt_repository:
repo: "deb http://deb.debian.org/debian unstable main"
state: present
update_cache: yes
tags:
- wg-install

- name: (Raspbian) Install latest kernel
apt:
name:
- "raspberrypi-kernel"
state: latest
register: kernel_update
tags:
- wg-install

- name: (Raspbian) Reboot after kernel update (Ansible >= 2.8)
reboot:
search_paths: ['/lib/molly-guard', '/usr/sbin']
when:
- ansible_version.full is version('2.8.0', '>=')
- kernel_update is changed
tags:
- wg-install

- name: (Raspbian) Check if molly-guard is installed (Ansible < 2.8)
stat:
path: /lib/molly-guard/
register: molly_guard

- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, no molly-guard)
reboot:
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- not molly_guard.stat.exists
tags:
- wg-install

- name: (Raspbian) Reboot after kernel update (Ansible < 2.8, with molly-guard)
command: /lib/molly-guard/shutdown -r now
async: 1
poll: 0
ignore_unreachable: yes
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- molly_guard.stat.exists
tags:
- wg-install

- name: (Raspbian) Waiting for host to be available (Ansible < 2.8, with molly-guard)
wait_for_connection:
when:
- ansible_version.full is version('2.8.0', '<')
- kernel_update is changed
- molly_guard.stat.exists
tags:
- wg-install

- name: (Raspbian) Install latest kernel headers to compile Wireguard with DKMS
apt:
name:
- "raspberrypi-kernel-headers"
state: latest
tags:
- wg-install

- name: (Raspbian) Install wireguard packages
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
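Review bot: `Add Debian Unstable repository for WireGuard` adds `deb http://deb.debian.org/debian unstable main` with no accompanying apt preference, while the 6.0.4 CHANGELOG text on this page warns that without `/etc/apt/preferences.d/limit-unstable` "updates from `unstable` are accepted by apt" and "may lead to an unstable state"; either ship a pin that restricts `unstable` to the wireguard packages or install from `buster-backports` the way the Debian file does. The `when: ansible_lsb.id == "Raspbian"` guard sits only on the `apt_key` task although every task here is Raspbian-specific, and `ansible_lsb` is an empty dict when `lsb-release` is not installed, so the condition belongs at the include site as `ansible_lsb.id | default('') == "Raspbian"`. Finally, `Install latest kernel` with `state: latest` followed by an automatic reboot is a large side effect for a VPN role; put it behind an opt-in variable.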
@ -1,37 +0,0 @@
---
- name: (Debian) Install GPG - required to add wireguard key
apt:
name: gnupg
state: present

- name: (Debian) Add WireGuard repository on buster or earlier
apt_repository:
repo: "deb http://deb.debian.org/debian buster-backports main"
state: present
update_cache: yes
when: ansible_distribution_version | int <= 10
tags:
- wg-install

- name: (Debian) Get architecture
command: "dpkg --print-architecture"
register: dpkg_arch
changed_when: False

- set_fact:
kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"

- name: (Debian) Install kernel headers to compile Wireguard with DKMS
apt:
name:
- "linux-headers-{{ kernel_header_version }}"
state: present

- name: (Debian) Install wireguard packages
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
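Review bot: `when: ansible_distribution_version | int <= 10` does not do what the task name `Add WireGuard repository on buster or earlier` promises on testing/sid hosts: there `ansible_distribution_version` is a non-numeric string (for example `bullseye/sid`), the `int` filter falls back to its default of 0, and `0 <= 10` adds `buster-backports` on exactly the releases the CHANGELOG says should use standard repositories. Test `ansible_distribution_release in ['stretch', 'buster']` instead, or guard with `ansible_distribution_version is match('^[0-9]+')`. The `kernel_header_version` ternary (`-cloud-` kernels get `linux-headers-<running kernel>`, others `linux-headers-<arch>`) is sound but deserves a comment explaining why cloud kernels need the exact version, and the unnamed `set_fact:` task should get a `name:` like its neighbours.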
@ -1,8 +1,25 @@
---
- name: Install GPG - required to add wireguard key
apt:
name: gnupg
state: present

- include_tasks: "setup-debian-raspbian.yml"
when: ansible_lsb.id == "Raspbian"
register: raspbian_setup
- name: Add WireGuard repository on buster or earlier
apt_repository:
repo: "deb http://deb.debian.org/debian buster-backports main"
state: present
update_cache: yes
when: ansible_distribution_version | int <= 10
tags:
- wg-install

- include_tasks: "setup-debian-vanilla.yml"
when: raspbian_setup is skipped
- name: Get architecture
shell: dpkg --print-architecture
register: dpkg_arch
changed_when: False

- name: Install kernel headers to compile wireguard with DKMS
apt:
name:
- "linux-headers-{{ dpkg_arch.stdout }}"
state: present
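Review bot: `register: raspbian_setup` on `include_tasks: "setup-debian-raspbian.yml"` is fragile: the include itself yields no task result (the included tasks register their own), so `raspbian_setup is skipped` is only meaningful on the path where the include was skipped, and `include_tasks: "setup-debian-vanilla.yml"` is made to depend on that quirk. Condition the vanilla include directly with `when: ansible_lsb.id | default('') != "Raspbian"`, which also avoids the undefined-attribute error on hosts without `lsb-release`, where `ansible_lsb` is `{}`. On the other side of the hunk, `shell: dpkg --print-architecture` should be `command:` (no shell features are used), and `changed_when: False` should be the lowercase `false` used in the rest of this diff.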
@ -1,17 +1,8 @@
---
- name: (Fedora) Add wireguard COPR
- name: Add wireguard COPR
yum_repository:
name: "jdoss-wireguard"
description: "Copr repo for wireguard owned by jdoss"
baseurl: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/fedora-$releasever-$basearch/"
gpgkey: "https://copr-be.cloud.fedoraproject.org/results/jdoss/wireguard/pubkey.gpg"
gpgcheck: yes

- name: (Fedora) Install wireguard packages
yum:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
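Review bot: `yum_repository:` with explicit `gpgkey:` and `gpgcheck: yes` is the right way to add a third-party repository and is the form the CentOS file in this diff should copy. Two smaller points: Fedora 31 ships no yum, so `yum:` in `Install wireguard packages` depends on the action plugin falling back to the dnf backend, and `dnf:` (or `package:`) states the intent directly; and `Add wireguard COPR` lacks the `wg-install` tag that the install task carries, so a tag-limited run installs without the repository.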
@ -1,13 +1,12 @@
---
- name: (Ubuntu) Update APT package cache
- name: Update APT package cache
apt:
update_cache: "{{ wireguard_ubuntu_update_cache }}"
cache_valid_time: "{{ wireguard_ubuntu_cache_valid_time }}"
update_cache: true
cache_valid_time: 3600
tags:
- wg-install

- block:
- name: (Ubuntu) Install support packages needed for Wireguard (for Ubuntu < 19.10)
- name: Install required packages
package:
name: "{{ packages }}"
state: present
@ -18,31 +17,10 @@
tags:
- wg-install

- name: (Ubuntu) Add WireGuard repository (for Ubuntu < 19.10)
- name: Add WireGuard repository
apt_repository:
repo: "ppa:wireguard/wireguard"
state: present
update_cache: yes
tags:
- wg-install

- name: (Ubuntu) Install wireguard packages (for Ubuntu < 19.10)
apt:
name:
- "wireguard-dkms"
- "wireguard-tools"
state: present
tags:
- wg-install
when:
- ansible_lsb.major_release is version('19.10', '<')

- block:
- name: (Ubuntu) Install wireguard-tools package (for Ubuntu > 19.04)
apt:
name: "wireguard-tools"
state: present
tags:
- wg-install
when:
- ansible_lsb.major_release is version('19.04', '>')
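Review bot: the two block conditions `ansible_lsb.major_release is version('19.10', '<')` and `ansible_lsb.major_release is version('19.04', '>')` are not complements (any value strictly between 19.04 and 19.10 satisfies both), and `ansible_lsb.major_release` is undefined on hosts without `lsb-release`, which makes both blocks fail; test `ansible_distribution_version` against `19.10` with `<` and `>=` so exactly one block runs. Adding `ppa:wireguard/wireguard` installs a third-party signing key into the system's apt trust store; that is unavoidable below 19.10, but the README should say so, and the PPA should be removed once a host is upgraded to a release whose archive carries the packages.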
@ -39,7 +39,7 @@ PostDown = {{ wg_postdown }}
{% if hostvars[inventory_hostname].wireguard_save_config is defined %}
SaveConfig = true
{% endif %}
{% for host in ansible_play_hosts_all %}
{% for host in ansible_play_hosts %}
{% if host != inventory_hostname %}

[Peer]
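Review bot: switching the peer loop between `ansible_play_hosts_all` and `ansible_play_hosts` changes the failure semantics of the `[Peer]` section and should be a deliberate choice: `ansible_play_hosts_all` includes hosts that failed or were unreachable earlier in the play, so rendering their `hostvars` (keys, addresses) can hit undefined variables when fact gathering never ran for them; `ansible_play_hosts` silently drops such hosts from every other peer's config, so one transient outage shrinks the mesh on the next run. Document whichever is kept, and if `ansible_play_hosts_all` stays, guard the peer block on the host's WireGuard vars being defined. Separately, `SaveConfig = true` makes `wg-quick` rewrite the config file from runtime state on interface shutdown, so it will fight with the Ansible-templated file; the `wireguard_save_config` option deserves a README warning to that effect.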