From 594dcafc32462f8674e97963191bf3724cad3fb2 Mon Sep 17 00:00:00 2001 From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Wed, 6 Nov 2024 20:34:59 +0100 Subject: [PATCH] Prep for 17.1.0 (#212) * remove whitespace * update .yamllint * ansible-lint: Fix forbidden implicit octal value * use ansible.builtin.dnf instead of ansible.builtin.yum for Fedora * update .gitignore * add missing wg-config tag * hide peers with empty endpoints for unmanaged peers * Revert "hide peers with empty endpoints for unmanaged peers" This reverts commit 85818e1ca5c5da74dcf01e44a800a85998faacbf. * update README * update dates --- .gitignore | 3 ++- .yamllint | 11 ++++++++++- CHANGELOG.md | 2 +- README.md | 16 +++++++++------- defaults/main.yml | 4 ++-- handlers/main.yml | 2 +- meta/main.yml | 2 +- molecule/default/converge.yml | 2 +- molecule/default/molecule.yml | 4 ++-- molecule/default/prepare.yml | 2 +- molecule/default/verify.yml | 2 +- molecule/single-server/converge.yml | 2 +- molecule/single-server/molecule.yml | 2 +- molecule/single-server/prepare.yml | 2 +- molecule/single-server/verify.yml | 2 +- tasks/main.yml | 5 +++-- tasks/setup-almalinux-8.yml | 2 +- tasks/setup-almalinux.yml | 2 +- tasks/setup-archlinux.yml | 2 +- tasks/setup-centos-7.yml | 2 +- tasks/setup-debian-pve-guest-variant.yml | 2 +- tasks/setup-debian-pve-host-variant.yml | 6 +++--- tasks/setup-debian-raspbian-buster.yml | 2 +- tasks/setup-debian-vanilla.yml | 4 ++-- tasks/setup-debian.yml | 4 ++-- tasks/setup-elementary os.yml | 2 +- tasks/setup-fedora.yml | 6 +++--- tasks/setup-macosx.yml | 2 +- tasks/setup-opensuse leap.yml | 2 +- tasks/setup-oraclelinux.yml | 2 +- tasks/setup-rocky-8.yml | 2 +- tasks/setup-rocky.yml | 2 +- tasks/setup-ubuntu.yml | 2 +- templates/etc/wireguard/wg.conf.j2 | 2 +- 34 files changed, 62 insertions(+), 49 deletions(-) diff --git a/.gitignore b/.gitignore index d15b9a8e..c28bfeff 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,4 +1,5 @@ -# Copyright (C) 2018-2023 Robert Wimmer +# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later molecule/kvm/.vagrant +.vscode diff --git a/.yamllint b/.yamllint index 3186f8da..c2d348ab 100644 --- a/.yamllint +++ b/.yamllint @@ -1,9 +1,18 @@ --- +# Copyright (C) 2018-2024 Robert Wimmer +# SPDX-License-Identifier: GPL-3.0-or-later extends: default rules: line-length: max: 150 level: warning - comments-indentation: disable + comments: + min-spaces-from-content: 1 + braces: + min-spaces-inside: 0 + max-spaces-inside: 1 + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: true diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e92fb35..8a3b9969 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,7 +19,7 @@ SPDX-License-Identifier: GPL-3.0-or-later - replace Vagrant box `rockylinux/9` with `bento/rockylinux-9` - use `ansible.builtin.package` for AlmaLinux - remove `AlmaLinux 8`, `Rocky Linux 8` and `CentOS 7` (outdated Python makes it hard to test with Ansible) - + ## 16.0.2 - **OTHER** diff --git a/README.md b/README.md index 3d823eea..1a13ab68 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ @@ -10,7 +10,9 @@ This Ansible role is used in my blog series [Kubernetes the not so hard way with In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/). -## Linux +## Supported operating systems + +### Linux This role should work with: 
@@ -27,16 +29,14 @@ This role should work with: - openSUSE Leap 15.6 - Oracle Linux 9 -## Best effort +### Linux - Best effort - AlmaLinux 8 - Rocky Linux 8 - elementary OS 6 - CentOS 7 (end of life since end June 2024) -Molecule tests are [available](https://github.com/githubixx/ansible-role-wireguard#testing) (see further down below). It should also work with `Raspbian Buster` but for this one there is no test available. MacOS (see below) should also work partially but is only best effort. - -## MacOS +### MacOS While this playbook configures, enables and starts a `systemd` service on Linux in a such a way that no additional action is needed, on MacOS it installs the required packages and it just generates the correct `wg0.conf` file that is then placed in the specified `wireguard_remote_directory` (`/opt/local/etc/wireguard` by default). In order to run the VPN, then, you need to: 
@@ -376,6 +376,8 @@ wireguard_unmanaged_peers: One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) is required as already mentioned. It's the IPs of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs at least one unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s). 
+## Example + Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role. First, here is a part of my Ansible `hosts` file: @@ -585,7 +587,7 @@ vpn2: - "10.9.1.1/32" wireguard_endpoint: multi.example.com another: - wireguard_address: + wireguard_addresses: - "10.9.1.2/32" wireguard_endpoint: another.example.com ``` diff --git a/defaults/main.yml b/defaults/main.yml index 1f942f7e..326f9029 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer +# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later ####################################### @@ -35,7 +35,7 @@ wireguard_conf_filename: "{{ wireguard_interface }}.conf" wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'wheel' }}" # The default mode of the wg.conf file -wireguard_conf_mode: 0600 +wireguard_conf_mode: "0600" # Whether any change to the wg.conf file should be backup wireguard_conf_backup: false diff --git a/handlers/main.yml b/handlers/main.yml index ce155480..6ff24543 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -1,5 +1,5 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer +# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Restart wireguard diff --git a/meta/main.yml b/meta/main.yml index 89c258f9..4afad9bf 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer +# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later galaxy_info: diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 65ebfab8..ca478007 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2020-2023 Robert Wimmer +# Copyright (C) 2020-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Setup WireGuard diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index ba1b8006..7ebdb2ec 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -1,6 +1,6 @@ --- -# Copyright (C) 2020-2023 Robert Wimmer -# Copyright (C) 2020 Pierre Ozoux +# Copyright (C) 2020-2024 Robert Wimmer +# Copyright (C) 2020-2024 Pierre Ozoux # SPDX-License-Identifier: GPL-3.0-or-later dependency: diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 34e0044a..cfaa56e9 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2021-2023 Robert Wimmer +# Copyright (C) 2021-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Prepare opensuse hosts diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 066d4404..bd85a951 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2023-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Verify setup 
diff --git a/molecule/single-server/converge.yml b/molecule/single-server/converge.yml index ee3886c6..261edd6b 100644 --- a/molecule/single-server/converge.yml +++ b/molecule/single-server/converge.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2023-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Setup WireGuard diff --git a/molecule/single-server/molecule.yml b/molecule/single-server/molecule.yml index 6f0296b2..5235a2ea 100644 --- a/molecule/single-server/molecule.yml +++ b/molecule/single-server/molecule.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2023-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later dependency: diff --git a/molecule/single-server/prepare.yml b/molecule/single-server/prepare.yml index 4b5f465f..3558e055 100644 --- a/molecule/single-server/prepare.yml +++ b/molecule/single-server/prepare.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2023-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Setup Ubuntu hosts diff --git a/molecule/single-server/verify.yml b/molecule/single-server/verify.yml index 066d4404..bd85a951 100644 --- a/molecule/single-server/verify.yml +++ b/molecule/single-server/verify.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2023-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Verify setup diff --git a/tasks/main.yml b/tasks/main.yml index 0bc2723a..1a78a229 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer +# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Gather instance facts @@ -45,6 +45,7 @@ false {%- endif %} tags: + - wg-config - skip_ansible_lint - name: Make sure wg syncconf option is available 
@@ -160,7 +161,7 @@ ansible.builtin.file: dest: "{{ wireguard_remote_directory }}" state: directory - mode: 0700 + mode: "0700" tags: - wg-config when: not wireguard_ubuntu_use_netplan diff --git a/tasks/setup-almalinux-8.yml b/tasks/setup-almalinux-8.yml index 4cde148f..ee105e70 100644 --- a/tasks/setup-almalinux-8.yml +++ b/tasks/setup-almalinux-8.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2021-2023 Robert Wimmer +# Copyright (C) 2021-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (AlmaLinux 8) Install EPEL & ELRepo repository diff --git a/tasks/setup-almalinux.yml b/tasks/setup-almalinux.yml index 1b5c9908..d10663b2 100644 --- a/tasks/setup-almalinux.yml +++ b/tasks/setup-almalinux.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2023-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (AlmaLinux) Install wireguard-tools package diff --git a/tasks/setup-archlinux.yml b/tasks/setup-archlinux.yml index f5cfae4f..d7f3a3ea 100644 --- a/tasks/setup-archlinux.yml +++ b/tasks/setup-archlinux.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer +# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (Archlinux) Refresh the master package lists diff --git a/tasks/setup-centos-7.yml b/tasks/setup-centos-7.yml index d06bc2e7..d58e510d 100644 --- a/tasks/setup-centos-7.yml +++ b/tasks/setup-centos-7.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2020 Roman Danko +# Copyright (C) 2020-2024 Roman Danko # SPDX-License-Identifier: GPL-3.0-or-later - name: (CentOS 7) Tasks for standard kernel diff --git a/tasks/setup-debian-pve-guest-variant.yml b/tasks/setup-debian-pve-guest-variant.yml index 6eaa508c..dad30f04 100644 --- a/tasks/setup-debian-pve-guest-variant.yml +++ b/tasks/setup-debian-pve-guest-variant.yml 
@@ -1,5 +1,5 @@ --- -# Copyright (C) 2021 Tobias Richter +# Copyright (C) 2021-2024 Tobias Richter # SPDX-License-Identifier: GPL-3.0-or-later - name: (Proxmox) Add WireGuard repository diff --git a/tasks/setup-debian-pve-host-variant.yml b/tasks/setup-debian-pve-host-variant.yml index 52ac6fb7..5706ef55 100644 --- a/tasks/setup-debian-pve-host-variant.yml +++ b/tasks/setup-debian-pve-host-variant.yml @@ -1,7 +1,7 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer -# Copyright (C) 2019-2020 Ties de Kock -# Copyright (C) 2021 Steve Fan +# Copyright (C) 2018-2024 Robert Wimmer +# Copyright (C) 2019-2024 Ties de Kock +# Copyright (C) 2021-2024 Steve Fan # SPDX-License-Identifier: GPL-3.0-or-later - name: (Proxmox) Add WireGuard repository diff --git a/tasks/setup-debian-raspbian-buster.yml b/tasks/setup-debian-raspbian-buster.yml index b6098090..4920d4a0 100644 --- a/tasks/setup-debian-raspbian-buster.yml +++ b/tasks/setup-debian-raspbian-buster.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2020 Stefan Haun +# Copyright (C) 2020-2024 Stefan Haun # SPDX-License-Identifier: GPL-3.0-or-later # Note: This setup is called for Raspbian 10 (Buster) and lower. diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml index e6ce173b..85316279 100644 --- a/tasks/setup-debian-vanilla.yml +++ b/tasks/setup-debian-vanilla.yml @@ -1,6 +1,6 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer -# Copyright (C) 2019-2020 Ties de Kock +# Copyright (C) 2018-2024 Robert Wimmer +# Copyright (C) 2019-2024 Ties de Kock # SPDX-License-Identifier: GPL-3.0-or-later - name: (Debian) Install WireGuard packages diff --git a/tasks/setup-debian.yml b/tasks/setup-debian.yml index 4dccfd95..631dfee2 100644 --- a/tasks/setup-debian.yml +++ b/tasks/setup-debian.yml @@ -1,6 +1,6 @@ --- -# Copyright (C) 2020 Stefan Haun -# Copyright (C) 2021 Steve Fan +# Copyright (C) 2020-2024 Stefan Haun +# Copyright (C) 2021-2024 Steve Fan # SPDX-License-Identifier: GPL-3.0-or-later - name: Setup for Raspbian 
diff --git a/tasks/setup-elementary os.yml b/tasks/setup-elementary os.yml index 7e6679aa..ed31260f 100644 --- a/tasks/setup-elementary os.yml +++ b/tasks/setup-elementary os.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (elementary OS) Update APT package cache diff --git a/tasks/setup-fedora.yml b/tasks/setup-fedora.yml index ef98f63a..86bdaf7e 100644 --- a/tasks/setup-fedora.yml +++ b/tasks/setup-fedora.yml @@ -1,12 +1,12 @@ --- -# Copyright (C) 2020 Ties de Kock -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2020-2024 Ties de Kock +# Copyright (C) 2023-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (Fedora) Install WireGuard packages when: - ansible_pkg_mgr != "atomic_container" - ansible.builtin.yum: + ansible.builtin.dnf: name: - "wireguard-tools" state: present diff --git a/tasks/setup-macosx.yml b/tasks/setup-macosx.yml index 05592be1..a7b6358a 100644 --- a/tasks/setup-macosx.yml +++ b/tasks/setup-macosx.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2020 Ruben Di Battista +# Copyright (C) 2020-2024 Ruben Di Battista # SPDX-License-Identifier: GPL-3.0-or-later - name: (MacOS) Install wireguard package diff --git a/tasks/setup-opensuse leap.yml b/tasks/setup-opensuse leap.yml index 4857c148..0227a1e3 100644 --- a/tasks/setup-opensuse leap.yml +++ b/tasks/setup-opensuse leap.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2020-2023 Robert Wimmer +# Copyright (C) 2020-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (openSUSE Leap) Install WireGuard packages diff --git a/tasks/setup-oraclelinux.yml b/tasks/setup-oraclelinux.yml index dee0c2ce..8ea7a5d4 100644 --- a/tasks/setup-oraclelinux.yml +++ b/tasks/setup-oraclelinux.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2022 Masahiro Koga +# Copyright (C) 2022-2024 Masahiro Koga # SPDX-License-Identifier: GPL-3.0-or-later - name: (OracleLinux) Install wireguard-tools package 
diff --git a/tasks/setup-rocky-8.yml b/tasks/setup-rocky-8.yml index 73e3b81e..d57da078 100644 --- a/tasks/setup-rocky-8.yml +++ b/tasks/setup-rocky-8.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2021-2023 Robert Wimmer +# Copyright (C) 2021-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (Rocky Linux 8) Tasks for standard kernel diff --git a/tasks/setup-rocky.yml b/tasks/setup-rocky.yml index 45819782..0abfd796 100644 --- a/tasks/setup-rocky.yml +++ b/tasks/setup-rocky.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2023 Robert Wimmer +# Copyright (C) 2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: (Rocky Linux) Install wireguard-tools package diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml index 436a34c0..635a90aa 100644 --- a/tasks/setup-ubuntu.yml +++ b/tasks/setup-ubuntu.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2018-2023 Robert Wimmer +# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Check if Netplan is supported diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2 index 35a2ed71..ea1f8ebf 100644 --- a/templates/etc/wireguard/wg.conf.j2 +++ b/templates/etc/wireguard/wg.conf.j2 @@ -1,5 +1,5 @@ #jinja2: lstrip_blocks:"True",trim_blocks:"True" -{# Copyright (C) 2018-2023 Robert Wimmer +{# Copyright (C) 2018-2024 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later #} # {{ ansible_managed }}
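Review bot: in the .yamllint hunk, enabling both `forbid-implicit-octal: true` and `forbid-explicit-octal: true` means any unquoted mode value (`0600` or `0o600`) now fails lint, so every `mode:` in the role has to be a quoted string; the `"0600"` and `"0700"` changes in defaults/main.yml and tasks/main.yml cover the two occurrences visible here, but please grep the other task files for unquoted modes before tagging 17.1.0. Dropping `comments-indentation: disable` also re-enables that rule at its default level, so a full lint run should be part of this PR's checks.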
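Review bot: in the CHANGELOG.md hunk the only change is the removal of a trailing space, yet this patch changes behaviour on Fedora (`ansible.builtin.yum` replaced by `ansible.builtin.dnf` in tasks/setup-fedora.yml) and tightens the lint configuration; unless those items already appear above line 19, add a 17.1.0 entry that records the module switch, since users pinning an older ansible-core will want to know the Fedora path now requires the dnf module.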
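Review bot: the README.md hunk at line 27 deletes the paragraph "Molecule tests are [available](...) (see further down below). It should also work with `Raspbian Buster` but for this one there is no test available. MacOS (see below) should also work partially but is only best effort." without re-adding its content anywhere visible in this patch; the Raspbian Buster note and the link to the testing section are useful to readers, so either move them under "### Linux - Best effort" or state in the commit message that they were dropped on purpose. While touching this section, the context line "in a such a way" should read "in such a way".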
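Review bot: the README.md hunk at line 376 only inserts the "## Example" heading, but the unchanged context it sits in still illustrates the deprecated form with `wireguard_address: "10.8.0.101"` right after the text recommends `wireguard_addresses`; since the later hunk at line 585 corrects the same key in the hosts example, update this sentence to `wireguard_addresses` as well so the prose and the example agree. The context line "Here is a litte example" also has a typo ("little").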
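Review bot: in the defaults/main.yml hunk, changing `wireguard_conf_mode: 0600` to `"0600"` is the right fix and not just a lint appeasement: an unquoted leading-zero value is interpreted by the YAML parser before the file module sees it, and Ansible's own file-module documentation recommends quoting octal modes so the module performs the conversion itself. Because the wg.conf file this mode protects contains the interface private key, please also make sure the README's documentation of `wireguard_conf_mode` shows the quoted form so users who override it do not reintroduce the unquoted value.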
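Review bot: in the tasks/main.yml hunk at line 45, adding `wg-config` to a task that previously carried only `skip_ansible_lint` means a `--tags wg-config` run now executes it; that is correct only if every task that consumes what this task sets (the `false {%- endif %}` context suggests a templated fact) is tagged the same way, otherwise a tag-limited run will hit an undefined variable. Please confirm the consumers of this fact are all within the `wg-config` tag, as the directory task in the line 160 hunk already is.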
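Review bot: in the tasks/setup-fedora.yml hunk, the condition `ansible_pkg_mgr != "atomic_container"` is kept while the module changes to `ansible.builtin.dnf`; since the exclusion is negative, any Fedora host whose package manager fact is neither dnf nor atomic_container will still reach the dnf module. Consider gating on the positive value (`ansible_pkg_mgr == "dnf"`) so the task skips cleanly instead of failing when the fact does not match the module being called.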
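Review bot: in the tasks/setup-centos-7.yml hunk, `Copyright (C) 2020 Roman Danko` becomes `2020-2024 Roman Danko` although this patch does not add any contribution by that author to the file; a copyright year range asserts the years in which the named person contributed, so extending third-party ranges is inaccurate. The same applies to the Pierre Ozoux, Tobias Richter, Ties de Kock, Steve Fan, Stefan Haun, Ruben Di Battista and Masahiro Koga headers elsewhere in this patch. Suggest bumping only the maintainer's own lines, or adding a separate `Copyright (C) 2024 Robert Wimmer` line to those files.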
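Review bot: in the tasks/setup-elementary os.yml hunk, `Copyright (C) 2023 Robert Wimmer` is replaced by `2024 Robert Wimmer`, dropping the 2023 year instead of extending the range to `2023-2024` as every other maintainer header in this patch does (the tasks/setup-rocky.yml hunk has the same slip). Make these two consistent with the rest, e.g. `# Copyright (C) 2023-2024 Robert Wimmer`.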