15.0.0 (#197)

* update Ansible Galaxy URL of this role

* remove Ubuntu 18.04 support (reached EOL)

* Molecule: rename 'kvm' scenario to 'default'

* Molecule: rename 'kvm' scenario to 'default'

* Molecule: rename 'kvm-single-server' scenario to 'single-server'

* update CHANGELOG

* remove Fedora 36 support (reached EOL) / add support for Fedora 37 + 38

* Molecule: increase memory for all VMs

* Molecule: fix Ubuntu 22.04 box

* update year in all files

* add support for openSUSE 15.5

* add support for Debian 12

* handlers/main.yml: 'Syncconf wireguard' task should not change things if nothing needs doing

* Fix ansible-lint issues

* update CHANGELOG

* update CHANGELOG

* update README

* update README

* Molecule: Upgrade OS and reboot in prepare before converge for Almalinux

* update CHANGELOG

* update README

.github/workflows/release.yml

@@ -1,4 +1,7 @@
 ---
+# Copyright (C) 2018-2023 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
 # This workflow requires a GALAXY_API_KEY secret present in the GitHub
 # repository or organization.
 #

.gitignore

@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 molecule/kvm/.vagrant

CHANGELOG.md

@@ -5,14 +5,47 @@ SPDX-License-Identifier: GPL-3.0-or-later
 
 # Changelog
 
+## 15.0.0
+
+Breaking:
+
+- removed support for Ubuntu 18.04 (reached end of life)
+- removed support for Fedora 36 (reached end of life)
+
+Feature:
+
+- add support for Fedora 37
+- add support for Fedora 38
+- add support for openSUSE 15.5
+- add support for Debian 12
+- prefix host name comment with `Name =` for [wg-info](https://github.com/asdil12/wg-info) in WireGuard interface configuration (contribution by @tarag)
+
+Molecule:
+
+- rename `kvm` scenario to `default`
+- rename `kvm-single-server` scenario to `single-server`
+- upgrade OS and reboot in prepare before converge for Almalinux
+
+Other:
+
+- fix `ansible-lint` issues
+
 ## 14.0.0
 
-- **BREAKING** CentOS7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very first time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed.
-- CentOS7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee)
-- **BREAKING** Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question.
-- variable `wireguard_ubuntu_update_cache` is deprecated
+Breaking:
+
+- CentOS 7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very first time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed.
+- CentOS 7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee)
+- Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question.
+
+Feature:
+
 - add support for Oracle Linux 9 (contribution by @cola-zero)
 
+Deprecation:
+
+- variable `wireguard_ubuntu_update_cache` is deprecated
+
 ## 13.0.1
 
 - [fix](https://github.com/githubixx/ansible-role-wireguard/pull/182) in README

README.md

@@ -7,7 +7,7 @@ SPDX-License-Identifier: GPL-3.0-or-later
 ansible-role-wireguard
 ======================
 
-This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. The latest release is [available via Ansible Galaxy](https://galaxy.ansible.com/githubixx/ansible_role_wireguard).  I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster.
+This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster.
 
 In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/).
 
@@ -16,16 +16,20 @@ Linux
 
 This role should work with:
 
-- Ubuntu 18.04 (Bionic Beaver)
 - Ubuntu 20.04 (Focal Fossa)
 - Ubuntu 22.04 (Jammy Jellyfish)
 - Archlinux
 - Debian 11 (Bullseye)
-- Fedora 36
+- Debian 12 (Bookworm)
+- Fedora 37
+- Fedora 38
 - CentOS 7
-- AlmaLinux
-- Rocky Linux
+- AlmaLinux 8
+- AlmaLinux 9
+- Rocky Linux 8
+- Rocky Linux 9
 - openSUSE Leap 15.4
+- openSUSE Leap 15.5
 - Oracle Linux 9
 
 Best effort:
@@ -66,7 +70,73 @@ Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good
 Changelog
 ---------
 
-see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/master/CHANGELOG.md)
+**Change history:**
+
+See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/master/CHANGELOG.md)
+
+**Changes in the last two versions:**
+
+15.0.0
+
+Breaking:
+
+- removed support for Ubuntu 18.04 (reached end of life)
+- removed support for Fedora 36 (reached end of life)
+
+Feature:
+
+- add support for Fedora 37
+- add support for Fedora 38
+- add support for openSUSE 15.5
+- add support for Debian 12
+- prefix host name comment with `Name =` for [wg-info](https://github.com/asdil12/wg-info) in WireGuard interface configuration (contribution by @tarag)
+
+Molecule:
+
+- rename `kvm` scenario to `default`
+- rename `kvm-single-server` scenario to `single-server`
+- upgrade OS and reboot in prepare before converge for Almalinux
+
+Other:
+
+- fix `ansible-lint` issues
+
+14.0.0
+
+Breaking:
+
+- CentOS 7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very fir
+st time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed.
+- CentOS 7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee)
+- Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question.
+
+Feature:
+
+- add support for Oracle Linux 9 (contribution by @cola-zero)
+
+Deprecation:
+
+- variable `wireguard_ubuntu_update_cache` is deprecated
+
+Installation
+------------
+
+- Directly download from Github (change into Ansible role directory before cloning):
+`git clone https://github.com/githubixx/ansible-role-wireguard.git githubixx.ansible_role_wireguard`
+
+- Via `ansible-galaxy` command and download directly from Ansible Galaxy:
+`ansible-galaxy install role githubixx.ansible_role_wireguard`
+
+- Create a `requirements.yml` file with the following content (this will download the role from Github) and install with
+`ansible-galaxy role install -r requirements.yml`:
+
+```yaml
+---
+roles:
+  - name: githubixx.ansible_role_wireguard
+    src: https://github.com/githubixx/ansible-role-wireguard.git
+    version: 15.0.0
+```
 
 Role Variables
 --------------
@@ -258,13 +328,6 @@ wireguard_postup:
 wireguard_postdown:
   - ...
 wireguard_save_config: "true"
-wireguard_unmanaged_peers:
-  client.example.com:
-    public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
-    # preshared_key: ... e.g. from ansible-vault?
-    allowed_ips: 10.0.0.3/32
-    endpoint: client.example.com:51820
-    persistent_keepalive: 0
 ```
 
 `wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples:
@@ -284,6 +347,18 @@ wireguard_preup:
 
 The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8).
 
+Additionally one can add "unmanaged" peers. Those peers are not handled by Ansible and not part of the `vpn` Ansible host group e.g.:
+
+```yaml
+wireguard_unmanaged_peers:
+  client.example.com:
+    public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI=
+    # preshared_key: ... e.g. from ansible-vault?
+    allowed_ips: 10.0.0.3/32
+    endpoint: client.example.com:51820
+    persistent_keepalive: 0
+```
+
 One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) is required as already mentioned. It's the IPs of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs at least one unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s).
 
 Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role.
@@ -519,30 +594,30 @@ Sample playbooks for example above:
 Testing
 -------
 
-This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/kvm).
+This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/default).
 
 Afterwards molecule can be executed:
 
 ```bash
-molecule converge -s kvm
+molecule converge
 ```
 
 This will setup quite a few virtual machines (VM) with different supported Linux operating systems. To run a few tests:
 
 ```bash
-molecule verify -s kvm
+molecule verify
 ```
 
 To clean up run
 
 ```bash
-molecule destroy -s kvm
+molecule destroy
 ```
 
-There is also a small Molecule setup that mimics a central WireGuard server with a few clients:
+There is also a small [Molecule setup](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/single-server) that mimics a central WireGuard server with a few clients:
 
 ```bash
-molecule converge -s kvm-single-server
+molecule converge -s single-server
 ```
 
 License

defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 #######################################

handlers/main.yml

@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 - name: Restart wireguard
@@ -23,6 +23,9 @@
     systemctl is-active wg-quick@{{ wireguard_interface | quote }} || systemctl start wg-quick@{{ wireguard_interface | quote }}
     wg syncconf {{ wireguard_interface | quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface | quote }}.conf)
     exit 0
+  register: wireguard__syncconf_out
+  changed_when: false
+  failed_when: wireguard__syncconf_out.rc != 0
   args:
     executable: "/bin/bash"
   when:

meta/main.yml

@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 galaxy_info:
@@ -13,23 +13,25 @@ galaxy_info:
     - name: ArchLinux
     - name: Ubuntu
       versions:
-        - "bionic"
         - "focal"
         - "jammy"
     - name: Debian
       versions:
         - "bullseye"
+        - "bookworm"
     - name: EL
       versions:
         - "7"
         - "8"
         - "9"
     - name: Fedora
       versions:
-        - "36"
+        - "37"
+        - "38"
     - name: opensuse
       versions:
         - "15.4"
+        - "15.5"
   galaxy_tags:
     - networking
     - security

molecule/kvm/converge.yml → molecule/default/converge.yml

@@ -1,8 +1,9 @@
 ---
-# Copyright (C) 2020-2022 Robert Wimmer
+# Copyright (C) 2020-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 
-- hosts: all
+- name: Setup WireGuard
+  hosts: all
   remote_user: vagrant
   become: true
   gather_facts: true