From d1cba570f77f5e189c4a748c84c79e4205616fca Mon Sep 17 00:00:00 2001 
From: Robert Wimmer <2039811+githubixx@users.noreply.github.com> Date: Tue, 21 Nov 2023 21:16:51 +0100 Subject: [PATCH] 15.0.0 (#197) * update Ansible Galaxy URL of this role * remove Ubuntu 18.04 support (reached EOL) * Molecule: rename 'kvm' scenario to 'default' * Molecule: rename 'kvm' scenario to 'default' * Molecule: rename 'kvm-single-server' scenario to 'single-server' * update CHANGELOG * remove Fedora 36 support (reached EOL) / add support for Fedora 37 + 38 * Molecule: increase memory for all VMs * Molecule: fix Ubuntu 22.04 box * update year in all files * add support for openSUSE 15.5 * add support for Debian 12 * handlers/main.yml: 'Syncconf wireguard' task should not change things if nothing needs doing * Fix ansible-lint issues * update CHANGELOG * update CHANGELOG * update README * update README * Molecule: Upgrade OS and reboot in prepare before converge for Almalinux * update CHANGELOG * update README --- .github/workflows/release.yml | 3 + .gitignore | 2 +- CHANGELOG.md | 41 ++++++- README.md | 113 +++++++++++++++--- defaults/main.yml | 2 +- handlers/main.yml | 5 +- meta/main.yml | 8 +- molecule/{kvm => default}/converge.yml | 5 +- molecule/{kvm => default}/molecule.yml | 93 +++++++++----- molecule/{kvm => default}/prepare.yml | 37 +++++- molecule/{kvm => default}/verify.yml | 2 +- .../converge.yml | 5 +- .../molecule.yml | 18 +-- .../prepare.yml | 5 +- .../verify.yml | 2 +- tasks/main.yml | 2 +- tasks/setup-almalinux-8.yml | 2 +- tasks/setup-almalinux.yml | 2 +- tasks/setup-archlinux.yml | 2 +- tasks/setup-debian-pve-host-variant.yml | 2 +- tasks/setup-debian-vanilla.yml | 2 +- tasks/setup-elementary os.yml | 2 +- tasks/setup-opensuse leap.yml | 2 +- tasks/setup-rocky-8.yml | 2 +- tasks/setup-rocky.yml | 2 +- tasks/setup-ubuntu.yml | 2 +- templates/etc/wireguard/wg.conf.j2 | 2 +- 27 files changed, 266 insertions(+), 99 deletions(-) rename molecule/{kvm => default}/converge.yml (75%) rename molecule/{kvm => default}/molecule.yml (80%) rename 
molecule/{kvm => default}/prepare.yml (68%)
 rename molecule/{kvm => default}/verify.yml (96%)
 rename molecule/{kvm-single-server => single-server}/converge.yml (76%)
 rename molecule/{kvm-single-server => single-server}/molecule.yml (79%)
 rename molecule/{kvm-single-server => single-server}/prepare.yml (75%)
 rename molecule/{kvm-single-server => single-server}/verify.yml (96%)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 16e3eae..96d8674 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,7 @@
 ---
+# Copyright (C) 2018-2023 Robert Wimmer
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
 # This workflow requires a GALAXY_API_KEY secret present in the GitHub
 # repository or organization.
 #
diff --git a/.gitignore b/.gitignore
index df7a7f7..d15b9a8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 molecule/kvm/.vagrant
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15ec97b..b152acf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
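Review bot: The context line `molecule/kvm/.vagrant` in `.gitignore` is now stale, because this commit renames the scenario directory to `molecule/default` (see the `rename molecule/{kvm => default}/...` entries in the diffstat), so the `.vagrant` state directory Molecule creates under the new path is no longer ignored; as far as this hunk shows the `single-server` scenario is not covered either. That directory typically holds the per-machine SSH private keys Vagrant generates, so an accidental `git add -A` would commit credentials. Replace the entry with `molecule/*/.vagrant`, or list `molecule/default/.vagrant` and `molecule/single-server/.vagrant` explicitly.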
@@ -5,14 +5,47 @@ SPDX-License-Identifier: GPL-3.0-or-later # Changelog +## 15.0.0 + +Breaking: + +- removed support for Ubuntu 18.04 (reached end of life) +- removed support for Fedora 36 (reached end of life) + +Feature: + +- add support for Fedora 37 +- add support for Fedora 38 +- add support for openSUSE 15.5 +- add support for Debian 12 +- prefix host name comment with `Name =` for [wg-info](https://github.com/asdil12/wg-info) in WireGuard interface configuration (contribution by @tarag) + +Molecule: + +- rename `kvm` scenario to `default` +- rename `kvm-single-server` scenario to `single-server` +- upgrade OS and reboot in prepare before converge for Almalinux + +Other: + +- fix `ansible-lint` issues + ## 14.0.0 -- **BREAKING** CentOS7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very first time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed. -- CentOS7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee) -- **BREAKING** Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question. 
-- variable `wireguard_ubuntu_update_cache` is deprecated +Breaking: + +- CentOS 7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very first time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed. +- CentOS 7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee) +- Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question. + +Feature: + - add support for Oracle Linux 9 (contribution by @cola-zero) +Deprecation: + +- variable `wireguard_ubuntu_update_cache` is deprecated + ## 13.0.1 - [fix](https://github.com/githubixx/ansible-role-wireguard/pull/182) in README diff --git a/README.md b/README.md index ae64207..a2e6894 100644 --- a/README.md +++ b/README.md 
@@ -7,7 +7,7 @@ SPDX-License-Identifier: GPL-3.0-or-later ansible-role-wireguard ====================== -This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. The latest release is [available via Ansible Galaxy](https://galaxy.ansible.com/githubixx/ansible_role_wireguard). I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. +This Ansible role is used in my blog series [Kubernetes the not so hard way with Ansible](https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/) but can be used standalone of course. I use WireGuard and this Ansible role to setup a fully meshed VPN between all nodes of my little Kubernetes cluster. In general WireGuard is a network tunnel (VPN) for IPv4 and IPv6 that uses UDP. If you need more information about [WireGuard](https://www.wireguard.io/) you can find a good introduction here: [Installing WireGuard, the Modern VPN](https://research.kudelskisecurity.com/2017/06/07/installing-wireguard-the-modern-vpn/). @@ -16,16 +16,20 @@ Linux This role should work with: -- Ubuntu 18.04 (Bionic Beaver) - Ubuntu 20.04 (Focal Fossa) - Ubuntu 22.04 (Jammy Jellyfish) - Archlinux - Debian 11 (Bullseye) -- Fedora 36 +- Debian 12 (Bookworm) +- Fedora 37 +- Fedora 38 - CentOS 7 -- AlmaLinux -- Rocky Linux +- AlmaLinux 8 +- AlmaLinux 9 +- Rocky Linux 8 +- Rocky Linux 9 - openSUSE Leap 15.4 +- openSUSE Leap 15.5 - Oracle Linux 9 Best effort: 
@@ -66,7 +70,73 @@ Nevertheless the `PreUp`, `PreDown`, `PostUp` and `PostDown` hooks may be a good Changelog --------- -see [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/master/CHANGELOG.md) +**Change history:** + +See full [CHANGELOG.md](https://github.com/githubixx/ansible-role-wireguard/blob/master/CHANGELOG.md) + +**Changes in the last two versions:** + +15.0.0 + +Breaking: + +- removed support for Ubuntu 18.04 (reached end of life) +- removed support for Fedora 36 (reached end of life) + +Feature: + +- add support for Fedora 37 +- add support for Fedora 38 +- add support for openSUSE 15.5 +- add support for Debian 12 +- prefix host name comment with `Name =` for [wg-info](https://github.com/asdil12/wg-info) in WireGuard interface configuration (contribution by @tarag) + +Molecule: + +- rename `kvm` scenario to `default` +- rename `kvm-single-server` scenario to `single-server` +- upgrade OS and reboot in prepare before converge for Almalinux + +Other: + +- fix `ansible-lint` issues + +14.0.0 + +Breaking: + +- CentOS 7: Introduce `wireguard_centos7_kernel_plus_reboot` and `wireguard_centos7_standard_reboot` variables. Both are set to "true" by default. This will cause the host to be rebooted in case the "wireguard" kernel module was installed the very fir +st time. If `wireguard_centos7_installation_method: "kernel-plus"` is set and the host wasn't booted with a `kernel-plus` kernel already you most probably need to reboot. For the `standard` kernel this might not be needed. +- CentOS 7: Add reboot to the standard mode to make sure the WireGuard kernel module is available (contribution by @mofelee) +- Introduce `wireguard_update_cache` variable to control if package manager caches should be updated before the installation (contribution by @sebix). Before this release the package manager cache wasn't updated for AlmaLinux 9, Archlinux, Fedora and openSUSE. 
With `wireguard_update_cache` set to `true` by default those OSes are now also update the package manager cache. If you don't want that set `wireguard_update_cache` to `false` for the host in question. + +Feature: + +- add support for Oracle Linux 9 (contribution by @cola-zero) + +Deprecation: + +- variable `wireguard_ubuntu_update_cache` is deprecated + +Installation +------------ + +- Directly download from Github (change into Ansible role directory before cloning): +`git clone https://github.com/githubixx/ansible-role-wireguard.git githubixx.ansible_role_wireguard` + +- Via `ansible-galaxy` command and download directly from Ansible Galaxy: +`ansible-galaxy install role githubixx.ansible_role_wireguard` + +- Create a `requirements.yml` file with the following content (this will download the role from Github) and install with +`ansible-galaxy role install -r requirements.yml`: + +```yaml +--- +roles: + - name: githubixx.ansible_role_wireguard + src: https://github.com/githubixx/ansible-role-wireguard.git + version: 15.0.0 +``` Role Variables -------------- @@ -258,13 +328,6 @@ wireguard_postup: wireguard_postdown: - ... wireguard_save_config: "true" -wireguard_unmanaged_peers: - client.example.com: - public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI= - # preshared_key: ... e.g. from ansible-vault? - allowed_ips: 10.0.0.3/32 - endpoint: client.example.com:51820 - persistent_keepalive: 0 ``` `wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples: 
@@ -284,6 +347,18 @@ wireguard_preup: The commands are executed in order as described in [wg-quick.8](https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8). +Additionally one can add "unmanaged" peers. Those peers are not handled by Ansible and not part of the `vpn` Ansible host group e.g.: + +```yaml +wireguard_unmanaged_peers: + client.example.com: + public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI= + # preshared_key: ... e.g. from ansible-vault? + allowed_ips: 10.0.0.3/32 + endpoint: client.example.com:51820 + persistent_keepalive: 0 +``` + One of `wireguard_address` (deprecated) or `wireguard_addresses` (recommended) is required as already mentioned. It's the IPs of the interface name defined with `wireguard_interface` variable (`wg0` by default). Every host needs at least one unique VPN IP of course. If you don't set `wireguard_endpoint` the playbook will use the hostname defined in the `vpn` hosts group (the Ansible inventory hostname). If you set `wireguard_endpoint` to `""` (empty string) that peer won't have a endpoint. That means that this host can only access hosts that have a `wireguard_endpoint`. That's useful for clients that don't expose any services to the VPN and only want to access services on other hosts. So if you only define one host with `wireguard_endpoint` set and all other hosts have `wireguard_endpoint` set to `""` (empty string) that basically means you've only clients besides one which in that case is the WireGuard server. The third possibility is to set `wireguard_endpoint` to some hostname. E.g. if you have different hostnames for the private and public DNS of that host and need different DNS entries for that case setting `wireguard_endpoint` becomes handy. Take for example the IP above: `wireguard_address: "10.8.0.101"`. That's a private IP and I've created a DNS entry for that private IP like `host01.i.domain.tld` (`i` for internal in that case). 
For the public IP I've created a DNS entry like `host01.p.domain.tld` (`p` for public). The `wireguard_endpoint` needs to be a interface that the other members in the `vpn` group can connect to. So in that case I would set `wireguard_endpoint` to `host01.p.domain.tld` because WireGuard normally needs to be able to connect to the public IP of the other host(s). Here is a litte example for what I use the playbook: I use WireGuard to setup a fully meshed VPN (every host can directly connect to every other host) and run my Kubernetes (K8s) cluster at Hetzner Cloud (but you should be able to use any hoster you want). So the important components like the K8s controller and worker nodes (which includes the pods) only communicate via encrypted WireGuard VPN. Also (as already mentioned) I've two clients. Both have `kubectl` installed and are able to talk to the internal Kubernetes API server by using WireGuard VPN. One of the two clients also exposes a WireGuard endpoint because the Postfix mailserver in the cloud and my internal Postfix needs to be able to talk to each other. I guess that's maybe a not so common use case for WireGuard :D But it shows what's possible. So let me explain the setup which might help you to use this Ansible role. 
@@ -519,30 +594,30 @@ Sample playbooks for example above: Testing ------- -This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/kvm). +This role has a small test setup that is created using [Molecule](https://github.com/ansible-community/molecule), libvirt (vagrant-libvirt) and QEMU/KVM. Please see my blog post [Testing Ansible roles with Molecule, libvirt (vagrant-libvirt) and QEMU/KVM](https://www.tauceti.blog/posts/testing-ansible-roles-with-molecule-libvirt-vagrant-qemu-kvm/) how to setup. The test configuration is [here](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/default). Afterwards molecule can be executed: ```bash -molecule converge -s kvm +molecule converge ``` This will setup quite a few virtual machines (VM) with different supported Linux operating systems. To run a few tests: ```bash -molecule verify -s kvm +molecule verify ``` To clean up run ```bash -molecule destroy -s kvm +molecule destroy ``` -There is also a small Molecule setup that mimics a central WireGuard server with a few clients: +There is also a small [Molecule setup](https://github.com/githubixx/ansible-role-wireguard/tree/master/molecule/single-server) that mimics a central WireGuard server with a few clients: ```bash -molecule converge -s kvm-single-server +molecule converge -s single-server ``` License diff --git a/defaults/main.yml b/defaults/main.yml index 0e24d37..19988fd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 #######################################
diff --git a/handlers/main.yml b/handlers/main.yml
index 84dca6d..afb4960 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: Restart wireguard
@@ -23,6 +23,9 @@
 systemctl is-active wg-quick@{{ wireguard_interface | quote }} || systemctl start wg-quick@{{ wireguard_interface | quote }}
 wg syncconf {{ wireguard_interface | quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface | quote }}.conf)
 exit 0
+ register: wireguard__syncconf_out
+ changed_when: false
+ failed_when: wireguard__syncconf_out.rc != 0
 args:
 executable: "/bin/bash"
 when:
diff --git a/meta/main.yml b/meta/main.yml
index 26afbe8..6a6d678 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 galaxy_info:
@@ -13,12 +13,12 @@ galaxy_info:
 - name: ArchLinux
 - name: Ubuntu
 versions:
- - "bionic"
 - "focal"
 - "jammy"
 - name: Debian
 versions:
 - "bullseye"
+ - "bookworm"
 - name: EL
 versions:
 - "7"
@@ -26,10 +26,12 @@ galaxy_info:
 - "9"
 - name: Fedora
 versions:
- - "36"
+ - "37"
+ - "38"
 - name: opensuse
 versions:
 - "15.4"
+ - "15.5"
 galaxy_tags:
 - networking
 - security
diff --git a/molecule/kvm/converge.yml b/molecule/default/converge.yml
similarity index 75%
rename from molecule/kvm/converge.yml
rename to molecule/default/converge.yml
index 0c9a877..65ebfab 100644
--- a/molecule/kvm/converge.yml
+++ b/molecule/default/converge.yml
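Review bot: `failed_when: wireguard__syncconf_out.rc != 0` in the handlers hunk `@@ -23,6 +23,9 @@` cannot trigger as long as the script still ends in the unconditional `exit 0` shown two lines above it, so a failing `wg syncconf` (or a config that `wg-quick strip` rejects) is reported as success — unless the part of the script above the hunk enables `set -e`, which is not visible here. For a VPN peer list that matters: if the sync fails, a peer removed from the on-disk config stays active on the running interface while the play reports no error. Dropping the `exit 0` line (or starting the script with `set -euo pipefail`) makes the registered `rc` meaningful and lets the new `failed_when` do its job. `changed_when: false` additionally hides a successful re-sync of a changed peer set; that is defensible for a handler, but deserves a comment such as `# never reports changed: change reporting is left to the notifying task`. The enclosing task starts above this hunk.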
@@ -1,8 +1,9 @@ --- -# Copyright (C) 2020-2022 Robert Wimmer +# Copyright (C) 2020-2023 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later -- hosts: all +- name: Setup WireGuard + hosts: all remote_user: vagrant become: true gather_facts: true diff --git a/molecule/kvm/molecule.yml b/molecule/default/molecule.yml similarity index 80% rename from molecule/kvm/molecule.yml rename to molecule/default/molecule.yml index b9fc094..b8dbc93 100644 --- a/molecule/kvm/molecule.yml +++ b/molecule/default/molecule.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2020-2022 Robert Wimmer +# Copyright (C) 2020-2023 Robert Wimmer # Copyright (C) 2020 Pierre Ozoux # SPDX-License-Identifier: GPL-3.0-or-later @@ -15,7 +15,7 @@ driver: platforms: - name: test-wg-ubuntu2004 box: generic/ubuntu2004 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -25,9 +25,9 @@ platforms: groups: - vpn - ubuntu - - name: test-wg-ubuntu1804 - box: generic/ubuntu1804 - memory: 1024 + - name: test-wg-fedora37 + box: generic/fedora37 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -36,22 +36,22 @@ platforms: ip: 192.168.10.20 groups: - vpn - - ubuntu - - name: test-wg-fedora36 - box: generic/fedora36 - memory: 1024 + - fedora + - name: test-wg-fedora38 + box: generic/fedora38 + memory: 1536 cpus: 2 interfaces: - auto_config: true network_name: private_network type: static - ip: 192.168.10.40 + ip: 192.168.10.30 groups: - vpn - fedora - name: test-wg-centos7 box: generic/centos7 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -63,7 +63,7 @@ platforms: - el7 - name: test-wg-arch box: archlinux/archlinux - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -75,7 +75,7 @@ platforms: - archlinux - name: test-wg-debian11 box: generic/debian11 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true 
@@ -85,9 +85,21 @@ platforms: groups: - vpn - debian + - name: test-wg-debian12 + box: generic/debian12 + memory: 1536 + cpus: 2 + interfaces: + - auto_config: true + network_name: private_network + type: static + ip: 192.168.10.110 + groups: + - vpn + - debian - name: test-wg-rocky8 box: generic/rocky8 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -99,7 +111,7 @@ platforms: - el8 - name: test-wg-alma8 box: generic/alma8 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -109,9 +121,10 @@ platforms: groups: - vpn - el8 + - almalinux8 - name: test-wg-centos7-kernel-plus box: generic/centos7 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -123,7 +136,7 @@ platforms: - el7 - name: test-wg-rocky8-dkms box: generic/rocky8 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -135,8 +148,8 @@ platforms: - el8 - el8dkms - name: test-wg-ubuntu2204 - box: generic/ubuntu2004 - memory: 1024 + box: generic/ubuntu2204 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -148,7 +161,7 @@ platforms: - ubuntu - name: test-wg-opensuse-leap-15-4 box: opensuse/Leap-15.4.x86_64 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -158,9 +171,21 @@ platforms: groups: - vpn - opensuse + - name: test-wg-opensuse-leap-15-5 + box: opensuse/Leap-15.5.x86_64 + memory: 1536 + cpus: 2 + interfaces: + - auto_config: true + network_name: private_network + type: static + ip: 192.168.10.190 + groups: + - vpn + - opensuse - name: test-wg-rocky9 box: generic/rocky9 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -172,7 +197,7 @@ platforms: - el9 - name: test-wg-alma9 box: generic/alma9 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true @@ -184,7 +209,7 @@ platforms: - el9 - name: test-wg-oracle9 box: generic/oracle9 - memory: 1024 + memory: 1536 cpus: 2 interfaces: - auto_config: true 
@@ -210,16 +235,17 @@ provisioner: wireguard_port: 51820 wireguard_persistent_keepalive: "30" wireguard_endpoint: "192.168.10.10" - test-wg-ubuntu1804: + test-wg-fedora37: wireguard_address: "10.10.10.20/24" wireguard_port: 51820 wireguard_persistent_keepalive: "30" wireguard_endpoint: "192.168.10.20" - test-wg-fedora36: - wireguard_address: "10.10.10.40/24" + wireguard_interface_restart: true + test-wg-fedora38: + wireguard_address: "10.10.10.30/24" wireguard_port: 51820 wireguard_persistent_keepalive: "30" - wireguard_endpoint: "192.168.10.40" + wireguard_endpoint: "192.168.10.30" wireguard_interface_restart: true test-wg-centos7: wireguard_address: "10.10.10.50/24" @@ -239,6 +265,12 @@ provisioner: wireguard_persistent_keepalive: "30" wireguard_endpoint: "192.168.10.70" ansible_python_interpreter: "/usr/bin/python3" + test-wg-debian12: + wireguard_address: "10.10.10.110/24" + wireguard_port: 51820 + wireguard_persistent_keepalive: "30" + wireguard_endpoint: "192.168.10.110" + ansible_python_interpreter: "/usr/bin/python3" test-wg-rocky8: wireguard_address: "10.10.10.80/24" wireguard_port: 51820 @@ -271,6 +303,11 @@ provisioner: wireguard_port: 51820 wireguard_persistent_keepalive: "30" wireguard_endpoint: "192.168.10.150" + test-wg-opensuse-leap-15-5: + wireguard_address: "10.10.10.190/24" + wireguard_port: 51820 + wireguard_persistent_keepalive: "30" + wireguard_endpoint: "192.168.10.190" test-wg-rocky9: wireguard_address: "10.10.10.160/24" wireguard_port: 51820 @@ -288,7 +325,7 @@ provisioner: wireguard_endpoint: "192.168.10.180" scenario: - name: kvm + name: default test_sequence: - prepare - converge diff --git a/molecule/kvm/prepare.yml b/molecule/default/prepare.yml similarity index 68% rename from molecule/kvm/prepare.yml rename to molecule/default/prepare.yml index bd3c101..4db45fe 100644 --- a/molecule/kvm/prepare.yml +++ b/molecule/default/prepare.yml 
@@ -2,7 +2,8 @@
 # Copyright (C) 2021-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
-- hosts: opensuse
+- name: Prepare opensuse hosts
+ hosts: opensuse
 remote_user: vagrant
 become: true
 gather_facts: true
@@ -14,7 +15,8 @@
 changed_when: false
 failed_when: false
-- hosts: archlinux
+- name: Prepare Archlinux hosts
+ hosts: archlinux
 remote_user: vagrant
 become: true
 gather_facts: false
@@ -27,7 +29,9 @@
 failed_when: false
 - name: Updating pacman cache
- raw: pacman -Sy
+ ansible.builtin.raw: pacman -Sy
+ changed_when: false
+ failed_when: false
 - name: Install Python
 ansible.builtin.raw: |
@@ -36,7 +40,8 @@
 executable: /bin/bash
 changed_when: false
-- hosts: proxmox
+- name: Prepare Proxmox hosts
+ hosts: proxmox
 remote_user: vagrant
 become: true
 gather_facts: true
@@ -46,7 +51,8 @@
 name: /var/lib/apt/lists/lock
 state: absent
-- hosts: ubuntu
+- name: Prepare Ubuntu hosts
+ hosts: ubuntu
 remote_user: vagrant
 become: true
 gather_facts: true
@@ -56,7 +62,8 @@
 update_cache: true
 cache_valid_time: 3600
-- hosts: el8dkms
+- name: Prepare Enterprise Linux 8 hosts (DKMS)
+ hosts: el8dkms
 remote_user: vagrant
 become: true
 gather_facts: true
@@ -68,3 +75,21 @@
 dnf --enablerepo=elrepo-kernel install -y kernel-ml
 changed_when: false
 failed_when: false
+
+ - name: Reboot for kernel updates
+ ansible.builtin.reboot:
+
+- name: Prepare Almalinux 8 hosts
+ hosts: almalinux8
+ remote_user: vagrant
+ become: true
+ gather_facts: true
+ tasks:
+ - name: Install ELRepo mainline kernel
+ ansible.builtin.raw: |
+ dnf -y upgrade
+ changed_when: false
+ failed_when: false
+
+ - name: Reboot for kernel updates
+ ansible.builtin.reboot:
diff --git a/molecule/kvm/verify.yml b/molecule/default/verify.yml
similarity index 96%
rename from molecule/kvm/verify.yml
rename to molecule/default/verify.yml
index 4551ce3..066d440 100644
--- a/molecule/kvm/verify.yml
+++ b/molecule/default/verify.yml
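Review bot: In the new `Prepare Almalinux 8 hosts` play (last hunk of `molecule/default/prepare.yml`) the task is named `Install ELRepo mainline kernel` but only runs `dnf -y upgrade`; the name was evidently copied from the `el8dkms` play above it and should say what the task does, e.g. `- name: Upgrade all packages`. With both `changed_when: false` and `failed_when: false` on that upgrade, a failed or partial upgrade is invisible and the `Reboot for kernel updates` task still fires, so converge and verify then run against a box in an unknown state and a green test run says little. Since `ansible.builtin.raw` returns an `rc`, drop `failed_when: false` there (the same applies to the `ansible.builtin.raw: pacman -Sy` task in the Archlinux play, which this commit also makes never-fail), or use `ansible.builtin.dnf` with `name: "*"` and `state: latest`, which reports changed and failed properly on a host that already has Python.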
@@ -1,5 +1,5 @@ --- -# Copyright (C) 2022 Robert Wimmer +# Copyright (C) 2023 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later - name: Verify setup diff --git a/molecule/kvm-single-server/converge.yml b/molecule/single-server/converge.yml similarity index 76% rename from molecule/kvm-single-server/converge.yml rename to molecule/single-server/converge.yml index 546010a..ee3886c 100644 --- a/molecule/kvm-single-server/converge.yml +++ b/molecule/single-server/converge.yml @@ -1,8 +1,9 @@ --- -# Copyright (C) 2022 Robert Wimmer +# Copyright (C) 2023 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later -- hosts: all +- name: Setup WireGuard + hosts: all remote_user: vagrant become: true gather_facts: true diff --git a/molecule/kvm-single-server/molecule.yml b/molecule/single-server/molecule.yml similarity index 79% rename from molecule/kvm-single-server/molecule.yml rename to molecule/single-server/molecule.yml index 7cf5fee..7af646e 100644 --- a/molecule/kvm-single-server/molecule.yml +++ b/molecule/single-server/molecule.yml @@ -1,5 +1,5 @@ --- -# Copyright (C) 2022 Robert Wimmer +# Copyright (C) 2023 Robert Wimmer # SPDX-License-Identifier: GPL-3.0-or-later dependency: @@ -25,16 +25,6 @@ platforms: groups: - vpn - ubuntu - - name: test-wg-ubuntu1804 - box: generic/ubuntu1804 - interfaces: - - auto_config: true - network_name: private_network - type: static - ip: 192.168.10.20 - groups: - - vpn - - ubuntu - name: test-wg-debian11 box: generic/debian11 interfaces: @@ -71,10 +61,6 @@ provisioner: wireguard_port: 51820 wireguard_persistent_keepalive: "30" wireguard_endpoint: "192.168.10.10" - test-wg-ubuntu1804: - wireguard_address: "10.10.10.20/24" - wireguard_persistent_keepalive: "30" - wireguard_endpoint: "" test-wg-debian11: wireguard_address: "10.10.10.30/24" wireguard_persistent_keepalive: "30" @@ -86,7 +72,7 @@ provisioner: wireguard_endpoint: "" scenario: - name: kvm-single-server + name: single-server test_sequence: - prepare - converge 
diff --git a/molecule/kvm-single-server/prepare.yml b/molecule/single-server/prepare.yml
similarity index 75%
rename from molecule/kvm-single-server/prepare.yml
rename to molecule/single-server/prepare.yml
index 8b00225..4b5f465 100644
--- a/molecule/kvm-single-server/prepare.yml
+++ b/molecule/single-server/prepare.yml
@@ -1,8 +1,9 @@
 ---
-# Copyright (C) 2022 Robert Wimmer
+# Copyright (C) 2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
-- hosts: ubuntu
+- name: Setup Ubuntu hosts
+ hosts: ubuntu
 remote_user: vagrant
 become: true
 gather_facts: true
diff --git a/molecule/kvm-single-server/verify.yml b/molecule/single-server/verify.yml
similarity index 96%
rename from molecule/kvm-single-server/verify.yml
rename to molecule/single-server/verify.yml
index 4551ce3..066d440 100644
--- a/molecule/kvm-single-server/verify.yml
+++ b/molecule/single-server/verify.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2022 Robert Wimmer
+# Copyright (C) 2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: Verify setup
diff --git a/tasks/main.yml b/tasks/main.yml
index f28fddb..fe415fd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: Gather instance facts
diff --git a/tasks/setup-almalinux-8.yml b/tasks/setup-almalinux-8.yml
index 7e3f896..75c92e3 100644
--- a/tasks/setup-almalinux-8.yml
+++ b/tasks/setup-almalinux-8.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2021-2022 Robert Wimmer
+# Copyright (C) 2021-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (AlmaLinux 8) Install EPEL & ELRepo repository
diff --git a/tasks/setup-almalinux.yml b/tasks/setup-almalinux.yml
index 2463081..1b5c990 100644
--- a/tasks/setup-almalinux.yml
+++ b/tasks/setup-almalinux.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2022 Robert Wimmer
+# Copyright (C) 2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (AlmaLinux) Install wireguard-tools package
diff --git a/tasks/setup-archlinux.yml b/tasks/setup-archlinux.yml
index 999cc1f..f5cfae4 100644
--- a/tasks/setup-archlinux.yml
+++ b/tasks/setup-archlinux.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Archlinux) Refresh the master package lists
diff --git a/tasks/setup-debian-pve-host-variant.yml b/tasks/setup-debian-pve-host-variant.yml
index c41505e..52ac6fb 100644
--- a/tasks/setup-debian-pve-host-variant.yml
+++ b/tasks/setup-debian-pve-host-variant.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # Copyright (C) 2019-2020 Ties de Kock
 # Copyright (C) 2021 Steve Fan
 # SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml
index 664827a..e6ce173 100644
--- a/tasks/setup-debian-vanilla.yml
+++ b/tasks/setup-debian-vanilla.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # Copyright (C) 2019-2020 Ties de Kock
 # SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/tasks/setup-elementary os.yml b/tasks/setup-elementary os.yml
index 0aebefa..7e6679a 100644
--- a/tasks/setup-elementary os.yml
+++ b/tasks/setup-elementary os.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2022 Robert Wimmer
+# Copyright (C) 2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (elementary OS) Update APT package cache
diff --git a/tasks/setup-opensuse leap.yml b/tasks/setup-opensuse leap.yml
index 054ced1..4857c14 100644
--- a/tasks/setup-opensuse leap.yml
+++ b/tasks/setup-opensuse leap.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2020-2022 Robert Wimmer
+# Copyright (C) 2020-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (openSUSE Leap) Install WireGuard packages
diff --git a/tasks/setup-rocky-8.yml b/tasks/setup-rocky-8.yml
index 0210167..73e3b81 100644
--- a/tasks/setup-rocky-8.yml
+++ b/tasks/setup-rocky-8.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2021-2022 Robert Wimmer
+# Copyright (C) 2021-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Rocky Linux 8) Tasks for standard kernel
diff --git a/tasks/setup-rocky.yml b/tasks/setup-rocky.yml
index a26d1de..4581978 100644
--- a/tasks/setup-rocky.yml
+++ b/tasks/setup-rocky.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2022 Robert Wimmer
+# Copyright (C) 2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Rocky Linux) Install wireguard-tools package
diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml
index 376f6f9..57a4067 100644
--- a/tasks/setup-ubuntu.yml
+++ b/tasks/setup-ubuntu.yml
@@ -1,5 +1,5 @@
 ---
-# Copyright (C) 2018-2022 Robert Wimmer
+# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later
 - name: (Ubuntu) Update APT package cache
diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2
index cb71573..c7d2ee2 100644
--- a/templates/etc/wireguard/wg.conf.j2
+++ b/templates/etc/wireguard/wg.conf.j2
@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks:"True",trim_blocks:"True"
-{# Copyright (C) 2018-2022 Robert Wimmer
+{# Copyright (C) 2018-2023 Robert Wimmer
 # SPDX-License-Identifier: GPL-3.0-or-later #}
 # {{ ansible_managed }}