ansible-role-wireguard
ansible-role-wireguard copied to clipboard
Support use of wireguard-go on non-OS X platforms
Not all Linux hosts have access to their kernel (e.g. LXD containers, OpenVZ guests) to load a kernel module. For such environments, wireguard-go is required: it would be great if this role could provide such support.
(I'm going to spend a bit of time experimenting on getting this working.)
Applying this to 5178a9a097a324d84608cf3c32a5071c637ae049 seems to have done the trick for me, I have a working connection between my module-using local system and remote wireguard-go-using OpenVZ system!
This is obviously pretty rough: it presupposes an apt-based system, uses an unofficial PPA for Go, and could definitely be better Ansible, but I'm unblocked at least!
diff --git a/defaults/main.yml b/defaults/main.yml
index fea6eec..b3c98fb 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -24,6 +24,8 @@ wireguard_conf_group: "{{ 'root' if not ansible_os_family == 'Darwin' else 'whee
# The default mode of the wg.conf file
wireguard_conf_mode: 0600
+wireguard_use_wireguard_go: false
+
#######################################
# Settings only relevant for Ubuntu
diff --git a/tasks/main.yml b/tasks/main.yml
index 9f0a42a..6264ab1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -25,7 +25,7 @@
failed_when: wireguard__register_module_enabled is failure
tags:
- wg-install
- when: not ansible_os_family == 'Darwin'
+ when: not ansible_os_family == 'Darwin' and not wireguard_use_wireguard_go
- block:
# Key handling [[[1
diff --git a/tasks/setup-ubuntu.yml b/tasks/setup-ubuntu.yml
index c25b724..003cd06 100644
--- a/tasks/setup-ubuntu.yml
+++ b/tasks/setup-ubuntu.yml
@@ -22,6 +22,7 @@
- wg-install
when:
- ansible_lsb.major_release is version('19.10', '<')
+ - not wireguard_use_wireguard_go
- name: (Ubuntu) Ensure WireGuard DKMS package is removed
apt:
@@ -31,9 +32,70 @@
tags:
- wg-install
+# TODO: Could likely just do wireguard-tools?
- name: (Ubuntu) Install wireguard package
apt:
name: "wireguard"
state: present
tags:
- wg-install
+
+# TODO: No need for this on more recent Ubuntu releases
+- name: "(Ubuntu | wireguard-go) Add PPA for Go 1.16"
+ apt_repository:
+ repo: ppa:longsleep/golang-backports
+ when:
+ - wireguard_use_wireguard_go
+
+- name: (Ubuntu | wireguard-go) Install packages required to compile wireguard-go
+ apt:
+ name:
+ - golang-go
+ - make
+ - unzip
+ when:
+ - wireguard_use_wireguard_go
+
+- name: (Ubuntu | wireguard-go) Download wireguard-go source
+ get_url:
+ url: https://git.zx2c4.com/wireguard-go/snapshot/wireguard-go-0.0.20201118.zip
+ dest: /tmp/wireguard-go.zip
+ when:
+ - wireguard_use_wireguard_go
+
+- name: (Ubuntu | wireguard-go) Create working directory
+ file:
+ state: directory
+ path: /tmp/wireguard-go/src
+ when:
+ - wireguard_use_wireguard_go
+
+- name: (Ubuntu | wireguard-go) Unzip wireguard-go source
+ unarchive:
+ src: /tmp/wireguard-go.zip
+ dest: /tmp/wireguard-go/src
+ remote_src: true
+ when:
+ - wireguard_use_wireguard_go
+
+- name: (Ubuntu | wireguard-go) Move archive contents to predictable path
+ shell: mv /tmp/wireguard-go/src/wireguard-go-*/* /tmp/wireguard-go/
+ args:
+ creates: /tmp/wireguard-go/main.go
+ when:
+ - wireguard_use_wireguard_go
+
+- name: (Ubuntu | wireguard-go) Build wireguard-go
+ command: make
+ args:
+ chdir: /tmp/wireguard-go
+ creates: /tmp/wireguard-go/wireguard-go
+ when:
+ - wireguard_use_wireguard_go
+
+- name: (Ubuntu | wireguard-go) Install wireguard-go to /usr/local
+ command: mv /tmp/wireguard-go/wireguard-go /usr/local/bin/
+ args:
+ creates: /usr/local/bin/wireguard-go
+ when:
+ - wireguard_use_wireguard_go
Well, to be honest I don't think it makes sense to compile wireguard-go
in every OpenVZ guest. This is definitely something that should take place outside of this role. So the Go binary should be already available somewhere on the Ansible' host ready to copy it on the target OpenVZ guest e.g.
So instead of wireguard_use_wireguard_go
you could define a variable like wireguard_go_binary_src: "{{ '~/bin' | expanduser }}"
where to find the binary that should be copied. And you most probably also want a wireguard_go_binary_dst: /usr/local/sbin
variable to allow the user to specify the destination directory for wireguard-go
binary.
If someone defines ``wireguard_go_binary_srcyou can assume that he/she wants to use
wireguard-goand act accordingly. But what the current implementation doesn't handle (or doesn't allow for later inclusion) is OpenVZ for other distributions besides Ubuntu. I'd assume that the resulting Go binary is not depended on the OS you use (at least as long as you stay on AMD64 arch...). So if you don't compile the Go binary on the target host you also don't need to handle that case. And then it should also be possible to handle the
wireguard-gocase in the includes for the different operating systems. Then Ansible's
blockcan be used to together with
whento decide if the Go binary +
wireguard-toolspackage should be installed or the "normal"
wireguard` package. Look at https://github.com/githubixx/ansible-role-wireguard/blob/master/tasks/main.yml#L54-L69 for an example. This allows to combine tasks that belongs together.
That's my 2 cents for now :wink:
Thanks for the thoughtful review, much appreciated! Yep, I agree that compilation on-host is unnecessary (in the majority of cases, at least) and that removing it would simplify matters substantially.