Initial commits

config.cfg

@@ -5,9 +5,10 @@
 # You can generate up to 250 users at one time.
 # Usernames with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
 users:
-  - phone
-  - laptop
-  - desktop
+  - phone-dns
+  - phone-full
+  - laptop-dns
+  - laptop-full
 
 ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
 
@@ -16,7 +17,7 @@ users:
 ssh_port: 4160
 
 # Deploy StrongSwan to enable IPsec support
-ipsec_enabled: true
+ipsec_enabled: false
 
 # Deploy WireGuard
 # WireGuard will listen on 51820/UDP. You might need to change to another port
@@ -46,7 +47,7 @@ adblock_lists:
 # Enable DNS encryption.
 # If 'false', 'dns_servers' should be specified below.
 # DNS encryption can not be disabled if DNS adblocking is enabled
-dns_encryption: true
+dns_encryption: false
 
 # Block traffic between connected clients. Change this to false to enable
 # connected clients to reach each other, as well as other computers on the
@@ -66,7 +67,7 @@ block_netbios: true
 # which case a reboot will take place if necessary at the time specified (as
 # HH:MM) in the time zone of your Algo server. The default time zone is UTC.
 unattended_reboot:
-  enabled: false
+  enabled: true
   time: 06:00
 
 ### Advanced users only below this line ###
@@ -114,7 +115,7 @@ strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
 # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
 # This option will keep the "connection" open in the eyes of NAT.
 # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
-wireguard_PersistentKeepalive: 0
+wireguard_PersistentKeepalive: 25
 
 # WireGuard network configuration
 wireguard_network_ipv4: 10.19.49.0/24
@@ -165,8 +166,8 @@ cloud_providers:
       owner: "099720109477"
   gce:
     size: f1-micro
-    image: ubuntu-1904
-    external_static_ip: false
+    image: debian-10
+    external_static_ip: true
   lightsail:
     size: nano_1_0
     image: ubuntu_18_04

input.yml

@@ -89,14 +89,6 @@
           when: store_pki is undefined
         when: ipsec_enabled
 
-      - name: DNS adblocking prompt
-        pause:
-          prompt: |
-            Do you want to enable DNS ad blocking on this VPN server?
-            [y/N]
-        register: _dns_adblocking
-        when: dns_adblocking is undefined
-
       - name: SSH tunneling prompt
         pause:
           prompt: |
@@ -126,10 +118,7 @@
             {%- elif _ondemand_wifi_exclude.user_input is defined and _ondemand_wifi_exclude.user_input|length > 0 -%}
             {{ _ondemand_wifi_exclude.user_input | b64encode }}
             {%- else %}{{ '_null' | b64encode }}{% endif %}
-          algo_dns_adblocking: >-
-            {% if dns_adblocking is defined %}{{ dns_adblocking | bool }}
-            {%- elif _dns_adblocking.user_input is defined %}{{ booleans_map[_dns_adblocking.user_input] | default(defaults['dns_adblocking']) }}
-            {%- else %}false{% endif %}
+          algo_dns_adblocking: false
           algo_ssh_tunneling: >-
             {% if ssh_tunneling is defined %}{{ ssh_tunneling | bool }}
             {%- elif _ssh_tunneling.user_input is defined %}{{ booleans_map[_ssh_tunneling.user_input] | default(defaults['ssh_tunneling']) }}

roles/adguard/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+adguard_home_version: '0.98.1'
+
+adguard_home_base_path: /opt/AdGuardHome
+adguard_home_user: root
+
+adguard_home_path: "{{ adguard_home_base_path }}/AdGuardHome"
+adguard_home_executable: "{{ adguard_home_path }}/AdGuardHome"
+adguard_home_group: "{{ adguard_home_user }}"
+adguard_home_host: "{{ ansible_default_ipv4.address }}"
+adguard_home_arch: "{{ (ansible_architecture == 'x86_64') | ternary('amd64', 'arm') }}"
+adguard_home_archive: "AdGuardHome_linux_{{ adguard_home_arch }}.tar.gz"
+adguard_home_download_url: "https://static.adguard.com/adguardhome/release/AdGuardHome_linux_{{ adguard_home_arch }}.tar.gz"
+
+adguard_home_tmp_path: /tmp/

roles/adguard/files/AdGuardHome.yaml

@@ -0,0 +1,198 @@
+bind_host: 0.0.0.0
+bind_port: 80
+users: []
+language: ""
+rlimit_nofile: 0
+web_session_ttl: 720
+dns:
+  bind_host: 0.0.0.0
+  port: 53
+  statistics_interval: 1
+  querylog_enabled: true
+  querylog_interval: 1
+  querylog_memsize: 0
+  protection_enabled: true
+  blocking_mode: nxdomain
+  blocking_ipv4: ""
+  blocking_ipv6: ""
+  blocked_response_ttl: 10
+  ratelimit: 20
+  ratelimit_whitelist: []
+  refuse_any: true
+  bootstrap_dns:
+  - 8.8.8.8:53
+  - 8.8.4.4:53
+  all_servers: false
+  edns_client_subnet: true
+  allowed_clients: []
+  disallowed_clients: []
+  blocked_hosts: []
+  parental_block_host: family-block.dns.adguard.com
+  safebrowsing_block_host: standard-block.dns.adguard.com
+  cache_size: 4194304
+  upstream_dns:
+  - https://dns.google/dns-query
+  - tls://8.8.8.8
+  - tls://8.8.4.4
+  - https://dns.cloudflare.com/dns-query
+  - tls://1.1.1.1
+  - tls://1.0.0.1
+  filtering_enabled: true
+  filters_update_interval: 24
+  parental_sensitivity: 0
+  parental_enabled: false
+  safesearch_enabled: false
+  safebrowsing_enabled: false
+  safebrowsing_cache_size: 1048576
+  safesearch_cache_size: 1048576
+  parental_cache_size: 1048576
+  cache_time: 30
+  rewrites: []
+  blocked_services: []
+tls:
+  enabled: false
+  server_name: ""
+  force_https: false
+  port_https: 443
+  port_dns_over_tls: 853
+  allow_unencrypted_doh: false
+  certificate_chain: ""
+  private_key: ""
+  certificate_path: ""
+  private_key_path: ""
+filters:
+- enabled: true
+  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
+  name: AdGuard Simplified Domain Names filter
+  id: 1
+- enabled: true
+  url: https://adaway.org/hosts.txt
+  name: AdAway
+  id: 2
+- enabled: true
+  url: https://hosts-file.net/ad_servers.txt
+  name: hpHosts - Ad and Tracking servers only
+  id: 3
+- enabled: true
+  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
+  name: MalwareDomainList.com Hosts List
+  id: 4
+- enabled: true
+  url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+  name: Steven Black Hosts
+  id: 5
+- enabled: true
+  url: http://sysctl.org/cameleon/hosts
+  name: Cameleon
+  id: 6
+- enabled: true
+  url: https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
+  name: Disconnect Simple Tracking
+  id: 7
+- enabled: true
+  url: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
+  name: Disconnect Simple Ads
+  id: 8
+- enabled: true
+  url: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=0&mimetype=plaintext
+  name: Peter Lowe's list
+  id: 9
+- enabled: true
+  url: https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
+  name: Minimal Hosts
+  id: 10
+- enabled: true
+  url: https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
+  name: Anudeep ND
+  id: 11
+- enabled: true
+  url: https://someonewhocares.org/hosts/hosts
+  name: Dan Pollock's list
+  id: 12
+- enabled: true
+  url: https://www.squidblacklist.org/downloads/dg-ads.acl
+  name: Squid Blacklist
+  id: 13
+- enabled: true
+  url: https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
+  name: Disconnect Simple Malvertising
+  id: 15
+- enabled: true
+  url: https://zerodot1.gitlab.io/CoinBlockerLists/hosts
+  name: Coinblocker
+  id: 16
+- enabled: true
+  url: https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Formats/GoodbyeAds-AdBlock-Filter.txt
+  name: Goodbye Ads
+  id: 1576635076
+- enabled: true
+  url: https://raw.githubusercontent.com/Strappazzon/filterlists/master/Filterlists/Tracking.txt
+  name: Strappazzon's Tracking list
+  id: 1576779870
+- enabled: true
+  url: https://raw.githubusercontent.com/rodeodomino/Scripts/master/Filters/AdGuardHome.txt
+  name: Personal filters
+  id: 1577993820
+user_rules:
+- ""
+dhcp:
+  enabled: false
+  interface_name: ""
+  gateway_ip: ""
+  subnet_mask: ""
+  range_start: ""
+  range_end: ""
+  lease_duration: 86400
+  icmp_timeout_msec: 1000
+clients:
+- name: Phone - Full
+  ids:
+  - 10.19.49.4
+  - fd9d:bc11:4021::4
+  use_global_settings: true
+  filtering_enabled: false
+  parental_enabled: false
+  safebrowsing_enabled: false
+  safesearch_enabled: false
+  use_global_blocked_services: true
+  blocked_services: []
+  upstreams: []
+- name: Laptop - Full
+  ids:
+  - 10.19.49.5
+  - fd9d:bc11:4021::5
+  use_global_settings: true
+  filtering_enabled: false
+  parental_enabled: false
+  safebrowsing_enabled: false
+  safesearch_enabled: false
+  use_global_blocked_services: true
+  blocked_services: []
+  upstreams: []
+- name: Phone - DNS Only
+  ids:
+  - 10.19.49.2
+  - fd9d:bc11:4021::2
+  use_global_settings: true
+  filtering_enabled: false
+  parental_enabled: false
+  safebrowsing_enabled: false
+  safesearch_enabled: false
+  use_global_blocked_services: true
+  blocked_services: []
+  upstreams: []
+- name: Laptop - DNS Only
+  ids:
+  - 10.19.49.3
+  - fd9d:bc11:4021::3
+  use_global_settings: true
+  filtering_enabled: false
+  parental_enabled: false
+  safebrowsing_enabled: false
+  safesearch_enabled: false
+  use_global_blocked_services: true
+  blocked_services: []
+  upstreams: []
+log_file: ""
+verbose: false
+schema_version: 6

roles/adguard/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart adguard-home
+  service:
+    name: adguard-home
+    state: restarted

roles/adguard/meta/main.yml

@@ -0,0 +1,25 @@
+---
+dependencies: []
+
+galaxy_info:
+  min_ansible_version: 2.1
+  author: WoodenDoors
+  description: "Ansible role to install the ad-blocking DNS-server Adguard Home (https://github.com/AdguardTeam/AdGuardHome)."
+  license: MIT
+  platforms:
+    - name: Debian
+      versions:
+      - jessie
+      - stretch
+    - name: Ubuntu
+      versions:
+      - xenial
+      - yakkety
+      - zesty
+      - artful
+      - bionic
+  galaxy_tags:
+    - adguard
+    - dns
+    - adblocking
+    - networking

roles/adguard/tasks/adguard_home.yml

@@ -0,0 +1,69 @@
+---
+- name: ensure user exists
+  user:
+    name: "{{ adguard_home_user }}"
+    state: present
+
+- name: ensure base directory exists
+  file:
+    dest: "{{ adguard_home_base_path }}"
+    owner: "{{ adguard_home_user }}"
+    group: "{{ adguard_home_group }}"
+    recurse: yes
+    state: directory
+
+- name: check if adguard is already installed
+  stat:
+    path: "{{ adguard_home_executable }}"
+  register: adguard_home_executable_stat
+
+- name: check adguard version if it is already installed
+  command: "{{ adguard_home_executable }} --help"
+  register: adguard_home_version_exists_check
+  check_mode: no
+  changed_when: adguard_home_version_exists_check.stderr.find('version v' + adguard_home_version) == -1
+  failed_when: adguard_home_version_exists_check.rc != 64
+  when: adguard_home_executable_stat.stat.exists
+
+- name: download adguard-home archive
+  get_url:
+    url: "{{ adguard_home_download_url }}"
+    dest: "{{ adguard_home_tmp_path }}"
+    checksum: "{{ adguard_home_checksum | default(omit, true) }}"
+  when: >
+    (not adguard_home_executable_stat.stat.exists)
+    or (adguard_home_version_exists_check | changed)
+
+- name: unarchive adguard-home
+  unarchive:
+    copy: no
+    src: "{{ adguard_home_tmp_path }}/{{ adguard_home_archive }}"
+    dest: "{{ adguard_home_base_path }}"
+    owner: "{{ adguard_home_user }}"
+    group: "{{ adguard_home_group }}"
+  become: yes
+  become_user: "{{ adguard_home_user }}"
+  when: >
+    (not adguard_home_executable_stat.stat.exists)
+    or (adguard_home_version_exists_check | changed)
+
+- name: Restore AdGuard settings
+  copy:
+    src: AdGuardHome.yaml
+    dest: "{{ adguard_home_base_path }}/AdGuardHome.yaml"
+    owner: root
+    group: root
+    mode: 0644
+    force: yes
+
+- name: Install AdGuardHome
+  command: "sudo {{ adguard_home_base_path }}/AdGuardHome -s install"
+  changed_when: false
+
+- name: Start AdGuardHome
+  command: "sudo {{ adguard_home_base_path }}/AdGuardHome -s start"
+  changed_when: false
+
+- name: Set AdGuardHome permissions
+  command: "sudo setcap CAP_NET_BIND_SERVICE=+eip {{ adguard_home_base_path }}/AdGuardHome"
+  changed_when: false

roles/adguard/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- include: adguard_home.yml
+  tags: adguard_home

roles/adguard/templates/adguard-home.service.j2

@@ -0,0 +1,15 @@
+[Unit]
+Description=AdGuard Home
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User={{ adguard_home_user }}
+Group={{ adguard_home_group }}
+WorkingDirectory={{ adguard_home_path }}
+ExecStart={{ adguard_home_executable }} --host {{ adguard_home_host }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/common/tasks/facts.yml

@@ -11,7 +11,7 @@
 
 - name: Set IPv6 support as a fact
   set_fact:
-    ipv6_support: "{% if ansible_default_ipv6['gateway'] is defined %}true{% else %}false{% endif %}"
+    ipv6_support: true
   tags: always
 
 - name: Check size of MTU

roles/common/tasks/ubuntu.yml

@@ -45,13 +45,6 @@
     - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
     - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
 
-- name: Loopback for services configured
-  template:
-    src: 10-algo-lo100.network.j2
-    dest: /etc/systemd/network/10-algo-lo100.network
-  notify:
-    - restart systemd-networkd
-
 - name: systemd services enabled and started
   systemd:
     name: "{{ item }}"
@@ -107,7 +100,6 @@
 - name: Install headers
   apt:
     name:
-      - linux-headers-generic
       - "linux-headers-{{ ansible_kernel }}"
     state: present
   when: install_headers

roles/common/tasks/unattended-upgrades.yml

@@ -15,7 +15,7 @@
 - name: Periodic upgrades configured
   template:
     src: 10periodic.j2
-    dest: /etc/apt/apt.conf.d/10periodic
+    dest: /etc/apt/apt.conf.d/20auto-upgrades
     owner: root
     group: root
     mode: 0644

roles/common/templates/50unattended-upgrades.j2

@@ -1,31 +1,67 @@
-// Automatically upgrade packages from these (origin:archive) pairs
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
 //
-// Note that in Ubuntu security updates may pull in new dependencies
-// from non-security sources (e.g. chromium). By allowing the release
-// pocket these get automatically pulled in.
-Unattended-Upgrade::Allowed-Origins {
-    "${distro_id}:${distro_codename}-security";
-    // Extended Security Maintenance; doesn't necessarily exist for
-    // every release and this system may not have it installed, but if
-    // available, the policy for updates is such that unattended-upgrades
-    // should also install from here by default.
-    "${distro_id}ESM:${distro_codename}";
-    "${distro_id}:${distro_codename}-updates";
-    //	"${distro_id}:${distro_codename}-proposed";
-    //	"${distro_id}:${distro_codename}-backports";
+// Lines below have the format format is "keyword=value,...".  A
+// package will be upgraded only if the values in its metadata match
+// all the supplied keywords in a line.  (In other words, omitted
+// keywords are wild cards.) The keywords originate from the Release
+// file, but several aliases are accepted.  The accepted keywords are:
+//   a,archive,suite (eg, "stable")
+//   c,component     (eg, "main", "contrib", "non-free")
+//   l,label         (eg, "Debian", "Debian-Security")
+//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
+//   n,codename      (eg, "jessie", "jessie-updates")
+//     site          (eg, "http.debian.net")
+// The available values on the system are printed by the command
+// "apt-cache policy", and can be debugged by running
+// "unattended-upgrades -d" and looking at the log file.
+//
+// Within lines unattended-upgrades allows 2 macros whose values are
+// derived from /etc/debian_version:
+//   ${distro_id}            Installed origin.
+//   ${distro_codename}      Installed codename (eg, "buster")
+Unattended-Upgrade::Origins-Pattern {
+        // Codename based matching:
+        // This will follow the migration of a release through different
+        // archives (e.g. from testing to stable and later oldstable).
+        // Software will be the latest available for the named release,
+        // but the Debian release itself will not be automatically upgraded.
+        "origin=Debian,codename=${distro_codename}-updates";
+//      "origin=Debian,codename=${distro_codename}-proposed-updates";
+        "origin=Debian,codename=${distro_codename},label=Debian";
+        "origin=Debian,codename=${distro_codename},label=Debian-Security";
+
+        // Archive or Suite based matching:
+        // Note that this will silently match a different release after
+        // migration to the specified archive (e.g. testing becomes the
+        // new stable).
+//      "o=Debian,a=stable";
+//      "o=Debian,a=stable-updates";
+//      "o=Debian,a=proposed-updates";
+//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
 };
 
-// List of packages to not update (regexp are supported)
+// Python regular expressions, matching packages to exclude from upgrading
 Unattended-Upgrade::Package-Blacklist {
-//	"vim";
-//	"libc6";
-//	"libc6-dev";
-//	"libc6-i686";
-};
+    // The following matches all packages starting with linux-
+//  "linux-";
 
-// This option will controls whether the development release of Ubuntu will be
-// upgraded automatically.
-Unattended-Upgrade::DevRelease "false";
+    // Use $ to explicitely define the end of a package name. Without
+    // the $, "libc6" would match all of them.
+//  "libc6$";
+//  "libc6-dev$";
+//  "libc6-i686$";
+
+    // Special characters need escaping
+//  "libstdc\+\+6$";
+
+    // The following matches packages like xen-system-amd64, xen-utils-4.1,
+    // xenstore-utils and libxenstore3.0
+//  "(lib)?xen(store)?";
+
+    // For more information about Python regular expressions, see
+    // https://docs.python.org/3/howto/regex.html
+};
 
 // This option allows you to control if on a unclean dpkg exit
 // unattended-upgrades will automatically run
@@ -39,37 +75,50 @@ Unattended-Upgrade::AutoFixInterruptedDpkg "true";
 // is running is possible (with a small delay)
 Unattended-Upgrade::MinimalSteps "true";
 
-// Install all unattended-upgrades when the machine is shutting down
-// instead of doing it in the background while the machine is running
-// This will (obviously) make shutdown slower
-//Unattended-Upgrade::InstallOnShutdown "true";
+// Install all updates when the machine is shutting down
+// instead of doing it in the background while the machine is running.
+// This will (obviously) make shutdown slower.
+// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
+// This allows more time for unattended-upgrades to shut down gracefully
+// or even install a few packages in InstallOnShutdown mode, but is still a
+// big step back from the 30 minutes allowed for InstallOnShutdown previously.
+// Users enabling InstallOnShutdown mode are advised to increase
+// InhibitDelayMaxSec even further, possibly to 30 minutes.
+//Unattended-Upgrade::InstallOnShutdown "false";
 
 // Send email to this address for problems or packages upgrades
 // If empty or unset then no email is sent, make sure that you
 // have a working mail setup on your system. A package that provides
 // 'mailx' must be installed. E.g. "user@example.com"
-//Unattended-Upgrade::Mail "root";
+//Unattended-Upgrade::Mail "";
 
 // Set this value to "true" to get emails only on errors. Default
 // is to always send a mail if Unattended-Upgrade::Mail is set
-//Unattended-Upgrade::MailOnlyOnError "true";
+//Unattended-Upgrade::MailOnlyOnError "false";
 
 // Remove unused automatically installed kernel-related packages
 // (kernel images, kernel headers and kernel version locked tools).
 Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 
-// Do automatic removal of new unused dependencies after the upgrade
+// Do automatic removal of newly unused dependencies after the upgrade
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+
+// Do automatic removal of unused packages after the upgrade
 // (equivalent to apt-get autoremove)
 Unattended-Upgrade::Remove-Unused-Dependencies "true";
 
-// Automatically reboot *WITHOUT CONFIRMATION*
-//  if the file /var/run/reboot-required is found after the upgrade
-Unattended-Upgrade::Automatic-Reboot "{{ unattended_reboot.enabled|lower }}";
+// Automatically reboot *WITHOUT CONFIRMATION* if
+//  the file /var/run/reboot-required is found after the upgrade
+Unattended-Upgrade::Automatic-Reboot "true";
+
+// Automatically reboot even if there are users currently logged in
+// when Unattended-Upgrade::Automatic-Reboot is set to true
+//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 
 // If automatic reboot is enabled and needed, reboot at the specific
 // time instead of immediately
 //  Default: "now"
-Unattended-Upgrade::Automatic-Reboot-Time "{{ unattended_reboot.time }}";
+Unattended-Upgrade::Automatic-Reboot-Time "02:00";
 
 // Use apt bandwidth limit feature, this example limits the download
 // speed to 70kb/sec
@@ -89,8 +138,9 @@ Unattended-Upgrade::SyslogEnable "true";
 // (i.e. skip or gracefully stop updates on a metered connection)
 // Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
 
-// Keep the custom conffile when upgrading
-Dpkg::Options {
-   "--force-confdef";
-   "--force-confold";
-};
+// Verbose logging
+// Unattended-Upgrade::Verbose "false";
+
+// Print debugging information both in unattended-upgrades and
+// in unattended-upgrade-shutdown
+// Unattended-Upgrade::Debug "false";

roles/wireguard/defaults/main.yml

@@ -7,14 +7,12 @@ wireguard_port_avoid: 53
 wireguard_port_actual: 51820
 keys_clean_all: false
 wireguard_dns_servers: >-
-  {% if algo_dns_adblocking|default(false)|bool or dns_encryption|default(false)|bool %}
-  {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }}
-  {% else %}
-  {% for host in dns_servers.ipv4 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% if ipv6_support %},{% for host in dns_servers.ipv6 %}{{ host }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %}
-  {% endif %}
+  {{ wireguard_network_ipv4 | ipaddr('1') }}
+  {{ ',' + wireguard_network_ipv6 | ipaddr('1') if ipv6_support else '' }}
 wireguard_client_ip: >-
   {{ wireguard_network_ipv4 | ipaddr(index|int+2) }}
   {{ ',' + wireguard_network_ipv6 | ipaddr(index|int+2) if ipv6_support else '' }}
 wireguard_server_ip: >-
   {{ wireguard_network_ipv4 | ipaddr('1') }}
   {{ ',' + wireguard_network_ipv6 | ipaddr('1') if ipv6_support else '' }}
+dns_allowed_ips: "{{ wireguard_network_ipv4 | ipaddr(1) }}{{ ', ' + wireguard_network_ipv6 | ipaddr(1) if ipv6_support else '' }}"

roles/wireguard/tasks/ubuntu.yml

@@ -1,12 +1,28 @@
 ---
-- name: WireGuard repository configured
+- name: Install wireguard repo (Debian)
   apt_repository:
-    repo: ppa:wireguard/wireguard
-    state: present
-  register: result
-  until: result is succeeded
-  retries: 10
-  delay: 3
+    filename: unstable
+    repo: 'deb http://deb.debian.org/debian/ unstable main'
+    update_cache: yes
+  when: ansible_distribution == 'Debian'
+
+- name: Configure wireguard repo (Debian)
+  blockinfile:
+    path: /etc/apt/preferences.d/limit-unstable
+    create: yes
+    block: |-
+      Package: *
+      Pin: release a=unstable
+      Pin-Priority: 90
+
+- name: Configure wireguard repo (Debian)
+  blockinfile:
+    path: /etc/apt/preferences.d/wireguard
+    create: yes
+    block: |-
+      Package: /wireguard/
+      Pin: release a=unstable
+      Pin-Priority: 500
 
 - name: WireGuard installed
   apt:
@@ -19,13 +35,19 @@
     dest: /etc/wireguard/.reload-module-on-update
     state: touch
 
-- name: Configure unattended-upgrades
-  copy:
-    src: 50-wireguard-unattended-upgrades
-    dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
+- name: Wireguard updater
+  template:
+    src: wireguard-updater.sh.j2
+    dest: /usr/local/sbin/wireguard-updater.sh
     owner: root
-    group: root
-    mode: 0644
+    group: "{{ root_group|default('root') }}"
+    mode: 0755
+
+- name: Add Wireguard updater to cron
+  cron:
+    name: "Update Wireguard"
+    special_time: daily
+    job: "/usr/local/sbin/wireguard_update.sh >/dev/null 2>&1"
 
 - name: Set OS specific facts
   set_fact:

roles/wireguard/templates/client.conf.j2

@@ -8,6 +8,6 @@ DNS = {{ wireguard_dns_servers }}
 [Peer]
 PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }}
 PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }}
-AllowedIPs = 0.0.0.0/0,::/0
+AllowedIPs = {% if item.1 is search("dns") %}{{ dns_allowed_ips }}{% else %}0.0.0.0/0{{ ', ::/0'  if ipv6_support else '' }}{% endif %}{{''}}
 Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }}
 {{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }}

roles/wireguard/templates/wireguard-updater.sh.j2

@@ -0,0 +1,13 @@
+#!/bin/sh
+VERSION_OLD="$(cat /sys/module/wireguard/version)"
+sudo apt-get install wireguard
+VERSION_NEW="$(cat /sys/module/wireguard/version)"
+#Check if wireguard updated
+if [ "$VERSION_OLD" = "$VERSION_NEW" ]
+then
+    echo "No reboot needed"
+else
+    echo "Rebooting"
+    sudo reboot
+fi
+exit 0

server.yml

@@ -43,10 +43,7 @@
         tags: common
 
       - import_role:
-          name: dns
-        when:
-          - algo_dns_adblocking or
-            dns_encryption
+          name: adguard
         tags: dns
 
       - import_role: