The syncconf method only applies wg(8) configuration that's produced by wg-quick strip, which excludes routes and the interface address that would be set up by wg-quick up ordinarily. This means that if we want to change the IP on a previously configured interface, wireguard_interface_restart must be set to true. This should be noted in the readme.
A subsequent problem is the loss of idempotence. Restart/syncconf is only applied if there was a change to the interface configuration file; but the configuration file does not necessarily reflect the actual interface configuration. This means that if the runtime configuration was mangled, Ansible will not detect it. Conversely, if we change the IP without wireguard_interface_restart, the IP will not change and the next Ansible run will not change it even with wireguard_interface_restart because the configuration file already reflects the change from the previous run so restart/syncconf is not applied.
One possible workaround to this problem would be to do wg-quick save prior to generating the new configuration file, but that's a kludge because it would require the role configuration template to behave exactly like the output of wg-quick save.
Realistically, correct update of the interface routes and IP is not possible with wg-quick without restarting the interface. This is because the functionality that wg-quick up invokes is not exposed.
It appears that the readme should be explicit that for proper idempotence, restarts (and therefore interruption of traffic) are not optional.
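The drift described in this issue can be checked directly by comparing the `Address` entries in the wg-quick configuration file with what the interface actually carries. The script below is an added example, not part of the issue or of the role's code; the interface name `wg0`, the sample addresses and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the role's code): compare [Interface] Address in a
# wg-quick config with the addresses actually present on the interface.

# Config addresses; a bare address gets the prefix `ip address add` would
# assign (/32 for IPv4, /128 for IPv6).
conf_addrs() {
    awk -F= '
        /^[ \t]*\[/ { in_if = (tolower($0) ~ /\[interface\]/); next }
        in_if && tolower($1) ~ /^[ \t]*address[ \t]*$/ {
            sub(/#.*/, "", $2); n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", a[i]); if (a[i] == "") continue
                if (a[i] !~ /\//) a[i] = a[i] ((a[i] ~ /:/) ? "/128" : "/32")
                print a[i]
            }
        }' "$1" | sort -u
}

# Addresses from saved `ip -o addr show dev <if>` output (field 3 = family).
runtime_addrs() {
    awk '$3 == "inet" || $3 == "inet6" { print $4 }' "$1" | sort -u
}

# Prints "missing X" (in file, not on interface) and "extra X" (the
# reverse); returns 1 when the two sets differ.
addr_drift() {
    c=$(mktemp); l=$(mktemp)
    conf_addrs "$1" > "$c"; runtime_addrs "$2" > "$l"
    out=$(comm -23 "$c" "$l" | sed 's/^/missing /'; comm -13 "$c" "$l" | sed 's/^/extra /')
    rm -f "$c" "$l"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}

# Constructed sample: the file was edited from .1 to .2 and only syncconf
# ran, so the interface still carries .1.
demo=$(mktemp -d)
cat > "$demo/wg0.conf" <<'EOF'
[Interface]
Address = 10.8.0.2/24, fd00:8::2/64
PrivateKey = PLACEHOLDER
[Peer]
AllowedIPs = 10.8.0.0/24
EOF
cat > "$demo/ip.txt" <<'EOF'
4: wg0    inet 10.8.0.1/24 scope global wg0\       valid_lft forever preferred_lft forever
4: wg0    inet6 fd00:8::2/64 scope global \       valid_lft forever preferred_lft forever
EOF
addr_drift "$demo/wg0.conf" "$demo/ip.txt" || echo "drift: restart needed"
```

On a live host the second argument would be a file captured with `ip -o addr show dev wg0`. Routes derived from `AllowedIPs` are not covered by this check.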