Discontinue use of the WireGuard PPA (trailofbits#1855)

* Discontinue use of the WireGuard PPA * Add instructions to update the system * Change reboot instruction
firasah · Aug 6, 2020 · 8894dd0 · 8894dd0
1 parent 5fc738b
commit 8894dd0
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 37 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -39,7 +39,6 @@ jobs:
       - name: Install dependencies
         run: |
           sudo apt update -y
-          sudo add-apt-repository -yu ppa:wireguard/wireguard
           sudo apt install -y \
             python3-pip \
             lxd \
@@ -108,7 +107,6 @@ jobs:
       - name: Install dependencies
         run: |
           set -x
-          sudo add-apt-repository -yu ppa:wireguard/wireguard
           sudo add-apt-repository -yu ppa:ubuntu-lxc/stable
           sudo apt update -y
           sudo apt install -y \

diff --git a/docs/client-linux-wireguard.md b/docs/client-linux-wireguard.md
@@ -2,14 +2,16 @@
 
 ## Install WireGuard
 
-To connect to your AlgoVPN using [WireGuard](https://www.wireguard.com) from Ubuntu, first install WireGuard:
+To connect to your AlgoVPN using [WireGuard](https://www.wireguard.com) from Ubuntu, make sure your system is up-to-date then install WireGuard:
 
 ```shell
-# Ubuntu 16.04 only: Add the WireGuard repository
-sudo add-apt-repository ppa:wireguard/wireguard
-sudo apt update
+# Update your system:
+sudo apt update && sudo apt upgrade
 
-# Install the tools:
+# If the file /var/run/reboot-required exists then reboot:
+[ -e /var/run/reboot-required ] && sudo reboot
+
+# Install WireGuard:
 sudo apt install wireguard openresolv
 ```
 

diff --git a/docs/faq.md b/docs/faq.md
@@ -21,7 +21,7 @@ No. This project is under active development. We're happy to [accept and fix iss
 
 ## What's the current status of WireGuard?
 
-[WireGuard reached "stable" 1.0.0 release](https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html) in Spring 2020. It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review. Releases are tagged with their build date -- "0.0.YYYYMMDD" -- and users should be advised to apply new updates when they are available. Your Algo server will automatically upgrade and restart WireGuard. For Ubuntu 18.04 LTS, it will retrieve updates from the [official WireGuard PPA for Ubuntu](https://launchpad.net/~wireguard/+archive/ubuntu/wireguard) by default.
+[WireGuard reached "stable" 1.0.0 release](https://lists.zx2c4.com/pipermail/wireguard/2020-March/005206.html) in Spring 2020. It has undergone [substantial](https://www.wireguard.com/formal-verification/) security review.
 
 ## Why aren't you using Tor?
 

diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-install_headers: true
+install_headers: false
 aip_supported_providers:
   - digitalocean
 snat_aipv4: false

diff --git a/roles/wireguard/files/50-wireguard-unattended-upgrades b/roles/wireguard/files/50-wireguard-unattended-upgrades
diff --git a/roles/wireguard/tasks/ubuntu.yml b/roles/wireguard/tasks/ubuntu.yml
@@ -1,34 +1,10 @@
 ---
-- block:
-  - name: WireGuard repository configured
-    apt_repository:
-      repo: ppa:wireguard/wireguard
-      state: present
-    register: result
-    until: result is succeeded
-    retries: 10
-    delay: 3
-
-  - name: Configure unattended-upgrades
-    copy:
-      src: 50-wireguard-unattended-upgrades
-      dest: /etc/apt/apt.conf.d/50-wireguard-unattended-upgrades
-      owner: root
-      group: root
-      mode: 0644
-  when: ansible_facts['distribution_version'] is version('20.04', '<')
-
 - name: WireGuard installed
   apt:
     name: wireguard
     state: present
     update_cache: true
 
-- name: WireGuard reload-module-on-update
-  file:
-    dest: /etc/wireguard/.reload-module-on-update
-    state: touch
-
 - name: Set OS specific facts
   set_fact:
     service_name: "wg-quick@{{ wireguard_interface }}"