githubixx/ansible-role-wireguard

CentOS 7 hardening and ELRepo

john-p-potter opened this issue · 1 comment

Running the role on a hardened CentOS 7 instance requires installing the ELRepo GPG key in order to install the module. More importantly, the module is not signed. While it installs, this error is observed in dmesg:

Request for unknown module key 'The ELRepo Project (http://elrepo.org/): ELRepo.org Secure Boot Key: f365ad3481a7b20e3427b61b2a26635b83fe427b' err -11
wireguard: module verification failed: signature and/or required key missing - tainting kernel

This can be remedied by installing the key (http://elrepo.org/tiki/SecureBootKey), but this requires UEFI key management.

Per https://www.wireguard.com/install/, there are 3 methods to install WireGuard on CentOS 7:
Method 1: a signed module is available as built-in to CentOS's kernel-plus:
$ sudo yum install yum-utils epel-release
$ sudo yum-config-manager --setopt=centosplus.includepkgs=kernel-plus --enablerepo=centosplus --save
$ sudo sed -e 's/^DEFAULTKERNEL=kernel$/DEFAULTKERNEL=kernel-plus/' -i /etc/sysconfig/kernel
$ sudo yum install kernel-plus wireguard-tools
$ sudo reboot

Method 2: users wishing to stick with the standard kernel may use ELRepo's pre-built module:
$ sudo yum install epel-release elrepo-release
$ sudo yum install yum-plugin-elrepo
$ sudo yum install kmod-wireguard wireguard-tools

Method 3: users running non-standard kernels may wish to use the DKMS package instead:
$ sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
$ sudo yum install wireguard-dkms wireguard-tools

The role currently uses the second option, which uses the standard kernel and requires no reboots. I have forked the role here: https://github.com/john-p-potter/ansible-role-wireguard/tree/kernel-plus and submitted MR #129 to upstream to address this issue.
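The dmesg lines quoted in the issue are the kernel reporting that the module carries a signature but that the signing key is not in any kernel keyring, and that it loaded the module anyway while setting the "unsigned module" taint bit. The script below is an added example, not code from the issue author or from the ansible-role-wireguard project: it checks a CentOS 7 host for exactly that condition, so the result can be compared before and after switching to kernel-plus or enrolling the ELRepo key. It assumes the taint bit values documented for the RHEL 7 kernel (bit 12 'O' out-of-tree, bit 13 'E' unverified signature), that `modinfo` prints a `signer:` line for signed modules, that a key enrolled through MOK appears in /proc/keys with the same "The ELRepo Project (http://elrepo.org/)" description the dmesg line quotes, and that `/sys/module/module/parameters/sig_enforce` exists; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not the issue's or the role's code): is the wireguard module
# signed by a key this kernel trusts, and did loading it taint the kernel?
# The pure helpers read their input from stdin/arguments so they can be run
# against constructed data; check_module runs them against the live host.

# Decode the two taint bits relevant to third-party modules. Bit numbers are
# as documented for the RHEL 7 kernel (assumption, see lead-in):
#   bit 12 (4096) 'O': an out-of-tree module was loaded (any ELRepo kmod)
#   bit 13 (8192) 'E': a module with no signature, or a signature the kernel
#                      could not verify, was loaded (the case in this issue)
taint_flags() {
    local tainted flags
    tainted=${1:-0}
    flags=""
    if [ $(( tainted & 4096 )) -ne 0 ]; then flags="${flags}O"; fi
    if [ $(( tainted & 8192 )) -ne 0 ]; then flags="${flags}E"; fi
    printf '%s' "$flags"
}

# Print the "signer:" field of modinfo output read on stdin.
# Returns 1 when the module carries no signature block at all.
module_signer() {
    local signer
    signer=$(awk '/^signer:/ { sub(/^signer:[[:space:]]*/, ""); print; exit }')
    [ -n "$signer" ] || return 1
    printf '%s\n' "$signer"
}

# Return 0 if a key whose description contains the given signer name is
# listed in /proc/keys (read on stdin). Assumption: a MOK-enrolled ELRepo
# key shows up there with the description quoted in the dmesg line above.
kernel_trusts_signer() {
    grep -F -q -- "$1"
}

# Live check; exit status 1 when the 'E' taint bit is set, i.e. the kernel
# has already loaded a module whose signature it could not verify.
check_module() {
    local mod signer enforce tainted flags
    mod=${1:-wireguard}
    if signer=$(modinfo "$mod" 2>/dev/null | module_signer); then
        printf '%s: signed by "%s"\n' "$mod" "$signer"
        if kernel_trusts_signer "$signer" < /proc/keys; then
            printf '%s: signer key present in a kernel keyring\n' "$mod"
        else
            printf '%s: signer key NOT in any kernel keyring (expect "unknown module key" in dmesg)\n' "$mod"
        fi
    else
        printf '%s: no signature found, or module not installed\n' "$mod"
    fi
    # Y means unverified modules are refused instead of loaded with a taint.
    enforce=$(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || echo '?')
    printf 'module.sig_enforce=%s\n' "$enforce"
    tainted=$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)
    flags=$(taint_flags "$tainted")
    printf 'kernel taint flags: %s\n' "${flags:-none}"
    case $flags in
        *E*) return 1 ;;
    esac
    return 0
}

# Only touch the running system when asked to, so the helpers can be
# sourced and tested with constructed input.
if [ "${1:-}" = "--live" ]; then
    check_module "${2:-wireguard}"
fi
```

Run it as `sh check_wg_module.sh --live` (file name is the example's own) once with the ELRepo kmod installed and once after enrolling the ELRepo Secure Boot key or switching to kernel-plus: the "signer key NOT in any kernel keyring" line and the 'E' taint flag should disappear, and the exit status should turn to 0. Note that the taint bits are sticky until reboot, so the flag check only means something on a host that has booted since the change.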

See my comment: #129 (review)