From eb472df1d1b0c909c5523b4673c5039dd063058f Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Sun, 27 Sep 2020 17:42:42 +0200
Subject: [PATCH] Support to wg reload with private key in file

Cleanup Ansible handlers:

* `systemctl start` is redundant because that is already ensured by the main tasks.
* `wg syncconf` is done by the systemd unit file. No need for us to duplicate this.
* Drop support for WireGuard before v1.0.20191226 so that we can drop the workaround where `wg syncconf` is not present.
---
 CHANGELOG.md | 7 ++++-
 .../system/wg-quick@.service.d/local.conf | 7 +++++
 handlers/main.yml | 28 +++----------------
 tasks/main.yml | 26 ++++++++---------
 tasks/setup-debian-vanilla.yml | 1 +
 5 files changed, 29 insertions(+), 40 deletions(-)
 create mode 100644 files/etc/systemd/system/wg-quick@.service.d/local.conf

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e76d5f6..83e5486 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 Changelog
 ---------
+**7.4.0**
+
+- Put private key into separate file instead of main config. This is done for two reasons: Avoid shoulder surfing and to avoid the need for regex configuration parsing in the role. (contribution by @ypid)
+- Remove workaround for missing `wg syncconf` subcommand. It was introduced with v1.0.20191226 which very relevant distro has caught up to by now. Upgrade your wireguard packages before updating to this release of the role. (contribution by @ypid)
+
 **7.3.0**
 - Fix spelling and typos in docs. (contribution by @ypid)
@@ -85,7 +90,7 @@ Changelog
 **6.0.0**
-- Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
+- v1.0.20191226 WireGuard introduced the `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
 **5.0.0**
diff --git a/files/etc/systemd/system/wg-quick@.service.d/local.conf b/files/etc/systemd/system/wg-quick@.service.d/local.conf
new file mode 100644
index 0000000..907124f
--- /dev/null
+++ b/files/etc/systemd/system/wg-quick@.service.d/local.conf
@@ -0,0 +1,7 @@
+# Copyright (C) 2020 Robin Schneider
+# Copyright (C) 2020 DebOps
+# SPDX-License-Identifier: GPL-3.0-only
+
+[Service]
+ExecReload=
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(/usr/bin/wg-quick strip %i | /usr/bin/crudini --set - Interface PrivateKey $(/usr/bin/cat /etc/wireguard/%i.privkey))'
diff --git a/handlers/main.yml b/handlers/main.yml
index c30268b..94a5fa0 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
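Review bot: The private key is placed on crudini's command line by the new `ExecReload=` (`--set - Interface PrivateKey $(/usr/bin/cat …)`), so for the lifetime of that process it is readable by any local user through the process list, which undercuts the stated reason for moving the key out of the config file. The key can stay off the command line by syncing the stripped config without it and loading it from the file with a second `ExecReload=/usr/bin/wg set %i private-key /etc/wireguard/%i.privkey` line (systemd runs multiple `ExecReload=` lines in order), provided `wg syncconf` leaves the interface key untouched when `PrivateKey` is absent from the config — worth confirming against the wg version the role now requires. The process substitution also hides failures: if `wg-quick strip` or `crudini` exits non-zero, `wg syncconf` still consumes whatever was written and the reload reports success, so a broken pipeline could sync a truncated peer list; the removed shell handler had `set -o errexit`/`set -o pipefail` for exactly this, and `bash -c` here has neither.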
@@ -1,27 +1,7 @@
 ---
-- name: restart wireguard
+
+- name: "Reload WireGuard interface"
 service:
 name: "wg-quick@{{ wireguard_interface }}"
- state: "{{ item }}"
- loop:
- - stopped
- - started
- when: >
- not wg_syncconf and
- not ansible_os_family == 'Darwin'
- listen: "reconfigure wireguard"
-
-- name: syncconf wireguard
- shell: |
- set -o errexit
- set -o pipefail
- set -o nounset
- systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
- wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
- exit 0
- args:
- executable: "/bin/bash"
- when: >
- wg_syncconf and
- not ansible_os_family == 'Darwin'
- listen: "reconfigure wireguard"
+ state: "reloaded"
+ when: (ansible_os_family != 'Darwin')
diff --git a/tasks/main.yml b/tasks/main.yml
index 0ba3fb8..92f0a5d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -40,19 +40,6 @@
 - wg-generate-keys
 - wg-config
-- name: Get wg subcommands
- command: "wg --help"
- register: wireguard__register_subcommands
- changed_when: false
-
-- name: Check if wg syncconf subcommand is available
- set_fact:
- wg_syncconf: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"
-
-- name: Show syncconf subcommand status
- debug:
- var: wg_syncconf
-
 - block:
 - name: Generate WireGuard private key
 command: "wg genkey"
@@ -126,7 +113,7 @@
 tags:
 - wg-config
 notify:
- - reconfigure wireguard
+ - Reload WireGuard interface
 - name: Generate WireGuard configuration file
 template:
@@ -138,7 +125,7 @@
 tags:
 - wg-config
 notify:
- - reconfigure wireguard
+ - Reload WireGuard interface
 - name: Ensure legacy reload-module-on-update is absent
 file:
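Review bot: `state: "reloaded"` fails on an inactive unit, so the new handler silently depends on the `Start and enable WireGuard service` task in tasks/main.yml having run before handlers are flushed; an earlier `meta: flush_handlers` or a tag-limited run that skips that task would make every config change error out, and the old handler's `systemctl is-active … || systemctl start …` guarded against this. A one-line comment above the handler stating that ordering assumption would help the next maintainer, e.g. `# Requires the unit to be active already; tasks/main.yml starts it before handlers run.` On style, the parentheses in `when: (ansible_os_family != 'Darwin')` are redundant and the quoted name differs from the unquoted task names elsewhere in the role; `when: ansible_os_family != 'Darwin'` and `- name: Reload WireGuard interface` would match the rest.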
@@ -147,8 +134,17 @@
 tags:
 - wg-config
+- name: Create systemd drop-in file for wg-quick@.service
+ copy:
+ src: "etc/systemd/system/wg-quick@.service.d"
+ dest: "/etc/systemd/system"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+
 - name: Start and enable WireGuard service
 service:
+ daemon_reload: True
 name: "wg-quick@{{ wireguard_interface }}"
 state: started
 enabled: yes
diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml
index 6a6ce06..b371393 100644
--- a/tasks/setup-debian-vanilla.yml
+++ b/tasks/setup-debian-vanilla.yml
@@ -22,6 +22,7 @@
 apt:
 name:
 - "wireguard"
+ - "crudini"
 state: present
 tags:
 - wg-install
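Review bot: The new `Create systemd drop-in file for wg-quick@.service` task carries no `tags:`, while the surrounding tasks are tagged `wg-config`; a run limited to that tag would still regenerate the config and notify `Reload WireGuard interface`, but the drop-in providing `ExecReload=` would never be installed, and `systemctl reload` of a unit without `ExecReload=` fails. Tagging it like its neighbours (`tags:` / `  - wg-config`, or whichever tag the start task uses — its tags are outside the hunk) closes that gap. The task also relies on the following start task's `daemon_reload: True` to make systemd pick up the drop-in; if the start task is ever reordered or skipped, a changed drop-in is not reloaded, so `notify`-ing a daemon-reload handler from the copy task itself would be more robust. Minor: `daemon_reload: True` next to `enabled: yes` mixes truthy spellings; `true` is the canonical form for both.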
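Review bot: `crudini` is added only to the Debian-vanilla package list, but the drop-in's `ExecReload=` hard-codes `/usr/bin/crudini` for every systemd host the role manages; the other `setup-*.yml` files are not in this patch, so if any of them installs WireGuard without crudini, reloads on those hosts will fail at runtime rather than at install time. Either the other setup files need the same package, or the role could assert the binary is present before notifying the reload handler.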