From f821bee77122c8d405fd1563ad718f3f7686e2d1 Mon Sep 17 00:00:00 2001
From: Robin Schneider
Date: Sun, 27 Sep 2020 15:48:10 +0200
Subject: [PATCH] Put private key into separate file instead of main config

---
 tasks/main.yml                     | 54 +++++++++++++++++++++++-------
 templates/etc/wireguard/wg.conf.j2 |  2 +-
 2 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/tasks/main.yml b/tasks/main.yml
index cd2072d..0ba3fb8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,7 +24,7 @@
     - wg-install
   when: not ansible_os_family == 'Darwin'
 
-- name: Register if config/private key already exists on target host
+- name: Register if config already exists on target host
   stat:
     path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
   register: wireguard__register_config_file
@@ -32,6 +32,14 @@
     - wg-generate-keys
     - wg-config
 
+- name: Register if private key file already exists on target host
+  stat:
+    path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+  register: wireguard__register_private_key_file
+  tags:
+    - wg-generate-keys
+    - wg-config
+
 - name: Get wg subcommands
   command: "wg --help"
   register: wireguard__register_subcommands
@@ -50,30 +58,39 @@
   command: "wg genkey"
   register: wireguard__register_private_key
   changed_when: false
-  tags:
-    - wg-generate-keys
 
 - name: Set private key fact
   set_fact:
     wireguard__fact_private_key: "{{ wireguard__register_private_key.stdout }}"
-  tags:
-    - wg-generate-keys
-  when: not wireguard__register_config_file.stat.exists
+  when: not wireguard__register_config_file.stat.exists and not wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-generate-keys
 
 - block:
   - name: Read WireGuard config file
     slurp:
       src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
     register: wireguard__register_config
-    tags:
-      - wg-config
 
-  - name: Set private key fact
+  - name: Set private key fact from config file
     set_fact:
       wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
-    tags:
-      - wg-config
-  when: wireguard__register_config_file.stat.exists
+  when: wireguard__register_config_file.stat.exists and not wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-config
+
+- block:
+  - name: Read WireGuard private key file
+    slurp:
+      src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+    register: wireguard__register_config
+
+  - name: Set private key fact from file
+    set_fact:
+      wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode }}"
+  when: wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-config
 
 - name: Derive WireGuard public key
   command: "wg pubkey"
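Review bot: The new `Read WireGuard private key file` task registers into `wireguard__register_config`, the same variable the config-file slurp in the block above already uses, so a reader of any later reference cannot tell which artifact it holds; a distinct name such as `register: wireguard__register_private_key_file_content` (with the matching change in the following set_fact) keeps the two apart. Separately, the fact set in `Set private key fact from file` is the raw decoded file content, and since the task that writes that file (in the next hunk) uses a `|` block scalar, the stored key ends with a newline, so from the second run on the fact presumably carries a trailing newline that neither the `wg genkey` path nor the `regex_findall` path ever produced. `wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode | trim }}"` makes all three paths yield the bare key and should also keep the re-written key file byte-identical across runs instead of reporting a change and firing the handler each time.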
@@ -98,6 +115,19 @@
   tags:
     - wg-config
 
+- name: Save WireGuard private key as separate file
+  copy:
+    content: |
+      {{ wireguard__fact_private_key }}
+    dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+    owner: "{{ wireguard_conf_owner }}"
+    group: "{{ wireguard_conf_group }}"
+    mode: "{{ wireguard_conf_mode }}"
+  tags:
+    - wg-config
+  notify:
+    - reconfigure wireguard
+
 - name: Generate WireGuard configuration file
   template:
     src: etc/wireguard/wg.conf.j2
diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2
index 1a8d489..3a4edb3 100644
--- a/templates/etc/wireguard/wg.conf.j2
+++ b/templates/etc/wireguard/wg.conf.j2
@@ -4,7 +4,7 @@
 [Interface]
 # {{ inventory_hostname }}
 Address = {{ wireguard_address }}
-PrivateKey = {{ wireguard__fact_private_key }}
+PostUp = wg set %i private-key /etc/wireguard/%i.privkey
 ListenPort = {{ wireguard_port }}
 {% if wireguard_dns is defined %}
 DNS = {{ wireguard_dns }}
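Review bot: The `Save WireGuard private key as separate file` task passes the key through `content:`, so a run with `--diff`, a verbose run, or a failed task echoes the private key into the Ansible output and any log that captures it; `no_log: true` on this task suppresses that, and the same flag belongs on the slurp/set_fact pair in the previous hunk that also handles the key. The key file also inherits `wireguard_conf_mode`, `wireguard_conf_owner` and `wireguard_conf_group` from the main config, so it is protected exactly as much as the config is; given that the commit's purpose is to keep the key out of the config, a dedicated variable such as `mode: "{{ wireguard_privkey_mode }}"` with an owner-only default (for example `"0600"`) would let the config permissions be relaxed later without exposing the key, assuming the config mode default is wider than that.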
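Review bot: The new `PostUp` line hard-codes `/etc/wireguard/%i.privkey`, while the task that writes the key file uses `{{ wireguard_remote_directory }}`, so on a host where that variable is not `/etc/wireguard` (the tasks file already special-cases Darwin) wg-quick would look for a key that was never written there and the hook would fail; `PostUp = wg set %i private-key {{ wireguard_remote_directory }}/%i.privkey` keeps the two paths in step. Note also that, unlike the removed `PrivateKey =` line, a `PostUp` hook only takes effect when the config is consumed by wg-quick; if any consumer of this template applies it with `wg setconf` directly, the interface would presumably end up without a private key, which is worth a comment in the template.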