Put private key into separate file instead of main config

CHANGELOG.md

@@ -1,6 +1,11 @@
 Changelog
 ---------
 
+**7.4.0**
+
+- Put private key into separate file instead of main config. This is done for two reasons: Avoid shoulder surfing and to avoid the need for regex configuration parsing in the role. Old configuration will be migrated on the next role run. (contribution by @ypid)
+- Remove workaround for missing `wg syncconf` subcommand. It was introduced with v1.0.20191226 which every relevant distro has caught up to by now. Upgrade your wireguard packages before updating to this release of the role. (contribution by @ypid)
+
 **7.3.0**
 
 - Fix spelling and typos in docs. (contribution by @ypid)
@@ -85,7 +90,7 @@ Changelog
 
 **6.0.0**
 
-- Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
+- v1.0.20191226 WireGuard introduced the `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
 
 **5.0.0**
 

files/etc/systemd/system/wg-quick@.service.d/local.conf

@@ -0,0 +1,7 @@
+# Copyright (C) 2020 Robin Schneider <[email protected]>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+[Service]
+ExecReload=
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(/usr/bin/wg-quick strip %i | /usr/bin/crudini --set - Interface PrivateKey $(/usr/bin/cat /etc/wireguard/%i.privkey))'

handlers/main.yml

@@ -1,27 +1,7 @@
 ---
-- name: restart wireguard
+
+- name: "Reload WireGuard interface"
   service:
     name: "wg-quick@{{ wireguard_interface }}"
-    state: "{{ item }}"
-  loop:
-  - stopped
-  - started
-  when: >
-    not wg_syncconf and
-    not ansible_os_family == 'Darwin'
-  listen: "reconfigure wireguard"
-
-- name: syncconf wireguard
-  shell: |
-      set -o errexit
-      set -o pipefail
-      set -o nounset
-      systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
-      wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
-      exit 0
-  args:
-    executable: "/bin/bash"
-  when: >
-    wg_syncconf and
-    not ansible_os_family == 'Darwin'
-  listen: "reconfigure wireguard"
+    state: "reloaded"
+  when: (ansible_os_family != 'Darwin')

tasks/main.yml

@@ -24,56 +24,60 @@
         - wg-install
   when: not ansible_os_family == 'Darwin'
 
-- name: Register if config/private key already exists on target host
+- name: Register if config already exists on target host
   stat:
     path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
   register: wireguard__register_config_file
   tags:
     - wg-generate-keys
     - wg-config
 
-- name: Get wg subcommands
-  command: "wg --help"
-  register: wireguard__register_subcommands
-  changed_when: false
-
-- name: Check if wg syncconf subcommand is available
-  set_fact:
-    wg_syncconf: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"
-
-- name: Show syncconf subcommand status
-  debug:
-    var: wg_syncconf
+- name: Register if private key file already exists on target host
+  stat:
+    path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+  register: wireguard__register_private_key_file
+  tags:
+    - wg-generate-keys
+    - wg-config
 
 - block:
   - name: Generate WireGuard private key
     command: "wg genkey"
     register: wireguard__register_private_key
     changed_when: false
-    tags:
-      - wg-generate-keys
 
   - name: Set private key fact
     set_fact:
       wireguard__fact_private_key: "{{ wireguard__register_private_key.stdout }}"
-    tags:
-      - wg-generate-keys
-  when: not wireguard__register_config_file.stat.exists
+  when: not wireguard__register_config_file.stat.exists and not wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-generate-keys
 
 - block:
   - name: Read WireGuard config file
     slurp:
       src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
     register: wireguard__register_config
-    tags:
-      - wg-config
 
-  - name: Set private key fact
+  - name: Set private key fact from config file
     set_fact:
       wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
-    tags:
-      - wg-config
-  when: wireguard__register_config_file.stat.exists
+  when: wireguard__register_config_file.stat.exists and not wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-config
+
+- block:
+  - name: Read WireGuard private key file
+    slurp:
+      src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+    register: wireguard__register_config
+
+  - name: Set private key fact from file
+    set_fact:
+      wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode }}"
+  when: wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-config
 
 - name: Derive WireGuard public key
   command: "wg pubkey"
@@ -98,6 +102,19 @@
   tags:
     - wg-config
 
+- name: Save WireGuard private key as separate file
+  copy:
+    content: |
+      {{ wireguard__fact_private_key }}
+    dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+    owner: "{{ wireguard_conf_owner }}"
+    group: "{{ wireguard_conf_group }}"
+    mode: "{{ wireguard_conf_mode }}"
+  tags:
+    - wg-config
+  notify:
+    - Reload WireGuard interface
+
 - name: Generate WireGuard configuration file
   template:
     src: etc/wireguard/wg.conf.j2
@@ -108,7 +125,7 @@
   tags:
     - wg-config
   notify:
-    - reconfigure wireguard
+    - Reload WireGuard interface
 
 - name: Ensure legacy reload-module-on-update is absent
   file:
@@ -117,8 +134,17 @@
   tags:
     - wg-config
 
+- name: Create systemd drop-in file for [email protected]
+  copy:
+    src: "etc/systemd/system/[email protected]"
+    dest: "/etc/systemd/system"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+
 - name: Start and enable WireGuard service
   service:
+    daemon_reload: True
     name: "wg-quick@{{ wireguard_interface }}"
     state: started
     enabled: yes

tasks/setup-debian-vanilla.yml

@@ -22,6 +22,7 @@
   apt:
     name:
       - "wireguard"
+      - "crudini"
     state: present
   tags:
     - wg-install

templates/etc/wireguard/wg.conf.j2

@@ -4,7 +4,7 @@
 [Interface]
 # {{ inventory_hostname }}
 Address = {{ wireguard_address }}
-PrivateKey = {{ wireguard__fact_private_key }}
+PostUp = wg set %i private-key /etc/wireguard/%i.privkey
 ListenPort = {{ wireguard_port }}
 {% if wireguard_dns is defined %}
 DNS = {{ wireguard_dns }}