Merge bfcfbd8362 into d5b81cb75e

2020-07-12 17:55:52 -04:00 · 2020-07-12 17:55:52 -04:00 · 408123281b
parent d5b81cb75e bfcfbd8362
commit 408123281b
6 changed files with 100 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,10 @@
 Changelog
 ---------

+**6.4.0**
+
+- Allow to generate keys and configuration for non-ansible hosts like smartphones with `wireguard_unmanaged_hosts` (see `defaults/main.yml`) (contribution by @juju4)
+
 **6.3.1**

 - Support Openstack Debian images (contribution by @pallinger)
@ -34,6 +38,7 @@ Changelog

  The backports repository has a lower priority and does not need an apt preference.

+
 **6.0.3**

 - If `wg syncconf` command is not available do stop/start service instead of restart (contribution by @cristichiru)
--- a/README.md
+++ b/README.md
@ -257,6 +257,20 @@ Endpoint = server.at.home.p.domain.tld:51820

 The other WireGuard config files (`wg0.conf` by default) looks similar but of course `[Interface]` includes the config of that specific host and the `[Peer]` entries lists the config of the other hosts.

+The following variable allows to configure unmanaged hosts which are not configured by Ansible, typically smartphones and tablets. In this case, private key and client configuration are generated on Wireguard hub. They can be shared through qrcode (also see https://fukuchi.org/works/qrencode/).
+
+Example: `qrencode --type=ANSIUTF8 < /etc/wireguard/{{ item.item.host }}.conf`
+
+```
+wireguard_unmanaged_hosts:
+  - host: 'test'
+    allowed_ips: 10.200.10.10/32
+    dns: 10.200.10.1
+  - host: 'test2'
+    allowed_ips: 10.200.10.11/32
+    dns: 10.200.10.1
+```
+
 Example Playbook
 ----------------

--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -12,6 +12,13 @@ wireguard_port: "51820"
 # The default interface name that wireguard should use if not specified otherwise.
 wireguard_interface: "wg0"

+#wireguard_unmanaged_hosts:
+#  - host: 'test1'
+#    allowed_ips: 10.200.10.10/32
+#    dns: 10.200.10.1
+#  - host: 'test2'
+#    allowed_ips: 10.200.10.11/32
+#    dns: 10.200.10.1

 #######################################
 # Settings only relevant for Ubuntu
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -97,6 +97,46 @@
  tags:
    - wg-config

+- block:
+    - name: Create private key for unmanaged hosts
+      shell: |
+        set -o errexit
+        set -o pipefail
+        wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey
+        exit 0
+      args:
+        executable: /bin/bash
+        creates: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+      register: uh_private_key
+      with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+    - name: Validate permissions of unmanaged hosts' private keys
+      file:
+        path: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+        mode: '0400'
+      with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+    - name: Recover existing private key for unmanaged hosts
+      shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+      register: uh_private_key
+      changed_when: false
+      with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+    - name: Derive WireGuard public key for unmanaged hosts
+      shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey | wg pubkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+      args:
+        creates: "{{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+        executable: "/bin/bash"
+      register: uh_public_key
+      with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+    - name: Recover existing public key for unmanaged hosts
+      shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+      register: uh_public_key
+      changed_when: false
+      with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+  when: wireguard_unmanaged_hosts is defined and wireguard_unmanaged_hosts
+
 - name: Generate WireGuard configuration file
  template:
    src: wg.conf.j2
@ -109,6 +149,15 @@
  notify:
    - reconfigure wireguard

+- name: Generate WireGuard configuration file for unmanaged systems
+  template:
+    src: wg-unmanaged.conf.j2
+    dest: "{{ wireguard_remote_directory }}/{{ item.item.host }}.conf"
+    owner: root
+    group: root
+    mode: 0600
+  with_items: "{{ uh_private_key.results }}"
+
 - name: Check if reload-module-on-update is set
  stat:
    path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
--- a/templates/wg-unmanaged.conf.j2
+++ b/templates/wg-unmanaged.conf.j2
@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+# For unmanaged host {{ item.item.host }}
+# qrencode -t ansiutf8 < /etc/wireguard/{{ item.item.host }}.conf
+[Interface]
+PrivateKey = {{ item.stdout }}
+Address = {{ item.item.allowed_ips }}
+{% if item.item.dns is defined %}
+DNS = {{ item.item.dns }}
+{% endif %}
+
+[Peer]
+Endpoint = {{ wireguard_endpoint }}:{{ wireguard_port }}
+PublicKey = {{ public_key }}
+# PresharedKey = 
+# Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN. 
+AllowedIPs = 0.0.0.0/0, ::/0
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@ -68,3 +68,12 @@ SaveConfig = true
    {% endif %}
  {% endif %}
 {% endfor %}
+{% if wireguard_unmanaged_hosts is defined %}
+{% for hostdata in uh_public_key.results %}
+
+    [Peer]
+    # {{ hostdata.item.host }}
+    PublicKey = {{ hostdata.stdout }}
+    AllowedIPs = {{ hostdata.item.allowed_ips}}
+{% endfor %}
+{% endif %}