diff --git a/tasks/main.yml b/tasks/main.yml
index 7dd79ae..8649506 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -42,6 +42,7 @@ - name: Get wg subcommands command: "wg --help" register: wg_subcommands + changed_when: false - name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available) set_fact:
@@ -106,6 +107,38 @@
 tags:
 - wg-config
 
+- name: Create private key for unmanaged hosts
+ shell: "wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+ args:
+ creates: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+ register: uh_privkey
+ with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Validate permissions of unmanaged hosts' private keys
+ file:
+ path: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+ mode: '0400'
+ with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Recover existing private key for unmanaged hosts
+ shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+ register: uh_privkey
+ changed_when: false
+ with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Derive WireGuard public key for unmanaged hosts
+ shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey | wg pubkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+ args:
+ creates: "{{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+ register: uh_pubkey
+ with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Recover existing public key for unmanaged hosts
+ shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+ register: uh_pubkey
+ changed_when: false
+ with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
 - name: Generate WireGuard configuration file
 template:
 src: wg.conf.j2
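Review bot: `wg genkey | tee …/{{ item.host }}-privatekey` in "Create private key for unmanaged hosts" writes the key under the login user's default umask, so the file is normally world-readable until the separate `file` task lowers it to `'0400'`; create it restricted from the start, `shell: "umask 077 && wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"`, and give that `file` task `owner: root` and `group: root` so the 0400 applies to a known owner. The genkey task and "Recover existing private key for unmanaged hosts" both register the key material in `uh_privkey.stdout`, which Ansible echoes per loop item in verbose output, callback plugins and any configured `log_path`; add `no_log: true` to both. `item.host` is interpolated into all four `shell:` command strings unquoted, so `{{ item.host | quote }}` is the safer form if a host entry ever contains spaces or shell metacharacters. If `wireguard_unmanaged_hosts` is maintained by the same operators who run the role this is a robustness rather than a trust-boundary concern, but the filter costs nothing.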
@@ -118,6 +151,16 @@
 notify:
 - reconfigure wireguard
 
+- debug: var=uh_privkey
+- name: Generate WireGuard configuration file for unmanaged systems
+ template:
+ src: wg-unmanaged.conf.j2
+ dest: "{{ wireguard_remote_directory }}/{{ item.item.host }}.conf"
+ owner: root
+ group: root
+ mode: 0600
+ with_items: "{{ uh_privkey.results }}"
+
 - name: Check if reload-module-on-update is set
 stat:
 path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
diff --git a/templates/wg-unmanaged.conf.j2 b/templates/wg-unmanaged.conf.j2
new file mode 100644
index 0000000..488bbf0
--- /dev/null
+++ b/templates/wg-unmanaged.conf.j2
@@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+# For unmanaged host {{ item.item.host }}
+# qrencode -t ansiutf8 < /etc/wireguard/{{ item.item.host }}.conf
+[Interface]
+PrivateKey = {{ item.stdout }}
+Address = {{ item.item.allowed_ips }}
+{% if item.item.dns is defined %}
+DNS = {{ item.item.dns }}
+{% endif %}
+
+[Peer]
+Endpoint = {{ wireguard_endpoint }}:{{ wireguard_port }}
+PublicKey = {{ public_key }}
+# PresharedKey =
+# Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN.
+AllowedIPs = 0.0.0.0/0, ::/0
diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2
index 0ab144b..8300d42 100644
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@@ -68,3 +68,11 @@ SaveConfig = true
 {% endif %}
 {% endif %}
 {% endfor %}
+{# unmanaged hosts #}
+{% for hostdata in uh_pubkey.results %}
+
+ [Peer]
+ # {{ hostdata.item.host }}
+ PublicKey = {{ hostdata.stdout }}
+ AllowedIPs = {{ hostdata.item.allowed_ips}}
+{% endfor %}
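Review bot: `- debug: var=uh_privkey` dumps every unmanaged host's private key (the recover task's `stdout`) into the play output and any log; remove the line before merging. The template task below it loops over `uh_privkey.results`, and Ansible prints each loop item, `stdout` included, as the per-item label, so add `no_log: true` to that task or at minimum `loop_control:` with `label: "{{ item.item.host }}"`. `mode: 0600` is an unquoted octal literal while the same file uses `mode: '0400'` a few tasks earlier; quote it, `mode: '0600'`, so the value is a string regardless of the parser's octal rules and both tasks read alike. The task list continues past both ends of the hunk.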
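Review bot: `# PresharedKey =` leaves a dead placeholder in a file that is handed to an unmanaged device; either render a per-host value (which would also need a matching `PresharedKey` on the server-side `[Peer]` in wg.conf.j2) or drop the line, and in the latter case say in the comment that the peer relies on the public-key handshake alone. The hard-coded `AllowedIPs = 0.0.0.0/0, ::/0` is a sensible full-tunnel default but cannot be overridden per host; a guarded lookup such as `AllowedIPs = {{ item.item.client_allowed_ips | default('0.0.0.0/0, ::/0') }}` (suggested key name) keeps the default and lets split-tunnel hosts opt out. `{{ public_key }}` and `{{ wireguard_endpoint }}` are set nowhere in this diff; if they are facts gathered earlier in the role, a one-line comment at the top naming where they come from would spare the next reader a search.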
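Review bot: `uh_pubkey.results` is referenced unconditionally, so this template renders only when the new key tasks in tasks/main.yml ran in the same play; the neighbouring existing task carries `tags: - wg-config` while the new key tasks carry no tag, so a `--tags wg-config` run may reach this template with `uh_pubkey` undefined, assuming the configuration task itself is tagged (its tags are outside the hunk). Either tag the new tasks the same way or guard the loop, `{% for hostdata in uh_pubkey.results | default([]) %}`, which Ansible's undefined handling accepts. The new `[Peer]` block is indented by a space unlike every other line in this template and `{{ hostdata.item.allowed_ips}}` lacks the closing space; wg's config parser appears to tolerate leading whitespace, but the block should be flush-left to match the file. The per-host comment would be clearer as `# unmanaged host {{ hostdata.item.host }}` so these peers are distinguishable from the managed ones rendered above.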