add unmanaged hosts configuration (smartphones, tablets...)

tasks/main.yml

@@ -42,6 +42,7 @@
 - name: Get wg subcommands
   command: "wg --help"
   register: wg_subcommands
+  changed_when: false
 
 - name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
   set_fact:
@@ -106,6 +107,38 @@
   tags:
     - wg-config
 
+- name: Create private key for unmanaged hosts
+  shell: "wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+  args:
+    creates: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+  register: uh_privkey
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Validate permissions of unmanaged hosts' private keys
+  file:
+    path: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+    mode: '0400'
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Recover existing private key for unmanaged hosts
+  shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+  register: uh_privkey
+  changed_when: false
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Derive WireGuard public key for unmanaged hosts
+  shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey | wg pubkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+  args:
+    creates: "{{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+  register: uh_pubkey
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Recover existing public key for unmanaged hosts
+  shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+  register: uh_pubkey
+  changed_when: false
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
 - name: Generate WireGuard configuration file
   template:
     src: wg.conf.j2
@@ -118,6 +151,16 @@
   notify:
     - reconfigure wireguard
 
+- debug: var=uh_privkey
+- name: Generate WireGuard configuration file for unmanaged systems
+  template:
+    src: wg-unmanaged.conf.j2
+    dest: "{{ wireguard_remote_directory }}/{{ item.item.host }}.conf"
+    owner: root
+    group: root
+    mode: 0600
+  with_items: "{{ uh_privkey.results }}"
+
 - name: Check if reload-module-on-update is set
   stat:
     path: "{{ wireguard_remote_directory }}/.reload-module-on-update"

templates/wg-unmanaged.conf.j2

@@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+# For unmanaged host {{ item.item.host }}
+# qrencode -t ansiutf8 < /etc/wireguard/{{ item.item.host }}.conf
+[Interface]
+PrivateKey = {{ item.stdout }}
+Address = {{ item.item.allowed_ips }}
+{% if item.item.dns is defined %}
+DNS = {{ item.item.dns }}
+{% endif %}
+
+[Peer]
+Endpoint = {{ wireguard_endpoint }}:{{ wireguard_port }}
+PublicKey = {{ public_key }}
+# PresharedKey = 
+# Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN. 
+AllowedIPs = 0.0.0.0/0, ::/0

templates/wg.conf.j2

@@ -68,3 +68,11 @@ SaveConfig = true
     {% endif %}
   {% endif %}
 {% endfor %}
+{# unmanaged hosts #}
+{% for hostdata in uh_pubkey.results %}
+
+    [Peer]
+    # {{ hostdata.item.host }}
+    PublicKey = {{ hostdata.stdout }}
+    AllowedIPs = {{ hostdata.item.allowed_ips}}
+{% endfor %}