add unmanaged hosts configuration (smartphones, tablets...)

2020-02-16 09:36:47 -05:00 · 2020-02-16 09:36:47 -05:00 · 836559ca51
parent 3322faf576
commit 836559ca51
3 changed files with 67 additions and 0 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -42,6 +42,7 @@
 - name: Get wg subcommands
  command: "wg --help"
  register: wg_subcommands
+  changed_when: false

 - name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
  set_fact:
@ -106,6 +107,38 @@
  tags:
    - wg-config

+- name: Create private key for unmanaged hosts
+  shell: "wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+  args:
+    creates: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+  register: uh_privkey
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Validate permissions of unmanaged hosts' private keys
+  file:
+    path: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+    mode: '0400'
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Recover existing private key for unmanaged hosts
+  shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
+  register: uh_privkey
+  changed_when: false
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Derive WireGuard public key for unmanaged hosts
+  shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey | wg pubkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+  args:
+    creates: "{{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+  register: uh_pubkey
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
+- name: Recover existing public key for unmanaged hosts
+  shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
+  register: uh_pubkey
+  changed_when: false
+  with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
+
 - name: Generate WireGuard configuration file
  template:
    src: wg.conf.j2
@ -118,6 +151,16 @@
  notify:
    - reconfigure wireguard

+- debug: var=uh_privkey
+- name: Generate WireGuard configuration file for unmanaged systems
+  template:
+    src: wg-unmanaged.conf.j2
+    dest: "{{ wireguard_remote_directory }}/{{ item.item.host }}.conf"
+    owner: root
+    group: root
+    mode: 0600
+  with_items: "{{ uh_privkey.results }}"
+
 - name: Check if reload-module-on-update is set
  stat:
    path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
--- a/templates/wg-unmanaged.conf.j2
+++ b/templates/wg-unmanaged.conf.j2
@ -0,0 +1,16 @@
+{{ ansible_managed | comment }}
+# For unmanaged host {{ item.item.host }}
+# qrencode -t ansiutf8 < /etc/wireguard/{{ item.item.host }}.conf
+[Interface]
+PrivateKey = {{ item.stdout }}
+Address = {{ item.item.allowed_ips }}
+{% if item.item.dns is defined %}
+DNS = {{ item.item.dns }}
+{% endif %}
+
+[Peer]
+Endpoint = {{ wireguard_endpoint }}:{{ wireguard_port }}
+PublicKey = {{ public_key }}
+# PresharedKey = 
+# Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN. 
+AllowedIPs = 0.0.0.0/0, ::/0
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@ -68,3 +68,11 @@ SaveConfig = true
    {% endif %}
  {% endif %}
 {% endfor %}
+{# unmanaged hosts #}
+{% for hostdata in uh_pubkey.results %}
+
+    [Peer]
+    # {{ hostdata.item.host }}
+    PublicKey = {{ hostdata.stdout }}
+    AllowedIPs = {{ hostdata.item.allowed_ips}}
+{% endfor %}