
add unmanaged hosts configuration (smartphones, tablets...)

This commit is contained in:
juju4 2020-02-16 09:36:47 -05:00
parent 3322faf576
commit 836559ca51
3 changed files with 67 additions and 0 deletions


@ -42,6 +42,7 @@
- name: Get wg subcommands
command: "wg --help"
register: wg_subcommands
changed_when: false
- name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available)
set_fact:
@ -106,6 +107,38 @@
tags:
- wg-config
- name: Create private key for unmanaged hosts
shell: "wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
args:
creates: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
register: uh_privkey
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
- name: Validate permissions of unmanaged hosts' private keys
file:
path: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
mode: '0400'
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
- name: Recover existing private key for unmanaged hosts
shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"
register: uh_privkey
changed_when: false
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
- name: Derive WireGuard public key for unmanaged hosts
shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey | wg pubkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
args:
creates: "{{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
register: uh_pubkey
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
- name: Recover existing public key for unmanaged hosts
shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-pubkey"
register: uh_pubkey
changed_when: false
with_items: "{{ wireguard_unmanaged_hosts | default([]) }}"
- name: Generate WireGuard configuration file
template:
src: wg.conf.j2
@ -118,6 +151,16 @@
notify:
- reconfigure wireguard
- debug: var=uh_privkey
- name: Generate WireGuard configuration file for unmanaged systems
template:
src: wg-unmanaged.conf.j2
dest: "{{ wireguard_remote_directory }}/{{ item.item.host }}.conf"
owner: root
group: root
mode: 0600
with_items: "{{ uh_privkey.results }}"
- name: Check if reload-module-on-update is set
stat:
path: "{{ wireguard_remote_directory }}/.reload-module-on-update"
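Review bot: `- debug: var=uh_privkey` just before the unmanaged-systems template task dumps every generated private key (the `stdout` captured by the "Recover existing private key" task) into the play output and any configured log, and the template task that loops over `uh_privkey.results` echoes the same key in each item line; drop the debug line and add `no_log: true` to the "Recover existing private key" and template tasks (or `loop_control: label: "{{ item.item.host }}"` on the template task so only the host name is printed). The "Create private key" task writes through `tee` under the default umask, so the key file is readable by other users until the separate `file` task applies `'0400'`; `shell: "umask 077; wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey"` closes that window. `item.host` is interpolated unquoted into four `shell` commands and also becomes a file name, so it should at least be passed through `| quote`, or validated up front with an `assert` against a safe character set, since `wireguard_unmanaged_hosts` is operator-supplied data. Smaller points: the `register: uh_privkey` on the genkey task is overwritten by the "Recover" task that follows it, and `mode: 0600` on the template task is worth quoting as `"0600"` to match the `'0400'` used above.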


@ -0,0 +1,16 @@
{{ ansible_managed | comment }}
# For unmanaged host {{ item.item.host }}
# qrencode -t ansiutf8 < /etc/wireguard/{{ item.item.host }}.conf
[Interface]
PrivateKey = {{ item.stdout }}
Address = {{ item.item.allowed_ips }}
{% if item.item.dns is defined %}
DNS = {{ item.item.dns }}
{% endif %}
[Peer]
Endpoint = {{ wireguard_endpoint }}:{{ wireguard_port }}
PublicKey = {{ public_key }}
# PresharedKey =
# Using the catch-all AllowedIPs = 0.0.0.0/0, ::/0 will forward all IPv4 (0.0.0.0/0) and IPv6 (::/0) traffic over the VPN.
AllowedIPs = 0.0.0.0/0, ::/0
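Review bot: The peer block hard-codes `AllowedIPs = 0.0.0.0/0, ::/0`, so every unmanaged device is configured as a full-tunnel client even where only the VPN subnet should be routed; `AllowedIPs = {{ item.item.client_allowed_ips | default('0.0.0.0/0, ::/0') }}` keeps the current default while letting a host entry override it. `Address = {{ item.item.allowed_ips }}` reuses the value that wg.conf.j2 writes as the peer's `AllowedIPs` on the server side, which only yields a valid interface address when that value is the device's single /32 or /128; a comment such as `{# allowed_ips must be the device's own /32 (or /128): it is also written as the Interface Address here #}` would make that contract visible. `public_key` and `wireguard_endpoint` are not defined in any of the visible hunks, so presumably they are the managed host's own key and reachable address set elsewhere in the role; confirm both are defined before this template is rendered. The `# PresharedKey =` placeholder is left empty; if pre-shared keys are wanted later they must be generated in the tasks and emitted in both this template and wg.conf.j2.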


@ -68,3 +68,11 @@ SaveConfig = true
{% endif %}
{% endif %}
{% endfor %}
{# unmanaged hosts #}
{% for hostdata in uh_pubkey.results %}
[Peer]
# {{ hostdata.item.host }}
PublicKey = {{ hostdata.stdout }}
AllowedIPs = {{ hostdata.item.allowed_ips}}
{% endfor %}
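Review bot: `uh_pubkey.results` is dereferenced without a guard, so rendering this template on a host where the task that registers `uh_pubkey` has not run in the same play fails with an undefined-variable error; `{% for hostdata in (uh_pubkey.results | default([])) %}` keeps the server config renderable in that case. The `{% endfor %}` at the top of the hunk closes a loop that begins outside it. Style: `{{ hostdata.item.allowed_ips}}` is missing the space before `}}` that every other expression in the template uses. The added peer entries carry no `PresharedKey`, consistent with the commented-out line in the client template; if that is intentional, a one-line `{# no PresharedKey: only the key pairs generated by the role's tasks are used #}` would save the next reader the question.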