From ae17b8f662a79684c2510943ac90298ce7965ec5 Mon Sep 17 00:00:00 2001
From: pierreozoux
Date: Wed, 18 Sep 2019 10:28:26 +0200
Subject: [PATCH] Makes the role stateless.

---
 defaults/main.yml | 15 ++-----
 tasks/main.yml | 90 +++++++++-----------------------------
 templates/wg-privatekey.j2 | 1 -
 templates/wg-publickey.j2 | 1 -
 templates/wg.conf.j2 | 4 +-
 5 files changed, 26 insertions(+), 85 deletions(-)
 delete mode 100644 templates/wg-privatekey.j2
 delete mode 100644 templates/wg-publickey.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 51c4e92..01ff4b4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,16 +1,4 @@
 ---
-# The LOCAL directory where the WireGuard certificates are stored after they
-# were generated. By default this will expand to user's LOCAL ${HOME}
-# (the user that run's "ansible-playbook" command) plus
-# "/wireguard/certs". That means if the user's ${HOME} directory is e.g.
-# "/home/da_user" then "wireguard_cert_directory" will have a value of
-# "/home/da_user/wireguard/certs". If you change this make sure that
-# the parent directory is writable by the user that runs "ansible-playbook"
-# command.
-wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
-wireguard_cert_owner: "root"
-wireguard_cert_group: "root"
-
 # Directory to store WireGuard configuration on the remote hosts
 wireguard_remote_directory: "/etc/wireguard"
@@ -19,3 +7,6 @@ wireguard_port: "51820"
 # The interface name that wireguard should use.
 wireguard_interface: "wg0"
+
+# Wireguard config file path
+wg_conf_path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
diff --git a/tasks/main.yml b/tasks/main.yml
index c99ded7..f530bc1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
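Review bot: The new default `wg_conf_path` breaks the naming convention of this file, where every other default is prefixed `wireguard_` (`wireguard_remote_directory`, `wireguard_port`, `wireguard_interface`), and because defaults are the role's public interface the name is costly to change once users override it. Consider `wireguard_conf_path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"` and updating the two `{{ wg_conf_path }}` references in tasks/main.yml accordingly. The comment above it could also say why the path now matters to the role, e.g. `# Path of the WireGuard config on the remote host; on re-runs the role reads the existing PrivateKey back from this file`.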
@@ -28,46 +28,35 @@ tags: - wg-install -- name: Create WireGuard certificates directory - file: - dest: "{{ wireguard_cert_directory }}" - state: directory - owner: "{{ wireguard_cert_owner }}" - group: "{{ wireguard_cert_group }}" - mode: 0700 - run_once: true - delegate_to: localhost - tags: - wg-generate-keys - - name: Set WireGuard IP (without mask) set_fact: wireguard_ip: "{{ wireguard_address.split('/')[0] }}" -- name: Set path to private key file - set_fact: - private_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.private.key" - tags: - wg-generate-keys - -- name: Set path to public key file - set_fact: - public_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.public.key" - tags: - wg-generate-keys - -- name: Register if private key already exists +# lookup ini plugin doesn't work on remote hosts... +- name: Check if WireGuard file exists stat: - path: "{{ private_key_file_path }}" - register: private_key_file_stat - delegate_to: localhost + path: "{{ wg_conf_path }}" + register: wg_conf + +- name: Read WireGuard private key + shell: "cat {{ wg_conf_path }} | grep PrivateKey | cut -d= -f2- | tr -d [:space:]" + register: wg_private_key_result + changed_when: false + when: wg_conf.stat.exists + tags: + - wg-generate-keys + +- name: Set private key fact + set_fact: + wg_private_key: "{{ wg_private_key_result.stdout }}" + when: wg_conf.stat.exists tags: - wg-generate-keys - name: Generate WireGuard private key shell: "wg genkey" register: wg_private_key_result - when: not private_key_file_stat.stat.exists + when: not wg_conf.stat.exists changed_when: false tags: - wg-generate-keys 
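Review bot: In the new `Read WireGuard private key` task the character class in `tr -d [:space:]` is unquoted, so the shell treats it as a glob: it only works because no single-character file matching it normally exists in the remote working directory, and if one does the key is read back with whitespace left in it; write `tr -d '[:space:]'`. The same pipeline should anchor the match so a commented-out line containing the word cannot be picked up, and the leading `cat` is unnecessary: `shell: "grep '^PrivateKey' {{ wg_conf_path }} | cut -d= -f2- | tr -d '[:space:]'"`. This task and the existing `Generate WireGuard private key` task both register the private key in `wg_private_key_result`, which Ansible prints verbatim under `-v` and writes to `log_path`, so add `no_log: true` to both of them and to the two `Set private key fact` tasks so the key never reaches the controller's logs. A `slurp` of the file followed by a `regex_search` on the decoded content would avoid the shell pipeline altogether, but the quoting and `no_log` changes are the minimum.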
@@ -76,11 +65,11 @@ - name: Set private key fact set_fact: wg_private_key: "{{ wg_private_key_result.stdout }}" - when: not private_key_file_stat.stat.exists + when: not wg_conf.stat.exists tags: - wg-generate-keys -- name: Generate WireGuard public key +- name: Derive WireGuard public key shell: "echo '{{ wg_private_key }}' | wg pubkey" register: wg_public_key_result when: not private_key_file_stat.stat.exists @@ -91,46 +80,9 @@ - name: Set public key fact set_fact: wg_public_key: "{{ wg_public_key_result.stdout }}" - when: not private_key_file_stat.stat.exists tags: - wg-generate-keys -- name: Store hosts private key locally - template: - src: "wg-privatekey.j2" - dest: "{{ private_key_file_path }}" - owner: "{{ wireguard_cert_owner }}" - group: "{{ wireguard_cert_group }}" - mode: 0644 - when: not private_key_file_stat.stat.exists - delegate_to: localhost - tags: - - wg-generate-keys - -- name: Store hosts public key locally - template: - src: "wg-publickey.j2" - dest: "{{ public_key_file_path }}" - owner: "{{ wireguard_cert_owner }}" - group: "{{ wireguard_cert_group }}" - mode: 0644 - when: not private_key_file_stat.stat.exists - delegate_to: localhost - tags: - - wg-generate-keys - -- name: Read private key - set_fact: - private_key: "{{ lookup('file', private_key_file_path) }}" - tags: - wg-config - -- name: Read public key - set_fact: - public_key: "{{ lookup('file', public_key_file_path) }}" - tags: - wg-config - - name: Create WireGuard configuration directory file: dest: "{{ wireguard_remote_directory }}" @@ -142,7 +94,7 @@ - name: Generate WireGuard configuration file template: src: wg.conf.j2 - dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" + dest: "{{ wg_conf_path }}" owner: root group: root mode: 0600 diff --git a/templates/wg-privatekey.j2 b/templates/wg-privatekey.j2 deleted file mode 100644 index 84b77fa..0000000 --- a/templates/wg-privatekey.j2 +++ /dev/null 
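Review bot: In the @@ -76 hunk the renamed `Derive WireGuard public key` task still carries `when: not private_key_file_stat.stat.exists`, but after this commit nothing registers `private_key_file_stat` any more (the stat task now registers `wg_conf`), so the conditional fails with an undefined-variable error on every run. The condition is also wrong in intent: on a re-run the private key is read back from the existing config, and the public key must still be derived from it for the template, which is why `Set public key fact` in the @@ -91 hunk lost its own `when` and would otherwise read an undefined `wg_public_key_result.stdout` once the derive step is skipped. Drop the `when` line entirely. While touching the task, feed the private key to `wg pubkey` on stdin instead of interpolating it into a shell command line, where it is visible in the process list for the duration of the command and is echoed by Ansible's command logging, and mark the task `no_log: true`; the rest of this task lies outside the hunk.

```yaml
- name: Derive WireGuard public key
  command: wg pubkey
  args:
    stdin: "{{ wg_private_key }}"
  register: wg_public_key_result
  no_log: true
  # … remaining keys of this task unchanged (outside the hunk) …
```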
@@ -1 +0,0 @@
-{{hostvars[inventory_hostname]['wg_private_key']}}
diff --git a/templates/wg-publickey.j2 b/templates/wg-publickey.j2
deleted file mode 100644
index ca2953a..0000000
--- a/templates/wg-publickey.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{hostvars[inventory_hostname]['wg_public_key']}}
diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2
index 81e0d48..aa7ed59 100644
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks:"True",trim_blocks:"True"
 [Interface]
 Address = {{hostvars[inventory_hostname].wireguard_address}}
-PrivateKey = {{private_key}}
+PrivateKey = {{wg_private_key}}
 ListenPort = {{wireguard_port}}
 {% if hostvars[inventory_hostname].wireguard_dns is defined %}
 DNS = {{hostvars[inventory_hostname].wireguard_dns}}
@@ -19,7 +19,7 @@ SaveConfig = true
 {% for host in groups["vpn"] %}
 {% if host != inventory_hostname %}
 [Peer]
- PublicKey = {{hostvars[host].public_key}}
+ PublicKey = {{hostvars[host].wg_public_key}}
 {% if hostvars[host].wireguard_allowed_ips is defined %}
 AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
 {% else %}
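Review bot: In the @@ -19 hunk of wg.conf.j2, `PublicKey = {{hostvars[host].wg_public_key}}` now depends on a fact that exists only for hosts the current play has processed, whereas the removed `public_key` was read from a file on the controller; a run restricted with `--limit`, or a play that does not cover every member of `groups["vpn"]`, now fails at render time with an undefined `wg_public_key` for the absent peers. This is a consequence of the stateless design and should be stated in the role documentation, and it is worth making explicit in tasks/main.yml with an `assert` before the `Generate WireGuard configuration file` task that checks `hostvars[item].wg_public_key is defined` over `groups['vpn']` and names the offending host in its `fail_msg`. Guarding the loop with `{% if host != inventory_hostname and hostvars[host].wg_public_key is defined %}` would also avoid the error, but it silently drops a peer from the tunnel configuration, so a loud failure is the better choice here.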