From ae17b8f662a79684c2510943ac90298ce7965ec5 Mon Sep 17 00:00:00 2001
From: pierreozoux <pierre@ozoux.net>
Date: Wed, 18 Sep 2019 10:28:26 +0200
Subject: [PATCH] Makes the role stateless.

---
 defaults/main.yml          | 15 ++-----
 tasks/main.yml             | 90 +++++++++-----------------------------
 templates/wg-privatekey.j2 |  1 -
 templates/wg-publickey.j2  |  1 -
 templates/wg.conf.j2       |  4 +-
 5 files changed, 26 insertions(+), 85 deletions(-)
 delete mode 100644 templates/wg-privatekey.j2
 delete mode 100644 templates/wg-publickey.j2

diff --git a/defaults/main.yml b/defaults/main.yml
index 51c4e92..01ff4b4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,16 +1,4 @@
 ---
-# The LOCAL directory where the WireGuard certificates are stored after they
-# were generated. By default this will expand to user's LOCAL ${HOME}
-# (the user that run's "ansible-playbook" command) plus
-# "/wireguard/certs". That means if the user's ${HOME} directory is e.g.
-# "/home/da_user" then "wireguard_cert_directory" will have a value of
-# "/home/da_user/wireguard/certs". If you change this make sure that
-# the parent directory is writable by the user that runs "ansible-playbook"
-# command.
-wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
-wireguard_cert_owner: "root"
-wireguard_cert_group: "root"
-
 # Directory to store WireGuard configuration on the remote hosts
 wireguard_remote_directory: "/etc/wireguard"
 
@@ -19,3 +7,6 @@ wireguard_port: "51820"
 
 # The interface name that wireguard should use.
 wireguard_interface: "wg0"
+
+# Wireguard config file path
+wg_conf_path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
diff --git a/tasks/main.yml b/tasks/main.yml
index c99ded7..f530bc1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -28,46 +28,35 @@
   tags:
     - wg-install
 
-- name: Create WireGuard certificates directory
-  file:
-    dest: "{{ wireguard_cert_directory }}"
-    state: directory
-    owner: "{{ wireguard_cert_owner }}"
-    group: "{{ wireguard_cert_group }}"
-    mode: 0700
-  run_once: true
-  delegate_to: localhost
-  tags:
-    wg-generate-keys
-
 - name: Set WireGuard IP (without mask)
   set_fact:
     wireguard_ip: "{{ wireguard_address.split('/')[0] }}"
 
-- name: Set path to private key file
-  set_fact:
-    private_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.private.key"
-  tags:
-    wg-generate-keys
-
-- name: Set path to public key file
-  set_fact:
-    public_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.public.key"
-  tags:
-    wg-generate-keys
-
-- name: Register if private key already exists
+# lookup ini plugin doesn't work on remote hosts...
+- name: Check if WireGuard file exists
   stat:
-    path: "{{ private_key_file_path }}"
-  register: private_key_file_stat
-  delegate_to: localhost
+    path: "{{ wg_conf_path }}"
+  register: wg_conf
+
+- name: Read WireGuard private key
+  shell: "cat {{ wg_conf_path }} | grep PrivateKey | cut -d= -f2- | tr -d [:space:]"
+  register: wg_private_key_result
+  changed_when: false
+  when: wg_conf.stat.exists
+  tags:
+    - wg-generate-keys
+
+- name: Set private key fact
+  set_fact:
+    wg_private_key: "{{ wg_private_key_result.stdout }}"
+  when: wg_conf.stat.exists
   tags:
     - wg-generate-keys
 
 - name: Generate WireGuard private key
   shell: "wg genkey"
   register: wg_private_key_result
-  when: not private_key_file_stat.stat.exists
+  when: not wg_conf.stat.exists
   changed_when: false
   tags:
     - wg-generate-keys
@@ -76,11 +65,11 @@
 - name: Set private key fact
   set_fact:
     wg_private_key: "{{ wg_private_key_result.stdout }}"
-  when: not private_key_file_stat.stat.exists
+  when: not wg_conf.stat.exists
   tags:
     - wg-generate-keys
 
-- name: Generate WireGuard public key
+- name: Derive WireGuard public key
   shell: "echo '{{ wg_private_key }}' | wg pubkey"
   register: wg_public_key_result
   when: not private_key_file_stat.stat.exists
@@ -91,46 +80,9 @@
 - name: Set public key fact
   set_fact:
     wg_public_key: "{{ wg_public_key_result.stdout }}"
-  when: not private_key_file_stat.stat.exists
   tags:
     - wg-generate-keys
 
-- name: Store hosts private key locally
-  template:
-    src: "wg-privatekey.j2"
-    dest: "{{ private_key_file_path }}"
-    owner: "{{ wireguard_cert_owner }}"
-    group: "{{ wireguard_cert_group }}"
-    mode: 0644
-  when: not private_key_file_stat.stat.exists
-  delegate_to: localhost
-  tags:
-    - wg-generate-keys
-
-- name: Store hosts public key locally
-  template:
-    src: "wg-publickey.j2"
-    dest: "{{ public_key_file_path }}"
-    owner: "{{ wireguard_cert_owner }}"
-    group: "{{ wireguard_cert_group }}"
-    mode: 0644
-  when: not private_key_file_stat.stat.exists
-  delegate_to: localhost
-  tags:
-    - wg-generate-keys
-
-- name: Read private key
-  set_fact:
-    private_key: "{{ lookup('file', private_key_file_path) }}"
-  tags:
-    wg-config
-
-- name: Read public key
-  set_fact:
-    public_key: "{{ lookup('file', public_key_file_path) }}"
-  tags:
-    wg-config
-
 - name: Create WireGuard configuration directory
   file:
     dest: "{{ wireguard_remote_directory }}"
@@ -142,7 +94,7 @@
 - name: Generate WireGuard configuration file
   template:
     src: wg.conf.j2
-    dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
+    dest: "{{ wg_conf_path }}"
     owner: root
     group: root
     mode: 0600
diff --git a/templates/wg-privatekey.j2 b/templates/wg-privatekey.j2
deleted file mode 100644
index 84b77fa..0000000
--- a/templates/wg-privatekey.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{hostvars[inventory_hostname]['wg_private_key']}}
diff --git a/templates/wg-publickey.j2 b/templates/wg-publickey.j2
deleted file mode 100644
index ca2953a..0000000
--- a/templates/wg-publickey.j2
+++ /dev/null
@@ -1 +0,0 @@
-{{hostvars[inventory_hostname]['wg_public_key']}}
diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2
index 81e0d48..aa7ed59 100644
--- a/templates/wg.conf.j2
+++ b/templates/wg.conf.j2
@@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks:"True",trim_blocks:"True"
 [Interface]
 Address = {{hostvars[inventory_hostname].wireguard_address}}
-PrivateKey = {{private_key}}
+PrivateKey = {{wg_private_key}}
 ListenPort = {{wireguard_port}}
 {% if hostvars[inventory_hostname].wireguard_dns is defined %}
 DNS = {{hostvars[inventory_hostname].wireguard_dns}}
@@ -19,7 +19,7 @@ SaveConfig = true
 {% for host in groups["vpn"] %}
   {% if host != inventory_hostname %}
     [Peer]
-    PublicKey = {{hostvars[host].public_key}}
+    PublicKey = {{hostvars[host].wg_public_key}}
     {% if hostvars[host].wireguard_allowed_ips is defined %}
     AllowedIPs = {{hostvars[host].wireguard_allowed_ips}}
     {% else %}