Support to wg reload with private key in file

Cleanup Ansible handlers: * `systemctl start` is redundant because that is already ensured by the main tasks. * `wg syncconf` is done by the systemd unit file. No need for us to duplicate this. * Drop support for WireGuard before v1.0.20191226 so that we can drop the workaround where `wg syncconf` is not present.
githubixx · Sep 27, 2020 · eb472df · eb472df
1 parent f821bee
commit eb472df
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 40 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 Changelog
 ---------
 
+**7.4.0**
+
+- Put private key into separate file instead of main config. This is done for two reasons: Avoid shoulder surfing and to avoid the need for regex configuration parsing in the role. (contribution by @ypid)
+- Remove workaround for missing `wg syncconf` subcommand. It was introduced with v1.0.20191226 which very relevant distro has caught up to by now. Upgrade your wireguard packages before updating to this release of the role. (contribution by @ypid)
+
 **7.3.0**
 
 - Fix spelling and typos in docs. (contribution by @ypid)
@@ -85,7 +90,7 @@ Changelog
 
 **6.0.0**
 
-- Newer versions of WireGuard (around November 2019) introduced `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
+- v1.0.20191226 WireGuard introduced the `wg syncconf` subcommand. This has the advantage that changes to the WireGuard configuration can be applied without disturbing existing connections. With this change this role tries to use `wg syncconf` subcommand when available. This even works if you have hosts with older and newer WireGuard versions.
 
 **5.0.0**
 

diff --git a/files/etc/systemd/system/[email protected]/local.conf b/files/etc/systemd/system/[email protected]/local.conf
@@ -0,0 +1,7 @@
+# Copyright (C) 2020 Robin Schneider <[email protected]>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+[Service]
+ExecReload=
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(/usr/bin/wg-quick strip %i | /usr/bin/crudini --set - Interface PrivateKey $(/usr/bin/cat /etc/wireguard/%i.privkey))'
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,27 +1,7 @@
 ---
-- name: restart wireguard
+
+- name: "Reload WireGuard interface"
   service:
     name: "wg-quick@{{ wireguard_interface }}"
-    state: "{{ item }}"
-  loop:
-  - stopped
-  - started
-  when: >
-    not wg_syncconf and
-    not ansible_os_family == 'Darwin'
-  listen: "reconfigure wireguard"
-
-- name: syncconf wireguard
-  shell: |
-      set -o errexit
-      set -o pipefail
-      set -o nounset
-      systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
-      wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
-      exit 0
-  args:
-    executable: "/bin/bash"
-  when: >
-    wg_syncconf and
-    not ansible_os_family == 'Darwin'
-  listen: "reconfigure wireguard"
+    state: "reloaded"
+  when: (ansible_os_family != 'Darwin')
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -40,19 +40,6 @@
     - wg-generate-keys
     - wg-config
 
-- name: Get wg subcommands
-  command: "wg --help"
-  register: wireguard__register_subcommands
-  changed_when: false
-
-- name: Check if wg syncconf subcommand is available
-  set_fact:
-    wg_syncconf: "{{ 'syncconf:' in wireguard__register_subcommands.stdout }}"
-
-- name: Show syncconf subcommand status
-  debug:
-    var: wg_syncconf
-
 - block:
   - name: Generate WireGuard private key
     command: "wg genkey"
@@ -126,7 +113,7 @@
   tags:
     - wg-config
   notify:
-    - reconfigure wireguard
+    - Reload WireGuard interface
 
 - name: Generate WireGuard configuration file
   template:
@@ -138,7 +125,7 @@
   tags:
     - wg-config
   notify:
-    - reconfigure wireguard
+    - Reload WireGuard interface
 
 - name: Ensure legacy reload-module-on-update is absent
   file:
@@ -147,8 +134,17 @@
   tags:
     - wg-config
 
+- name: Create systemd drop-in file for [email protected]
+  copy:
+    src: "etc/systemd/system/[email protected]"
+    dest: "/etc/systemd/system"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+
 - name: Start and enable WireGuard service
   service:
+    daemon_reload: True
     name: "wg-quick@{{ wireguard_interface }}"
     state: started
     enabled: yes

diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml
@@ -22,6 +22,7 @@
   apt:
     name:
       - "wireguard"
+      - "crudini"
     state: present
   tags:
     - wg-install