Put private key into separate file instead of main config

githubixx · Sep 27, 2020 · f821bee · f821bee
1 parent fbf47d2
commit f821bee
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 13 deletions.
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -24,14 +24,22 @@
         - wg-install
   when: not ansible_os_family == 'Darwin'
 
-- name: Register if config/private key already exists on target host
+- name: Register if config already exists on target host
   stat:
     path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
   register: wireguard__register_config_file
   tags:
     - wg-generate-keys
     - wg-config
 
+- name: Register if private key file already exists on target host
+  stat:
+    path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+  register: wireguard__register_private_key_file
+  tags:
+    - wg-generate-keys
+    - wg-config
+
 - name: Get wg subcommands
   command: "wg --help"
   register: wireguard__register_subcommands
@@ -50,30 +58,39 @@
     command: "wg genkey"
     register: wireguard__register_private_key
     changed_when: false
-    tags:
-      - wg-generate-keys
 
   - name: Set private key fact
     set_fact:
       wireguard__fact_private_key: "{{ wireguard__register_private_key.stdout }}"
-    tags:
-      - wg-generate-keys
-  when: not wireguard__register_config_file.stat.exists
+  when: not wireguard__register_config_file.stat.exists and not wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-generate-keys
 
 - block:
   - name: Read WireGuard config file
     slurp:
       src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
     register: wireguard__register_config
-    tags:
-      - wg-config
 
-  - name: Set private key fact
+  - name: Set private key fact from config file
     set_fact:
       wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
-    tags:
-      - wg-config
-  when: wireguard__register_config_file.stat.exists
+  when: wireguard__register_config_file.stat.exists and not wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-config
+
+- block:
+  - name: Read WireGuard private key file
+    slurp:
+      src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+    register: wireguard__register_config
+
+  - name: Set private key fact from file
+    set_fact:
+      wireguard__fact_private_key: "{{ wireguard__register_config['content'] | b64decode }}"
+  when: wireguard__register_private_key_file.stat.exists
+  tags:
+    - wg-config
 
 - name: Derive WireGuard public key
   command: "wg pubkey"
@@ -98,6 +115,19 @@
   tags:
     - wg-config
 
+- name: Save WireGuard private key as separate file
+  copy:
+    content: |
+      {{ wireguard__fact_private_key }}
+    dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.privkey"
+    owner: "{{ wireguard_conf_owner }}"
+    group: "{{ wireguard_conf_group }}"
+    mode: "{{ wireguard_conf_mode }}"
+  tags:
+    - wg-config
+  notify:
+    - reconfigure wireguard
+
 - name: Generate WireGuard configuration file
   template:
     src: etc/wireguard/wg.conf.j2

diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2
@@ -4,7 +4,7 @@
 [Interface]
 # {{ inventory_hostname }}
 Address = {{ wireguard_address }}
-PrivateKey = {{ wireguard__fact_private_key }}
+PostUp = wg set %i private-key /etc/wireguard/%i.privkey
 ListenPort = {{ wireguard_port }}
 {% if wireguard_dns is defined %}
 DNS = {{ wireguard_dns }}