Readd support to inline private key and PSKs into config

ypid · Oct 4, 2020 · de412dd · de412dd
1 parent 13792c8
commit de412dd
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 2 deletions.
diff --git a/files/usr/local/bin/wg-quick b/files/usr/local/bin/wg-quick
@@ -91,10 +91,10 @@ parse_options() {
 			SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
 			esac
 		fi
+		WG_CONFIG+="$line"$'\n'
 		if [[ $interface_section -eq 0 && $key == 'PublicKey' && -n "${peer_pubkey_to_psk[$value]}" ]]; then
 			WG_CONFIG+="PresharedKey = ${peer_pubkey_to_psk[$value]}"$'\n'
 		fi
-		WG_CONFIG+="$line"$'\n'
 	done < "$CONFIG_FILE"
 	shopt -u nocasematch
 }

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -168,6 +168,7 @@
     wireguard__combos: '{{ groups[wireguard_inventory_group]|d([]) | difference([inventory_hostname]) | product([inventory_hostname]) | map("sort") | map("join", ",") | list }}'
   tags:
     - wg-config
+    - test
 
 - debug:
     msg: '{{ wireguard__combos }}'
@@ -183,6 +184,29 @@
   tags:
     - wg-config
 
+- block:
+  - name: Read WireGuard PSK files from Ansible controller
+    slurp:
+      src: '{{ wireguard__secret_directory + "/" + item + ".psk" }}'
+    delegate_to: "localhost"
+    loop: '{{ wireguard__combos }}'
+    register: wireguard__register_private_key
+
+  - name:
+    set_fact:
+      wireguard__fact_psks: |-
+        {% set fact = {} %}
+        {% for result in wireguard__register_private_key.results %}
+        {%   set _ = fact.update({
+            (result['item'].split(",") | difference([inventory_hostname]) | first): (result['content'] | b64decode).strip(),
+        }) %}
+        {% endfor %}
+        {{ fact }}
+  - debug:
+      var: wireguard__fact_psks
+  when: wireguard__secret_authority == "ansible_controller"
+  tags: test
+
 - name: Download PSKs
   copy:
     src: '{{ wireguard__secret_directory + "/" + item + ".psk" }}'

diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2
@@ -60,6 +60,9 @@ SaveConfig = true
 [Peer]
 # {{ host }}
 PublicKey = {{ hostvars[host].wireguard__fact_public_key }}
+{%     if wireguard__key_templating == 'inline' and host in wireguard__fact_psks %}
+PresharedKey = {{ wireguard__fact_psks[host] }}
+{%     endif %}
 {%     if hostvars[host].wireguard_allowed_ips|d() %}
 AllowedIPs = {{ hostvars[host].wireguard_allowed_ips }}
 {%     else %}
@@ -93,7 +96,7 @@ Endpoint = {{ host }}:{{ wireguard_port }}
 {% if wireguard_unmanaged_peers is defined %}
 
 # Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
-{% for peer in wireguard_unmanaged_peers.keys() %}
+{%   for peer in wireguard_unmanaged_peers.keys() %}
 [Peer]
 # {{ peer }}
 PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}