diff --git a/files/usr/local/bin/wg-quick b/files/usr/local/bin/wg-quick
index 0a6186f..89f9ef9 100755
--- a/files/usr/local/bin/wg-quick
+++ b/files/usr/local/bin/wg-quick
@@ -91,10 +91,10 @@ parse_options() {
 SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
 esac
 fi
+ WG_CONFIG+="$line"$'\n'
 if [[ $interface_section -eq 0 && $key == 'PublicKey' && -n "${peer_pubkey_to_psk[$value]}" ]]; then
 WG_CONFIG+="PresharedKey = ${peer_pubkey_to_psk[$value]}"$'\n'
 fi
- WG_CONFIG+="$line"$'\n'
 done < "$CONFIG_FILE"
 shopt -u nocasematch
 }
diff --git a/tasks/main.yml b/tasks/main.yml
index 0ecfe1e..4775220 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -168,6 +168,7 @@
 wireguard__combos: '{{ groups[wireguard_inventory_group]|d([]) | difference([inventory_hostname]) | product([inventory_hostname]) | map("sort") | map("join", ",") | list }}'
 tags:
 - wg-config
+ - test
 - debug:
 msg: '{{ wireguard__combos }}'
@@ -183,6 +184,29 @@
 tags:
 - wg-config
+- block:
+ - name: Read WireGuard PSK files from Ansible controller
+ slurp:
+ src: '{{ wireguard__secret_directory + "/" + item + ".psk" }}'
+ delegate_to: "localhost"
+ loop: '{{ wireguard__combos }}'
+ register: wireguard__register_private_key
+ - name:
+ set_fact:
+ wireguard__fact_psks: |-
+ {% set fact = {} %}
+ {% for result in wireguard__register_private_key.results %}
+ {% set _ = fact.update({
+ (result['item'].split(",") | difference([inventory_hostname]) | first): (result['content'] | b64decode).strip(),
+ }) %}
+ {% endfor %}
+ {{ fact }}
+ - debug:
+ var: wireguard__fact_psks
+ when: wireguard__secret_authority == "ansible_controller"
+ tags: test
+
 - name: Download PSKs
 copy:
 src: '{{ wireguard__secret_directory + "/" + item + ".psk" }}'
diff --git a/templates/etc/wireguard/wg.conf.j2 b/templates/etc/wireguard/wg.conf.j2
index e53b70b..4bfda49 100644
--- a/templates/etc/wireguard/wg.conf.j2
+++ b/templates/etc/wireguard/wg.conf.j2
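Review bot: Moving `WG_CONFIG+="$line"$'\n'` above the injection gives the expected PublicKey-then-PresharedKey order, but the injection still fires on every PublicKey whose value has an entry in `peer_pubkey_to_psk`, even when the same [Peer] section of `$CONFIG_FILE` already carries its own PresharedKey line, so WG_CONFIG can end up with two PresharedKey entries for one peer and which of them wg(8) honours is not obvious to a reader. If that case can occur with this role's configs, either skip the injection when the section already has one or document the precedence with a comment such as `# PSK from peer_pubkey_to_psk is appended right after PublicKey; a PresharedKey already in the file is kept as well`. The start of parse_options, including where `peer_pubkey_to_psk` and `interface_section` are maintained, lies before this hunk, so the loop may already exclude that case.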
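Review bot: The `- debug:` task with `var: wireguard__fact_psks` prints every peer's pre-shared key to the Ansible output, and the `slurp` and `set_fact` tasks before it will also expose the PSK contents in verbose runs and callback logs because neither sets `no_log`. Remove the debug task before this is merged and add `no_log: true` to the other two, e.g. after `register: wireguard__register_private_key` and under the `set_fact` task. The second task also has an empty `- name:`, and `wireguard__register_private_key` holds slurped PSK files rather than a private key, so a name like `wireguard__register_psk_files` would read better. The `tags: test` on the block and the `- test` tag added in the hunk at line 168 look like leftover debugging tags.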
@@ -60,6 +60,9 @@ SaveConfig = true
 [Peer]
 # {{ host }}
 PublicKey = {{ hostvars[host].wireguard__fact_public_key }}
+{% if wireguard__key_templating == 'inline' and host in wireguard__fact_psks %}
+PresharedKey = {{ wireguard__fact_psks[host] }}
+{% endif %}
 {% if hostvars[host].wireguard_allowed_ips|d() %}
 AllowedIPs = {{ hostvars[host].wireguard_allowed_ips }}
 {% else %}
@@ -93,7 +96,7 @@ Endpoint = {{ host }}:{{ wireguard_port }}
 {% if wireguard_unmanaged_peers is defined %}
 # Peers not managed by Ansible from "wireguard_unmanaged_peers" variable
-{% for peer in wireguard_unmanaged_peers.keys() %}
+{% for peer in wireguard_unmanaged_peers.keys() %}
 [Peer]
 # {{ peer }}
 PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }}
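Review bot: `host in wireguard__fact_psks` references a fact that the new block in tasks/main.yml only sets when `wireguard__secret_authority == "ansible_controller"`, so a host with `wireguard__key_templating == 'inline'` and a different authority fails to render on an undefined variable instead of simply omitting the line; a default makes the condition safe, `{% if wireguard__key_templating == 'inline' and host in wireguard__fact_psks|d({}) %}`. The defaults of both variables are outside this diff, so this may not be reachable in practice, but the guard costs nothing. With PresharedKey values now rendered inline, the task that writes wg.conf (also outside this diff) should be checked to keep a restrictive file mode. The second hunk changes only whitespace on the `{% for %}` line.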