fix(wg): improve generation of keypairs

Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
Matej Focko 2024-11-20 18:13:02 +01:00
parent 037716df0c
commit b49b5a3e91
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
3 changed files with 48 additions and 16 deletions


@ -0,0 +1,20 @@
---
- name: Generate private key
ansible.builtin.command:
cmd: wg genkey
changed_when: false
check_mode: false
register: _generated_private_key
- name: Derive public key
ansible.builtin.command:
cmd: wg pubkey
stdin: "{{ _generated_private_key.stdout }}"
changed_when: false
check_mode: false
register: _derived_public_key
- name: Set key/pair facts
ansible.builtin.set_fact:
wg_private_key: _generated_private_key.stdout
wg_public_key: _derived_public_key.stdout
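Review bot: The two set_fact values on the last two lines are plain strings, so wg_private_key is set to the literal text `_generated_private_key.stdout` rather than the generated key; they need Jinja expressions, `wg_private_key: "{{ _generated_private_key.stdout }}"` and `wg_public_key: "{{ _derived_public_key.stdout }}"`. The `wg genkey` task and the set_fact task also handle the private key without `no_log: true`, so the key is printed in task output under -v and reaches any callback or logging plugin; add `no_log: true` to both (the registered variable is still populated). A short comment such as `# check_mode: false so the facts exist for the template tasks that follow` above the first task would explain why both command tasks opt out of check mode.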


@ -3,25 +3,36 @@
ansible.builtin.include_tasks: install.yml
tags: install
- name: Generate private key
ansible.builtin.shell:
cmd: |
set -e -o pipefail
umask 077
wg genkey | tee private.key | wg pubkey > public.key
- name: Check for existence of private key
ansible.builtin.stat:
path: /etc/wireguard/private.key
register: _private_key_stat
chdir: /etc/wireguard
creates: /etc/wireguard/private.key
when: wg_generate_keypair
- name: Generate keypair
ansible.builtin.include_tasks: tasks/generate_keypair.yml
when: not _private_key_stat.exists
- name: Get public key
ansible.builtin.command: cat /etc/wireguard/public.key
register: public_key
changed_when: False
- name: Save private key
ansible.builtin.template:
src: templates/keyfile.j2
dest: /etc/wireguard/private.key
owner: root
group: root
mode: 0700
vars:
key: "{{ wg_private_key }}"
when: not _private_key_stat.exists
- name: Set public key fact
ansible.builtin.set_fact:
public_key: "{{ public_key.stdout }}"
- name: Save public key
ansible.builtin.template:
src: templates/keyfile.j2
dest: /etc/wireguard/public.key
owner: root
group: root
mode: 0700
vars:
key: "{{ wg_public_key }}"
when: not _private_key_stat.exists
- name: Set dns_command for co-openSUSE
ansible.builtin.set_fact:
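Review bot: The `mode: 0700` on both template tasks is an unquoted leading-zero integer, which a YAML 1.1 loader reads as octal 448 and a YAML 1.2 loader as decimal 700; quote it, and for private.key `mode: "0600"` is the conventional value since a key file has no need for the execute bit. The Save private key task renders the key through the template module without `no_log: true`, so a run with --diff or -v prints the private key in the file diff; add `no_log: true` to that task. After this rewrite nothing populates wg_public_key when private.key already exists, because the `cat public.key` task was dropped and the include only runs on first generation, so any later task that references wg_public_key would presumably hit an undefined variable on a second run; reading the existing public.key back (for example with ansible.builtin.slurp) or guarding those references would close that gap. The enclosing task list continues past the hunk.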


@ -0,0 +1 @@
{{ key }}