fix(wg): improve generation of keypairs
Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
parent
037716df0c
commit
b49b5a3e91
3 changed files with 48 additions and 16 deletions
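--- /dev/null
+++ b/roles/wg/tasks/generate_keypair.yml
@@ -0,0 +1,20 @@
+---
+- name: Generate private key
+  ansible.builtin.command:
+    cmd: wg genkey
+  changed_when: false
+  check_mode: false
+  register: _generated_private_key
+
+- name: Derive public key
+  ansible.builtin.command:
+    cmd: wg pubkey
+    stdin: "{{ _generated_private_key.stdout }}"
+  changed_when: false
+  check_mode: false
+  register: _derived_public_key
+
+- name: Set key/pair facts
+  ansible.builtin.set_fact:
+    wg_private_key: _generated_private_key.stdout
+    wg_public_key: _derived_public_key.stdout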
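Review bot: `Set key/pair facts` stores the literal strings `_generated_private_key.stdout` and `_derived_public_key.stdout` rather than the command output, because the two values are plain scalars, not Jinja expressions; they should read `wg_private_key: "{{ _generated_private_key.stdout }}"` and `wg_public_key: "{{ _derived_public_key.stdout }}"`, otherwise the key files written later contain those variable names instead of keys. The registered result of `Generate private key` and the `stdin` of `Derive public key` both carry the private key, so it appears in verbose output and callback logs; `no_log: true` on those two tasks keeps it out. A one-line comment under `---`, such as `# Included by the role only when /etc/wireguard/private.key is absent; sets wg_private_key / wg_public_key`, would document that the file is not idempotent on its own (both commands run every time because of `changed_when: false`).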
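--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -3,25 +3,36 @@
   ansible.builtin.include_tasks: install.yml
   tags: install
 
-- name: Generate private key
-  ansible.builtin.shell:
-    cmd: |
-      set -e -o pipefail
-      umask 077
-      wg genkey | tee private.key | wg pubkey > public.key
+- name: Check for existence of private key
+  ansible.builtin.stat:
+    path: /etc/wireguard/private.key
+  register: _private_key_stat
 
-    chdir: /etc/wireguard
-    creates: /etc/wireguard/private.key
-  when: wg_generate_keypair
+- name: Generate keypair
+  ansible.builtin.include_tasks: tasks/generate_keypair.yml
+  when: not _private_key_stat.exists
 
-- name: Get public key
-  ansible.builtin.command: cat /etc/wireguard/public.key
-  register: public_key
-  changed_when: False
+- name: Save private key
+  ansible.builtin.template:
+    src: templates/keyfile.j2
+    dest: /etc/wireguard/private.key
+    owner: root
+    group: root
+    mode: 0700
+  vars:
+    key: "{{ wg_private_key }}"
+  when: not _private_key_stat.exists
 
-- name: Set public key fact
-  ansible.builtin.set_fact:
-    public_key: "{{ public_key.stdout }}"
+- name: Save public key
+  ansible.builtin.template:
+    src: templates/keyfile.j2
+    dest: /etc/wireguard/public.key
+    owner: root
+    group: root
+    mode: 0700
+  vars:
+    key: "{{ wg_public_key }}"
+  when: not _private_key_stat.exists
 
 - name: Set dns_command for co-openSUSE
   ansible.builtin.set_fact: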
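Review bot: `Save private key` renders the private key through `vars` with no `no_log`, so the key is printed in `--diff` output and in the task result on failure; add `no_log: true` to that task. `mode: 0700` on both template tasks is a bare YAML octal (flagged by ansible-lint as risky-octal; it only works because the parser yields 448 and Ansible accepts the int), and the execute bit is not needed on a key file — write `mode: "0600"` for the private key and `mode: "0644"` for the public key. The removed `when: wg_generate_keypair` switch has no replacement, so a keypair is now always generated when `/etc/wireguard/private.key` is absent, and on hosts that already have a key neither `wg_private_key` nor `wg_public_key` is set, whereas the removed `Set public key fact` task set `public_key` unconditionally; any later task that reads the public key fact (the rest of the file is outside the hunk) would be undefined on those hosts. Also `stdin` to `wg pubkey` and the `key` variable here both hold secret material, so the new-file hunk's two `register` tasks want `no_log: true` for the same reason.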
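--- /dev/null
+++ b/roles/wg/templates/keyfile.j2
@@ -0,0 +1 @@
+{{ key }}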