fix(wg): improve generation of keypairs

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2024-11-20 18:13:02 +01:00
parent 037716df0c
commit b49b5a3e91
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
3 changed files with 48 additions and 16 deletions


@ -0,0 +1,20 @@
---
- name: Generate private key
ansible.builtin.command:
cmd: wg genkey
changed_when: false
check_mode: false
register: _generated_private_key
- name: Derive public key
ansible.builtin.command:
cmd: wg pubkey
stdin: "{{ _generated_private_key.stdout }}"
changed_when: false
check_mode: false
register: _derived_public_key
- name: Set key/pair facts
ansible.builtin.set_fact:
wg_private_key: _generated_private_key.stdout
wg_public_key: _derived_public_key.stdout
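Review bot: The two `set_fact` values in the last task are plain YAML strings, not Jinja expressions, so `wg_private_key` ends up holding the literal text `_generated_private_key.stdout` rather than the generated key; they need to be `wg_private_key: "{{ _generated_private_key.stdout }}"` and `wg_public_key: "{{ _derived_public_key.stdout }}"`. Both registered command results and the resulting fact contain the private key and are printed in verbose (`-v`/`-vvv`) task output, so each of the three tasks should also carry `no_log: true`. The hunk header announces 20 added lines while 18 are rendered here, so a couple of blank separator lines were presumably dropped by the page.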


@ -3,25 +3,36 @@
ansible.builtin.include_tasks: install.yml ansible.builtin.include_tasks: install.yml
tags: install tags: install
- name: Generate private key - name: Check for existence of private key
ansible.builtin.shell: ansible.builtin.stat:
cmd: | path: /etc/wireguard/private.key
set -e -o pipefail register: _private_key_stat
umask 077
wg genkey | tee private.key | wg pubkey > public.key
chdir: /etc/wireguard - name: Generate keypair
creates: /etc/wireguard/private.key ansible.builtin.include_tasks: tasks/generate_keypair.yml
when: wg_generate_keypair when: not _private_key_stat.exists
- name: Get public key - name: Save private key
ansible.builtin.command: cat /etc/wireguard/public.key ansible.builtin.template:
register: public_key src: templates/keyfile.j2
changed_when: False dest: /etc/wireguard/private.key
owner: root
group: root
mode: 0700
vars:
key: "{{ wg_private_key }}"
when: not _private_key_stat.exists
- name: Set public key fact - name: Save public key
ansible.builtin.set_fact: ansible.builtin.template:
public_key: "{{ public_key.stdout }}" src: templates/keyfile.j2
dest: /etc/wireguard/public.key
owner: root
group: root
mode: 0700
vars:
key: "{{ wg_public_key }}"
when: not _private_key_stat.exists
- name: Set dns_command for co-openSUSE - name: Set dns_command for co-openSUSE
ansible.builtin.set_fact: ansible.builtin.set_fact:
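Review bot: `wg_public_key` is now only set inside the `when: not _private_key_stat.exists` branch, while the previous unconditional `Get public key` / `Set public key fact` tasks are removed, so on any host where `/etc/wireguard/private.key` already exists (every run after the first) the fact is undefined for whatever later tasks in main.yml consume it — those tasks are outside this hunk, so the impact is inferred from the removed lines. Reading the existing `public.key` back in the other branch restores that, as sketched below. Separately, the `Save private key` template task prints the rendered file in `--diff` mode and verbose output, so it should carry `no_log: true` (or at least `diff: false`), and `mode: 0700` grants an execute bit a key file has no use for — the quoted string `mode: "0600"` matches what the old `umask 077` produced and avoids the octal-literal ambiguity. Dropping the old `when: wg_generate_keypair` guard also means hosts that previously opted out now get a fresh keypair on first run; if that variable is still documented for the role, that is a behavior change worth calling out.

```yaml
# … unchanged: Check for existence / Generate keypair / Save private key / Save public key tasks …

- name: Read existing public key
  ansible.builtin.slurp:
    src: /etc/wireguard/public.key
  register: _existing_public_key
  when: _private_key_stat.exists

- name: Set public key fact from existing key
  ansible.builtin.set_fact:
    wg_public_key: "{{ (_existing_public_key.content | b64decode) | trim }}"
  when: _private_key_stat.exists
```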


@ -0,0 +1 @@
{{ key }}