Updated wireguard role

progmaticltd · Apr 27, 2024 · 1b75281 · 1b75281
1 parent b61df3a
commit 1b75281
Show file tree

Hide file tree

Showing 9 changed files with 22 additions and 13 deletions.
diff --git a/playbooks/install-version.yml b/playbooks/install-version.yml
@@ -4,7 +4,6 @@
   hosts: homebox
   vars:
     debug: '{{ debug | default(system.debug) }}'
-    hide_secrets: '{{ hide_secrets | default(not system.devel) }}'
     backup_directory: '{{ playbook_dir }}/../backup/{{ network.domain }}/'
   vars_files:
     - '{{ playbook_dir }}/../config/defaults/common-security.yml'

diff --git a/playbooks/install.yml b/playbooks/install.yml
@@ -17,7 +17,7 @@
   hosts: homebox
   vars:
     debug: '{{ debug | default(system.debug) }}'
-    hide_secrets: '{{ hide_secrets | default(not system.devel) }}'
+    hide_secrets: true
     backup_directory: '{{ playbook_dir }}/../backup/{{ network.domain }}/'
   vars_files:
     - '{{ playbook_dir }}/../config/defaults/common-security.yml'

diff --git a/playbooks/uninstall.yml b/playbooks/uninstall.yml
@@ -13,7 +13,7 @@
       set_fact:
         roles_list: '{{ lookup("env", "ROLE").split(",") }}'
 
-- name: Run the install tasks for each role
+- name: Run the uninstall tasks for each role
   hosts: homebox
   vars:
     debug: '{{ system.debug }}'

diff --git a/roles/vpn-wireguard/tasks/install/facts.yml b/roles/vpn-wireguard/tasks/install/facts.yml
@@ -17,6 +17,12 @@
       {{ first_user_id_cmd.stdout | int - 1 | int }}
   tags: facts
 
+- name: Display wireguard configuration
+  debug:
+    var: wireguard
+    verbosity: 2
+  tags: facts
+
 # Basic implementation of RFC 4193 (https://en.wikipedia.org/wiki/Unique_local_address)
 - name: Get the date
   ansible.builtin.set_fact:

diff --git a/roles/vpn-wireguard/tasks/install/main.yml b/roles/vpn-wireguard/tasks/install/main.yml
@@ -1,9 +1,5 @@
 ---
 
-- name: Load the server’s keys
-  ansible.builtin.include_tasks: restore/main.yml
-  tags: restore
-
 - name: Set the facts
   ansible.builtin.include_tasks: install/facts.yml
   tags: facts

diff --git a/roles/vpn-wireguard/tasks/install/server-keys.yml b/roles/vpn-wireguard/tasks/install/server-keys.yml
@@ -11,23 +11,25 @@
   register: genkey_cmd
   ansible.builtin.shell: >-
     set -o pipefail;
+    umask 077;
     wg genkey | tee private-key
     | wg pubkey >public-key
   args:
-    creates: /etc/wireguard/public-key
+    creates: private-key
     chdir: /etc/wireguard
     executable: /bin/bash
   tags: keys
 
 - name: Load the private key previously generated
-  no_log: '{{ hide_secrets }}'
   tags: keys
   block:
     - name: Dump private key
+      no_log: '{{ hide_secrets }}'
       register: slurp_private_key
       ansible.builtin.slurp:
         src: /etc/wireguard/private-key
     - name: Remember the private key
+      no_log: '{{ hide_secrets }}'
       ansible.builtin.set_fact:
         server_private_key: '{{ slurp_private_key["content"] | b64decode | trim }}'
 

diff --git a/roles/vpn-wireguard/tasks/install/users-keys.yml b/roles/vpn-wireguard/tasks/install/users-keys.yml
@@ -49,6 +49,7 @@
   no_log: '{{ hide_secrets }}'
   ansible.builtin.shell: >-
     set -o pipefail;
+    umask 077;
     wg genkey | tee private-key
     | wg pubkey > public-key
   args:
@@ -72,10 +73,12 @@
   tags: users, keys
   block:
     - name: Dump the user’s private key
+      no_log: '{{ hide_secrets }}'
       register: slurp_private_key
       ansible.builtin.slurp:
         src: /home/archives/{{ user.uid }}/files/vpn/{{ config.name }}/private-key
     - name: Remember the user’s private key
+      no_log: '{{ hide_secrets }}'
       ansible.builtin.set_fact:
         private_key: '{{ slurp_private_key["content"] | b64decode | trim }}'
 
@@ -89,7 +92,9 @@
 
 - name: Create a pre-shared key
   no_log: '{{ hide_secrets }}'
-  ansible.builtin.shell: wg genpsk >pre-shared-key
+  ansible.builtin.shell: >-
+    umask 077;
+    wg genpsk >pre-shared-key
   args:
     chdir: /home/archives/{{ user.uid }}/files/vpn/{{ config.name }}/
     creates: pre-shared-key
@@ -104,14 +109,15 @@
   tags: users, keys
 
 - name: Load the pre-shared key previously generated
-  no_log: '{{ hide_secrets }}'
   tags: users, keys
   block:
     - name: Dump the user pre-shared key
+      no_log: '{{ hide_secrets }}'
       register: slurp_pre_shared_key
       ansible.builtin.slurp:
         src: /home/archives/{{ user.uid }}/files/vpn/{{ config.name }}/pre-shared-key
     - name: Remember the user pre-shared key
+      no_log: '{{ hide_secrets }}'
       ansible.builtin.set_fact:
         user_pre_shared_key: '{{ slurp_pre_shared_key["content"] | b64decode | trim }}'
 

diff --git a/roles/vpn-wireguard/templates/users/basic.conf b/roles/vpn-wireguard/templates/users/basic.conf
@@ -14,4 +14,4 @@ PublicKey = {{ server_public_key }}
 PresharedKey = {{ user_pre_shared_key }}
 AllowedIPs = {{ wireguard.network.ipv4_address }}, {{ wireguard.network.ipv6_address }}
 Endpoint = vpn.{{ network.domain }}:{{ wireguard.network.port }}
-PersistentKeepalive = {{ wireguard.network.keep_live }}
+PersistentKeepalive = {{ wireguard.network.keep_alive }}
diff --git a/roles/vpn-wireguard/templates/users/enforce.conf b/roles/vpn-wireguard/templates/users/enforce.conf
@@ -11,4 +11,4 @@ PublicKey = {{ server_public_key }}
 PresharedKey = {{ user_pre_shared_key }}
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = vpn.{{ network.domain }}:{{ wireguard.network.port }}
-PersistentKeepalive = 15
+PersistentKeepalive = {{ wireguard.network.keep_alive }}