diff --git a/playbooks/install-version.yml b/playbooks/install-version.yml
index 8dbecb36..1a663087 100644
--- a/playbooks/install-version.yml
+++ b/playbooks/install-version.yml
@@ -4,7 +4,6 @@
 hosts: homebox
 vars:
 debug: '{{ debug | default(system.debug) }}'
- hide_secrets: '{{ hide_secrets | default(not system.devel) }}'
 backup_directory: '{{ playbook_dir }}/../backup/{{ network.domain }}/'
 vars_files:
 - '{{ playbook_dir }}/../config/defaults/common-security.yml'
diff --git a/playbooks/install.yml b/playbooks/install.yml
index b65d258e..c2d6f2a0 100644
--- a/playbooks/install.yml
+++ b/playbooks/install.yml
@@ -17,7 +17,7 @@
 hosts: homebox
 vars:
 debug: '{{ debug | default(system.debug) }}'
- hide_secrets: '{{ hide_secrets | default(not system.devel) }}'
+ hide_secrets: true
 backup_directory: '{{ playbook_dir }}/../backup/{{ network.domain }}/'
 vars_files:
 - '{{ playbook_dir }}/../config/defaults/common-security.yml'
diff --git a/playbooks/uninstall.yml b/playbooks/uninstall.yml
index 87eb6d96..38be0d00 100644
--- a/playbooks/uninstall.yml
+++ b/playbooks/uninstall.yml
@@ -13,7 +13,7 @@
 set_fact:
 roles_list: '{{ lookup("env", "ROLE").split(",") }}'
-- name: Run the install tasks for each role
+- name: Run the uninstall tasks for each role
 hosts: homebox
 vars:
 debug: '{{ system.debug }}'
diff --git a/roles/vpn-wireguard/tasks/install/facts.yml b/roles/vpn-wireguard/tasks/install/facts.yml
index 414c7582..6ee5f21d 100644
--- a/roles/vpn-wireguard/tasks/install/facts.yml
+++ b/roles/vpn-wireguard/tasks/install/facts.yml
@@ -17,6 +17,12 @@
 {{ first_user_id_cmd.stdout | int - 1 | int }}
 tags: facts
+- name: Display wireguard configuration
+ debug:
+ var: wireguard
+ verbosity: 2
+ tags: facts
+
 # Basic implementation of RFC 4193 (https://en.wikipedia.org/wiki/Unique_local_address)
 - name: Get the date
 ansible.builtin.set_fact:
diff --git a/roles/vpn-wireguard/tasks/install/main.yml b/roles/vpn-wireguard/tasks/install/main.yml
index ede07bc8..4d969f4c 100644
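Review bot: After this hunk the play in install-version.yml defines no `hide_secrets` at all, while the matching play in install.yml below is given `hide_secrets: true`; the role tasks touched by this same commit still evaluate `no_log: '{{ hide_secrets }}'`, so unless a vars file such as common-security.yml supplies the variable (not visible here) those tasks will fail with an undefined-variable error when install-version.yml runs. If the intent is the same safe default everywhere, add `hide_secrets: true` to this play as well, or keep a `'{{ hide_secrets | default(true) }}'` form so an extra var can still relax it for debugging, since extra vars take precedence over play vars anyway. The play's header is outside the hunk.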
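Review bot: The new `Display wireguard configuration` task in facts.yml uses the bare `debug:` module name while the rest of this file uses fully-qualified names such as `ansible.builtin.set_fact`; write it as `ansible.builtin.debug:` for consistency. It also prints the whole `wireguard` dictionary at `-vv`, output that is routinely captured by CI and terminal logs; from the templates in this commit the dictionary appears to hold only network settings (`ipv4_address`, `ipv6_address`, `port`, `keep_alive`), but if it ever carries key material the dump bypasses `hide_secrets`, so consider narrowing it to `var: wireguard.network` or documenting that the dict must stay secret-free. The surrounding task list continues outside the hunk.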
--- a/roles/vpn-wireguard/tasks/install/main.yml
+++ b/roles/vpn-wireguard/tasks/install/main.yml
@@ -1,9 +1,5 @@
 ---
-- name: Load the server’s keys
- ansible.builtin.include_tasks: restore/main.yml
- tags: restore
-
 - name: Set the facts
 ansible.builtin.include_tasks: install/facts.yml
 tags: facts
diff --git a/roles/vpn-wireguard/tasks/install/server-keys.yml b/roles/vpn-wireguard/tasks/install/server-keys.yml
index 4e81907d..dd18aa11 100644
--- a/roles/vpn-wireguard/tasks/install/server-keys.yml
+++ b/roles/vpn-wireguard/tasks/install/server-keys.yml
@@ -11,23 +11,25 @@
 register: genkey_cmd
 ansible.builtin.shell: >-
 set -o pipefail;
+ umask 077;
 wg genkey | tee private-key | wg pubkey >public-key
 args:
- creates: /etc/wireguard/public-key
+ creates: private-key
 chdir: /etc/wireguard
 executable: /bin/bash
 tags: keys
 - name: Load the private key previously generated
- no_log: '{{ hide_secrets }}'
 tags: keys
 block:
 - name: Dump private key
+ no_log: '{{ hide_secrets }}'
 register: slurp_private_key
 ansible.builtin.slurp:
 src: /etc/wireguard/private-key
 - name: Remember the private key
+ no_log: '{{ hide_secrets }}'
 ansible.builtin.set_fact:
 server_private_key: '{{ slurp_private_key["content"] | b64decode | trim }}'
diff --git a/roles/vpn-wireguard/tasks/install/users-keys.yml b/roles/vpn-wireguard/tasks/install/users-keys.yml
index 657d8375..19fe1d3a 100644
--- a/roles/vpn-wireguard/tasks/install/users-keys.yml
+++ b/roles/vpn-wireguard/tasks/install/users-keys.yml
@@ -49,6 +49,7 @@
 no_log: '{{ hide_secrets }}'
 ansible.builtin.shell: >-
 set -o pipefail;
+ umask 077;
 wg genkey | tee private-key | wg pubkey > public-key
 args:
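Review bot: Changing the guard to `creates: private-key` in server-keys.yml weakens the idempotency of the key-generation task: `tee private-key` writes the private key before `wg pubkey` runs, so if the pipeline fails after that point (which `set -o pipefail` does report) the next run skips the task and the host is left with a private key but no `public-key`; keeping `creates: public-key` (the last file the pipeline writes), or generating into a temporary name and renaming only at the end, avoids that state. Separately, `umask 077` only governs files created by this run; on hosts where `private-key` already exists from an earlier run the task is skipped by `creates`, so the mode of an existing key file is never tightened unless a later `ansible.builtin.file` task with `mode: "0600"` does it, which is not visible in this hunk. The same umask caveat applies to the users-keys.yml hunks at `@@ -49,6 +49,7 @@` and `@@ -89,7 +92,9 @@`.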
@@ -72,10 +73,12 @@
 tags: users, keys
 block:
 - name: Dump the user’s private key
+ no_log: '{{ hide_secrets }}'
 register: slurp_private_key
 ansible.builtin.slurp:
 src: /home/archives/{{ user.uid }}/files/vpn/{{ config.name }}/private-key
 - name: Remember the user’s private key
+ no_log: '{{ hide_secrets }}'
 ansible.builtin.set_fact:
 private_key: '{{ slurp_private_key["content"] | b64decode | trim }}'
@@ -89,7 +92,9 @@
 - name: Create a pre-shared key
 no_log: '{{ hide_secrets }}'
- ansible.builtin.shell: wg genpsk >pre-shared-key
+ ansible.builtin.shell: >-
+ umask 077;
+ wg genpsk >pre-shared-key
 args:
 chdir: /home/archives/{{ user.uid }}/files/vpn/{{ config.name }}/
 creates: pre-shared-key
@@ -104,14 +109,15 @@
 tags: users, keys
 - name: Load the pre-shared key previously generated
- no_log: '{{ hide_secrets }}'
 tags: users, keys
 block:
 - name: Dump the user pre-shared key
+ no_log: '{{ hide_secrets }}'
 register: slurp_pre_shared_key
 ansible.builtin.slurp:
 src: /home/archives/{{ user.uid }}/files/vpn/{{ config.name }}/pre-shared-key
 - name: Remember the user pre-shared key
+ no_log: '{{ hide_secrets }}'
 ansible.builtin.set_fact:
 user_pre_shared_key: '{{ slurp_pre_shared_key["content"] | b64decode | trim }}'
diff --git a/roles/vpn-wireguard/templates/users/basic.conf b/roles/vpn-wireguard/templates/users/basic.conf
index 77953567..f2a4e393 100644
--- a/roles/vpn-wireguard/templates/users/basic.conf
+++ b/roles/vpn-wireguard/templates/users/basic.conf
@@ -14,4 +14,4 @@
 PublicKey = {{ server_public_key }}
 PresharedKey = {{ user_pre_shared_key }}
 AllowedIPs = {{ wireguard.network.ipv4_address }}, {{ wireguard.network.ipv6_address }}
 Endpoint = vpn.{{ network.domain }}:{{ wireguard.network.port }}
-PersistentKeepalive = {{ wireguard.network.keep_live }}
+PersistentKeepalive = {{ wireguard.network.keep_alive }}
diff --git a/roles/vpn-wireguard/templates/users/enforce.conf b/roles/vpn-wireguard/templates/users/enforce.conf
index 2584bd92..f076fc8c 100644
--- a/roles/vpn-wireguard/templates/users/enforce.conf
+++ b/roles/vpn-wireguard/templates/users/enforce.conf
@@ -11,4 +11,4 @@
 PublicKey = {{ server_public_key }}
 PresharedKey = {{ user_pre_shared_key }}
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = vpn.{{ network.domain }}:{{ wireguard.network.port }}
-PersistentKeepalive = 15
\ No newline at end of file
+PersistentKeepalive = {{ wireguard.network.keep_alive }}