From 3bf830713f95c89caf736fa144f90ba7b6b8147a Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Sat, 23 May 2020 17:16:25 +0200
Subject: don't retrieve wireguard privkeys in ansible

---
 ansible/roles/network/tasks/main.yml | 4 ----
 ansible/roles/network/templates/wireguard.conf.j2 | 2 +-
 ansible/roles/network/templates/wireguard_external.conf.j2 | 3 ++-
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/ansible/roles/network/tasks/main.yml b/ansible/roles/network/tasks/main.yml
index 59f1d71..28104d0 100644
--- a/ansible/roles/network/tasks/main.yml
+++ b/ansible/roles/network/tasks/main.yml
@@ -43,10 +43,6 @@
 - name: "Secure wireguard private key"
   file: path=/etc/wireguard/privkey mode=0600
 
-- name: "Retrieve wireguard private key"
-  shell: cat /etc/wireguard/privkey
-  register: wireguard_privkey
-
 - name: "Retrieve wireguard public key"
   shell: wg pubkey < /etc/wireguard/privkey
   register: wireguard_pubkey
diff --git a/ansible/roles/network/templates/wireguard.conf.j2 b/ansible/roles/network/templates/wireguard.conf.j2
index 9f70eb9..b4a530c 100644
--- a/ansible/roles/network/templates/wireguard.conf.j2
+++ b/ansible/roles/network/templates/wireguard.conf.j2
@@ -1,6 +1,6 @@
 [Interface]
 Address = {{ vpn_ip }}
-PrivateKey = {{ wireguard_privkey.stdout }}
+PostUp = wg set %i private-key <(cat /etc/wireguard/privkey)
 ListenPort = 51820
 
 {% for selected_host in groups['cluster_nodes']|difference([inventory_hostname]) %}
diff --git a/ansible/roles/network/templates/wireguard_external.conf.j2 b/ansible/roles/network/templates/wireguard_external.conf.j2
index f130ffd..f941446 100644
--- a/ansible/roles/network/templates/wireguard_external.conf.j2
+++ b/ansible/roles/network/templates/wireguard_external.conf.j2
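Review bot: The kept `file: path=/etc/wireguard/privkey mode=0600` task pins the mode but not the owner, so 0600 only protects the key if the file already belongs to root; `file: path=/etc/wireguard/privkey owner=root group=root mode=0600` makes that explicit instead of relying on whoever generated it. The task that creates the key is above this hunk, so its ownership is not visible here. The retained `Retrieve wireguard public key` shell task only reads the file yet will report `changed` on every run; adding `changed_when: false` to it keeps the play summary honest.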
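Review bot: The new `PostUp` line feeds the key through a bash process substitution plus an extra `cat`, but `wg set` takes a file path for `private-key` directly, so `PostUp = wg set %i private-key /etc/wireguard/privkey` does the same job without depending on the hook being executed by bash. The identical line is added in wireguard_external.conf.j2 further down and should get the same change. Since the rendered config no longer embeds the key, the key file's own permissions are now the only thing guarding it, which is presumably why the 0600 task is kept in tasks/main.yml.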
@@ -1,9 +1,10 @@
 # Template configuration file for VPN nodes that are non in the cluster
+# The private key should be stored as /etc/wireguard/privkey
 # External nodes should be registered in network/vars/main.yml
 
 [Interface]
 Address =
-PrivateKey =
+PostUp = wg set %i private-key <(cat /etc/wireguard/privkey)
 ListenPort = 51820
 
 # Cluster nodes
-- 
cgit v1.2.3
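Review bot: The added comment names the key's location but not the protection the cluster role enforces for it in tasks/main.yml, which an operator hand-installing an external node has no other way to learn; extending it to `# The private key should be stored as /etc/wireguard/privkey (root-owned, mode 0600)` closes that gap. The `PostUp` line here can also pass the path directly, `PostUp = wg set %i private-key /etc/wireguard/privkey`, as noted on wireguard.conf.j2.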