Adding preshared key support (#1465)

* adding preshared key generation * adding preshared folder * Update client.conf.j2 adding preshared key options * adding preshared keys to server template * making sure private preshared is right * making sure preshared keygen working for main.yml * changing private to preshared for name * changing to preshared dir instead of public
2025-06-05 22:54:01 +02:00 · 2019-06-05 02:31:16 -04:00 · 2019-06-05 02:31:16 -04:00 · 146cbc71ce
commit 146cbc71ce
parent ac6b543134
4 changed files with 42 additions and 0 deletions
--- a/roles/wireguard/tasks/keys.yml
+++ b/roles/wireguard/tasks/keys.yml
@ -38,6 +38,45 @@
      - "{{ IP_subject_alt_name }}"
  when: wg_genkey.changed

+- name: Delete the preshared lock files
+  file:
+    dest: "{{ config_prefix|default('/') }}etc/wireguard/preshared_{{ item }}.lock"
+    state: absent
+  when: keys_clean_all|bool
+  with_items:
+    - "{{ users }}"
+    - "{{ IP_subject_alt_name }}"
+
+- name: Generate preshared keys
+  command: wg genpsk
+  register: wg_genpsk
+  args:
+    creates: "{{ config_prefix|default('/') }}etc/wireguard/preshared_{{ item }}.lock"
+  with_items:
+    - "{{ users }}"
+    - "{{ IP_subject_alt_name }}"
+
+- block:
+  - name: Save preshared keys
+    copy:
+      dest: "{{ wireguard_pki_path }}/preshared/{{ item['item'] }}"
+      content: "{{ item['stdout'] }}"
+      mode: "0600"
+    no_log: true
+    when: item.changed
+    with_items: "{{ wg_genpsk['results'] }}"
+    delegate_to: localhost
+    become: false
+
+  - name: Touch the preshared lock file
+    file:
+      dest: "{{ config_prefix|default('/') }}etc/wireguard/preshared_{{ item }}.lock"
+      state: touch
+    with_items:
+      - "{{ users }}"
+      - "{{ IP_subject_alt_name }}"
+  when: wg_genpsk.changed
+
 - name: Generate public keys
  shell: |
    set -o pipefail
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@ -7,6 +7,7 @@
  with_items:
    - private
    - public
+    - preshared
  delegate_to: localhost
  become: false

--- a/roles/wireguard/templates/client.conf.j2
+++ b/roles/wireguard/templates/client.conf.j2
@ -7,6 +7,7 @@ DNS = {{ wireguard_dns_servers }}

 [Peer]
 PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }}
+PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }}
 AllowedIPs = 0.0.0.0/0{{ ', ::/0'  if ipv6_support else '' }}
 Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }}
 {{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }}
--- a/roles/wireguard/templates/server.conf.j2
+++ b/roles/wireguard/templates/server.conf.j2
@ -11,6 +11,7 @@ SaveConfig = false
 [Peer]
 # {{ u }}
 PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + u) }}
+PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + u) }}
 AllowedIPs = {{ wireguard_network_ipv4 | ipaddr(index|int+1) | ipv4('address') }}/32{{ ',' + wireguard_network_ipv6 | ipaddr(index|int+1) | ipv6('address') + '/128' if ipv6_support else '' }}
 {% endif %}
 {% endfor %}