Adding preshared key support (#1465)

* adding preshared key generation

* adding preshared folder

* Update client.conf.j2

adding preshared key options

* adding preshared keys to server template

* making sure private preshared is right

* making sure preshared keygen working for main.yml

* changing private to preshared for name

* changing to preshared dir instead of public

roles/wireguard/tasks/keys.yml

@@ -38,6 +38,45 @@
       - "{{ IP_subject_alt_name }}"
   when: wg_genkey.changed
 
+- name: Delete the preshared lock files
+  file:
+    dest: "{{ config_prefix|default('/') }}etc/wireguard/preshared_{{ item }}.lock"
+    state: absent
+  when: keys_clean_all|bool
+  with_items:
+    - "{{ users }}"
+    - "{{ IP_subject_alt_name }}"
+
+- name: Generate preshared keys
+  command: wg genpsk
+  register: wg_genpsk
+  args:
+    creates: "{{ config_prefix|default('/') }}etc/wireguard/preshared_{{ item }}.lock"
+  with_items:
+    - "{{ users }}"
+    - "{{ IP_subject_alt_name }}"
+
+- block:
+  - name: Save preshared keys
+    copy:
+      dest: "{{ wireguard_pki_path }}/preshared/{{ item['item'] }}"
+      content: "{{ item['stdout'] }}"
+      mode: "0600"
+    no_log: true
+    when: item.changed
+    with_items: "{{ wg_genpsk['results'] }}"
+    delegate_to: localhost
+    become: false
+
+  - name: Touch the preshared lock file
+    file:
+      dest: "{{ config_prefix|default('/') }}etc/wireguard/preshared_{{ item }}.lock"
+      state: touch
+    with_items:
+      - "{{ users }}"
+      - "{{ IP_subject_alt_name }}"
+  when: wg_genpsk.changed
+
 - name: Generate public keys
   shell: |
     set -o pipefail

roles/wireguard/tasks/main.yml

@@ -7,6 +7,7 @@
   with_items:
     - private
     - public
+    - preshared
   delegate_to: localhost
   become: false
 

roles/wireguard/templates/client.conf.j2

@@ -7,6 +7,7 @@ DNS = {{ wireguard_dns_servers }}
 
 [Peer]
 PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + IP_subject_alt_name) }}
+PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + item.1) }}
 AllowedIPs = 0.0.0.0/0{{ ', ::/0'  if ipv6_support else '' }}
 Endpoint = {{ IP_subject_alt_name }}:{{ wireguard_port }}
 {{ 'PersistentKeepalive = ' + wireguard_PersistentKeepalive|string if wireguard_PersistentKeepalive > 0 else '' }}

roles/wireguard/templates/server.conf.j2

@@ -11,6 +11,7 @@ SaveConfig = false
 [Peer]
 # {{ u }}
 PublicKey = {{ lookup('file', wireguard_pki_path + '/public/' + u) }}
+PresharedKey = {{ lookup('file', wireguard_pki_path + '/preshared/' + u) }}
 AllowedIPs = {{ wireguard_network_ipv4 | ipaddr(index|int+1) | ipv4('address') }}/32{{ ',' + wireguard_network_ipv6 | ipaddr(index|int+1) | ipv6('address') + '/128' if ipv6_support else '' }}
 {% endif %}
 {% endfor %}