From ffb5a1f737d1a77db43697bf10067c284eee4b3a Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Fri, 1 Jun 2018 17:06:03 +0300
Subject: [PATCH] WireGuard: disable SaveConfig, update-users fix (#985)

- Disables SaveConfig. SaveConfig totally breaks the idea of configuration management and it breaks update-users
- WireGuard update-users fix. Mentioned in https://github.com/trailofbits/algo/issues/980#issuecomment-393720561
---
 roles/wireguard/templates/server.conf.j2 | 2 +-
 users.yml                                | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/wireguard/templates/server.conf.j2 b/roles/wireguard/templates/server.conf.j2
index 3f9f45d..17b388f 100644
--- a/roles/wireguard/templates/server.conf.j2
+++ b/roles/wireguard/templates/server.conf.j2
@@ -4,7 +4,7 @@ Address = {{ wireguard_network_ipv4['subnet'] }}/{{ wireguard_network_ipv4['pref
 
 ListenPort = {{ wireguard_port }}
 PrivateKey = {{ lookup('file', wireguard_config_path + '/private/' + IP_subject_alt_name) }}
-SaveConfig = true
+SaveConfig = false
 Table = off
 
 {% for u in users %}
diff --git a/users.yml b/users.yml
index 46a2d79..f60cbb3 100644
--- a/users.yml
+++ b/users.yml
@@ -55,6 +55,7 @@
 
   roles:
     - { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
+    - { role: wireguard, tags: [ 'vpn', 'wireguard' ], when: wireguard_enabled }
     - { role: vpn }
 
   post_tasks: