diff --git a/ansible/roles/wireguard/tasks/main.yaml b/ansible/roles/wireguard/tasks/main.yaml
index f9d05dd..985742b 100644
--- a/ansible/roles/wireguard/tasks/main.yaml
+++ b/ansible/roles/wireguard/tasks/main.yaml
@@ -84,6 +84,33 @@
   register: phone_public_key
   changed_when: false
 
+# --- Mac keypair ---
+- name: Check if mac private key exists
+  stat:
+    path: /etc/wireguard/mac.key
+  register: mac_key_stat
+
+- name: Generate mac private key
+  shell: wg genkey > /etc/wireguard/mac.key
+  when: not mac_key_stat.stat.exists
+
+- name: Set permissions on mac private key
+  file:
+    path: /etc/wireguard/mac.key
+    mode: "0600"
+    owner: root
+    group: root
+
+- name: Read mac private key
+  slurp:
+    src: /etc/wireguard/mac.key
+  register: mac_private_key
+
+- name: Derive mac public key
+  shell: wg pubkey < /etc/wireguard/mac.key
+  register: mac_public_key
+  changed_when: false
+
 # --- Server config ---
 - name: Write wg0.conf
   template:
@@ -120,6 +147,34 @@
       AllowedIPs = 192.168.7.0/24, 10.10.0.0/24
       PersistentKeepalive = 25
 
+# --- Mac client config ---
+- name: Write mac client config
+  copy:
+    dest: /etc/wireguard/mac-client.conf
+    mode: "0600"
+    owner: root
+    group: root
+    content: |
+      [Interface]
+      PrivateKey = {{ mac_private_key.content | b64decode | trim }}
+      Address = 10.10.0.3/32
+      DNS = 192.168.7.77
+
+      [Peer]
+      PublicKey = {{ server_public_key.stdout }}
+      Endpoint = {{ wireguard_endpoint }}:51820
+      AllowedIPs = 192.168.7.0/24, 10.10.0.0/24
+      PersistentKeepalive = 25
+
+- name: Display mac client config
+  shell: cat /etc/wireguard/mac-client.conf
+  register: mac_conf
+  changed_when: false
+
+- name: Show mac client config
+  debug:
+    msg: "{{ mac_conf.stdout_lines }}"
+
 - name: Generate QR code for phone
   shell: qrencode -t ansiutf8 < /etc/wireguard/phone-client.conf
   register: phone_qr
diff --git a/ansible/roles/wireguard/templates/wg0.conf.j2 b/ansible/roles/wireguard/templates/wg0.conf.j2
index dd05a0e..f47d083 100644
--- a/ansible/roles/wireguard/templates/wg0.conf.j2
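Review bot: `Generate mac private key` creates the key file through a plain shell redirection, so until `Set permissions on mac private key` runs the file has whatever mode the default umask gives it and the private key is briefly readable by other local users. Create it restrictively in the same step, `shell: umask 077 && wg genkey > /etc/wireguard/mac.key`, and the separate stat task can be dropped in favour of `args: creates: /etc/wireguard/mac.key`, which also makes the step idempotent without the `when:`. `Read mac private key` registers the base64 key material in `mac_private_key`, which verbose runs print along with every other registered result; add `no_log: true` to that task. If the phone keypair tasks above the hunk follow the same shape, which I cannot see from here, they have the same two issues.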
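Review bot: `Write mac client config` embeds the client's private key in `content:`, which Ansible prints in `--diff` and verbose output whenever the file changes, and `Display mac client config` plus `Show mac client config` then echo the complete file, private key included, to controller stdout and any CI log that captures it. Add `no_log: true` to the copy task (accepting that it hides the task's failure details), and gate the two display tasks behind an explicit opt-in, e.g. `when: wireguard_show_client_config | default(false)` (constructed variable name), so the key is only printed when an operator asks for it. The `shell: cat` step can also be replaced by `slurp:` to avoid a shell for a plain file read. The phone QR task at the end of the hunk prints the phone key the same way; I raise it here once.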
+++ b/ansible/roles/wireguard/templates/wg0.conf.j2
@@ -8,4 +8,9 @@ PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j A
 [Peer]
 # Phone
 PublicKey = {{ phone_public_key.stdout }}
-AllowedIPs = 10.10.0.2/32
\ No newline at end of file
+AllowedIPs = 10.10.0.2/32
+
+[Peer]
+# Mac
+PublicKey = {{ mac_public_key.stdout }}
+AllowedIPs = 10.10.0.3/32
\ No newline at end of file
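Review bot: The new `[Peer]` stanza is a verbatim copy of the phone one differing only in comment, key variable and address, and the file still ends without a trailing newline, which is why `\ No newline at end of file` appears on both sides of the hunk. Rendering peers from a list, `{% for peer in wireguard_peers %}` (constructed variable name), would keep this template and the per-client tasks in `tasks/main.yaml` in step as clients are added, and a closing newline stops the marker from recurring on every future change to the file's last line.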