From e3f03edf3f68842912819d372e76707401f4a74f Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Sun, 13 Oct 2024 22:27:27 -0400
Subject: [PATCH] Use file-based preshared keys for WireGuard - Include proxy role in standard Docker playbook
---
 playbooks/docker.yml | 1 +
 roles/base/tasks/wireguard.yml | 22 ++++++++++++++++++++++
 roles/base/templates/wireguard.j2 | 19 ++++++++++++++++++-
 3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/playbooks/docker.yml b/playbooks/docker.yml
index 08f8ec1..3ca5a56 100644
--- a/playbooks/docker.yml
+++ b/playbooks/docker.yml
@@ -4,4 +4,5 @@
 roles:
 - base
 - jenkins
+ - proxy
 - docker
diff --git a/roles/base/tasks/wireguard.yml b/roles/base/tasks/wireguard.yml
index 6f58d08..f31fbfc 100644
--- a/roles/base/tasks/wireguard.yml
+++ b/roles/base/tasks/wireguard.yml
@@ -18,6 +18,28 @@
 src: /etc/wireguard/privatekey
 register: wgkey
 
+- name: Check if WireGuard preshared key file exists
+ ansible.builtin.stat:
+ path: /etc/wireguard/presharedkey-{{ item.name }}
+ loop: "{{ wireguard.peers }}"
+ loop_control:
+ label: "{{ item.name }}"
+ register: presharedkey_files
+
+- name: Grab WireGuard preshared key for configuration
+ ansible.builtin.slurp:
+ src: /etc/wireguard/presharedkey-{{ item.item.name }}
+ register: wgshared
+ loop: "{{ presharedkey_files.results }}"
+ loop_control:
+ label: "{{ item.item.name }}"
+ when: item.stat.exists
+
+- name: Grab WireGuard private key for configuration
+ ansible.builtin.slurp:
+ src: /etc/wireguard/privatekey
+ register: wgkey
+
 - name: Install WireGuard configuration
 ansible.builtin.template:
 src: wireguard.j2
diff --git a/roles/base/templates/wireguard.j2 b/roles/base/templates/wireguard.j2
index 5f866aa..70bccf8 100644
--- a/roles/base/templates/wireguard.j2
+++ b/roles/base/templates/wireguard.j2
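Review bot: The new `Grab WireGuard preshared key for configuration` slurp registers base64-encoded key material in `wgshared`, and neither it nor the re-added private-key slurp sets `no_log`, so a `-v` run, `log_path`, or any logging callback records the keys; `loop_control.label` only shortens the per-item label, not the registered result. Add `no_log: true` to both slurp tasks. The third added task re-reads `/etc/wireguard/privatekey` into `wgkey`, which the task whose `src: /etc/wireguard/privatekey` / `register: wgkey` lines open this hunk's context already does (that task's header is above the hunk), so one of the two should go. `path: /etc/wireguard/presharedkey-{{ item.name }}` makes `name` mandatory for every entry of `wireguard.peers`, which appears to contradict the `{% if peer.name is defined %}` guard this commit adds to `wireguard.j2`; either document `name` as required and drop the guard, or skip nameless peers in both loops (`when: item.name is defined` on the stat task, and `when: item.stat.exists | default(false)` on the slurp so skipped items do not fault).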
@@ -1,4 +1,6 @@
-[Interface]
+# {{ ansible_managed }}
+
+[Interface] # {{ ansible_hostname }}
 PrivateKey = {{ wgkey['content'] | b64decode | trim }}
 Address = {{ wireguard.address }}
 {% if wireguard.listenport is defined %}
@@ -6,10 +8,25 @@ ListenPort = {{ wireguard.listenport }}
 {% endif %}
 {% for peer in wireguard.peers %}
+{% if peer.name is defined %}
+[Peer] # {{ peer.name }}
+{% else %}
 [Peer]
+{% endif %}
 PublicKey = {{ peer.publickey }}
 {% if peer.presharedkey is defined %}
 PresharedKey = {{ peer.presharedkey }}
+{% else %}
+{% set preshared_key = (
+ wgshared.results
+ | selectattr('item.item.name', 'equalto', peer.name)
+ | first
+ ).content
+ | default(none)
+%}
+{% if preshared_key is not none %}
+PresharedKey = {{ preshared_key | b64decode | trim }}
+{% endif %}
 {% endif %}
 {% if peer.endpoint is defined %}
 Endpoint = {{ peer.endpoint }}