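---
# Add a WireGuard client to the wg0 server:
#   1. discover the gateway address and refuse to overwrite an existing client,
#   2. allocate the next /32 after the highest peer address in wg0.conf,
#   3. generate the client keypair on the server,
#   4. append a [Peer] block to wg0.conf,
#   5. render the client config from templates/client.conf.j2,
#   6. zip it, fetch it to the controller and print a QR code,
#   7. hot-reload wg0, falling back to a service restart.
#
# Input: the CLIENT_NAME environment variable on the controller. It is used as
# a file name and as a command argument, so it is validated against a strict
# character set before anything else runs.
- hosts: servers
  become: true
  gather_facts: true
  vars:
    wireguard_port: 51820
    wireguard_mtu: 1280
    client_name: "{{ lookup('env', 'CLIENT_NAME') }}"
  tasks:
    - name: Validate client_name variable
      # client_name is interpolated into paths under /etc/wireguard and into
      # command arguments below; rejecting '/', '..', whitespace and shell
      # metacharacters here keeps those uses safe.
      assert:
        that:
          - client_name is defined
          - client_name != ''
          - client_name is match('^[A-Za-z0-9_-]+$')
        fail_msg: "The 'client_name' variable must be set to a name matching ^[A-Za-z0-9_-]+$. Usage: make vpn-client-add"

    # --- 1. Network & Config Discovery ---
    - name: Get WireGuard interface config
      command: wg show wg0
      register: wg_show
      changed_when: false
      failed_when: false  # rc is inspected by the next task

    - name: Fail if WireGuard is not running
      fail:
        msg: "WireGuard (wg0) is not running. Please run 'make vpn-server-setup' first."
      when: wg_show.rc != 0

    - name: Get WireGuard IP from interface
      # grep -o exits non-zero when wg0 has no IPv4 address, which fails the
      # play here rather than later inside ipmath.
      shell: ip -4 addr show wg0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'
      register: wg_ip_result
      changed_when: false

    - name: Set WireGuard Gateway IP
      set_fact:
        # Take the first address only; a multi-line stdout would break ipmath.
        wireguard_gateway_ip: "{{ wg_ip_result.stdout_lines | first }}"

    - name: Check if client configuration already exists
      stat:
        path: "/etc/wireguard/{{ client_name }}.conf"
      register: client_conf

    - name: Fail if client configuration already exists
      fail:
        msg: "Client configuration for {{ client_name }} already exists!"
      when: client_conf.stat.exists

    # --- 2. IP Allocation Strategy ---
    - name: Get list of used IPs from wg0.conf
      # Peer entries look like 'AllowedIPs = 10.x.y.z/32'. Splitting on '=' and
      # '/' yields the bare address (with a leading space, trimmed below);
      # '/24' entries are dropped so only single-host peers are considered.
      # An empty result (no peers yet) is not an error.
      shell: |
        grep 'AllowedIPs' /etc/wireguard/wg0.conf | grep -v '/24' | awk -F '[=/]' '{print $2}' | sort -V | tail -n1
      register: last_used_ip
      changed_when: false
      failed_when: false

    - name: Calculate next IP (First Client)
      set_fact:
        client_address: "{{ wireguard_gateway_ip | ansible.utils.ipmath(1) }}/32"
      when: last_used_ip.stdout | length == 0

    - name: Calculate next IP (Subsequent Clients)
      set_fact:
        client_address: "{{ (last_used_ip.stdout | trim | regex_replace('/32', '')) | ansible.utils.ipmath(1) }}/32"
      when: last_used_ip.stdout | length > 0

    - name: Display assigned IP
      debug:
        msg: "Assigning IP {{ client_address }} to {{ client_name }}"

    # --- 3. Key Generation ---
    - name: Generate client private key
      command: wg genkey
      register: client_private_key
      changed_when: false
      no_log: true

    - name: Derive client public key
      # The private key is passed on stdin instead of a shell 'echo' so it never
      # appears on a process command line (visible in ps and audit logs).
      command:
        cmd: wg pubkey
        stdin: "{{ client_private_key.stdout }}"
      register: client_public_key
      changed_when: false
      no_log: true

    - name: Derive server public key from file
      shell: wg pubkey < /etc/wireguard/privatekey
      register: server_public_key
      changed_when: false
      no_log: true

    # --- 4. Server Configuration Update ---
    - name: Check if client peer exists in wg0.conf
      # -F: the key is base64 and may contain characters grep treats as regex syntax.
      command: grep -qF '{{ client_public_key.stdout }}' /etc/wireguard/wg0.conf
      register: client_in_config
      failed_when: false  # rc != 0 simply means "not present yet"
      changed_when: false

    - name: Add client peer to WireGuard server config
      blockinfile:
        path: /etc/wireguard/wg0.conf
        marker: "# {mark} ANSIBLE MANAGED BLOCK FOR {{ client_name }}"
        block: |
          [Peer]
          # {{ client_name }}
          PublicKey = {{ client_public_key.stdout }}
          AllowedIPs = {{ client_address }}
      register: server_config_updated
      when: client_in_config.rc != 0

    # --- 5. Client Configuration Generation ---
    - name: Generate client configuration file
      template:
        src: templates/client.conf.j2
        dest: "/etc/wireguard/{{ client_name }}.conf"
        owner: root
        group: root
        mode: '0600'

    # --- 6. Packaging & Delivery ---
    - name: Ensure packaging tools are installed
      # zip is needed by the next task; qrencode by the QR code step.
      package:
        name:
          - zip
          - qrencode
        state: present

    - name: Zip the client configuration
      command:
        cmd: zip {{ client_name }}.zip {{ client_name }}.conf
        chdir: /etc/wireguard
      changed_when: false

    - name: Restrict permissions on the zipped configuration
      # The archive contains the client's private key; zip creates it with the
      # default umask, so tighten it to root-only like the .conf itself.
      file:
        path: "/etc/wireguard/{{ client_name }}.zip"
        owner: root
        group: root
        mode: '0600'

    - name: Fetch the zipped client configuration
      fetch:
        src: "/etc/wireguard/{{ client_name }}.zip"
        dest: "./"
        flat: true

    - name: Generate QR code
      # -r reads the config from a file, so no shell redirection is needed.
      command: qrencode -t ansiutf8 -r /etc/wireguard/{{ client_name }}.conf
      register: qr_code
      changed_when: false

    - name: Display QR code
      debug:
        msg: "{{ qr_code.stdout_lines }}"
      run_once: true

    # --- 7. Service Reload (Robust Block/Rescue) ---
    - name: Reload WireGuard Configuration
      block:
        - name: Attempt hot reload (syncconf)
          # Process substitution requires bash; syncconf applies the new peer
          # without dropping existing tunnels.
          shell: wg syncconf wg0 <(wg-quick strip wg0)
          args:
            executable: /bin/bash
          when: server_config_updated is changed
      rescue:
        - name: Fallback to hard restart
          systemd:
            name: wg-quick@wg0
            state: restarted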