From 603718458db96a53f64ad554bfb1eb727c8278dd Mon Sep 17 00:00:00 2001
From: sonny
Date: Tue, 28 Dec 2021 12:28:55 +0100
Subject: [PATCH] Use seperate preshared keys for each peer
---
 files/wireguard/preshared-desktop.key | 7 +++++++
 .../{preshared.key => preshared-laptop.key} | 0
 tasks/network.yml | 14 ++++++++++----
 templates/network/wg0.netdev.j2 | 2 +-
 vars/vpn.yml | 5 ++++-
 5 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 files/wireguard/preshared-desktop.key
 rename files/wireguard/{preshared.key => preshared-laptop.key} (100%)
diff --git a/files/wireguard/preshared-desktop.key b/files/wireguard/preshared-desktop.key
new file mode 100644
index 0000000..c65bc49
--- /dev/null
+++ b/files/wireguard/preshared-desktop.key
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+31633763303266383136656238396431613933313235333363323665643630373330623038646561
+6634626539313834393432383836306664393431336636640a303231643335396233333766333336
+65623531306232643661346465373334316364373138633239393432346636646332613166396364
+3262656238336265660a383138646333643034366262623139363466626439356233353063343461
+65393564663935633932326365393232303336626435643365353832616333646365316330326362
+3938346634383630323439323530386561343562363334313333
diff --git a/files/wireguard/preshared.key b/files/wireguard/preshared-laptop.key
similarity index 100%
rename from files/wireguard/preshared.key
rename to files/wireguard/preshared-laptop.key
diff --git a/tasks/network.yml b/tasks/network.yml
index 66e80ae..29d2741 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -55,10 +55,16 @@ src: 'files/wireguard/server.key', dest: '{{ vpn_server_key_path }}', } - - { - src: 'files/wireguard/preshared.key', - dest: '{{ vpn_preshared_path }}', - } + +- name: copy wireguard preshared keys + become: true + copy: + src: '{{ item.preshared_key_source_path }}' + dest: '{{ item.preshared_key_path }}' + owner: root + group: systemd-network + mode: '0640' + loop: '{{ vpn_peers }}' - name: restart systemd-networkd become: true diff --git a/templates/network/wg0.netdev.j2 b/templates/network/wg0.netdev.j2 index 2f357b5..9a831cd 100644 --- a/templates/network/wg0.netdev.j2 +++ b/templates/network/wg0.netdev.j2 @@ -12,7 +12,7 @@ PrivateKeyFile={{ vpn_server_key_path }} {% for peer in vpn_peers %} [WireGuardPeer] PublicKey={{ peer.public_key }} -PresharedKeyFile={{ vpn_preshared_path }} +PresharedKeyFile={{ peer.preshared_key_path }} AllowedIPs={{ peer.ip }}/32 {% if not loop.last %} diff --git a/vars/vpn.yml b/vars/vpn.yml index 9faed18..b3b0f3d 100644 --- a/vars/vpn.yml +++ b/vars/vpn.yml @@ -8,16 +8,19 @@ vpn_destination_range: '10.0.0.1/32' vpn_server_public_key_path: '/etc/wireguard/keys/public/server.pub' vpn_server_key_path: '/etc/wireguard/keys/private/server.key' -vpn_preshared_path: '/etc/wireguard/keys/private/preshared.key' vpn_peers: - { name: 'desktop', ip: '10.0.0.3', public_key: 'izHzmRwh2yzICps6pFI2Bg3TnmTD66/8uH4loJpkuD4=', + preshared_key_path: '/etc/wireguard/keys/private/preshared-desktop.key', + preshared_key_source_path: 'files/wireguard/preshared-desktop.key', } - { name: 'laptop', ip: '10.0.0.2', public_key: 'EbWLf2+7x/RymeeiVuX72nZOBqPvdhu2V9pYhszpQEw=', + preshared_key_path: '/etc/wireguard/keys/private/preshared-laptop.key', + preshared_key_source_path: 'files/wireguard/preshared-laptop.key', }
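Review bot: The new `copy wireguard preshared keys` task can leak decrypted key material into the play output: `copy` auto-decrypts vault-encrypted sources, and as far as I know a `--diff` run prints the changed file content, while a failure echoes the whole loop item. Add `no_log: true` (or at minimum `diff: false`) and `loop_control: label: '{{ item.name }}'` to the task so only the peer name is ever shown. The task that carried the removed `preshared.key` entry starts above the hunk, so I cannot confirm its owner/group/mode match the `root`/`systemd-network`/`0640` chosen here; keep the two consistent so the server key and the peer keys end up with the same permissions. The `restart systemd-networkd` task that follows is also only partly visible, so whether a changed key file actually triggers a reload is outside this hunk.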
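Review bot: The laptop peer's new `preshared_key_source_path` points at `files/wireguard/preshared-laptop.key`, which this patch creates by renaming the old shared `preshared.key` unchanged (100% similarity); that key was previously configured for every peer, so the desktop client presumably still holds a copy of it and the keys are only truly separate once the laptop key is regenerated too. Generate a fresh vault-encrypted key for the laptop, as was done for `preshared-desktop.key`, and roll it out to the laptop client in the same change. As a smaller point, both new paths are derived from `name`, so computing them where they are used (`src: 'files/wireguard/preshared-{{ item.name }}.key'` in the task and `PresharedKeyFile=/etc/wireguard/keys/private/preshared-{{ peer.name }}.key` in the template) would avoid keeping three fields in sync per peer. The list is otherwise only gaining fields, so existing consumers of `vpn_peers` are unaffected.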