From ee456757edfe77fc5004567b0e70ee88bcde612c Mon Sep 17 00:00:00 2001
From: Joonas Kuorilehto
Date: Tue, 15 Sep 2020 22:58:04 +0300
Subject: [PATCH] Add support for unmanaged WireGuard peers (#63)

* Add support for unmanaged WireGuard peers

Add variable wireguard_extra_peer_config that is raw WireGuard configuration appended to the peers section. Value is a string containing arbitrary wg-quick syntax.

This closes #41, and closes #45.

* update CHANGELOG (#63)

* Change unmanaged peers to dictionary instead of string

Based on review comment by @j8r in #63.

* README: update preshared_key example

Update wireguard_unmanaged_peers example for preshared_key. Make it a comment to highlight it is optional and should probably be handled like other secrets.

* Clean up jinja2 syntax

Based on review comments.

* Remove unneeded if of required public_key

The public_key is required for a wireguard peer so remove the if from wireguard_unmanaged_peers public_key. The effect is that it is a syntax error from Ansible rather than failing config validation when the config has already been written and fails to load.
---
 CHANGELOG.md         |  6 +++++-
 README.md            |  7 +++++++
 templates/wg.conf.j2 | 23 ++++++++++++++++++++++-
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 07484dd..01d8ee6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,14 @@ Changelog --------- +**7.1.0** + +- Add support for unmanaged peers with `wireguard_unmanaged_peers` (contribution by @joneskoo) + **7.0.0** - Switched to install from ELRepo KMOD package for CentOS (see https://www.wireguard.com/install/). This change may break installation for systems with custom kernels. The role previously supported custom kernel implicitly because it was using DKMS package (contribution by @elcomtik) - + Role removes DKMS wireguard package, however it doesn't remove jdoss-wireguard-epel-7 repository. If you don't need this repository, do cleanup by: * remove `/etc/yum.repos.d/wireguard.repo` diff --git a/README.md b/README.md index 1c4297d..a1c4fc1 100644 --- a/README.md +++ b/README.md @@ -95,6 +95,13 @@ wireguard_postup: wireguard_postdown: - ... wireguard_save_config: "true" +wireguard_unmanaged_peers: + client.example.com: + public_key: 5zsSBeZZ8P9pQaaJvY9RbELQulcwC5VBXaZ93egzOlI= + # preshared_key: ... e.g. from ansible-vault? + allowed_ips: 10.0.0.3/32 + endpoint: client.example.com:51820 + persistent_keepalive: 0 ``` `wireguard_(preup|predown|postup|postdown)` are specified as lists. Here are two examples: diff --git a/templates/wg.conf.j2 b/templates/wg.conf.j2 index 0ab144b..7fd8229 100644 --- a/templates/wg.conf.j2 +++ b/templates/wg.conf.j2 @@ -41,7 +41,7 @@ SaveConfig = true {% endif %} {% for host in ansible_play_hosts %} {% if host != inventory_hostname %} - + [Peer] # {{ host }} PublicKey = {{hostvars[host].public_key}} 
@@ -68,3 +68,24 @@ SaveConfig = true {% endif %} {% endif %} {% endfor %} +{% if wireguard_unmanaged_peers is defined %} + + # Peers not managed by ansible from wireguard_unmanaged_peers + {% for peer in wireguard_unmanaged_peers.keys() %} + [Peer] + # {{ peer }} + PublicKey = {{ wireguard_unmanaged_peers[peer].public_key }} + {% if wireguard_unmanaged_peers[peer].preshared_key is defined %} + PresharedKey = {{ wireguard_unmanaged_peers[peer].preshared_key }} + {% endif %} + {% if wireguard_unmanaged_peers[peer].allowed_ips is defined %} + AllowedIPs = {{ wireguard_unmanaged_peers[peer].allowed_ips }} + {% endif %} + {% if wireguard_unmanaged_peers[peer].endpoint is defined %} + Endpoint = {{ wireguard_unmanaged_peers[peer].endpoint }} + {% endif %} + {% if wireguard_unmanaged_peers[peer].persistent_keepalive is defined %} + PersistentKeepalive = {{ wireguard_unmanaged_peers[peer].persistent_keepalive }} + {% endif %} + {% endfor %} +{% endif %}
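Review bot: in the CHANGELOG hunk, the 7.1.0 entry names the new variable but not its shape; since this PR changed `wireguard_unmanaged_peers` from a raw string to a dictionary keyed by peer name, say so in the bullet (or point at the README section) so that anyone who saw the earlier string form does not carry it over. The `- `/`+ Role removes DKMS wireguard package ...` pair further down is a whitespace-only re-add of an existing 7.0.0 line and is unrelated to this change; harmless, but worth a word in the commit message so it does not read as an accidental edit.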
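Review bot: the README hunk does not say which keys of a `wireguard_unmanaged_peers` entry are required. The template makes `public_key` mandatory (an undefined value now fails the Ansible run, per the commit message) and treats `preshared_key`, `allowed_ips`, `endpoint` and `persistent_keepalive` as optional, so state that beside the example. Two more things a reader of this example needs: `allowed_ips` is copied verbatim into `AllowedIPs`, which WireGuard uses both as the route for traffic sent to that peer and as the source-address filter for packets received from it, so a broad value such as `0.0.0.0/0` hands the peer the default route, and several prefixes must be given as one comma-separated string because the template emits a single line; and `persistent_keepalive: 0` is the default (keepalives off), so a short comment there avoids readers copying it as an "enable keepalive" setting.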
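Review bot: the first `templates/wg.conf.j2` hunk (`@@ -41,7 +41,7 @@`) removes and re-adds the blank line before `[Peer]` with, as far as the diff shows, only a whitespace difference; it is unrelated to the feature. Fine to keep, but mention the trailing-whitespace cleanup in the commit message so it is not mistaken for a functional change to the managed-peer block.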
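Review bot: in the second `templates/wg.conf.j2` hunk the new block is indented two spaces inside `{% if wireguard_unmanaged_peers is defined %}`, unlike the unindented `{% for host in ansible_play_hosts %}` block just above it. With Ansible's template defaults (`trim_blocks` on, `lstrip_blocks` off) the leading spaces of every `[Peer]`, `# {{ peer }}`, `PublicKey = ...` line and of each `{% if %}`/`{% endif %}` line are rendered into the generated config; the WireGuard parsers tolerate that, but it makes the file inconsistent with the managed-peer section and noisy to diff. Either dedent to match the rest of the template or use `{%- ... -%}` whitespace control. Two smaller points: `{% for peer in wireguard_unmanaged_peers.keys() %}` followed by repeated `wireguard_unmanaged_peers[peer].x` lookups reads more simply as `{% for name, peer in wireguard_unmanaged_peers.items() %}` with `peer.public_key` and `{{ name }}` in the comment; and because `allowed_ips` is optional here, a peer defined without it is written with no `AllowedIPs` line, which loads but can exchange no traffic at all, so a comment in the template (or the README) saying that `allowed_ips` is effectively required for a usable peer would save users a confusing debugging session.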