From 481fdcb32c6d855ccfa946fb6481e24955e7de3d Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Fri, 16 Sep 2022 18:44:22 +0200
Subject: [PATCH] Add conf for other host not in play

---
 handlers/main.yml                         | 16 ++++++++++++++++
 tasks/main.yml                            |  1 +
 templates/etc/wireguard/wireguard.conf.j2 | 20 +++++++++++---------
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 4b27f01..d740c59 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,3 +1,19 @@
 ---
 - name: Restart WireGuard
   service: name=wg-quick@{{ wireguard_interface }} state=restarted
+
+- name: syncconf wireguard
+  ansible.builtin.shell: |
+    set -o errexit
+    set -o pipefail
+    set -o nounset
+    systemctl is-active wg-quick@{{ wireguard_interface|quote }} || systemctl start wg-quick@{{ wireguard_interface|quote }}
+    wg syncconf {{ wireguard_interface|quote }} <(wg-quick strip /etc/wireguard/{{ wireguard_interface|quote }}.conf)
+    exit 0
+  args:
+    executable: "/bin/bash"
+# when:
+#   - not wireguard__restart_interface
+#   - not ansible_os_family == 'Darwin'
+#   - wireguard_service_enabled == "yes"
+  listen: "reconfigure wireguard"
diff --git a/tasks/main.yml b/tasks/main.yml
index fd8d3ba..7a4cb53 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -73,6 +73,7 @@
     owner: root
     group: root
     mode: 0644
+    notify: "reconfigure wireguard"
 
 - name: Enable Wireguard service
   service:
diff --git a/templates/etc/wireguard/wireguard.conf.j2 b/templates/etc/wireguard/wireguard.conf.j2
index 620626d..ac42acf 100644
--- a/templates/etc/wireguard/wireguard.conf.j2
+++ b/templates/etc/wireguard/wireguard.conf.j2
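Review bot: The new `syncconf wireguard` handler starts the service unconditionally (`systemctl is-active … || systemctl start …`) whenever the config file changes, and the guard that would limit it is left commented out, so a config push to a host where the tunnel is intentionally stopped, or where `wireguard_service_enabled` is not "yes" (the commented condition suggests the role has such a switch), brings the VPN up as a side effect. Either restore that `when:` or drop the `systemctl start` and let a stopped service fail loudly. Separately, `wg syncconf` fed by `wg-quick strip` applies only PrivateKey, ListenPort, FwMark and the `[Peer]` entries; edits to `Address`, `MTU`, `DNS` or the `PostUp`/`PostDown` firewall-cmd lines seen in the template's hunk header are silently not applied until `Restart WireGuard` runs, and nothing in this patch notifies it. I would document that limitation on the handler: `# syncconf reloads only keys, ListenPort and peers; Address/PostUp/PostDown edits still need "Restart WireGuard"`.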
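Review bot: The template task that now notifies `reconfigure wireguard` writes the interface config with `mode: 0644`; if this is the `/etc/wireguard/<iface>.conf` the handler hands to `wg-quick strip`, it presumably carries the `PrivateKey`, and 0644 leaves that key readable by every local user (`wg-quick` only warns about a world-accessible config, it still loads it). I would set `mode: "0600"`, quoted so the octal is not reinterpreted by YAML. The task's `name:` and module line are outside the hunk, so I am inferring the file from the handler's path.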
@@ -41,28 +41,30 @@ PostDown = firewall-cmd --remove-port {{ wireguard_port }}/udp && firewall-cmd
 {% if wireguard_save_config is defined %}
 SaveConfig = {{ wireguard_save_config }}
 {% endif %}
-{% for host in ansible_play_hosts %}
-{% if host != inventory_hostname %}
+{% for host in groups['Vpn'] | difference([inventory_hostname]) %}
+{% if hostvars[host].wireguard_public_key is defined %}
 [Peer]
 # {{ host }}
 PublicKey = {{ hostvars[host].wireguard_public_key }}
+{% if false %}
 #AllowedIPs = 0.0.0.0/0,::/0
+{% endif %}
 {% if hostvars[host].wireguard_allowed_ips is defined %}
 AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32, {% for wireguard_allowed_ip in hostvars[host].wireguard_allowed_ips %}{{ wireguard_allowed_ip }}{% if not loop.last %}, {% endif %}{% endfor %}
 {% else %}
 AllowedIPs = {{ hostvars[host].wireguard_address.split('/')[0] }}/32
 {% endif %}
-{% if hostvars[host].wireguard_endpoint_ip is defined and hostvars[host].wireguard_endpoint_port is defined %}
+{% if hostvars[host].wireguard_endpoint_ip is defined and hostvars[host].wireguard_endpoint_port is defined %}
 Endpoint = {{ hostvars[host].wireguard_endpoint_ip }}:{{ hostvars[host].wireguard_endpoint_port }}
-{% elif hostvars[host].wireguard_endpoint_ip is defined %}
+{% elif hostvars[host].wireguard_endpoint_ip is defined %}
 Endpoint = {{ hostvars[host].wireguard_endpoint_ip }}:{{ hostvars[host].wireguard_port }}
-{% else %}
+{% else %}
 Endpoint = {{ hostvars[host].ansible_default_ipv4.address }}:{{ wireguard_port }}
-{% endif %}
-{% if hostvars[host].wireguard_persistent_keepalive is defined %}
-PersistentKeepalive = {{hostvars[host].wireguard_persistent_keepalive}}
 {% endif %}
-{% endif %}
+{% if hostvars[host].wireguard_persistent_keepalive is defined %}
+PersistentKeepalive = {{ hostvars[host].wireguard_persistent_keepalive }}
+{% endif %}
+{% endif %}
 {% endfor %}
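Review bot: The `{% else %}` Endpoint fallback dereferences `hostvars[host].ansible_default_ipv4.address`, which for a member of `groups['Vpn']` that is not in the play — the case this commit adds — only exists when fact caching is on, so the template fails with an undefined variable unless every such host sets `wireguard_endpoint_ip`; `hostvars[host].wireguard_address` in the AllowedIPs lines has the same exposure. I would make the fallback `{% elif hostvars[host].ansible_default_ipv4 is defined %}` (a peer without an Endpoint is valid, it just waits for the other side to initiate) or, better, add an `assert` task requiring `wireguard_endpoint_ip` and `wireguard_address` for every host in the group so the failure is explicit. The new `wireguard_public_key is defined` guard drops a peer silently, and with the syncconf handler that removal is applied live; rendering `# {{ host }}: wireguard_public_key undefined, peer skipped` in an `{% else %}` would at least make the loss visible in the file. `groups['Vpn']` hard-codes the group name; a role default such as `wireguard_group` would keep it reusable. The `{% if false %}…{% endif %}` wrapper around the commented AllowedIPs line is dead and should simply be deleted.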