diff --git a/wireguard/tasks/main.yml b/wireguard/tasks/main.yml
index 62da7ca2dfdab949669056bbb492cf81c9a17033..9f5ccc62bb4a53c49a10d3dbd932c69c16db109f 100644
--- a/wireguard/tasks/main.yml
+++ b/wireguard/tasks/main.yml
@@ -5,7 +5,7 @@
 - name: ensure we have a private key
   shell:
-    cmd: "wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"
+    cmd: "umask 077 && wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"
     chdir: /etc/wireguard
     creates: "/etc/wireguard/{{ item.key }}.key"
   with_dict: "{{ wireguard_interfaces }}"
@@ -13,6 +13,14 @@
     - restart wireguard
   no_log: true
 
+- name: ensure the key is not accessible to users
+  file:
+    path: "/etc/wireguard/{{ item.key }}.key"
+    owner: root
+    group: root
+    mode: '0600'
+  with_dict: "{{ wireguard_interfaces }}"
+
 - name: get the pubkey
   slurp:
     src: "/etc/wireguard/{{ item.key }}.pub"
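Review bot: The `creates:` guard in this task still keys on the `.key` file that `tee` opens before `wg pubkey` has succeeded, so a failed first run (for example `wg` not on PATH) can leave an empty `{{ item.key }}.key` that blocks regeneration on every later run, and the pipeline's exit status is only that of its last stage. Writing to a temporary name and renaming only after both steps succeed avoids both problems: `cmd: "umask 077 && wg genkey > {{ item.key }}.key.tmp && wg pubkey < {{ item.key }}.key.tmp > {{ item.key }}.pub && mv {{ item.key }}.key.tmp {{ item.key }}.key"`. The interface name from `wireguard_interfaces` is interpolated unquoted into the shell line; `{{ item.key | quote }}` keeps an unusual name from being parsed as shell syntax. Because of `creates:`, the new `umask 077` only protects keys generated after this change and does nothing for keys already present on existing hosts. The task's `notify` and `no_log` lines fall outside this hunk.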
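Review bot: The new `file` task corrects the mode of `.key` files that already exist, but nothing records that those files may have been created readable by other local users under the previous command and default umask; a comment above the task such as `# keys created before the umask fix may have been readable by other local users since creation; consider rotating them` would make that visible to whoever applies this role. The `.pub` file is not covered by this task, which is harmless for a public key, and the mode of `/etc/wireguard` itself is not visible in this hunk, so I cannot tell whether the directory already restricts listing. Consider giving the task `tags` consistent with the generation task if the role uses them elsewhere; none are visible here.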