From de39d1e5b2049c1a7927f0dbb8dd41409cce27f7 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Tue, 1 Sep 2020 18:09:16 +0200
Subject: [PATCH] Fix key permissions

---
 wireguard/tasks/main.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/wireguard/tasks/main.yml b/wireguard/tasks/main.yml
index 62da7ca..9f5ccc6 100644
--- a/wireguard/tasks/main.yml
+++ b/wireguard/tasks/main.yml
@@ -5,7 +5,7 @@
 
 - name: ensure we have a private key
   shell:
-    cmd: "wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"
+    cmd: "umask 077 && wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"
     chdir: /etc/wireguard
     creates: "/etc/wireguard/{{ item.key }}.key"
   with_dict: "{{ wireguard_interfaces }}"
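Review bot: With `umask 077` prepended, a failed `wg genkey` still leaves an empty `/etc/wireguard/{{ item.key }}.key` behind, because `tee` and `wg pubkey` run regardless of the first command's status and `creates:` then treats the empty file as a finished key on every later run. The pipeline is executed by `/bin/sh`, so `set -o pipefail` is not portable there; adding `executable: /bin/bash` under `shell:` and changing the command to `cmd: "umask 077 && set -o pipefail && wg genkey | tee {{ item.key }}.key | wg pubkey > {{ item.key }}.pub"` makes the task fail instead of leaving a truncated key. The umask only protects keys generated after this change; the file task in the second hunk is what corrects keys that already exist. The task definition continues past the hunk (its `notify` and `no_log` lines are in the next hunk).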
@@ -13,6 +13,14 @@
     - restart wireguard
   no_log: true
 
+- name: ensure the key is not accessible to users
+  file:
+    path: "/etc/wireguard/{{ item.key }}.key"
+    owner: root
+    group: root
+    mode: '0600'
+  with_dict: "{{ wireguard_interfaces }}"
+
 - name: get the pubkey
   slurp:
     src: "/etc/wireguard/{{ item.key }}.pub"
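Review bot: The new `file` task pins the permissions of the `.key` file only, while the `.pub` file written by the same pipeline now inherits whatever the umask produced — 0600 for keys generated after this change, and presumably the looser default for keys generated before it — so public-key permissions differ between hosts depending on when the key was created. Adding a matching `file` task for `"/etc/wireguard/{{ item.key }}.pub"` with `mode: '0644'` (or `'0600'` if only root should read it) makes that explicit and idempotent. The `get the pubkey` task that follows is cut off at the end of the hunk.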
-- 
GitLab