@richm
Created December 15, 2020 22:46
I used the following inventory:
```yaml
all:
  hosts:
    host1.local:
    host2.local:
    host3.local:
    host4.local:
  vars:
    # Two PSK tunnels; host2 and host3 belong to both, so each pair gets a
    # separate key per tunnel.
    vpn_connections:
      - auth_method: psk
        hosts:
          host1.local:
          host2.local:
          host3.local:
      - auth_method: psk
        hosts:
          host2.local:
          host3.local:
          host4.local:
```
with the following playbook:
```yaml
- hosts: all
  gather_facts: false
  tasks:
    # Generate every PSK exactly once, on a single host, so both ends of a
    # tunnel receive the same secret.  The 'lines' lookup runs openssl on the
    # controller, not on the managed host.
    - name: generate psks on first host
      when: inventory_hostname == hostvars.keys() | first
      set_fact:
        vpnpsks: |
          {% set vpnpsks = {} %}
          {% for tunnel in vpn_connections | d([]) %}
          {% set vpnidx = loop.index0 %}
          {% if tunnel.auth_method == 'psk' %}
          {% set _ = vpnpsks.__setitem__(vpnidx, {}) %}
          {# one key per unordered pair of hosts in this tunnel #}
          {% for host1, host2 in tunnel.hosts.keys() | combinations(2) %}
          {% if not host1 in vpnpsks[vpnidx] %}
          {% set _ = vpnpsks[vpnidx].__setitem__(host1, {}) %}
          {% endif %}
          {% if not host2 in vpnpsks[vpnidx] %}
          {% set _ = vpnpsks[vpnidx].__setitem__(host2, {}) %}
          {% endif %}
          {# 48 random bytes, base64 encoded (64 characters) #}
          {% set psk = lookup('lines', 'openssl rand -base64 48') %}
          {% set val = {'pre_shared_key':psk} %}
          {# store the same value under both directions of the pair #}
          {% set _ = vpnpsks[vpnidx][host1].__setitem__(host2, val) %}
          {% set _ = vpnpsks[vpnidx][host2].__setitem__(host1, val) %}
          {% endfor %}
          {% endif %}
          {% endfor %}
          {{ vpnpsks }}
    # Copy the table from the first host's facts to every other host.
    - name: set psks for all hosts
      set_fact:
        vpnpsks: "{{ hostvars[hostvars.keys() | first]['vpnpsks'] }}"
      when: inventory_hostname != hostvars.keys() | first
    # Prints every PSK to the play output; for anything beyond a test, drop
    # this task or mark it no_log: true.
    - name: show it
      debug:
        msg: vpnpsks {{ vpnpsks | to_nice_json }}
    # Each host lists only the keys it needs: its own entry in each tunnel
    # it belongs to, one line per peer.
    - name: use psks
      debug:
        msg: |
          {% for tunnel in vpn_connections | d([]) %}
          {% set vpnidx = loop.index0 %}
          {% if tunnel.hosts and tunnel.auth_method == 'psk' %}
          tunnel {{ vpnidx }}
          {% for host, val in tunnel.hosts.items() %}
          {% if host == inventory_hostname %}
          {% for otherhost, otherval in vpnpsks[vpnidx][host].items() %}
          {{ host }} to {{ otherhost }} : PSK {{ otherval['pre_shared_key'] }}
          {% endfor %}
          {% endif %}
          {% endfor %}
          {% endif %}
          {% endfor %}
```
I get the following output:
```text
TASK [use psks] ****************************************************************
task path: /home/rmeggins/linux-system-roles/vpn/tests/psk-generate.yml:113
ok: [host1.local] => {}
MSG:
tunnel 0
host1.local to host2.local : PSK ++/Pcf15UNG2wQAvwjZ6qxhpnxJWsJRPhiouk9W2sfoejGD3NRPtmY47EzcYJWaX
host1.local to host3.local : PSK Kea4GrIH5FcZxCTy2J7QwbRLKIuiv8NIm0X/hvtEbE64xdiHXBfATN1A/ANnVZof
tunnel 1
ok: [host4.local] => {}
MSG:
tunnel 0
tunnel 1
host4.local to host2.local : PSK omf6JGnGyjlexXUfMsXfOxfJgYw4Vr8PxBay4c8ywK42cEVDwv3VxGdx4pVW0Tt9
host4.local to host3.local : PSK 4m7wdvGrwPYVDDP97beOPBKO4YvranvKwPCJsdqyjnJtrK2wvEqyQ6r1bpEWo+Do
ok: [host3.local] => {}
MSG:
tunnel 0
host3.local to host1.local : PSK Kea4GrIH5FcZxCTy2J7QwbRLKIuiv8NIm0X/hvtEbE64xdiHXBfATN1A/ANnVZof
host3.local to host2.local : PSK 9DurooXu8u4p4SknUW6ncNFznsGzrxe9kN5mRrUK3oRjgh7nXCh9Bbl55sIOre32
tunnel 1
host3.local to host2.local : PSK WLtfs8kIlGl3VZxL8csR3KUYwOC80Cxb8DJfk0EQuR0/oq2vWU396TYrJe4bFMW9
host3.local to host4.local : PSK 4m7wdvGrwPYVDDP97beOPBKO4YvranvKwPCJsdqyjnJtrK2wvEqyQ6r1bpEWo+Do
ok: [host2.local] => {}
MSG:
tunnel 0
host2.local to host1.local : PSK ++/Pcf15UNG2wQAvwjZ6qxhpnxJWsJRPhiouk9W2sfoejGD3NRPtmY47EzcYJWaX
host2.local to host3.local : PSK 9DurooXu8u4p4SknUW6ncNFznsGzrxe9kN5mRrUK3oRjgh7nXCh9Bbl55sIOre32
tunnel 1
host2.local to host3.local : PSK WLtfs8kIlGl3VZxL8csR3KUYwOC80Cxb8DJfk0EQuR0/oq2vWU396TYrJe4bFMW9
host2.local to host4.local : PSK omf6JGnGyjlexXUfMsXfOxfJgYw4Vr8PxBay4c8ywK42cEVDwv3VxGdx4pVW0Tt9
```
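The pairing logic from the playbook, rewritten below as a stand-alone Python example that is not part of the gist. It builds the same `{tunnel index: {host: {peer: {'pre_shared_key': ...}}}}` table from a constructed copy of the inventory's `vpn_connections`, with `itertools.combinations` standing in for Ansible's `combinations` filter and `secrets.token_bytes(48)` for `openssl rand -base64 48`, and then checks the two properties the play relies on: both ends of a pair hold the same key, and a host only sees keys for the tunnels it belongs to. The function names (`generate_psks`, `psks_for_host`, `check_symmetric`) are mine, not Ansible's or the vpn role's.

```python
import base64
import secrets
from itertools import combinations

# Constructed copy of the inventory's vpn_connections variable from the gist.
VPN_CONNECTIONS = [
    {"auth_method": "psk",
     "hosts": {"host1.local": None, "host2.local": None, "host3.local": None}},
    {"auth_method": "psk",
     "hosts": {"host2.local": None, "host3.local": None, "host4.local": None}},
]


def new_psk(nbytes=48):
    """48 bytes from the OS CSPRNG, base64 encoded: same shape (64 printable
    characters) as the `openssl rand -base64 48` the playbook shells out to."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def generate_psks(vpn_connections, keygen=new_psk):
    """Build {tunnel_index: {host: {peer: {'pre_shared_key': psk}}}}.

    One key per unordered host pair per tunnel, stored under both directions
    so each side configures the same secret.  Tunnels whose auth_method is
    not 'psk' get no entry, matching the playbook's condition.  keygen is
    injectable only so the structure can be tested deterministically.
    """
    vpnpsks = {}
    for idx, tunnel in enumerate(vpn_connections):
        if tunnel.get("auth_method") != "psk":
            continue
        table = vpnpsks.setdefault(idx, {})
        for host1, host2 in combinations(tunnel["hosts"].keys(), 2):
            entry = {"pre_shared_key": keygen()}
            table.setdefault(host1, {})[host2] = entry
            table.setdefault(host2, {})[host1] = entry
    return vpnpsks


def psks_for_host(vpnpsks, vpn_connections, hostname):
    """What the 'use psks' task prints for one host, as (tunnel, peer, psk).

    A tunnel with a single host has no pairs, so .get() keeps that case from
    raising instead of yielding nothing.
    """
    out = []
    for idx, tunnel in enumerate(vpn_connections):
        if tunnel.get("auth_method") != "psk" or hostname not in tunnel["hosts"]:
            continue
        for peer, val in vpnpsks[idx].get(hostname, {}).items():
            out.append((idx, peer, val["pre_shared_key"]))
    return out


def check_symmetric(vpnpsks):
    """True when every pair agrees on its key in both directions and no host
    has a key to itself."""
    for table in vpnpsks.values():
        for host, peers in table.items():
            for peer, val in peers.items():
                if peer == host:
                    return False
                if table[peer][host]["pre_shared_key"] != val["pre_shared_key"]:
                    return False
    return True


if __name__ == "__main__":
    psks = generate_psks(VPN_CONNECTIONS)
    assert check_symmetric(psks)
    for host in ("host1.local", "host2.local", "host3.local", "host4.local"):
        for idx, peer, psk in psks_for_host(psks, VPN_CONNECTIONS, host):
            print(f"tunnel {idx}: {host} to {peer} : PSK {psk}")
```

Running it prints the same per-host listing the `use psks` task produces, with fresh keys on every run; `check_symmetric` is the assertion worth keeping if the generation ever moves out of Jinja, since a table where `psks[i][a][b]` and `psks[i][b][a]` drift apart fails silently until the tunnel refuses to come up.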