From e8ed2586c90c327b23c8225ee17808f3807f2659 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Thu, 20 Nov 2025 16:03:39 -0700 Subject: [PATCH] Introduce private/{front,gate}-wg0-empty.conf. These files, like private/members-empty.yml, are used if private/{front,gate}-wg0.conf have not been written yet, e.g. by an ./inst client... command. --- README.org | 272 +++++++++++++++++++++-------------- private/front-wg0-empty.conf | 6 + private/gate-wg0-empty.conf | 4 + roles_t/front/tasks/main.yml | 7 +- roles_t/gate/tasks/main.yml | 7 +- 5 files changed, 183 insertions(+), 113 deletions(-) create mode 100644 private/front-wg0-empty.conf create mode 100644 private/gate-wg0-empty.conf diff --git a/README.org b/README.org index 59f487c..8dc1403 100644 --- a/README.org +++ b/README.org 
@@ -2097,14 +2097,92 @@ Front uses WireGuard™ to provide a public (Internet accessible) VPN service. Core has an interface on this VPN and is expected to forward packets between it and the institute's other private networks. +The following tasks install WireGuard™, configure it with +[[=private/front-wg0.conf=][=private/front-wg0.conf=]] (or [[file:private/front-wg0-empty.conf][=private/front-wg0-empty.conf=]] if it does +not exist), and enable the service. + +#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml + +- name: Enable IP forwarding. + become: yes + sysctl: + name: net.ipv4.ip_forward + value: "1" + state: present + +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + vars: + srcs: + - ../private/front-wg0.conf + - ../private/front-wg0-empty.conf + copy: + src: "{{ lookup('first_found', srcs) }}" + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Restart WireGuard™. + tags: accounts + +- name: Start WireGuard™. + become: yes + systemd: + service: wg-quick@wg0 + state: started + tags: actualizer + +- name: Enable WireGuard™. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes +#+END_SRC + +#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml + +- name: Restart WireGuard™. + become: yes + systemd: + service: wg-quick@wg0 + state: restarted + tags: actualizer +#+END_SRC + +The "empty" WireGuard™ configuration file (below) is used until the +~./inst client~ command adds the first client, and generates an actual +[[=private/front-wg0.conf=][=private/front-wg0.conf=]]. 
+ +#+NAME: =private/front-wg0-empty.conf= +#+CAPTION: [[file:private/front-wg0-empty.conf][=private/front-wg0-empty.conf=]] +#+BEGIN_SRC conf :tangle private/front-wg0-empty.conf :tangle-mode u=rw,g=,o= +[Interface] +Address = 10.177.87.1/24 +ListenPort = 39608 +PostUp = wg set %i private-key /etc/wireguard/private-key +PostUp = resolvectl dns %i 192.168.56.1 +PostUp = resolvectl domain %i small.private +#+END_SRC + +*** Example =private/front-wg0.conf= + The example [[=private/front-wg0.conf=][=private/front-wg0.conf=]] below recognizes Core by its public key and routes the institute's private networks to it. It also recognizes Dick's notebook and his (replacement) phone, assigning them host numbers 4 and 6 on the VPN. +This is just an example. The actual file is edited by the ~./inst +client~ command and so is not tangled from the following block. + #+NAME: =private/front-wg0.conf= -#+CAPTION: [[file:private/front-wg0.conf][=private/front-wg0.conf=]] -#+BEGIN_SRC conf :tangle private/front-wg0.conf :tangle-mode u=rw,g=,o= +#+CAPTION: =private/front-wg0.conf= +#+BEGIN_SRC conf [Interface] Address = 10.177.87.1/24 ListenPort = 39608 
@@ -2152,58 +2230,6 @@ AllowedIPs = 10.177.87.0/24 AllowedIPs = 10.84.139.0/24 #+END_SRC -The following tasks install WireGuard™, configure it with -[[=private/front-wg0.conf=][=private/front-wg0.conf=]], and enable the service. - -#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml - -- name: Enable IP forwarding. - become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present - -- name: Install WireGuard™. - become: yes - apt: pkg=wireguard - -- name: Configure WireGuard™. - become: yes - copy: - src: ../private/front-wg0.conf - dest: /etc/wireguard/wg0.conf - mode: u=r,g=,o= - owner: root - group: root - notify: Restart WireGuard™. - -- name: Start WireGuard™. - become: yes - systemd: - service: wg-quick@wg0 - state: started - tags: actualizer - -- name: Enable WireGuard™. - become: yes - systemd: - service: wg-quick@wg0 - enabled: yes -#+END_SRC - -#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml - -- name: Restart WireGuard™. - become: yes - systemd: - service: wg-quick@wg0 - state: restarted - tags: actualizer -#+END_SRC - ** Configure Kamailio Front uses Kamailio to provide a SIP service on the public VPN so that 
@@ -5066,13 +5092,89 @@ institute's private networks: the private Ethernet and the public VPN. additional route Gate needs is to the public VPN via Core. The rest (private Ethernet and campus VPN) are directly connected. -The following example [[=private/gate-wg0.conf=][=private/gate-wg0.conf=]] configuration recognizes -a wired IoT appliance, Dick's notebook and his replacement phone, -assigning them the host numbers 3, 4 and 6 respectively. +The following tasks install WireGuard™, configure it with +[[=private/gate-wg0.conf=][=private/gate-wg0.conf=]] (or =private/gate-wg0-empty.conf= if it does +not exist), and enable the service. + +#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml + +- name: Enable IP forwarding. + become: yes + sysctl: + name: net.ipv4.ip_forward + value: "1" + state: present + +- name: Install WireGuard™. + become: yes + apt: pkg=wireguard + +- name: Configure WireGuard™. + become: yes + vars: + srcs: + - ../private/gate-wg0.conf + - ../private/gate-wg0-empty.conf + copy: + src: "{{ lookup('first_found', srcs) }}" + dest: /etc/wireguard/wg0.conf + mode: u=r,g=,o= + owner: root + group: root + notify: Restart WireGuard™. + tags: accounts + +- name: Start WireGuard™. + become: yes + systemd: + service: wg-quick@wg0 + state: started + tags: actualizer + +- name: Enable WireGuard™. + become: yes + systemd: + service: wg-quick@wg0 + enabled: yes +#+END_SRC + +#+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]] +#+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml + +- name: Restart WireGuard™. + become: yes + systemd: + service: wg-quick@wg0 + state: restarted + tags: actualizer +#+END_SRC + +The "empty" WireGuard™ configuration file (below) is used until the +~./inst client~ command adds the first client, and generates an actual +[[=private/gate-wg0.conf=][=private/gate-wg0.conf=]]. 
+ +#+NAME: =private/gate-wg0-empty.conf= +#+CAPTION: [[file:private/gate-wg0.empty.conf][=private/gate-wg0.empty.conf=]] +#+BEGIN_SRC conf :tangle private/gate-wg0-empty.conf :tangle-mode u=rw,g=,o= +[Interface] +Address = 10.84.139.1/24 +ListenPort = 51820 +PostUp = wg set %i private-key /etc/wireguard/private-key +#+END_SRC + +*** Example =private/gate-wg0.conf= + +The example [[=private/gate-wg0.conf=][=private/gate-wg0.conf=]] below recognizes a wired IoT +appliance, Dick's notebook and his replacement phone, assigning them +the host numbers 3, 4 and 6 respectively. + +This is just an example. The actual file is edited by the ~./inst +client~ command and so should not be tangled from the following block. #+NAME: =private/gate-wg0.conf= -#+CAPTION: [[file:private/gate-wg0.conf][=private/gate-wg0.conf=]] -#+BEGIN_SRC conf :tangle private/gate-wg0.conf :tangle-mode u=rw,g=,o= +#+CAPTION: =private/gate-wg0.conf= +#+BEGIN_SRC conf [Interface] Address = 10.84.139.1/24 ListenPort = 51820 
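Review bot: The caption of the new empty-configuration block links to `private/gate-wg0.empty.conf`, while the `#+NAME` line and the `:tangle` target on the same block use `private/gate-wg0-empty.conf`, so the rendered link points at a file that is never created; it should read `#+CAPTION: [[file:private/gate-wg0-empty.conf][=private/gate-wg0-empty.conf=]]`. The Front section of this commit already uses the hyphenated name in its caption, so only the Gate caption is affected. The closing sentence "so should not be tangled from the following block" would also be worth aligning with the Front wording "so is not tangled from the following block", since the block now carries no `:tangle` argument and the sentence states a fact rather than a recommendation.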
@@ -5136,58 +5238,6 @@ AllowedIPs = 10.177.87.0/24 AllowedIPs = 10.84.139.0/24 #+END_SRC -The following tasks install WireGuard™, configure it with -[[=private/gate-wg0.conf=][=private/gate-wg0.conf=]], and enable the service. - -#+CAPTION: [[file:roles_t/gate/tasks/main.yml][=roles_t/gate/tasks/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/gate/tasks/main.yml - -- name: Enable IP forwarding. - become: yes - sysctl: - name: net.ipv4.ip_forward - value: "1" - state: present - -- name: Install WireGuard™. - become: yes - apt: pkg=wireguard - -- name: Configure WireGuard™. - become: yes - copy: - src: ../private/gate-wg0.conf - dest: /etc/wireguard/wg0.conf - mode: u=r,g=,o= - owner: root - group: root - notify: Restart WireGuard™. - -- name: Start WireGuard™. - become: yes - systemd: - service: wg-quick@wg0 - state: started - tags: actualizer - -- name: Enable WireGuard™. - become: yes - systemd: - service: wg-quick@wg0 - enabled: yes -#+END_SRC - -#+CAPTION: [[file:roles_t/gate/handlers/main.yml][=roles_t/gate/handlers/main.yml=]] -#+BEGIN_SRC conf :tangle roles_t/gate/handlers/main.yml - -- name: Restart WireGuard™. - become: yes - systemd: - service: wg-quick@wg0 - state: restarted - tags: actualizer -#+END_SRC - * The Campus Role diff --git a/private/front-wg0-empty.conf b/private/front-wg0-empty.conf new file mode 100644 index 0000000..d69b853 --- /dev/null +++ b/private/front-wg0-empty.conf @@ -0,0 +1,6 @@ +[Interface] +Address = 10.177.87.1/24 +ListenPort = 39608 +PostUp = wg set %i private-key /etc/wireguard/private-key +PostUp = resolvectl dns %i 192.168.56.1 +PostUp = resolvectl domain %i small.private diff --git a/private/gate-wg0-empty.conf b/private/gate-wg0-empty.conf new file mode 100644 index 0000000..e8a29db --- /dev/null +++ b/private/gate-wg0-empty.conf @@ -0,0 +1,4 @@ +[Interface] +Address = 10.84.139.1/24 +ListenPort = 51820 +PostUp = wg set %i private-key /etc/wireguard/private-key 
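Review bot: The new bootstrap file carries no comment saying that it is a placeholder whose `[Interface]` values must stay identical to the ones the `./inst client` command writes into `private/front-wg0.conf`, so a later edit to `Address` or `ListenPort` in only one place would change the interface's addressing when the real file replaces it; a header such as `# Bootstrap wg0.conf used until ./inst client writes private/front-wg0.conf; keep Address/ListenPort in step with the README example.` would record that, and the same applies to `private/gate-wg0-empty.conf` in the following hunk. It would also help to state why enabling the service with this file is acceptable: with no `[Peer]` section the interface listens on the configured UDP port but holds no peer key it could authenticate, so WireGuard answers nothing until the first client is added. Loading the private key from `/etc/wireguard/private-key` via `PostUp` rather than inline is what allows this file to be tangled and committed without embedding a secret, which is worth a sentence in the same comment.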
diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml index a4dc4cf..26ce4a7 100644 --- a/roles_t/front/tasks/main.yml +++ b/roles_t/front/tasks/main.yml @@ -389,13 +389,18 @@ - name: Configure WireGuard™. become: yes + vars: + srcs: + - ../private/front-wg0.conf + - ../private/front-wg0-empty.conf copy: - src: ../private/front-wg0.conf + src: "{{ lookup('first_found', srcs) }}" dest: /etc/wireguard/wg0.conf mode: u=r,g=,o= owner: root group: root notify: Restart WireGuard™. + tags: accounts - name: Start WireGuard™. become: yes diff --git a/roles_t/gate/tasks/main.yml b/roles_t/gate/tasks/main.yml index ce1b4dd..4e76910 100644 --- a/roles_t/gate/tasks/main.yml +++ b/roles_t/gate/tasks/main.yml @@ -135,13 +135,18 @@ - name: Configure WireGuard™. become: yes + vars: + srcs: + - ../private/gate-wg0.conf + - ../private/gate-wg0-empty.conf copy: - src: ../private/gate-wg0.conf + src: "{{ lookup('first_found', srcs) }}" dest: /etc/wireguard/wg0.conf mode: u=r,g=,o= owner: root group: root notify: Restart WireGuard™. + tags: accounts - name: Start WireGuard™. become: yes -- 2.25.1
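Review bot: The `first_found` lookup in the Configure WireGuard™ task fails the play with a generic lookup error when neither `../private/front-wg0.conf` nor `../private/front-wg0-empty.conf` exists, and nothing in the task explains that the failure is intended or why the second path is there; a comment above `vars:` such as `# Prefer the real config written by ./inst client; fall back to the tangled bootstrap config. Fails if neither exists.` would make the intent explicit. The same applies to the `roles_t/gate/tasks/main.yml` hunk below it, which is identical apart from the gate- file names. Because the relative path is now resolved by the lookup on the controller rather than by `copy`'s own file search, it is worth confirming once that `../private/` still lands on the repository's `private/` directory for both roles. The task also gains `tags: accounts`, presumably so that the `./inst client` command can push the regenerated file; a word on that in the same comment would save the next reader a search.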