algo/users.yml

---

- hosts: localhost
  gather_facts: False
  vars_files:
    - config.cfg
  vars_prompt:

    - name: "server_ip"
      prompt: "Enter IP address of your server: (use localhost for local installation)\n"
      default: localhost
      private: no

    - name: "server_user"
      prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"
      default: "root"
      private: no

    - name: "ssh_tunneling_enabled"
      prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"
      default: "n"
      private: no

    - name: "IP_subject"
      prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"
      private: no

    - name: "easyrsa_CA_password"
      prompt: "Enter the password for the private CA key:\n"
      private: yes

  tasks:
    - name: Add the server to the vpn-host group
      add_host:
        hostname: "{{ server_ip }}"
        groupname: vpn-host
        ansible_ssh_user: "{{ server_user }}"
        ansible_python_interpreter: "/usr/bin/python2.7"
        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
        easyrsa_CA_password: "{{ easyrsa_CA_password }}"
        IP_subject: "{{ IP_subject }}"

    - name: Wait until SSH becomes ready...
      local_action:
        module: wait_for
        port: 22
        host: "{{ server_ip }}"
        search_regex: "OpenSSH"
        delay: 10
        timeout: 320
        state: present
      become: false

- name: User management
  hosts: vpn-host
  gather_facts: false
  become: true
  vars_files:
    - config.cfg

  pre_tasks:
    - set_fact:
        IP_subject_alt_name: "{{ IP_subject }}"

  roles:
    - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }

  tasks:

    - name: Gather Facts
      setup:

    - set_fact:
        easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}"

    - name: Build the client's pair
      shell: >
        ./easyrsa gen-req {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
        ./easyrsa --subject-alt-name='DNS:{{ item }}' sign-req client {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" &&
        touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
      args:
        chdir: '{{ easyrsa_dir }}/easyrsa3/'
        creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
      with_items: "{{ users }}"

    - name: Build the client's p12
      shell: >
        openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
      args:
        chdir: '{{ easyrsa_dir }}/easyrsa3/'
      with_items: "{{ users }}"

    - name: Get active users
      shell: >
        grep ^V pki/index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
      args:
        chdir: '{{ easyrsa_dir }}/easyrsa3/'
      register: valid_certs

    - name: Revoke non-existing users
      shell: >
        openssl ec -in pki/private/ca.key -out pki/private/ca.key -passin pass:"{{ easyrsa_CA_password }}" -passout pass:"" &&
        ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&
        ./easyrsa revoke {{ item }} &&
        openssl ec -aes256 -in pki/private/ca.key -out pki/private/ca.key -passin pass:"" -passout pass:"{{ easyrsa_CA_password }}" &&
        ipsec rereadcrls
      args:
        chdir: '{{ easyrsa_dir }}/easyrsa3/'
      when: item not in users
      with_items: "{{ valid_certs.stdout_lines }}"

    - name: Register p12 PayloadContent
      shell: >
        cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
      register:  PayloadContent
      with_items: "{{ users }}"

    - name: Register CA PayloadContent
      shell: >
        cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
      register:  PayloadContentCA

    - name: Build the mobileconfigs
      template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
      with_together:
        - "{{ users }}"
        - "{{ PayloadContent.results }}"
      no_log: True

    - name: Fetch users P12
      fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
      with_items: "{{ users }}"

    - name: Fetch users mobileconfig
      fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
      with_items: "{{ users }}"

    - name: Fetch server CA certificate
      fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes

    # SSH

    - name: SSH | Get active system users
      shell: >
        getent group algo | cut -f4 -d: | sed "s/,/\n/g"
      register: valid_users
      when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"

    - name: SSH | Delete non-existing users
      user:
        name: "{{ item }}"
        state: absent
        remove: yes
        force: yes
      when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
      with_items: "{{ valid_users.stdout_lines | default('null') }}"

    - name: SSH | Fetch users SSH private keys
      fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
      when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
      with_items: "{{ users }}"

  post_tasks:
    - debug: msg="{{ congrats.split('\n') }}"
      tags: always
User management 8 years ago			`---`

Modify user-management function 8 years ago			`- hosts: localhost`
			`gather_facts: False`
			`vars_files:`
linting 8 years ago			`- config.cfg`
Modify user-management function 8 years ago			`vars_prompt:`
linting 8 years ago
Modify user-management function 8 years ago			`- name: "server_ip"`
Update-users fixed #52 8 years ago			`prompt: "Enter IP address of your server: (use localhost for local installation)\n"`
			`default: localhost`
Modify user-management function 8 years ago			`private: no`
linting 8 years ago
Modify user-management function 8 years ago			`- name: "server_user"`
Update-users fixed #52 8 years ago			`prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n"`
Modify user-management function 8 years ago			`default: "root"`
linting 8 years ago			`private: no`

SSH user-management #77 8 years ago			`- name: "ssh_tunneling_enabled"`
			`prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n"`
Add the SSH role to the users-update playbook #92 fixed 8 years ago			`default: "n"`
linting 8 years ago			`private: no`

Update-users fixed #52 8 years ago			`- name: "IP_subject"`
			`prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n"`
			`private: no`
linting 8 years ago
the password for the CA private key #75 8 years ago			`- name: "easyrsa_CA_password"`
			`prompt: "Enter the password for the private CA key:\n"`
			`private: yes`

Modify user-management function 8 years ago			`tasks:`
			`- name: Add the server to the vpn-host group`
linting 8 years ago			`add_host:`
Modify user-management function 8 years ago			`hostname: "{{ server_ip }}"`
			`groupname: vpn-host`
			`ansible_ssh_user: "{{ server_user }}"`
			`ansible_python_interpreter: "/usr/bin/python2.7"`
SSH user-management #77 8 years ago			`ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"`
the password for the CA private key #75 8 years ago			`easyrsa_CA_password: "{{ easyrsa_CA_password }}"`
Update-users fixed #52 8 years ago			`IP_subject: "{{ IP_subject }}"`
Modify user-management function 8 years ago
reorganize the wait_for functions #159 8 years ago			`- name: Wait until SSH becomes ready...`
			`local_action:`
			`module: wait_for`
			`port: 22`
			`host: "{{ server_ip }}"`
			`search_regex: "OpenSSH"`
			`delay: 10`
			`timeout: 320`
			`state: present`
linting 8 years ago			`become: false`
Modify user-management function 8 years ago
miscelllaneous cleanups 8 years ago			`- name: User management`
Modify user-management function 8 years ago			`hosts: vpn-host`
User management 8 years ago			`gather_facts: false`
EC2 Support 8 years ago			`become: true`
User management 8 years ago			`vars_files:`
linting 8 years ago			`- config.cfg`
linting 8 years ago
Update-users fixed #52 8 years ago			`pre_tasks:`
			`- set_fact:`
			`IP_subject_alt_name: "{{ IP_subject }}"`
linting 8 years ago
Add the SSH role to the users-update playbook #92 fixed 8 years ago			`roles:`
			`- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }`

User management 8 years ago			`tasks:`
random password for the p12 certificates #135 8 years ago
			`- name: Gather Facts`
			`setup:`

			`- set_fact:`
			`easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic\|sha1\|to_uuid).split('-')[0] }}"`

Add the SSH role to the users-update playbook #92 fixed 8 years ago			`- name: Build the client's pair`
			`shell: >`
the password for the CA private key #75 8 years ago			`./easyrsa gen-req {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&`
			`./easyrsa --subject-alt-name='DNS:{{ item }}' sign-req client {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" &&`
Add the SSH role to the users-update playbook #92 fixed 8 years ago			`touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'`
			`args:`
			`chdir: '{{ easyrsa_dir }}/easyrsa3/'`
			`creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'`
			`with_items: "{{ users }}"`

			`- name: Build the client's p12`
			`shell: >`
random password for the p12 certificates #135 8 years ago			`openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}`
Add the SSH role to the users-update playbook #92 fixed 8 years ago			`args:`
			`chdir: '{{ easyrsa_dir }}/easyrsa3/'`
			`with_items: "{{ users }}"`

			`- name: Get active users`
			`shell: >`
			`grep ^V pki/index.txt \| grep -v "{{ IP_subject_alt_name }}" \| awk '{print $5}' \| sed 's/\/CN=//g'`
			`args:`
			`chdir: '{{ easyrsa_dir }}/easyrsa3/'`
			`register: valid_certs`

			`- name: Revoke non-existing users`
			`shell: >`
the password for the CA private key #75 8 years ago			`openssl ec -in pki/private/ca.key -out pki/private/ca.key -passin pass:"{{ easyrsa_CA_password }}" -passout pass:"" &&`
Add the SSH role to the users-update playbook #92 fixed 8 years ago			`ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&`
			`./easyrsa revoke {{ item }} &&`
the password for the CA private key #75 8 years ago			`openssl ec -aes256 -in pki/private/ca.key -out pki/private/ca.key -passin pass:"" -passout pass:"{{ easyrsa_CA_password }}" &&`
Add the SSH role to the users-update playbook #92 fixed 8 years ago			`ipsec rereadcrls`
			`args:`
			`chdir: '{{ easyrsa_dir }}/easyrsa3/'`
			`when: item not in users`
			`with_items: "{{ valid_certs.stdout_lines }}"`

			`- name: Register p12 PayloadContent`
			`shell: >`
			`cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 \| base64`
			`register: PayloadContent`
			`with_items: "{{ users }}"`

			`- name: Register CA PayloadContent`
			`shell: >`
			`cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt \| base64`
			`register: PayloadContentCA`

			`- name: Build the mobileconfigs`
			`template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600`
			`with_together:`
			`- "{{ users }}"`
			`- "{{ PayloadContent.results }}"`
			`no_log: True`

			`- name: Fetch users P12`
			`fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes`
			`with_items: "{{ users }}"`

			`- name: Fetch users mobileconfig`
			`fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes`
			`with_items: "{{ users }}"`

			`- name: Fetch server CA certificate`
			`fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes`

			`# SSH`

			`- name: SSH \| Get active system users`
			`shell: >`
			`getent group algo \| cut -f4 -d: \| sed "s/,/\n/g"`
			`register: valid_users`
			`when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"`

			`- name: SSH \| Delete non-existing users`
			`user:`
			`name: "{{ item }}"`
			`state: absent`
			`remove: yes`
			`force: yes`
			`when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"`
Fixed. #137 8 years ago			`with_items: "{{ valid_users.stdout_lines \| default('null') }}"`
Add the SSH role to the users-update playbook #92 fixed 8 years ago
			`- name: SSH \| Fetch users SSH private keys`
			`fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes`
random password for the p12 certificates #135 8 years ago			`when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"`
Add the SSH role to the users-update playbook #92 fixed 8 years ago			`with_items: "{{ users }}"`
random password for the p12 certificates #135 8 years ago
			`post_tasks:`
			`- debug: msg="{{ congrats.split('\n') }}"`
			`tags: always`