algo/roles/strongswan/tasks/ipsec_configuration.yml

---

- name: Setup the config files from our templates
  template:
    src: "{{ item.src }}"
    dest: "{{ config_prefix|default('/') }}etc/{{ item.dest }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  with_items:
    - src: strongswan.conf.j2
      dest: "strongswan.conf"
      owner: root
      group: "{{ root_group|default('root') }}"
      mode: "0644"
    - src: ipsec.conf.j2
      dest: "ipsec.conf"
      owner: root
      group: "{{ root_group|default('root') }}"
      mode: "0644"
    - src: ipsec.secrets.j2
      dest: "ipsec.secrets"
      owner: strongswan
      group: "{{ root_group|default('root') }}"
      mode: "0600"
    - src: charon.conf.j2
      dest: "strongswan.d/charon.conf"
      owner: root
      group: "{{ root_group|default('root') }}"
      mode: "0644"
  notify:
    - restart strongswan

- name: Get loaded plugins
  shell: |
    set -o pipefail
    find {{ config_prefix|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; |
    cut -f1 -d.
  changed_when: false
  args:
    executable: bash
  register: strongswan_plugins

- name: Disable unneeded plugins
  lineinfile:
    dest: "{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
    regexp: '.*load.*'
    line: 'load = no'
    state: present
  notify:
    - restart strongswan
  when: item not in strongswan_enabled_plugins and item not in strongswan_additional_plugins
  with_items: "{{ strongswan_plugins.stdout_lines }}"

- name: Ensure that required plugins are enabled
  lineinfile: dest="{{ config_prefix|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
  notify:
    - restart strongswan
  when: item in strongswan_enabled_plugins or item in strongswan_additional_plugins
  with_items: "{{ strongswan_plugins.stdout_lines }}"
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`---`

			`- name: Setup the config files from our templates`
			`template:`
			`src: "{{ item.src }}"`
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ \|-- ipsec \| \|-- apple \| \| \|-- desktop.mobileconfig \| \| \|-- laptop.mobileconfig \| \| `-- phone.mobileconfig \| \|-- manual \| \| \|-- cacert.pem \| \| \|-- desktop.p12 \| \| \|-- desktop.ssh.pem \| \| \|-- ipsec_desktop.conf \| \| \|-- ipsec_desktop.secrets \| \| \|-- ipsec_laptop.conf \| \| \|-- ipsec_laptop.secrets \| \| \|-- ipsec_phone.conf \| \| \|-- ipsec_phone.secrets \| \| \|-- laptop.p12 \| \| \|-- laptop.ssh.pem \| \| \|-- phone.p12 \| \| `-- phone.ssh.pem \| `-- windows \| \|-- desktop.ps1 \| \|-- laptop.ps1 \| `-- phone.ps1 \|-- ssh-tunnel \| \|-- desktop.pem \| \|-- desktop.pub \| \|-- laptop.pem \| \|-- laptop.pub \| \|-- phone.pem \| \|-- phone.pub \| `-- ssh_config `-- wireguard \|-- desktop.conf \|-- desktop.png \|-- laptop.conf \|-- laptop.png \|-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the CONTRIBUTING document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. 2019-03-10 17:16:34 +00:00			`dest: "{{ config_prefix\|default('/') }}etc/{{ item.dest }}"`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`owner: "{{ item.owner }}"`
			`group: "{{ item.group }}"`
			`mode: "{{ item.mode }}"`
			`with_items:`
			`- src: strongswan.conf.j2`
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ \|-- ipsec \| \|-- apple \| \| \|-- desktop.mobileconfig \| \| \|-- laptop.mobileconfig \| \| `-- phone.mobileconfig \| \|-- manual \| \| \|-- cacert.pem \| \| \|-- desktop.p12 \| \| \|-- desktop.ssh.pem \| \| \|-- ipsec_desktop.conf \| \| \|-- ipsec_desktop.secrets \| \| \|-- ipsec_laptop.conf \| \| \|-- ipsec_laptop.secrets \| \| \|-- ipsec_phone.conf \| \| \|-- ipsec_phone.secrets \| \| \|-- laptop.p12 \| \| \|-- laptop.ssh.pem \| \| \|-- phone.p12 \| \| `-- phone.ssh.pem \| `-- windows \| \|-- desktop.ps1 \| \|-- laptop.ps1 \| `-- phone.ps1 \|-- ssh-tunnel \| \|-- desktop.pem \| \|-- desktop.pub \| \|-- laptop.pem \| \|-- laptop.pub \| \|-- phone.pem \| \|-- phone.pub \| `-- ssh_config `-- wireguard \|-- desktop.conf \|-- desktop.png \|-- laptop.conf \|-- laptop.png \|-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the CONTRIBUTING document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. 2019-03-10 17:16:34 +00:00			`dest: "strongswan.conf"`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`owner: root`
			`group: "{{ root_group\|default('root') }}"`
			`mode: "0644"`
			`- src: ipsec.conf.j2`
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ \|-- ipsec \| \|-- apple \| \| \|-- desktop.mobileconfig \| \| \|-- laptop.mobileconfig \| \| `-- phone.mobileconfig \| \|-- manual \| \| \|-- cacert.pem \| \| \|-- desktop.p12 \| \| \|-- desktop.ssh.pem \| \| \|-- ipsec_desktop.conf \| \| \|-- ipsec_desktop.secrets \| \| \|-- ipsec_laptop.conf \| \| \|-- ipsec_laptop.secrets \| \| \|-- ipsec_phone.conf \| \| \|-- ipsec_phone.secrets \| \| \|-- laptop.p12 \| \| \|-- laptop.ssh.pem \| \| \|-- phone.p12 \| \| `-- phone.ssh.pem \| `-- windows \| \|-- desktop.ps1 \| \|-- laptop.ps1 \| `-- phone.ps1 \|-- ssh-tunnel \| \|-- desktop.pem \| \|-- desktop.pub \| \|-- laptop.pem \| \|-- laptop.pub \| \|-- phone.pem \| \|-- phone.pub \| `-- ssh_config `-- wireguard \|-- desktop.conf \|-- desktop.png \|-- laptop.conf \|-- laptop.png \|-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the CONTRIBUTING document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. 2019-03-10 17:16:34 +00:00			`dest: "ipsec.conf"`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`owner: root`
			`group: "{{ root_group\|default('root') }}"`
			`mode: "0644"`
			`- src: ipsec.secrets.j2`
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ \|-- ipsec \| \|-- apple \| \| \|-- desktop.mobileconfig \| \| \|-- laptop.mobileconfig \| \| `-- phone.mobileconfig \| \|-- manual \| \| \|-- cacert.pem \| \| \|-- desktop.p12 \| \| \|-- desktop.ssh.pem \| \| \|-- ipsec_desktop.conf \| \| \|-- ipsec_desktop.secrets \| \| \|-- ipsec_laptop.conf \| \| \|-- ipsec_laptop.secrets \| \| \|-- ipsec_phone.conf \| \| \|-- ipsec_phone.secrets \| \| \|-- laptop.p12 \| \| \|-- laptop.ssh.pem \| \| \|-- phone.p12 \| \| `-- phone.ssh.pem \| `-- windows \| \|-- desktop.ps1 \| \|-- laptop.ps1 \| `-- phone.ps1 \|-- ssh-tunnel \| \|-- desktop.pem \| \|-- desktop.pub \| \|-- laptop.pem \| \|-- laptop.pub \| \|-- phone.pem \| \|-- phone.pub \| `-- ssh_config `-- wireguard \|-- desktop.conf \|-- desktop.png \|-- laptop.conf \|-- laptop.png \|-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the CONTRIBUTING document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. 2019-03-10 17:16:34 +00:00			`dest: "ipsec.secrets"`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`owner: strongswan`
			`group: "{{ root_group\|default('root') }}"`
			`mode: "0600"`
Fix 963 again (#1379) * Create charon.conf.j2 Create charon.conf template with mods * Update mobileconfig.j2 Increase client side lifetimes * Update ipsec.conf.j2 Add server-side lifetimes * Add charon.conf 2019-04-09 12:37:08 +00:00			`- src: charon.conf.j2`
			`dest: "strongswan.d/charon.conf"`
			`owner: root`
			`group: "{{ root_group\|default('root') }}"`
			`mode: "0644"`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`notify:`
			`- restart strongswan`

			`- name: Get loaded plugins`
Refactoring, Linting and additional tests (#1397) * Refactoring, Linting and additional tests * Vultr: Undefined variable and deprecation notes fix * Travis-CI enable linters * Azure: Update python requirements * Update main.yml * Update install.sh * Add missing roles to ansible-lint * Linting for skipped roles * add .ansible-lint config 2019-04-26 15:48:28 +00:00			`shell: \|`
			`set -o pipefail`
			`find {{ config_prefix\|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; \|`
			`cut -f1 -d.`
			`changed_when: false`
			`args:`
			`executable: bash`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`register: strongswan_plugins`

			`- name: Disable unneeded plugins`
improved readability with native yaml (#530) 2017-05-08 20:34:24 +00:00			`lineinfile:`
			`dest: "{{ config_prefix\|default('/') }}etc/strongswan.d/charon/{{ item }}.conf"`
			`regexp: '.load.'`
			`line: 'load = no'`
			`state: present`
FreeBSD / HardenedBSD (#262) * FreeBSD draft ifconfig fix Pre-tasks fixes fix hardcoded IP some refactoring disable system-based tags disable freebsd tags FreeBSD vpn role add defaults ssh role freebsd default fix dns_adblocking freebsd ubuntu dict fix * HardenedBSD update-users BSD * Rebuild the kernel docs changing 2017-03-18 09:22:07 +00:00			`notify:`
			`- restart strongswan`
			`when: item not in strongswan_enabled_plugins and item not in strongswan_additional_plugins`
			`with_items: "{{ strongswan_plugins.stdout_lines }}"`

			`- name: Ensure that required plugins are enabled`
			`lineinfile: dest="{{ config_prefix\|default('/') }}etc/strongswan.d/charon/{{ item }}.conf" regexp='.load.' line='load = yes' state=present`
			`notify:`
			`- restart strongswan`
			`when: item in strongswan_enabled_plugins or item in strongswan_additional_plugins`
			`with_items: "{{ strongswan_plugins.stdout_lines }}"`