User management

2024-11-04 06:00:21 +00:00 · 2016-07-28 00:27:11 +03:00 · 2016-07-28 00:27:11 +03:00 · 13f11514b7
commit 13f11514b7
parent 4bd2cd2eea
7 changed files with 93 additions and 10 deletions
--- a/0
+++ b/0
--- a/0
+++ b/0
--- a/common.yml
+++ b/common.yml
@ -27,6 +27,7 @@
      - auditd
      - rsyslog
      - sendmail
+      - libpam-google-authenticator

  - name: Enable packet forwarding for IPv4
    sysctl: name=net.ipv4.ip_forward value=1
@ -37,6 +38,9 @@
  - name: Do not send ICMP redirects (we are not a router)
    sysctl: name=net.ipv4.conf.all.send_redirects value=0
    
+    
+  # auditd
+  
  - name: Collect Use of Privileged Commands
    shell: > 
      /usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+[users-management]
+45.55.244.205
--- a/0
+++ b/0
--- a/users.yml
+++ b/users.yml
@ -0,0 +1,74 @@
+---
+
+- name: Users management
+  hosts: users-management
+  gather_facts: false
+  remote_user: root
+  vars_files:
+    - config.cfg    
+  
+  tasks:
+  - name: Build the client's pair
+    shell: >
+      ./easyrsa build-client-full {{ item }} nopass &&
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    with_items: "{{ users }}"
+
+  - name: Build the client's p12 
+    shell: >
+      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+    with_items: "{{ users }}"
+    
+  - name: Get active users
+    shell: >
+      grep ^V pki/index.txt | grep -v "www.ivlis.me" | awk '{print $5}' | sed 's/\/CN=//g'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+    register: valid_certs
+      
+  - name: Revoke non-existing users
+    shell: >
+      ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&    
+      ./easyrsa revoke {{ item }} &&
+      ipsec rereadcrls
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+    when: item not in users
+    with_items: "{{ valid_certs.stdout_lines }}"
+    
+  - name: Register p12 PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+    register:  PayloadContent
+    with_items: "{{ users }}"
+
+  - name: Register CA PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
+    register:  PayloadContentCA
+   
+  - name: Build the mobileconfigs
+    template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
+    with_together:
+      - "{{ users }}"
+      - "{{ PayloadContent.results }}"
+    no_log: True  
+      
+  - name: Fetch users P12
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ server_name }}_{{ item }}.p12 flat=yes
+    with_items: "{{ users }}"
+
+  - name: Fetch users mobileconfig
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ server_name }}_{{ item }}.mobileconfig flat=yes
+    with_items: "{{ users }}"
+    
+  - name: Fetch server CA certificate
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes
+    
--- a/vpn.yml
+++ b/vpn.yml
@ -50,16 +50,16 @@
    when: easyrsa_reinit_existent == True
    
  - name: Build the pki enviroments
-    shell: |
-      ./easyrsa init-pki
+    shell: >
+      ./easyrsa init-pki &&
      touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'    
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
      creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'

  - name: Build the CA pair 
-    shell: |
-      ./easyrsa build-ca nopass
+    shell: >
+      ./easyrsa build-ca nopass &&
      touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -68,8 +68,8 @@
    - restart strongswan  
    
  - name: Build the server pair # TODO: IP and DNS for certificate
-    shell: |
-      ./easyrsa build-server-full {{ server_name }} nopass
+    shell: >
+      ./easyrsa build-server-full {{ server_name }} nopass &&
      touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -78,8 +78,8 @@
    - restart strongswan        

  - name: Build the client's pair
-    shell: |
-      ./easyrsa build-client-full {{ item }} nopass
+    shell: >
+      ./easyrsa build-client-full {{ item }} nopass &&
      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -87,8 +87,8 @@
    with_items: "{{ users }}"

  - name: Build the client's p12 
-    shell: |
-      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
+    shell: >
+      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -139,6 +139,9 @@
  - name: Fetch server CA certificate
    fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes
    
+  - name: Add server to the inventory file
+    local_action: lineinfile dest=inventory_users line="{{ inventory_hostname }}" insertafter='\[users-management\]\n' state=present
+    
  handlers:
    - name: restart strongswan
      service: name=strongswan state=restarted