From 13f11514b75b772c75337eb6153eba43266dd34d Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov <eivanov@sardinasystems.com>
Date: Thu, 28 Jul 2016 00:27:11 +0300
Subject: [PATCH] User management

---
 Install         |  0
 StrongSwan      |  0
 common.yml      |  4 +++
 inventory_users |  2 ++
 name:           |  0
 users.yml       | 74 +++++++++++++++++++++++++++++++++++++++++++++++++
 vpn.yml         | 23 ++++++++-------
 7 files changed, 93 insertions(+), 10 deletions(-)
 create mode 100644 Install
 create mode 100644 StrongSwan
 create mode 100644 inventory_users
 create mode 100644 name:
 create mode 100644 users.yml

diff --git a/Install b/Install
new file mode 100644
index 0000000..e69de29
diff --git a/StrongSwan b/StrongSwan
new file mode 100644
index 0000000..e69de29
diff --git a/common.yml b/common.yml
index 8ab0568..27db0eb 100644
--- a/common.yml
+++ b/common.yml
@@ -27,6 +27,7 @@
       - auditd
       - rsyslog
       - sendmail
+      - libpam-google-authenticator
 
   - name: Enable packet forwarding for IPv4
     sysctl: name=net.ipv4.ip_forward value=1
@@ -37,6 +38,9 @@
   - name: Do not send ICMP redirects (we are not a router)
     sysctl: name=net.ipv4.conf.all.send_redirects value=0
     
+    
+  # auditd
+  
   - name: Collect Use of Privileged Commands
     shell: > 
       /usr/bin/find {/usr/local/sbin,/usr/local/bin,/sbin,/bin,/usr/sbin,/usr/bin} -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'
diff --git a/inventory_users b/inventory_users
new file mode 100644
index 0000000..4b3531e
--- /dev/null
+++ b/inventory_users
@@ -0,0 +1,2 @@
+[users-management]
+45.55.244.205
diff --git a/name: b/name:
new file mode 100644
index 0000000..e69de29
diff --git a/users.yml b/users.yml
new file mode 100644
index 0000000..48c5ff2
--- /dev/null
+++ b/users.yml
@@ -0,0 +1,74 @@
+---
+
+- name: Users management
+  hosts: users-management
+  gather_facts: false
+  remote_user: root
+  vars_files:
+    - config.cfg    
+  
+  tasks:
+  - name: Build the client's pair
+    shell: >
+      ./easyrsa build-client-full {{ item }} nopass &&
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    with_items: "{{ users }}"
+
+  - name: Build the client's p12 
+    shell: >
+      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
+      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
+    with_items: "{{ users }}"
+    
+  - name: Get active users
+    shell: >
+      grep ^V pki/index.txt | grep -v "www.ivlis.me" | awk '{print $5}' | sed 's/\/CN=//g'
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+    register: valid_certs
+      
+  - name: Revoke non-existing users
+    shell: >
+      ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&    
+      ./easyrsa revoke {{ item }} &&
+      ipsec rereadcrls
+    args:
+      chdir: '{{ easyrsa_dir }}/easyrsa3/'
+    when: item not in users
+    with_items: "{{ valid_certs.stdout_lines }}"
+    
+  - name: Register p12 PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+    register:  PayloadContent
+    with_items: "{{ users }}"
+
+  - name: Register CA PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
+    register:  PayloadContentCA
+   
+  - name: Build the mobileconfigs
+    template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
+    with_together:
+      - "{{ users }}"
+      - "{{ PayloadContent.results }}"
+    no_log: True  
+      
+  - name: Fetch users P12
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ server_name }}_{{ item }}.p12 flat=yes
+    with_items: "{{ users }}"
+
+  - name: Fetch users mobileconfig
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ server_name }}_{{ item }}.mobileconfig flat=yes
+    with_items: "{{ users }}"
+    
+  - name: Fetch server CA certificate
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes
+    
\ No newline at end of file
diff --git a/vpn.yml b/vpn.yml
index c3ce851..6abd9f1 100644
--- a/vpn.yml
+++ b/vpn.yml
@@ -50,16 +50,16 @@
     when: easyrsa_reinit_existent == True
     
   - name: Build the pki enviroments
-    shell: |
-      ./easyrsa init-pki
+    shell: >
+      ./easyrsa init-pki &&
       touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'    
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
       creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
 
   - name: Build the CA pair 
-    shell: |
-      ./easyrsa build-ca nopass
+    shell: >
+      ./easyrsa build-ca nopass &&
       touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -68,8 +68,8 @@
     - restart strongswan  
     
   - name: Build the server pair # TODO: IP and DNS for certificate
-    shell: |
-      ./easyrsa build-server-full {{ server_name }} nopass
+    shell: >
+      ./easyrsa build-server-full {{ server_name }} nopass &&
       touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -78,8 +78,8 @@
     - restart strongswan        
 
   - name: Build the client's pair
-    shell: |
-      ./easyrsa build-client-full {{ item }} nopass
+    shell: >
+      ./easyrsa build-client-full {{ item }} nopass &&
       touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -87,8 +87,8 @@
     with_items: "{{ users }}"
 
   - name: Build the client's p12 
-    shell: |
-      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
+    shell: >
+      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
       touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
     args:
       chdir: '{{ easyrsa_dir }}/easyrsa3/'
@@ -139,6 +139,9 @@
   - name: Fetch server CA certificate
     fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ server_name }}_ca.crt flat=yes
     
+  - name: Add server to the inventory file
+    local_action: lineinfile dest=inventory_users line="{{ inventory_hostname }}" insertafter='\[users-management\]\n' state=present
+    
   handlers:
     - name: restart strongswan
       service: name=strongswan state=restarted