mobileconfig implemented

8 years ago · 371b20a2ce
parent 6a20e11b2e
commit 371b20a2ce
9 changed files with 180 additions and 14 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,4 @@
 *.retry
+users/*.mobileconfig
+users/*.p12
+users/*.crt
--- a/common.yml
+++ b/common.yml
@ -23,6 +23,8 @@
      - git
      - screen
      - apparmor-utils
+      - uuid-runtime
+      - coreutils

  - name: Enable packet forwarding for IPv4
    sysctl: name=net.ipv4.ip_forward value=1
--- a/config.cfg
+++ b/config.cfg
@ -8,6 +8,7 @@ easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_curve: secp384r1
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
+easyrsa_p12_export_password: vpn

 # if True re-init all existing certificates. Boolean
 easyrsa_reinit_existent: True
--- a/templates/mobileconfig.j2
+++ b/templates/mobileconfig.j2
@ -0,0 +1,140 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>PayloadContent</key>
+    <array>
+        <dict>
+            <key>IKEv2</key>
+            <dict>
+                <key>AuthenticationMethod</key>
+                <string>Certificate</string>
+                <key>ChildSecurityAssociationParameters</key>
+                <dict>
+                    <key>DiffieHellmanGroup</key>
+                    <integer>19</integer>
+                    <key>EncryptionAlgorithm</key>
+                    <string>AES-128-GCM</string>
+                    <key>IntegrityAlgorithm</key>
+                    <string>SHA2-256</string>
+                    <key>LifeTimeInMinutes</key>
+                    <integer>1440</integer>
+                </dict>
+                <key>DeadPeerDetectionRate</key>
+                <string>Medium</string>
+                <key>DisableMOBIKE</key>
+                <integer>0</integer>
+                <key>DisableRedirect</key>
+                <integer>0</integer>
+                <key>EnableCertificateRevocationCheck</key>
+                <integer>0</integer>
+                <key>EnablePFS</key>
+                <true/>
+                <key>IKESecurityAssociationParameters</key>
+                <dict>
+                    <key>DiffieHellmanGroup</key>
+                    <integer>19</integer>
+                    <key>EncryptionAlgorithm</key>
+                    <string>AES-128-GCM</string>
+                    <key>IntegrityAlgorithm</key>
+                    <string>SHA2-256</string>
+                    <key>LifeTimeInMinutes</key>
+                    <integer>1440</integer>
+                </dict>
+                <key>LocalIdentifier</key>
+                <string>{{ item.0 }}</string>
+                <key>PayloadCertificateUUID</key>
+                <string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
+                <key>RemoteAddress</key>
+                <string>{{ server_name }}</string>
+                <key>RemoteIdentifier</key>
+                <string>{{ server_name }}</string>
+                <key>UseConfigurationAttributeInternalIPSubnet</key>
+                <integer>0</integer>
+            </dict>
+            <key>IPv4</key>
+            <dict>
+                <key>OverridePrimary</key>
+                <integer>1</integer>
+            </dict>
+            <key>PayloadDescription</key>
+            <string>Configures VPN settings</string>
+            <key>PayloadDisplayName</key>
+            <string>VPN</string>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
+            <key>PayloadType</key>
+            <string>com.apple.vpn.managed</string>
+            <key>PayloadUUID</key>
+            <string>D247A30B-6023-4C8E-B3E3-FF1910A65E53</string>
+            <key>PayloadVersion</key>
+            <real>1</real>
+            <key>Proxies</key>
+            <dict>
+                <key>HTTPEnable</key>
+                <integer>0</integer>
+                <key>HTTPSEnable</key>
+                <integer>0</integer>
+            </dict>
+            <key>UserDefinedName</key>
+            <string>{{ server_name }} IKEv2</string>
+            <key>VPNType</key>
+            <string>IKEv2</string>
+        </dict>
+        <dict>
+            <key>Password</key>
+            <string>{{ easyrsa_p12_export_password }}</string>
+            <key>PayloadCertificateFileName</key>
+            <string>{{ item.0 }}.p12</string>
+            <key>PayloadContent</key>
+            <data>
+            {{ item.1.stdout }}
+            </data>
+            <key>PayloadDescription</key>
+            <string>Adds a PKCS#12-formatted certificate</string>
+            <key>PayloadDisplayName</key>
+            <string>{{ item.0 }}.p12</string>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
+            <key>PayloadType</key>
+            <string>com.apple.security.pkcs12</string>
+            <key>PayloadUUID</key>
+            <string>1FB2907D-14D3-4BAB-A472-B304F4B7F7D9</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+        </dict>
+        <dict>
+            <key>PayloadCertificateFileName</key>
+            <string>ca.crt</string>
+            <key>PayloadContent</key>
+            <data>
+            {{ PayloadContentCA.stdout }}
+            </data>
+            <key>PayloadDescription</key>
+            <string>Adds a CA root certificate</string>
+            <key>PayloadDisplayName</key>
+            <string>{{ server_name }}</string>
+            <key>PayloadIdentifier</key>
+            <string>com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38</string>
+            <key>PayloadType</key>
+            <string>com.apple.security.root</string>
+            <key>PayloadUUID</key>
+            <string>32EA3AAA-D19E-43EF-B357-608218745A38</string>
+            <key>PayloadVersion</key>
+            <integer>1</integer>
+        </dict>
+    </array>
+    <key>PayloadDisplayName</key>
+    <string>{{ server_name }} IKEv2</string>
+    <key>PayloadIdentifier</key>
+    <string>donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE</string>
+    <key>PayloadRemovalDisallowed</key>
+    <false/>
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadUUID</key>
+    <string>743B04A8-5725-45A2-B1BB-836F8C16DB0A</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+</dict>
+</plist>
--- a/users/.gitinit
+++ b/users/.gitinit
--- a/users/mr.smith
+++ b/users/mr.smith
@ -0,0 +1 @@
+qwe11
--- a/users/mrs.smith
+++ b/users/mrs.smith
@ -0,0 +1 @@
+qwe
--- a/users/qwe
+++ b/users/qwe
--- a/vpn.yml
+++ b/vpn.yml
@ -67,7 +67,7 @@
    notify:
    - restart strongswan  
    
-  - name: Build the server pair
+  - name: Build the server pair # TODO: IP and DNS for sertificate
    shell: |
      ./easyrsa build-server-full {{ server_name }} nopass
      touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
@ -88,13 +88,13 @@

  - name: Build the client's p12 
    shell: |
-      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:vpn
+      openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
    with_items: "{{ users }}"
-  
+    
  - name: Copy the CA cert to the strongswan directory
    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600
    notify:
@ -109,20 +109,38 @@
    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
    notify:
    - restart strongswan    
+ 
+  - name: Register p12 PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+    register:  PayloadContent
+    with_items: "{{ users }}"
+
+  - name: Register CA PayloadContent
+    shell: >
+     cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
+    register:  PayloadContentCA
+   
+  - name: Build the mobileconfigs
+    template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
+    with_together:
+      - "{{ users }}"
+      - "{{ PayloadContent.results }}"
+      
+  - name: Fetch users P12
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=users/{{ server_name }}_{{ item }}.p12 flat=yes
+    with_items: "{{ users }}"
+
+  - name: Fetch users mobileconfig
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=users/{{ server_name }}_{{ item }}.mobileconfig flat=yes
+    with_items: "{{ users }}"
+    
+  - name: Fetch server CA certificate
+    fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=users/{{ server_name }}_ca.crt flat=yes
    
  handlers:
    - name: restart strongswan
      service: name=strongswan state=restarted

    - name: restart apparmor
-      service: name=apparmor state=restarted      
-      
-      
-      
-      
-    
-    
-    
-    
-    
-    
+      service: name=apparmor state=restarted