|
|
|
|
@ -2,6 +2,7 @@
|
|
|
|
|
|
|
|
|
|
- hosts: localhost
|
|
|
|
|
gather_facts: False
|
|
|
|
|
tags: always
|
|
|
|
|
vars_files:
|
|
|
|
|
- config.cfg
|
|
|
|
|
|
|
|
|
|
@ -40,12 +41,12 @@
|
|
|
|
|
become: true
|
|
|
|
|
vars_files:
|
|
|
|
|
- config.cfg
|
|
|
|
|
- roles/vpn/defaults/main.yml
|
|
|
|
|
|
|
|
|
|
pre_tasks:
|
|
|
|
|
- block:
|
|
|
|
|
- name: Common pre-tasks
|
|
|
|
|
include: playbooks/common.yml
|
|
|
|
|
tags: always
|
|
|
|
|
rescue:
|
|
|
|
|
- debug: var=fail_hint
|
|
|
|
|
tags: always
|
|
|
|
|
@ -53,165 +54,8 @@
|
|
|
|
|
tags: always
|
|
|
|
|
|
|
|
|
|
roles:
|
|
|
|
|
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
|
|
|
|
|
|
|
|
|
tasks:
|
|
|
|
|
- block:
|
|
|
|
|
- name: Gather Facts
|
|
|
|
|
setup:
|
|
|
|
|
|
|
|
|
|
- name: Checking the signature algorithm
|
|
|
|
|
local_action: >
|
|
|
|
|
shell openssl x509 -text -in certs/{{ IP_subject_alt_name }}.crt | grep 'Signature Algorithm' | head -n1
|
|
|
|
|
become: no
|
|
|
|
|
register: sig_algo
|
|
|
|
|
args:
|
|
|
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
|
|
|
|
|
|
|
|
- name: Change the algorithm to RSA
|
|
|
|
|
set_fact:
|
|
|
|
|
algo_params: "rsa:2048"
|
|
|
|
|
when: '"ecdsa" not in sig_algo.stdout'
|
|
|
|
|
|
|
|
|
|
- name: Build the client's pair
|
|
|
|
|
local_action: >
|
|
|
|
|
shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
|
|
|
|
|
openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
|
|
|
|
|
touch certs/{{ item }}_crt_generated
|
|
|
|
|
become: no
|
|
|
|
|
args:
|
|
|
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
|
|
|
creates: certs/{{ item }}_crt_generated
|
|
|
|
|
environment:
|
|
|
|
|
subjectAltName: "DNS:{{ item }}"
|
|
|
|
|
with_items: "{{ users }}"
|
|
|
|
|
|
|
|
|
|
- name: Build the client's p12
|
|
|
|
|
local_action: >
|
|
|
|
|
shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
|
|
|
|
|
become: no
|
|
|
|
|
args:
|
|
|
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
|
|
|
with_items: "{{ users }}"
|
|
|
|
|
|
|
|
|
|
- name: Copy the p12 certificates
|
|
|
|
|
local_action:
|
|
|
|
|
module: copy
|
|
|
|
|
src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
|
|
|
|
|
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
|
|
|
|
|
mode: 0600
|
|
|
|
|
become: no
|
|
|
|
|
with_items:
|
|
|
|
|
- "{{ users }}"
|
|
|
|
|
|
|
|
|
|
- name: Get active users
|
|
|
|
|
local_action: >
|
|
|
|
|
shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
|
|
|
|
|
become: no
|
|
|
|
|
args:
|
|
|
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
|
|
|
register: valid_certs
|
|
|
|
|
|
|
|
|
|
- name: Revoke non-existing users
|
|
|
|
|
local_action: >
|
|
|
|
|
shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
|
|
|
|
|
openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
|
|
|
|
|
touch crl/{{ item }}_revoked
|
|
|
|
|
become: no
|
|
|
|
|
args:
|
|
|
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
|
|
|
creates: crl/{{ item }}_revoked
|
|
|
|
|
environment:
|
|
|
|
|
subjectAltName: "DNS:{{ item }}"
|
|
|
|
|
when: item not in users
|
|
|
|
|
with_items: "{{ valid_certs.stdout_lines }}"
|
|
|
|
|
|
|
|
|
|
- name: Copy the revoked certificates to the vpn server
|
|
|
|
|
copy:
|
|
|
|
|
src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
|
|
|
|
|
dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
|
|
|
|
|
when: item not in users
|
|
|
|
|
with_items: "{{ valid_certs.stdout_lines }}"
|
|
|
|
|
notify:
|
|
|
|
|
- rereadcrls
|
|
|
|
|
|
|
|
|
|
- name: Register p12 PayloadContent
|
|
|
|
|
local_action: >
|
|
|
|
|
shell cat private/{{ item }}.p12 | base64
|
|
|
|
|
register: PayloadContent
|
|
|
|
|
become: no
|
|
|
|
|
args:
|
|
|
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
|
|
|
with_items: "{{ users }}"
|
|
|
|
|
|
|
|
|
|
- name: Set facts for mobileconfigs
|
|
|
|
|
set_fact:
|
|
|
|
|
proxy_enabled: false
|
|
|
|
|
PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
|
|
|
|
|
|
|
|
|
|
- name: Build the mobileconfigs
|
|
|
|
|
local_action:
|
|
|
|
|
module: template
|
|
|
|
|
src: roles/vpn/templates/mobileconfig.j2
|
|
|
|
|
dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
|
|
|
|
|
mode: 0600
|
|
|
|
|
become: no
|
|
|
|
|
with_together:
|
|
|
|
|
- "{{ users }}"
|
|
|
|
|
- "{{ PayloadContent.results }}"
|
|
|
|
|
no_log: True
|
|
|
|
|
|
|
|
|
|
- name: Build the client ipsec config file
|
|
|
|
|
local_action:
|
|
|
|
|
module: template
|
|
|
|
|
src: roles/vpn/templates/client_ipsec.conf.j2
|
|
|
|
|
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
|
|
|
|
|
mode: 0600
|
|
|
|
|
become: no
|
|
|
|
|
with_items:
|
|
|
|
|
- "{{ users }}"
|
|
|
|
|
|
|
|
|
|
- name: Build the client ipsec secret file
|
|
|
|
|
local_action:
|
|
|
|
|
module: template
|
|
|
|
|
src: roles/vpn/templates/client_ipsec.secrets.j2
|
|
|
|
|
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
|
|
|
|
|
mode: 0600
|
|
|
|
|
become: no
|
|
|
|
|
with_items:
|
|
|
|
|
- "{{ users }}"
|
|
|
|
|
|
|
|
|
|
- name: Build the windows client powershell script
|
|
|
|
|
local_action:
|
|
|
|
|
module: template
|
|
|
|
|
src: roles/vpn/templates/client_windows.ps1.j2
|
|
|
|
|
dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
|
|
|
|
|
mode: 0600
|
|
|
|
|
become: no
|
|
|
|
|
when: Win10_Enabled is defined and Win10_Enabled == "Y"
|
|
|
|
|
with_items: "{{ users }}"
|
|
|
|
|
|
|
|
|
|
# SSH
|
|
|
|
|
|
|
|
|
|
- name: SSH | Get active system users
|
|
|
|
|
shell: >
|
|
|
|
|
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
|
|
|
|
|
register: valid_users
|
|
|
|
|
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
|
|
|
|
|
|
|
|
- name: SSH | Delete non-existing users
|
|
|
|
|
user:
|
|
|
|
|
name: "{{ item }}"
|
|
|
|
|
state: absent
|
|
|
|
|
remove: yes
|
|
|
|
|
force: yes
|
|
|
|
|
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
|
|
|
with_items: "{{ valid_users.stdout_lines | default('null') }}"
|
|
|
|
|
rescue:
|
|
|
|
|
- debug: var=fail_hint
|
|
|
|
|
tags: always
|
|
|
|
|
- fail:
|
|
|
|
|
tags: always
|
|
|
|
|
- { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
|
|
|
|
- { role: vpn }
|
|
|
|
|
|
|
|
|
|
post_tasks:
|
|
|
|
|
- block:
|
|
|
|
|
@ -225,7 +69,3 @@
|
|
|
|
|
tags: always
|
|
|
|
|
- fail:
|
|
|
|
|
tags: always
|
|
|
|
|
|
|
|
|
|
handlers:
|
|
|
|
|
- name: rereadcrls
|
|
|
|
|
shell: ipsec rereadcrls
|
|
|
|
|
|
Jack Ivanov
7 years ago
committed by
Dan Guido