run charon as non-root user #66

roles/security/templates/rules.v6.j2

@@ -6,7 +6,7 @@ COMMIT
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
-:OUTPUT DROP [0:0]
+:OUTPUT ACCEPT [0:0]
 :ICMPV6-CHECK - [0:0]
 :ICMPV6-CHECK-LOG - [0:0]
 -A INPUT -i lo -j ACCEPT

roles/vpn/tasks/main.yml

@@ -19,6 +19,17 @@
     - apparmor
     - strongswan
     - netfilter-persistent
+ 
+- name: Ensure that the strongswan group exist
+  group: name=strongswan state=present
+  
+- name: Ensure that the strongswan user exist
+  user: name=strongswan group=strongswan state=present
+  
+- name: Setup the strongswan.conf file from our template
+  template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644
+  notify:
+  - restart strongswan  
 
 - name: Setup the ipsec.conf file from our template
   template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644
@@ -26,7 +37,7 @@
   - restart strongswan
 
 - name: Setup the ipsec.secrets file
-  template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=0600
+  template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=strongswan group=root mode=0600
   notify:
   - restart strongswan
 
@@ -87,17 +98,17 @@
   with_items: "{{ users }}"
 
 - name: Copy the CA cert to the strongswan directory
-  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600
+  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=strongswan group=root mode=0600
   notify:
   - restart strongswan
 
 - name: Copy the server cert to the strongswan directory
-  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=root group=root mode=0600
+  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group=root mode=0600
   notify:
   - restart strongswan
 
 - name: Copy the server key to the strongswan directory
-  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=root group=root mode=0600
+  copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group=root mode=0600
   notify:
   - restart strongswan
 
@@ -126,6 +137,11 @@
 - name: Fetch users mobileconfig
   fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
   with_items: "{{ users }}"
+    
+- name: Restrict permissions
+  file: path="{{ item }}" state=directory mode=0700  owner=strongswan group=root
+  with_items:
+    - /etc/ipsec.d/private  
 
 - name: Fetch server CA certificate
   fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes

roles/vpn/templates/strongswan.conf.j2

@@ -0,0 +1,16 @@
+# strongswan.conf - strongSwan configuration file
+#
+# Refer to the strongswan.conf(5) manpage for details
+#
+# Configuration changes should be made in the included files
+
+charon {
+	load_modular = yes
+	plugins {
+		include strongswan.d/charon/*.conf
+	}
+	user = strongswan
+	group = strongswan
+}
+
+include strongswan.d/*.conf