- name: Gather Facts setup: - name: Install StrongSwan apt: name=strongswan state=latest update_cache=yes - name: Enforcing ipsec with apparmor shell: aa-enforce "{{ item }}" with_items: - /usr/lib/ipsec/charon - /usr/lib/ipsec/lookip - /usr/lib/ipsec/stroke notify: - restart apparmor - name: Enable services service: name={{ item }} enabled=yes with_items: - apparmor - strongswan - netfilter-persistent - name: Configure iptables so IPSec traffic can traverse the tunnel iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE when: (security_enabled is not defined) or (security_enabled is defined and security_enabled != "y") notify: - save iptables - name: Configure ip6tables so IPSec traffic can traverse the tunnel iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE when: (security_enabled is not defined) or (security_enabled is defined and security_enabled != "y") notify: - save iptables - name: Ensure that the strongswan group exist group: name=strongswan state=present - name: Ensure that the strongswan user exist user: name=strongswan group=strongswan state=present - name: Ensure that the strongswan service directory exist file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root - name: Setup the cgroup limitations for the ipsec daemon template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf notify: - daemon-reload - restart strongswan - meta: flush_handlers - name: Setup the strongswan.conf file from our template template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644 notify: - restart strongswan - name: Setup the ipsec.conf file from our template template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644 notify: - restart strongswan - name: Setup the ipsec.secrets file template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=strongswan group=root mode=0600 notify: - restart strongswan - name: Get loaded plugins shell: > find /etc/strongswan.d/charon/ -type f -name '*.conf' -printf '%f\n' | cut -f1 -d. register: strongswan_plugins - name: Disable unneeded plugins lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present notify: - restart strongswan when: item not in strongswan_enabled_plugins with_items: "{{ strongswan_plugins.stdout_lines }}" - name: Ensure that required plugins are enabled lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present notify: - restart strongswan when: item in strongswan_enabled_plugins with_items: "{{ strongswan_plugins.stdout_lines }}" - name: Fetch easy-rsa-ipsec from git git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}" - name: Setup the vars file from our template template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars - name: Ensure the pki directory is not exist file: dest={{ easyrsa_dir }}/easyrsa3/pki state=absent when: easyrsa_reinit_existent == True - name: Build the pki enviroments shell: > ./easyrsa init-pki && touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized' - name: Build the CA pair shell: > ./easyrsa build-ca nopass && touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized args: chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/ca_initialized' notify: - restart strongswan - name: Build the server pair shell: > ./easyrsa --subject-alt-name='DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass && touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized' notify: - restart strongswan - name: Build the client's pair shell: > ./easyrsa build-client-full {{ item }} nopass && touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized' with_items: "{{ users }}" - name: Build the client's p12 shell: > openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} && touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' with_items: "{{ users }}" - name: Copy the CA cert to the strongswan directory copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=strongswan group=root mode=0600 notify: - restart strongswan - name: Copy the server cert to the strongswan directory copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group=root mode=0600 notify: - restart strongswan - name: Copy the server key to the strongswan directory copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group=root mode=0600 notify: - restart strongswan - name: Register p12 PayloadContent shell: > cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64 register: PayloadContent with_items: "{{ users }}" - name: Register CA PayloadContent shell: > cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64 register: PayloadContentCA - name: Set facts for mobileconfigs set_fact: proxy_enabled: false - name: Build the mobileconfigs template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 with_together: - "{{ users }}" - "{{ PayloadContent.results }}" no_log: True - name: Build the client ipsec config file template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600 with_items: - "{{ users }}" - name: Build the client ipsec secret file template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600 with_items: - "{{ users }}" - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" - name: Fetch users mobileconfig fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes with_items: "{{ users }}" - name: Fetch users certificates fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes with_items: "{{ users }}" - name: Fetch users keys fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes with_items: "{{ users }}" - name: Fetch users ipsec configs fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes with_items: "{{ users }}" - name: Fetch users ipsec secrets fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes with_items: "{{ users }}" - name: Restrict permissions file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root with_items: - /etc/ipsec.d/private - name: Fetch server CA certificate fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes notify: - congrats - include: iptables.yml tags: iptables