--- - hosts: localhost gather_facts: False vars_files: - config.cfg vars_prompt: - name: "server_ip" prompt: "Enter IP address of your server: (use localhost for local installation)\n" default: localhost private: no - name: "server_user" prompt: "What user should we use to login on the server? (ignore if you're deploying to localhost):\n" default: "root" private: no - name: "ssh_tunneling_enabled" prompt: "Do you want each user to have their own account for SSH tunneling? (y/n):\n" default: "n" private: no - name: "easyrsa_p12_export_password" prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" default: "vpnpw" private: yes - name: "IP_subject" prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n" private: no tasks: - name: Add the server to the vpn-host group add_host: hostname: "{{ server_ip }}" groupname: vpn-host ansible_ssh_user: "{{ server_user }}" ansible_python_interpreter: "/usr/bin/python2.7" easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" IP_subject: "{{ IP_subject }}" - name: Wait for SSH to become available local_action: "wait_for port=22 host={{ server_ip }} timeout=320" become: false - name: User management hosts: vpn-host gather_facts: false become: true vars_files: - config.cfg pre_tasks: - set_fact: IP_subject_alt_name: "{{ IP_subject }}" roles: - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } tasks: - name: Build the client's pair shell: > ./easyrsa build-client-full {{ item }} nopass && touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized' with_items: "{{ users }}" - name: Build the client's p12 shell: > openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} && touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' with_items: "{{ users }}" - name: Get active users shell: > grep ^V pki/index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g' args: chdir: '{{ easyrsa_dir }}/easyrsa3/' register: valid_certs - name: Revoke non-existing users shell: > ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der && ./easyrsa revoke {{ item }} && ipsec rereadcrls args: chdir: '{{ easyrsa_dir }}/easyrsa3/' when: item not in users with_items: "{{ valid_certs.stdout_lines }}" - name: Register p12 PayloadContent shell: > cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64 register: PayloadContent with_items: "{{ users }}" - name: Register CA PayloadContent shell: > cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64 register: PayloadContentCA - name: Build the mobileconfigs template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 with_together: - "{{ users }}" - "{{ PayloadContent.results }}" no_log: True - name: Fetch users P12 fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes with_items: "{{ users }}" - name: Fetch users mobileconfig fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes with_items: "{{ users }}" - name: Fetch server CA certificate fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes # SSH - name: SSH | Get active system users shell: > getent group algo | cut -f4 -d: | sed "s/,/\n/g" register: valid_users when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" - name: SSH | Delete non-existing users user: name: "{{ item }}" state: absent remove: yes force: yes when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" with_items: "{{ valid_users.stdout_lines }}" - name: SSH | Fetch users SSH private keys fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes with_items: "{{ users }}"