mirror of
https://github.com/trailofbits/algo
synced 2024-11-18 09:25:38 +00:00
4f1b9270be
* relax CA constraints for client (the client equivalent of PR #1675) * fixing incorrectly hard-coded output file path
77 lines
2.2 KiB
YAML
77 lines
2.2 KiB
YAML
- name: Gather Facts
|
|
setup:
|
|
|
|
- name: Include system based facts and tasks
|
|
import_tasks: systems/main.yml
|
|
|
|
- name: Install prerequisites
|
|
package: name="{{ item }}" state=present
|
|
with_items:
|
|
- "{{ prerequisites }}"
|
|
register: result
|
|
until: result is succeeded
|
|
retries: 10
|
|
delay: 3
|
|
|
|
- name: Install strongSwan
|
|
package: name=strongswan state=present
|
|
register: result
|
|
until: result is succeeded
|
|
retries: 10
|
|
delay: 3
|
|
|
|
- name: Setup the ipsec config
|
|
template:
|
|
src: "roles/strongswan/templates/client_ipsec.conf.j2"
|
|
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf"
|
|
mode: '0644'
|
|
with_items:
|
|
- "{{ vpn_user }}"
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Setup the ipsec secrets
|
|
template:
|
|
src: "roles/strongswan/templates/client_ipsec.secrets.j2"
|
|
dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets"
|
|
mode: '0600'
|
|
with_items:
|
|
- "{{ vpn_user }}"
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Include additional ipsec config
|
|
lineinfile:
|
|
dest: "{{ item.dest }}"
|
|
line: "{{ item.line }}"
|
|
create: yes
|
|
with_items:
|
|
- dest: "{{ configs_prefix }}/ipsec.conf"
|
|
line: "include ipsec.{{ IP_subject_alt_name }}.conf"
|
|
- dest: "{{ configs_prefix }}/ipsec.secrets"
|
|
line: "include ipsec.{{ IP_subject_alt_name }}.secrets"
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Configure libstrongswan to relax CA constraints
|
|
copy:
|
|
src: libstrongswan-relax-constraints.conf
|
|
dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
|
|
- name: Setup the certificates and keys
|
|
template:
|
|
src: "{{ item.src }}"
|
|
dest: "{{ item.dest }}"
|
|
with_items:
|
|
- src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt"
|
|
dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
|
|
- src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem"
|
|
dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
|
|
- src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key"
|
|
dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
|
|
notify:
|
|
- restart strongswan
|