algo/roles/strongswan/tasks/ipsec_configuration.yml
Jack Ivanov 25513cf925 Refactoring, Linting and additional tests (#1397)
* Refactoring, Linting and additional tests

* Vultr: Undefined variable and deprecation notes fix

* Travis-CI enable linters

* Azure: Update python requirements

* Update main.yml

* Update install.sh

* Add missing roles to ansible-lint

* Linting for skipped roles

* add .ansible-lint config
2019-04-26 11:48:28 -04:00


---
# Render the strongSwan configuration templates under
# <config_prefix>etc/ (config_prefix falls back to '/').
# ipsec.secrets is the only file written owner-only (0600, owned by
# the strongswan user); the other three are world-readable (0644)
# and owned by root.
# NOTE(review): ipsec.secrets presumably carries credential material,
# so keep its mode at 0600 - confirm against ipsec.secrets.j2.
# Any change to a rendered file notifies the "restart strongswan" handler.
- name: Setup the config files from our templates
  template:
    src: "{{ item.src }}"
    dest: "{{ config_prefix | default('/') }}etc/{{ item.dest }}"
    mode: "{{ item.mode }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
  with_items:
    - src: strongswan.conf.j2
      dest: strongswan.conf
      mode: "0644"
      owner: root
      group: "{{ root_group | default('root') }}"

    - src: ipsec.conf.j2
      dest: ipsec.conf
      mode: "0644"
      owner: root
      group: "{{ root_group | default('root') }}"

    # Owner-only access: readable by the strongswan user, nobody else.
    - src: ipsec.secrets.j2
      dest: ipsec.secrets
      mode: "0600"
      owner: strongswan
      group: "{{ root_group | default('root') }}"

    - src: charon.conf.j2
      dest: strongswan.d/charon.conf
      mode: "0644"
      owner: root
      group: "{{ root_group | default('root') }}"
  notify:
    - restart strongswan
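# List every plugin that has a config file under
# <config_prefix>etc/strongswan.d/charon/ and register the names
# (file name up to the first dot) as strongswan_plugins.stdout_lines.
# Despite the task name, this enumerates all *.conf files present,
# not only plugins that are currently set to load.
# The directory path is built from config_prefix and passed through
# the `quote` filter, so a prefix containing spaces or shell
# metacharacters is handed to find as a single literal argument.
# The command is read-only, hence changed_when: false.
- name: Get loaded plugins
  shell: |
    set -o pipefail
    find {{ (config_prefix | default('/') ~ 'etc/strongswan.d/charon/') | quote }} -type f -name '*.conf' -exec basename {} \; |
    cut -f1 -d.
  args:
    # pipefail is a bash option, so the task must not run under plain sh.
    executable: bash
  register: strongswan_plugins
  changed_when: false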
# Turn off every discovered plugin that appears in neither
# strongswan_enabled_plugins nor strongswan_additional_plugins, so only
# the explicitly listed plugins stay loadable.
# NOTE(review): the regexp matches any line containing "load", not just
# the `load = ...` setting, and lineinfile rewrites the last match; a
# later comment or key containing "load" would be replaced instead.
# Confirm against the plugin files actually shipped.
- name: Disable unneeded plugins
  lineinfile:
    dest: "{{ config_prefix | default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
    regexp: '.*load.*'
    line: 'load = no'
    state: present
  with_items: "{{ strongswan_plugins.stdout_lines }}"
  # A list under `when` is AND-ed: the plugin must be absent from both lists.
  when:
    - item not in strongswan_enabled_plugins
    - item not in strongswan_additional_plugins
  notify:
    - restart strongswan
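# Counterpart of "Disable unneeded plugins": force `load = yes` for each
# discovered plugin listed in strongswan_enabled_plugins or
# strongswan_additional_plugins.
# Module arguments are written as a YAML mapping rather than an inline
# key=value string, matching the other lineinfile task in this file.
# NOTE(review): the regexp matches any line containing "load", and
# lineinfile rewrites the last match - confirm that this is always the
# `load = ...` setting in the shipped plugin files.
- name: Ensure that required plugins are enabled
  lineinfile:
    dest: "{{ config_prefix | default('/') }}etc/strongswan.d/charon/{{ item }}.conf"
    regexp: '.*load.*'
    line: 'load = yes'
    state: present
  with_items: "{{ strongswan_plugins.stdout_lines }}"
  when: item in strongswan_enabled_plugins or item in strongswan_additional_plugins
  notify:
    - restart strongswan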