algo/users.yml
2017-03-05 10:58:42 +03:00

209 lines
6.8 KiB
YAML

---
- hosts: localhost
gather_facts: False
vars_files:
- config.cfg
tasks:
- name: Add the server to the vpn-host group
add_host:
hostname: "{{ server_ip }}"
groupname: vpn-host
ansible_ssh_user: "{{ server_user }}"
ansible_python_interpreter: "/usr/bin/python2.7"
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
easyrsa_CA_password: "{{ easyrsa_CA_password }}"
IP_subject: "{{ IP_subject }}"
ansible_ssh_private_key_file: "{{ SSH_keys.private }}"
- name: Wait until SSH becomes ready...
local_action:
module: wait_for
port: 22
host: "{{ server_ip }}"
search_regex: "OpenSSH"
delay: 10
timeout: 320
state: present
become: false
- name: User management
hosts: vpn-host
gather_facts: true
become: true
vars_files:
- config.cfg
pre_tasks:
- set_fact:
IP_subject_alt_name: "{{ IP_subject }}"
easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
roles:
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
tasks:
- name: Gather Facts
setup:
- name: Cheking the signature algorithm
local_action: >
shell openssl x509 -text -in certs/{{ IP_subject_alt_name }}.crt | grep 'Signature Algorithm' | head -n1
become: no
register: sig_algo
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
- name: Change the algorithm to RSA
set_fact:
algo_params: "rsa:2048"
when: '"ecdsa" not in sig_algo.stdout'
- name: Build the client's pair
local_action: >
shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
touch certs/{{ item }}_crt_generated
become: no
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: certs/{{ item }}_crt_generated
environment:
subjectAltName: "DNS:{{ item }}"
with_items: "{{ users }}"
- name: Build the client's p12
local_action: >
shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
become: no
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
with_items: "{{ users }}"
- name: Copy the p12 certificates
local_action:
module: copy
src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
mode: 0600
become: no
with_items:
- "{{ users }}"
- name: Get active users
local_action: >
shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
become: no
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
register: valid_certs
- name: Revoke non-existing users
local_action: >
shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
touch crl/{{ item }}_revoked
become: no
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
creates: crl/{{ item }}_revoked
environment:
subjectAltName: "DNS:{{ item }}"
when: item not in users
with_items: "{{ valid_certs.stdout_lines }}"
- name: Copy the revoked certificates to the vpn server
copy:
src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
dest: /etc/ipsec.d/crls/{{ item }}.crt
when: item not in users
with_items: "{{ valid_certs.stdout_lines }}"
notify:
- rereadcrls
- name: Register p12 PayloadContent
local_action: >
shell cat private/{{ item }}.p12 | base64
register: PayloadContent
become: no
args:
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
with_items: "{{ users }}"
- name: Set facts for mobileconfigs
set_fact:
proxy_enabled: false
PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
- name: Build the mobileconfigs
local_action:
module: template
src: roles/vpn/templates/mobileconfig.j2
dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
mode: 0600
become: no
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"
no_log: True
- name: Build the client ipsec config file
local_action:
module: template
src: roles/vpn/templates/client_ipsec.conf.j2
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
mode: 0600
become: no
with_items:
- "{{ users }}"
- name: Build the client ipsec secret file
local_action:
module: template
src: roles/vpn/templates/client_ipsec.secrets.j2
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
mode: 0600
become: no
with_items:
- "{{ users }}"
- name: Build the windows client powershell script
local_action:
module: template
src: roles/vpn/templates/client_windows.ps1.j2
dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
mode: 0600
become: no
when: Win10_Enabled is defined and Win10_Enabled == "Y"
with_items: "{{ users }}"
# SSH
- name: SSH | Get active system users
shell: >
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
register: valid_users
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
- name: SSH | Delete non-existing users
user:
name: "{{ item }}"
state: absent
remove: yes
force: yes
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
with_items: "{{ valid_users.stdout_lines | default('null') }}"
post_tasks:
- debug:
msg:
- "{{ congrats.common.split('\n') }}"
- " {{ congrats.p12_pass }}"
tags: always
handlers:
- name: rereadcrls
shell: ipsec rereadcrls