mirror of
https://github.com/trailofbits/algo
synced 2024-11-10 01:11:07 +00:00
35faf4bca7
* Draft works with ECDSA RSA support for Windows * update-users with local_openssl_tasks * move prompts to the algo script * additional directory for SSH keys * move easyrsa_p12_export_password to pre_tasks * update-users testing * Fix hardcoded vars * Delete the CA key * Hardcoded IP. Fixes #219 * Some fixes
211 lines
6.9 KiB
YAML
211 lines
6.9 KiB
YAML
---
|
|
|
|
- hosts: localhost
|
|
gather_facts: False
|
|
vars_files:
|
|
- config.cfg
|
|
|
|
tasks:
|
|
- name: Add the server to the vpn-host group
|
|
add_host:
|
|
hostname: "{{ server_ip }}"
|
|
groupname: vpn-host
|
|
ansible_ssh_user: "{{ server_user }}"
|
|
ansible_python_interpreter: "/usr/bin/python2.7"
|
|
ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
|
|
easyrsa_CA_password: "{{ easyrsa_CA_password }}"
|
|
IP_subject: "{{ IP_subject }}"
|
|
ansible_ssh_private_key_file: "{{ SSH_keys.private }}"
|
|
|
|
- name: Wait until SSH becomes ready...
|
|
local_action:
|
|
module: wait_for
|
|
port: 22
|
|
host: "{{ server_ip }}"
|
|
search_regex: "OpenSSH"
|
|
delay: 10
|
|
timeout: 320
|
|
state: present
|
|
become: false
|
|
|
|
- name: User management
|
|
hosts: vpn-host
|
|
gather_facts: true
|
|
become: true
|
|
vars_files:
|
|
- config.cfg
|
|
|
|
pre_tasks:
|
|
- set_fact:
|
|
IP_subject_alt_name: "{{ IP_subject }}"
|
|
easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}"
|
|
|
|
roles:
|
|
- { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
|
|
|
|
tasks:
|
|
|
|
- name: Gather Facts
|
|
setup:
|
|
|
|
- name: Cheking the signature algorithm
|
|
local_action: >
|
|
shell openssl x509 -text -in certs/{{ IP_subject_alt_name }}.crt | grep 'Signature Algorithm' | head -n1
|
|
become: no
|
|
register: sig_algo
|
|
args:
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
|
|
- name: Change the algorithm to RSA
|
|
set_fact:
|
|
algo_params: "rsa:2048"
|
|
when: '"ecdsa" not in sig_algo.stdout'
|
|
|
|
- name: Build the client's pair
|
|
local_action: >
|
|
shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
|
|
openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
|
|
touch certs/{{ item }}_crt_generated
|
|
become: no
|
|
args:
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
creates: certs/{{ item }}_crt_generated
|
|
environment:
|
|
subjectAltName: "DNS:{{ item }}"
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Build the client's p12
|
|
local_action: >
|
|
shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
|
|
become: no
|
|
args:
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Copy the p12 certificates
|
|
local_action:
|
|
module: copy
|
|
src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
|
|
dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
|
|
mode: 0600
|
|
become: no
|
|
with_items:
|
|
- "{{ users }}"
|
|
|
|
- name: Get active users
|
|
local_action: >
|
|
shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
|
|
become: no
|
|
args:
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
register: valid_certs
|
|
|
|
- name: Revoke non-existing users
|
|
local_action: >
|
|
shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
|
|
openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
|
|
touch crl/{{ item }}_revoked
|
|
become: no
|
|
args:
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
creates: crl/{{ item }}_revoked
|
|
environment:
|
|
subjectAltName: "DNS:{{ item }}"
|
|
when: item not in users
|
|
with_items: "{{ valid_certs.stdout_lines }}"
|
|
|
|
- name: Copy the revoked certificates to the vpn server
|
|
copy:
|
|
src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
|
|
dest: /etc/ipsec.d/crls/{{ item }}.crt
|
|
when: item not in users
|
|
with_items: "{{ valid_certs.stdout_lines }}"
|
|
notify:
|
|
- rereadcrls
|
|
|
|
- name: Register p12 PayloadContent
|
|
local_action: >
|
|
shell cat private/{{ item }}.p12 | base64
|
|
register: PayloadContent
|
|
become: no
|
|
args:
|
|
chdir: "configs/{{ IP_subject_alt_name }}/pki/"
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Set facts for mobileconfigs
|
|
set_fact:
|
|
proxy_enabled: false
|
|
PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
|
|
|
|
- name: Build the mobileconfigs
|
|
local_action:
|
|
module: template
|
|
src: roles/vpn/templates/mobileconfig.j2
|
|
dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
|
|
mode: 0600
|
|
become: no
|
|
with_together:
|
|
- "{{ users }}"
|
|
- "{{ PayloadContent.results }}"
|
|
no_log: True
|
|
|
|
- name: Build the client ipsec config file
|
|
local_action:
|
|
module: template
|
|
src: roles/vpn/templates/client_ipsec.conf.j2
|
|
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
|
|
mode: 0600
|
|
become: no
|
|
with_items:
|
|
- "{{ users }}"
|
|
|
|
- name: Build the client ipsec secret file
|
|
local_action:
|
|
module: template
|
|
src: roles/vpn/templates/client_ipsec.secrets.j2
|
|
dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
|
|
mode: 0600
|
|
become: no
|
|
with_items:
|
|
- "{{ users }}"
|
|
|
|
- name: Build the windows client powershell script
|
|
local_action:
|
|
module: template
|
|
src: roles/vpn/templates/client_windows.ps1.j2
|
|
dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
|
|
mode: 0600
|
|
become: no
|
|
when: Win10_Enabled is defined and Win10_Enabled == "Y"
|
|
with_items: "{{ users }}"
|
|
|
|
# SSH
|
|
|
|
- name: SSH | Get active system users
|
|
shell: >
|
|
getent group algo | cut -f4 -d: | sed "s/,/\n/g"
|
|
register: valid_users
|
|
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
|
|
- name: SSH | Delete non-existing users
|
|
user:
|
|
name: "{{ item }}"
|
|
state: absent
|
|
remove: yes
|
|
force: yes
|
|
when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
with_items: "{{ valid_users.stdout_lines | default('null') }}"
|
|
|
|
- name: SSH | Fetch users SSH private keys
|
|
fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes
|
|
when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
|
|
with_items: "{{ users }}"
|
|
|
|
post_tasks:
|
|
- debug: msg="{{ congrats.split('\n') }}"
|
|
tags: always
|
|
|
|
handlers:
|
|
- name: rereadcrls
|
|
shell: ipsec rereadcrls
|