mirror of https://github.com/trailofbits/algo
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
228 lines
8.3 KiB
YAML
228 lines
8.3 KiB
YAML
- name: Gather Facts
|
|
setup:
|
|
|
|
- name: Install StrongSwan
|
|
apt: name=strongswan state=latest update_cache=yes
|
|
|
|
- name: Enforcing ipsec with apparmor
|
|
shell: aa-enforce "{{ item }}"
|
|
with_items:
|
|
- /usr/lib/ipsec/charon
|
|
- /usr/lib/ipsec/lookip
|
|
- /usr/lib/ipsec/stroke
|
|
notify:
|
|
- restart apparmor
|
|
|
|
- name: Enable services
|
|
service: name={{ item }} enabled=yes
|
|
with_items:
|
|
- apparmor
|
|
- strongswan
|
|
- netfilter-persistent
|
|
|
|
- name: Configure iptables so IPSec traffic can traverse the tunnel
|
|
iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
|
|
when: (security_enabled is not defined) or
|
|
(security_enabled is defined and security_enabled != "y")
|
|
notify:
|
|
- save iptables
|
|
|
|
- name: Configure ip6tables so IPSec traffic can traverse the tunnel
|
|
iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
|
|
when: (security_enabled is not defined) or
|
|
(security_enabled is defined and security_enabled != "y")
|
|
notify:
|
|
- save iptables
|
|
|
|
- name: Ensure that the strongswan group exist
|
|
group: name=strongswan state=present
|
|
|
|
- name: Ensure that the strongswan user exist
|
|
user: name=strongswan group=strongswan state=present
|
|
|
|
- name: Ensure that the strongswan service directory exist
|
|
file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root
|
|
|
|
- name: Setup the cgroup limitations for the ipsec daemon
|
|
template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
|
|
notify:
|
|
- daemon-reload
|
|
- restart strongswan
|
|
|
|
- meta: flush_handlers
|
|
|
|
- name: Setup the strongswan.conf file from our template
|
|
template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Setup the ipsec.conf file from our template
|
|
template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Setup the ipsec.secrets file
|
|
template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=strongswan group=root mode=0600
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Get loaded plugins
|
|
shell: >
|
|
find /etc/strongswan.d/charon/ -type f -name '*.conf' -printf '%f\n' | cut -f1 -d.
|
|
register: strongswan_plugins
|
|
|
|
- name: Disable unneeded plugins
|
|
lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present
|
|
notify:
|
|
- restart strongswan
|
|
when: item not in strongswan_enabled_plugins
|
|
with_items: "{{ strongswan_plugins.stdout_lines }}"
|
|
|
|
- name: Ensure that required plugins are enabled
|
|
lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
|
|
notify:
|
|
- restart strongswan
|
|
when: item in strongswan_enabled_plugins
|
|
with_items: "{{ strongswan_plugins.stdout_lines }}"
|
|
|
|
- name: Fetch easy-rsa-ipsec from git
|
|
git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}"
|
|
|
|
- name: Setup the vars file from our template
|
|
template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
|
|
|
|
- name: Ensure the pki directory is not exist
|
|
file: dest={{ easyrsa_dir }}/easyrsa3/pki state=absent
|
|
when: easyrsa_reinit_existent == True
|
|
|
|
- name: Build the pki enviroments
|
|
shell: >
|
|
./easyrsa init-pki &&
|
|
touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
|
|
args:
|
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
|
creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
|
|
|
|
- name: Build the CA pair
|
|
shell: >
|
|
./easyrsa build-ca nopass &&
|
|
touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
|
|
args:
|
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
|
creates: '{{ easyrsa_dir }}/easyrsa3/pki/ca_initialized'
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Build the server pair
|
|
shell: >
|
|
./easyrsa --subject-alt-name='DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass &&
|
|
touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
|
|
args:
|
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
|
creates: '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Build the client's pair
|
|
shell: >
|
|
./easyrsa build-client-full {{ item }} nopass &&
|
|
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
|
|
args:
|
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
|
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Build the client's p12
|
|
shell: >
|
|
openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
|
|
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
|
|
args:
|
|
chdir: '{{ easyrsa_dir }}/easyrsa3/'
|
|
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Copy the CA cert to the strongswan directory
|
|
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=strongswan group=root mode=0600
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Copy the server cert to the strongswan directory
|
|
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group=root mode=0600
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Copy the server key to the strongswan directory
|
|
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group=root mode=0600
|
|
notify:
|
|
- restart strongswan
|
|
|
|
- name: Register p12 PayloadContent
|
|
shell: >
|
|
cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
|
|
register: PayloadContent
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Register CA PayloadContent
|
|
shell: >
|
|
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
|
|
register: PayloadContentCA
|
|
|
|
- name: Set facts for mobileconfigs
|
|
set_fact:
|
|
proxy_enabled: false
|
|
|
|
- name: Build the mobileconfigs
|
|
template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
|
|
with_together:
|
|
- "{{ users }}"
|
|
- "{{ PayloadContent.results }}"
|
|
no_log: True
|
|
|
|
- name: Build the client ipsec config file
|
|
template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
|
|
with_items:
|
|
- "{{ users }}"
|
|
|
|
- name: Build the client ipsec secret file
|
|
template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
|
|
with_items:
|
|
- "{{ users }}"
|
|
|
|
- name: Fetch users P12
|
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Fetch users mobileconfig
|
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Fetch users certificates
|
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Fetch users keys
|
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Fetch users ipsec configs
|
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Fetch users ipsec secrets
|
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
|
|
with_items: "{{ users }}"
|
|
|
|
- name: Restrict permissions
|
|
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
|
|
with_items:
|
|
- /etc/ipsec.d/private
|
|
|
|
- name: Fetch server CA certificate
|
|
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
|
|
notify:
|
|
- congrats
|
|
|
|
- include: iptables.yml
|
|
tags: iptables
|
|
|