Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
fix/14704
dependabot/pip/ansible-9.4.0
master
dependabot/github_actions/actions/setup-python-5.1.0
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ff66be9ba8'
${ noResults }
algo/roles/vpn/tasks/main.yml

228 lines
8.3 KiB
YAML
Raw Blame History

- name: Gather Facts
setup:
- name: Install StrongSwan
apt: name=strongswan state=latest update_cache=yes
- name: Enforcing ipsec with apparmor
shell: aa-enforce "{{ item }}"
with_items:
- /usr/lib/ipsec/charon
- /usr/lib/ipsec/lookip
- /usr/lib/ipsec/stroke
notify:
- restart apparmor
- name: Enable services
service: name={{ item }} enabled=yes
with_items:
- apparmor
- strongswan
- netfilter-persistent
- name: Configure iptables so IPSec traffic can traverse the tunnel
iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
when: (security_enabled is not defined) or
(security_enabled is defined and security_enabled != "y")
notify:
- save iptables
- name: Configure ip6tables so IPSec traffic can traverse the tunnel
iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
when: (security_enabled is not defined) or
(security_enabled is defined and security_enabled != "y")
notify:
- save iptables
- name: Ensure that the strongswan group exist
group: name=strongswan state=present
- name: Ensure that the strongswan user exist
user: name=strongswan group=strongswan state=present
- name: Ensure that the strongswan service directory exist
file: path=/etc/systemd/system/strongswan.service.d/ state=directory mode=0755 owner=root group=root
- name: Setup the cgroup limitations for the ipsec daemon
template: src=100-CustomLimitations.conf.j2 dest=/etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
notify:
- daemon-reload
- restart strongswan
- meta: flush_handlers
- name: Setup the strongswan.conf file from our template
template: src=strongswan.conf.j2 dest=/etc/strongswan.conf owner=root group=root mode=0644
notify:
- restart strongswan
- name: Setup the ipsec.conf file from our template
template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=0644
notify:
- restart strongswan
- name: Setup the ipsec.secrets file
template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=strongswan group=root mode=0600
notify:
- restart strongswan
- name: Get loaded plugins
shell: >
find /etc/strongswan.d/charon/ -type f -name '*.conf' -printf '%f\n' | cut -f1 -d.
register: strongswan_plugins
- name: Disable unneeded plugins
lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present
notify:
- restart strongswan
when: item not in strongswan_enabled_plugins
with_items: "{{ strongswan_plugins.stdout_lines }}"
- name: Ensure that required plugins are enabled
lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
notify:
- restart strongswan
when: item in strongswan_enabled_plugins
with_items: "{{ strongswan_plugins.stdout_lines }}"
- name: Fetch easy-rsa-ipsec from git
git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}"
- name: Setup the vars file from our template
template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
- name: Ensure the pki directory is not exist
file: dest={{ easyrsa_dir }}/easyrsa3/pki state=absent
when: easyrsa_reinit_existent == True
- name: Build the pki enviroments
shell: >
./easyrsa init-pki &&
touch '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/pki_initialized'
- name: Build the CA pair
shell: >
./easyrsa build-ca nopass &&
touch {{ easyrsa_dir }}/easyrsa3/pki/ca_initialized
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/ca_initialized'
notify:
- restart strongswan
- name: Build the server pair
shell: >
./easyrsa --subject-alt-name='DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}' build-server-full {{ IP_subject_alt_name }} nopass &&
touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
notify:
- restart strongswan
- name: Build the client's pair
shell: >
./easyrsa build-client-full {{ item }} nopass &&
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
with_items: "{{ users }}"
- name: Build the client's p12
shell: >
openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} &&
touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
args:
chdir: '{{ easyrsa_dir }}/easyrsa3/'
creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
with_items: "{{ users }}"
- name: Copy the CA cert to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=strongswan group=root mode=0600
notify:
- restart strongswan
- name: Copy the server cert to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ IP_subject_alt_name }}.crt' dest=/etc/ipsec.d/certs/{{ IP_subject_alt_name }}.crt owner=strongswan group=root mode=0600
notify:
- restart strongswan
- name: Copy the server key to the strongswan directory
copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ IP_subject_alt_name }}.key' dest=/etc/ipsec.d/private/{{ IP_subject_alt_name }}.key owner=strongswan group=root mode=0600
notify:
- restart strongswan
- name: Register p12 PayloadContent
shell: >
cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
register: PayloadContent
with_items: "{{ users }}"
- name: Register CA PayloadContent
shell: >
cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
register: PayloadContentCA
- name: Set facts for mobileconfigs
set_fact:
proxy_enabled: false
- name: Build the mobileconfigs
template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
with_together:
- "{{ users }}"
- "{{ PayloadContent.results }}"
no_log: True
- name: Build the client ipsec config file
template: src=client_ipsec.conf.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf mode=0600
with_items:
- "{{ users }}"
- name: Build the client ipsec secret file
template: src=client_ipsec.secrets.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets mode=0600
with_items:
- "{{ users }}"
- name: Fetch users P12
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
with_items: "{{ users }}"
- name: Fetch users mobileconfig
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
with_items: "{{ users }}"
- name: Fetch users certificates
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt dest=configs/{{ IP_subject_alt_name }}_{{ item }}.crt flat=yes
with_items: "{{ users }}"
- name: Fetch users keys
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key dest=configs/{{ IP_subject_alt_name }}_{{ item }}.key flat=yes
with_items: "{{ users }}"
- name: Fetch users ipsec configs
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.conf dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.conf flat=yes
with_items: "{{ users }}"
- name: Fetch users ipsec secrets
fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/ipsec_{{ item }}.secrets dest=configs/{{ IP_subject_alt_name }}_{{ item }}_ipsec.secrets flat=yes
with_items: "{{ users }}"
- name: Restrict permissions
file: path="{{ item }}" state=directory mode=0700 owner=strongswan group=root
with_items:
- /etc/ipsec.d/private
- name: Fetch server CA certificate
fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
notify:
- congrats
- include: iptables.yml
tags: iptables
Reference in New Issue View Git Blame Copy Permalink