Remove IPSec related files.

5 files changed, 0 insertions, 181 deletions

diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
deleted file mode 100755
index 4a84112..0000000
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/sh
-
-# A post-up/down hook to automatically create/delete a 'sec' VLAN
-# device, and a dedicated, host-scoped, IP for IPSec (v4 only).
-# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-set -ue
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-
-ifsec=sec0
-ipsec=172.16.0.1/32
-
-# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh.
-secmark=0xA99
-
-# Ignore the loopback interface and non inet4 families.
-[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
-
-# Only the device with the default, globally-scoped route, is of
-# interest here.
-[ "$( /bin/ip -4 route show to default scope global \
-    | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \
-  = \
-  "$IFACE" ] || exit 0
-
-case "$MODE" in
-    start) # Don't create $ifsec if it's already there
-           if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
-               # Create a new VLAN $IFACE on physical device $ifsec. This is
-               # required otherwise charon thinks the left peer is that
-               # host-scoped, non-routable IP.
-               /bin/ip link    add link "$IFACE" name "$ifsec" type vlan id 2713
-               /bin/ip address add "$ipsec" dev "$ifsec" scope host
-               /bin/ip link    set dev "$ifsec" up
-           fi
-
-           # If a packet retained its mark that far, it means it has
-           # been SNAT'ed from $ipsec, and didn't have a xfrm
-           # association.  Hence we nullroute it to avoid to leak data
-           # intented to be tunneled through IPSec.  /!\ The priority
-           # must be >220 (which the one used by strongSwan IPSec) since
-           # xfrm lookup must take precedence.
-           /bin/ip rule  add fwmark "$secmark" table 666 priority 666 || true
-           /bin/ip route add prohibit default  table 666              || true
-    ;;
-    stop)  if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
-               # Deactivate the VLAN
-               /bin/ip link set dev "$ifsec" down
-           fi
-
-           # Delete the 'prohibit' rule
-           /bin/ip rule  del fwmark "$secmark" table 666 priority 666 || true
-           /bin/ip route flush table 666
-    ;;
-esac
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 1e0a21e..d20f7b6 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -17,9 +17,6 @@
 - name: Restart fail2ban
   service: name=fail2ban state=restarted
 
-- name: Restart IPSec
-  service: name=ipsec state=restarted
-
 - name: Reload networking
   # /etc/init.d/networking doesn't answer the status command; but since
   # it should be "up" whenever ansible has access to the machine, we use
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
deleted file mode 100644
index 36807d2..0000000
--- a/roles/common/tasks/ipsec.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-- name: Install strongSwan
-  apt: pkg=strongswan-ikev2
-
-- name: Generate a private key and a X.509 certificate for IPSec
-  command: genkeypair.sh x509
-                         --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
-                         --privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key
-                         --dns={{ inventory_hostname }}
-                         -t ecdsa -b secp521r1 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart IPSec
-  tags:
-    - genkey
-
-- name: Fetch the public part of IPSec's host key
-  # Ensure we don't fetch private data
-  sudo: False
-  fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
-         dest=certs/ipsec/
-         fail_on_missing=yes
-         flat=yes
-  tags:
-    - genkey
-
-# Don't copy our pubkey due to a possible race condition.  Only the
-# remote machine has authority regarding its key.
-- name: Copy IPSec host pubkeys (except ours)
-  copy: src=certs/ipsec/{{ item }}.pem
-        dest=/etc/ipsec.d/certs/{{ item }}.pem
-        owner=root group=root
-        mode=0644
-  with_items: groups.all | difference([inventory_hostname])
-  register: r2
-  notify:
-    - Restart IPSec
-
-- name: Configure IPSec's secrets
-  template: src=etc/ipsec.secrets.j2
-            dest=/etc/ipsec.secrets
-            owner=root group=root
-            mode=0600
-  register: r3
-  notify:
-    - Restart IPSec
-
-- name: Configure IPSec
-  template: src=etc/ipsec.conf.j2
-            dest=/etc/ipsec.conf
-            owner=root group=root
-            mode=0644
-  register: r4
-  notify:
-    - Restart IPSec
-
-- name: Start IPSec
-  service: name=ipsec state=started
-  when: not (r1.changed or r2.changed or r3.changed or r4.changed)
-
-- name: Auto-create a dedicated interface for IPSec
-  copy: src=etc/network/if-up.d/ipsec
-        dest=/etc/network/if-up.d/ipsec
-        owner=root group=root
-        mode=0755
-  notify:
-    - Reload networking
-
-- name: Auto-deactivate the dedicated interface for IPSec
-  file: src=../if-up.d/ipsec
-        dest=/etc/network/if-down.d/ipsec
-        owner=root group=root state=link force=yes
-
-- meta: flush_handlers
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
deleted file mode 100644
index 1dbcdbd..0000000
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-# {{ ansible_managed }}
-# Do NOT edit this file directly!
-
-config setup
-    plutostart = no
-
-# Add connections here.
-
-conn %default
-    keyexchange  = ikev2
-    ikelifetime  = 1h
-    keylife      = 15m
-    rekeymargin  = 3m
-    keyingtries  = 1
-    esp          = aes128gcm16-ecp256!
-    ike          = aes128gcm16-aesxcbc-ecp256!
-    # TODO: test DynDNS
-    mobike       = no
-    leftauth     = pubkey
-    left         = %defaultroute
-    leftcert     = {{ inventory_hostname }}.pem
-    leftfirewall = yes
-    rightauth    = pubkey
-    auto         = start
-{% for host in groups.all | difference([inventory_hostname]) | sort %}
-
-conn {{ host }}
-    right     = {{ hostvars[host]['inventory_hostname'] }}
-    rightcert = {{ hostvars[host]['inventory_hostname'] }}.pem
-{%- endfor %}
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
deleted file mode 100644
index da707bd..0000000
--- a/roles/common/templates/etc/ipsec.secrets.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-# Do NOT edit this file directly!
-
-# Our VPN uses ECC only.
-: ECDSA {{ inventory_hostname }}.key