| author | Guilhem Moulin <guilhem@fripost.org> | 2014-06-25 05:22:58 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:51 +0200 |
| commit | a4d0e4a7f8cd829de8346fb6edd9866cc855134f (patch) | |
| tree | 2b66a0fb217b9fc200dcaaa51ca426283318ff58 | /roles/common/handlers |
| parent | 01abd3dbf8e357fd71ebfa41519dc4d1f4bc0bd8 (diff) | |
Don't require a PKI for IPSec.
Instead, generate a server certificate for each host (on the machine
itself). Then fetch all these certs locally, and copy them over to each
IPSec peer. That requires more certs to be stored on each machine (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines.
Diffstat (limited to 'roles/common/handlers')
-rw-r--r-- | roles/common/handlers/main.yml | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 2f4f900..89e4b6b 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,40 +1,37 @@ # 'service: name=... state=started' tasks should NOT run if there is a # corresponding state=restarted handler. (Register the task notifying # the handler, and add a conditional.) --- - name: Refresh hostname service: name=hostname.sh state=restarted - name: apt-get update apt: update_cache=yes - name: Reload samhain service: name=samhain state=reloaded - name: Update rkhunter's data file command: /usr/bin/rkhunter --propupd - name: Restart fail2ban service: name=fail2ban state=restarted -- name: Missing IPSec certificate - fail: msg="strongswan IPsec is lacking public or private keys on '{{ ansible_fqdn }}'." - - name: Restart IPSec service: name=ipsec state=restarted - name: Reload networking # /etc/init.d/networking doesn't answer the status command; but since # it should be "up" whenever ansible has access to the machine, we use # pattern=init as a dummy assumption. service: name=networking pattern=init state=reloaded - name: Restart ntp service: name=ntp state=restarted # TODO: should be in a separate file, since it's used by other roles - name: Restart Postfix service: name=postfix state=restarted - name: Reload Postfix service: name=postfix state=reloaded |
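Review bot: deleting the `Missing IPSec certificate` handler means any task that still carries `notify: Missing IPSec certificate` will now abort the play with an undefined-handler error rather than the intended message; this diffstat is limited to roles/common/handlers, so confirm the task that notified it (in the common role's tasks) was dropped or rewired in the same commit. That `fail:` was also the only explicit guard that a host actually has its public and private key before `Restart IPSec` fires; with per-host certificates now generated on the machine itself, consider keeping an equivalent check next to the generation task (for example a `stat` on the key and cert paths with a `when`-conditioned `fail:`), so a host whose key pair is missing or was copied incompletely does not just restart strongswan and fail later at tunnel setup. The header comment about `state=started` tasks not running alongside a `state=restarted` handler still applies to `Restart IPSec` and is worth re-checking against the new certificate-copy tasks that notify it.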