diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-01 23:02:45 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:13 +0200 |
commit | de4859456f1de54540c96ad97f62858dd089a980 (patch) | |
tree | 4b4904258ae3daf6a6b4f852cbc9821acdfa8cc4 /roles/common/tasks/ipsec.yml | |
parent | 170dc68f9275dffb48fbe3f8ebb2183cd7ddf111 (diff) |
Replace IPSec tunnels by app-level ephemeral TLS sessions.
For some reason giraff doesn't like IPSec. App-level TLS sessions are
less efficient, but thanks to ansible it still scales well.
Diffstat (limited to 'roles/common/tasks/ipsec.yml')
-rw-r--r-- | roles/common/tasks/ipsec.yml | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml index 51d717f..36807d2 100644 --- a/roles/common/tasks/ipsec.yml +++ b/roles/common/tasks/ipsec.yml @@ -12,14 +12,18 @@ failed_when: r1.rc > 1 notify: - Restart IPSec + tags: + - genkey - name: Fetch the public part of IPSec's host key - sudo: False # Ensure we don't fetch private data + sudo: False fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem dest=certs/ipsec/ fail_on_missing=yes flat=yes + tags: + - genkey # Don't copy our pubkey due to a possible race condition. Only the # remote machine has authority regarding its key. |