author: Guilhem Moulin <guilhem@fripost.org> 2014-06-25 05:22:58 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:51:51 +0200
commit: a4d0e4a7f8cd829de8346fb6edd9866cc855134f (patch)
tree: 2b66a0fb217b9fc200dcaaa51ca426283318ff58 /roles/common/tasks/main.yml
parent: 01abd3dbf8e357fd71ebfa41519dc4d1f4bc0bd8 (diff)
Don't require a PKI for IPSec.
Instead, generate a server certificate for each host (on the machine itself). Then fetch all these certs locally, and copy them over to each IPSec peer. That requires more certs to be stored on each machine (n vs 2), but it can be done automatically, and is easier to deploy. Note: When adding a new machine to the inventory, one needs to run the playbook on that machine (to generate the cert and fetch it locally) first, then on all other machines.
Diffstat (limited to 'roles/common/tasks/main.yml')
-rw-r--r-- roles/common/tasks/main.yml | 5
1 files changed, 5 insertions, 0 deletions
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 55feff8..f24a2c9 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -9,6 +9,11 @@
- include: fail2ban.yml tags=fail2ban
- include: smart.yml tags=smartmontools,smart
- include: haveged.yml tags=haveged,entropy
+- name: Copy genkeypair.sh
+ copy: src=usr/local/bin/genkeypair.sh
+ dest=/usr/local/bin/genkeypair.sh
+ owner=root group=root
+ mode=0755
- include: ipsec.yml tags=strongswan,ipsec
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
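Review bot: The new "Copy genkeypair.sh" task carries no tags, while every neighbouring include is tagged (e.g. `- include: ipsec.yml tags=strongswan,ipsec`); a run limited with `--tags ipsec` or `--tags strongswan` will therefore execute ipsec.yml, which per the commit message generates the host certificate on the machine itself, without first installing /usr/local/bin/genkeypair.sh, and the certificate generation will fail on a fresh host. Either add `tags=strongswan,ipsec` to the copy task or move it into ipsec.yml so the script is always present when the role that needs it runs.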