author | Guilhem Moulin <guilhem@fripost.org> | 2014-06-25 05:22:58 +0200 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:51 +0200 |
commit | a4d0e4a7f8cd829de8346fb6edd9866cc855134f (patch) | |
tree | 2b66a0fb217b9fc200dcaaa51ca426283318ff58 /roles/common/tasks | |
parent | 01abd3dbf8e357fd71ebfa41519dc4d1f4bc0bd8 (diff) |
Don't require a PKI for IPSec.
Instead, generate a server certificate for each host (on the machine
itself). Then fetch all these certs locally, and copy them over to each
IPSec peer. That requires more certs to be stored on each machine (n
vs 2), but it can be done automatically, and is easier to deploy.
Note: When adding a new machine to the inventory, one needs to run the
playbook on that machine (to generate the cert and fetch it locally)
first, then on all other machines.
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/ipsec.yml | 44 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 5 |
2 files changed, 32 insertions, 17 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 7870626..6b97ddb 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -1,33 +1,43 @@
 - name: Install strongSwan
   apt: pkg=strongswan-ikev2
 
-- name: Ensure we have our private key
-  file: path=/etc/ipsec.d/private/{{ inventory_hostname }}.key
-        owner=root group=root
-        mode=0600
+- name: Generate a key pair for IPSec
+  command: genkeypair.sh --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
+                         --privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key
+                         -n {{ inventory_hostname }}
+                         -t ecdsa -b secp521r1 -h sha512
+  register: r1
+  failed_when: r1.rc > 1
+  changed_when: r1.rc == 0
   notify:
-    - Missing IPSec certificate
+    - Restart IPSec
 
-- name: Ensure we have our public key
-  file: path=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
-        owner=root group=root
-        mode=0644
-  notify:
-    - Missing IPSec certificate
+- name: Fetch the public part of IPSec's host key
+  sudo: False
+  # Ensure we don't fetch private data
+  fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
+         dest=certs/ipsec/
+         fail_on_missing=yes
+         flat=yes
 
-- name: Ensure we have the CA's public key
-  file: path=/etc/ipsec.d/cacerts/cacert.pem
+# Don't copy our pubkey due to a possible race condition. Only the
+# remote machine has authority regarding its key.
+- name: Copy IPSec host pubkeys (except ours)
+  copy: src=certs/ipsec/{{ item }}.pem
+        dest=/etc/ipsec.d/certs/{{ item }}.pem
         owner=root group=root
         mode=0644
+  with_items: groups.all | difference([inventory_hostname])
+  register: r2
   notify:
-    - Missing IPSec certificate
+    - Restart IPSec
 
 - name: Configure IPSec's secrets
   template: src=etc/ipsec.secrets.j2
             dest=/etc/ipsec.secrets
             owner=root group=root
             mode=0600
-  register: r1
+  register: r3
   notify:
     - Restart IPSec
 
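Review bot: The `Generate a key pair for IPSec` task encodes genkeypair.sh's exit-code contract in `failed_when: r1.rc > 1` / `changed_when: r1.rc == 0` without saying what rc 1 means; presumably "key pair already present", but a reader has to open the script to know, so a comment such as `# genkeypair.sh: rc 0 = pair generated, rc 1 = already present (assumed, confirm against the script), >1 = error` above the task would help, and invoking it as `/usr/local/bin/genkeypair.sh` (where main.yml installs it) would remove the dependency on the remote PATH under sudo. The `Copy IPSec host pubkeys (except ours)` task only adds certificates: a host dropped from the inventory keeps its certificate in `/etc/ipsec.d/certs/` on every other peer, so a cleanup step (e.g. `file: state=absent` for peer certs whose hostname is no longer in `groups.all`) is needed if decommissioned hosts should stop being accepted, which depends on how ipsec.conf selects peer certs (not in this hunk). It is also worth a comment on the `Fetch` task that, with no CA, trust in each peer certificate rests entirely on the integrity of the Ansible SSH connection to that host and of the local `certs/ipsec/` directory, since the certificates are self-issued and nothing else verifies them.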
@@ -36,13 +46,13 @@
             dest=/etc/ipsec.conf
             owner=root group=root
             mode=0644
-  register: r2
+  register: r4
   notify:
     - Restart IPSec
 
 - name: Start IPSec
   service: name=ipsec state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed or r4.changed)
 
 - name: Auto-create a dedicated interface for IPSec
   copy: src=etc/network/if-up.d/ipsec
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 55feff8..f24a2c9 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -9,6 +9,11 @@
 - include: fail2ban.yml tags=fail2ban
 - include: smart.yml tags=smartmontools,smart
 - include: haveged.yml tags=haveged,entropy
+- name: Copy genkeypair.sh
+  copy: src=usr/local/bin/genkeypair.sh
+        dest=/usr/local/bin/genkeypair.sh
+        owner=root group=root
+        mode=0755
 - include: ipsec.yml tags=strongswan,ipsec
 - include: logging.yml tags=logging
 - include: ntp.yml tags=ntp