Diffstat (limited to 'roles/common/tasks/ipsec.yml')
-rw-r--r-- | roles/common/tasks/ipsec.yml | 93 |
1 files changed, 93 insertions, 0 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
new file mode 100644
index 0000000..917c687
--- /dev/null
+++ b/roles/common/tasks/ipsec.yml
@@ -0,0 +1,93 @@
+- name: Install strongSwan
+ apt: pkg={{ packages }}
+ vars:
+ packages:
+ - strongswan-charon
+ - strongswan-starter
+ # for the GCM and openssl plugins
+ - libstrongswan-standard-plugins
+ notify:
+ - Update firewall
+ - Restart IPsec
+
+- name: Auto-create a dedicated virtual subnet for IPsec
+ template: src=etc/network/if-up.d/ipsec.j2
+ dest=/etc/network/if-up.d/ipsec
+ owner=root group=root
+ mode=0755
+
+- name: Auto-deactivate the dedicated virtual subnet for IPsec
+ file: src=../if-up.d/ipsec
+ dest=/etc/network/if-down.d/ipsec
+ owner=root group=root state=link force=yes
+
+
+- name: Configure IPsec
+ template: src=etc/ipsec.conf.j2
+ dest=/etc/ipsec.conf
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart IPsec
+
+- name: Configure IPsec's secrets
+ template: src=etc/ipsec.secrets.j2
+ dest=/etc/ipsec.secrets
+ owner=root group=root
+ mode=0600
+ register: r2
+ notify:
+ - Restart IPsec
+
+- name: Configure Charon
+ copy: src=etc/strongswan.d/{{ item }}
+ dest=/etc/strongswan.d/{{ item }}
+ owner=root group=root
+ mode=0644
+ with_items:
+ - charon.conf
+ - charon/socket-default.conf
+ register: r3
+ notify:
+ - Restart IPsec
+
+- name: Generate a key pair for IPsec public key authentication
+ command: genkeypair.sh keypair
+ --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+ --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
+ -t rsa -b 4096
+ register: r4
+ changed_when: r4.rc == 0
+ failed_when: r4.rc > 1
+ notify:
+ - Restart IPsec
+ tags:
+ - genkey
+
+- name: Fetch the public part of IPsec host key
+ # Ensure we don't fetch private data
+ become: False
+ fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+ dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ fail_on_missing=yes flat=yes
+ tags:
+ - genkey
+
+# Don't copy our pubkey due to a possible race condition. Only the
+# remote machine has authority regarding its key. 
+- name: Copy the public part of IPsec peers' key
+ copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
+ dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
+ owner=root group=root
+ mode=0644
+ with_items: "{{ groups.all | difference([inventory_hostname]) }}"
+ register: r5
+ tags:
+ - genkey
+ notify:
+ - Restart IPsec
+
+- name: Start IPsec
+ service: name=ipsec state=started
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) |
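Review bot: The `when` on the final `Start IPsec` task dereferences `r4.changed` and `r5.changed`, but those results are registered only by tasks tagged `genkey`, so a run with `--skip-tags genkey` would fail on an undefined variable here instead of starting the service. Defaulting those two terms keeps the condition evaluable in that case: `when: not (r1.changed or r2.changed or r3.changed or (r4.changed | default(false)) or (r5.changed | default(false)))`. On the `Fetch the public part of IPsec host key` task, `become: False` should be written `become: false` to match the lowercase booleans yamllint's truthy rule expects. The comment above it carries a real security assumption; extending it to `# Ensure we don't fetch private data: run as the login user, which must have no read access to /etc/ipsec.d/private` would make explicit what the task relies on.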