summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks/ipsec.yml
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/tasks/ipsec.yml')
-rw-r--r--roles/common/tasks/ipsec.yml6
1 files changed, 5 insertions, 1 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 51d717f..36807d2 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -1,42 +1,46 @@
- name: Install strongSwan
apt: pkg=strongswan-ikev2
- name: Generate a private key and a X.509 certificate for IPSec
command: genkeypair.sh x509
--pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
--privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key
--dns={{ inventory_hostname }}
-t ecdsa -b secp521r1 -h sha512
register: r1
changed_when: r1.rc == 0
failed_when: r1.rc > 1
notify:
- Restart IPSec
+ tags:
+ - genkey
- name: Fetch the public part of IPSec's host key
- sudo: False
# Ensure we don't fetch private data
+ sudo: False
fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
dest=certs/ipsec/
fail_on_missing=yes
flat=yes
+ tags:
+ - genkey
# Don't copy our pubkey due to a possible race condition. Only the
# remote machine has authority regarding its key.
- name: Copy IPSec host pubkeys (except ours)
copy: src=certs/ipsec/{{ item }}.pem
dest=/etc/ipsec.d/certs/{{ item }}.pem
owner=root group=root
mode=0644
with_items: groups.all | difference([inventory_hostname])
register: r2
notify:
- Restart IPSec
- name: Configure IPSec's secrets
template: src=etc/ipsec.secrets.j2
dest=/etc/ipsec.secrets
owner=root group=root
mode=0600
register: r3
notify:
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-14 16:30:46 +0000