diff options
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/ipsec.yml | 96 | ||||
-rw-r--r-- | roles/common/tasks/logging.yml | 1 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 5 |
3 files changed, 102 insertions, 0 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml new file mode 100644 index 0000000..b82c281 --- /dev/null +++ b/roles/common/tasks/ipsec.yml @@ -0,0 +1,96 @@ +- name: Install strongSwan + apt: pkg={{ item }} + with_items: + - strongswan-charon + # for the GCM and openssl plugins + - libstrongswan-standard-plugins + notify: + - Update firewall + - Restart IPSec + +- name: Auto-create a dedicated virtual subnet for IPSec + template: src=etc/network/if-up.d/ipsec.j2 + dest=/etc/network/if-up.d/ipsec + owner=root group=root + mode=0755 + notify: + - Reload networking + +- name: Auto-deactivate the dedicated virtual subnet for IPSec + file: src=../if-up.d/ipsec + dest=/etc/network/if-down.d/ipsec + owner=root group=root state=link force=yes + +- meta: flush_handlers + + +- name: Configure IPSec + template: src=etc/ipsec.conf.j2 + dest=/etc/ipsec.conf + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart IPSec + +- name: Configure IPSec's secrets + template: src=etc/ipsec.secrets.j2 + dest=/etc/ipsec.secrets + owner=root group=root + mode=0600 + register: r2 + notify: + - Restart IPSec + +- name: Configure Charon + copy: src=etc/strongswan.d/{{ item }} + dest=/etc/strongswan.d/{{ item }} + owner=root group=root + mode=0644 + with_items: + - charon.conf + - charon/socket-default.conf + register: r3 + notify: + - Restart IPSec + +- name: Generate a private key and a X.509 certificate for IPSec + command: genkeypair.sh x509 + --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem + --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key + --ou=IPSec --cn={{ inventory_hostname_short }} + -t rsa -b 4096 -h sha512 + register: r4 + changed_when: r4.rc == 0 + failed_when: r4.rc > 1 + notify: + - Restart IPSec + tags: + - genkey + +- name: Fetch IPSec X.509 certificate + # Ensure we don't fetch private data + become: False + fetch_cmd: cmd="openssl x509" + stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem + dest=certs/ipsec/{{ inventory_hostname_short }}.pem + tags: + - genkey + +# Don't copy our pubkey due to a possible race condition. Only the +# remote machine has authority regarding its key. +- name: Copy IPSec X.509 certificates (except ours) + copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem + dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem + owner=root group=root + mode=0644 + with_items: "{{ groups.all | difference([inventory_hostname]) }}" + register: r5 + tags: + - genkey + notify: + - Restart IPSec + +- name: Start IPSec + service: name=ipsec state=started + when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) diff --git a/roles/common/tasks/logging.yml b/roles/common/tasks/logging.yml index 3b86294..b27fc41 100644 --- a/roles/common/tasks/logging.yml +++ b/roles/common/tasks/logging.yml @@ -30,40 +30,41 @@ - syslog - name: Start rsyslog service: name=rsyslog state=started when: not (r1.changed or r2.changed) tags: - syslog - meta: flush_handlers - name: Configure logcheck (1) copy: src=etc/logcheck/{{ item }} dest=/etc/logcheck/{{ item }} owner=root group=logcheck mode=0644 with_items: - logcheck.conf - ignore.d.server/common-local - ignore.d.server/dovecot-local - ignore.d.server/postfix-local + - ignore.d.server/strongswan-local # logcheck-sudo already exists, but changing the filename for our # local modifications would defeat the ruleset - violations.ignore.d/logcheck-sudo tags: - logcheck - name: Configure logcheck (2) lineinfile: dest=/etc/logcheck/logcheck.logfiles line={{ item }} state=present create=yes owner=root group=logcheck mode=0640 with_items: - /var/log/syslog - /var/log/auth.log - /var/log/mail.log tags: - logcheck diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 1226d37..88d44f3 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -30,40 +30,45 @@ - smartmontools - smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" - include: haveged.yml tags: - haveged - entropy - name: Copy genkeypair.sh and gendhparam.sh copy: src=usr/local/bin/{{ item }} dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 tags: genkey with_items: - genkeypair.sh - gendhparam.sh - name: Generate DH parameters command: gendhparam.sh /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem tags: genkey +- include: ipsec.yml + tags: + - strongswan + - ipsec + when: "groups.all | length > 1" - include: logging.yml tags: logging - include: ntp.yml tags: ntp - include: mail.yml tags: - mail - postfix - include: bacula.yml tags: - bacula-fd - bacula - include: munin-node.yml tags: - munin-node - munin - include: munin-node-ssl.yml when: "'munin-master' not in group_names" tags: - munin-node |