Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/ipsec.yml96
-rw-r--r--roles/common/tasks/logging.yml1
-rw-r--r--roles/common/tasks/main.yml5
3 files changed, 102 insertions, 0 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
new file mode 100644
index 0000000..b82c281
--- /dev/null
+++ b/roles/common/tasks/ipsec.yml
@@ -0,0 +1,96 @@
+- name: Install strongSwan
+ apt: pkg={{ item }}
+ with_items:
+ - strongswan-charon
+ # for the GCM and openssl plugins
+ - libstrongswan-standard-plugins
+ notify:
+ - Update firewall
+ - Restart IPSec
+
+- name: Auto-create a dedicated virtual subnet for IPSec
+ template: src=etc/network/if-up.d/ipsec.j2
+ dest=/etc/network/if-up.d/ipsec
+ owner=root group=root
+ mode=0755
+ notify:
+ - Reload networking
+
+- name: Auto-deactivate the dedicated virtual subnet for IPSec
+ file: src=../if-up.d/ipsec
+ dest=/etc/network/if-down.d/ipsec
+ owner=root group=root state=link force=yes
+
+- meta: flush_handlers
+
+
+- name: Configure IPSec
+ template: src=etc/ipsec.conf.j2
+ dest=/etc/ipsec.conf
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart IPSec
+
+- name: Configure IPSec's secrets
+ template: src=etc/ipsec.secrets.j2
+ dest=/etc/ipsec.secrets
+ owner=root group=root
+ mode=0600
+ register: r2
+ notify:
+ - Restart IPSec
+
+- name: Configure Charon
+ copy: src=etc/strongswan.d/{{ item }}
+ dest=/etc/strongswan.d/{{ item }}
+ owner=root group=root
+ mode=0644
+ with_items:
+ - charon.conf
+ - charon/socket-default.conf
+ register: r3
+ notify:
+ - Restart IPSec
+
+- name: Generate a private key and a X.509 certificate for IPSec
+ command: genkeypair.sh x509
+ --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+ --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
+ --ou=IPSec --cn={{ inventory_hostname_short }}
+ -t rsa -b 4096 -h sha512
+ register: r4
+ changed_when: r4.rc == 0
+ failed_when: r4.rc > 1
+ notify:
+ - Restart IPSec
+ tags:
+ - genkey
+
+- name: Fetch IPSec X.509 certificate
+ # Ensure we don't fetch private data
+ become: False
+ fetch_cmd: cmd="openssl x509"
+ stdin=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
+ dest=certs/ipsec/{{ inventory_hostname_short }}.pem
+ tags:
+ - genkey
+
+# Don't copy our pubkey due to a possible race condition. Only the
+# remote machine has authority regarding its key.
+- name: Copy IPSec X.509 certificates (except ours)
+ copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
+ dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
+ owner=root group=root
+ mode=0644
+ with_items: "{{ groups.all | difference([inventory_hostname]) }}"
+ register: r5
+ tags:
+ - genkey
+ notify:
+ - Restart IPSec
+
+- name: Start IPSec
+ service: name=ipsec state=started
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
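Review bot: The `Copy IPSec X.509 certificates (except ours)` task only ever adds peer certificates to /etc/ipsec.d/certs; nothing removes a certificate once its host leaves `groups.all`, so a decommissioned peer's identity stays accepted on every remaining host until someone deletes the file by hand. A follow-up task that lists /etc/ipsec.d/certs and removes any `.pem` whose basename is not the `inventory_hostname_short` of a current member of `groups.all` would close that gap, and the same pruning is worth considering for the controller-side `certs/ipsec/` directory that `Fetch IPSec X.509 certificate` fills. Separately, `Generate a private key and a X.509 certificate for IPSec` has no `creates=`, so genkeypair.sh runs on every play, and `failed_when: r4.rc > 1` makes exit status 1 a silent no-op; the task reads as if the script uses 1 for "key already present", which deserves a comment such as `# genkeypair.sh: rc 0 = new key generated, rc 1 = key already exists (no-op) — confirm against the script` so a genuine error reported with rc 1 is not mistaken for that case.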
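--- a/roles/common/tasks/logging.yml
+++ b/roles/common/tasks/logging.yml
@@ -30,40 +30,41 @@
 - syslog
 - name: Start rsyslog
 service: name=rsyslog state=started
 when: not (r1.changed or r2.changed)
 tags:
 - syslog
 - meta: flush_handlers
 - name: Configure logcheck (1)
 copy: src=etc/logcheck/{{ item }}
 dest=/etc/logcheck/{{ item }}
 owner=root group=logcheck
 mode=0644
 with_items:
 - logcheck.conf
 - ignore.d.server/common-local
 - ignore.d.server/dovecot-local
 - ignore.d.server/postfix-local
+ - ignore.d.server/strongswan-local
 # logcheck-sudo already exists, but changing the filename for our
 # local modifications would defeat the ruleset
 - violations.ignore.d/logcheck-sudo
 tags:
 - logcheck
 - name: Configure logcheck (2)
 lineinfile: dest=/etc/logcheck/logcheck.logfiles
 line={{ item }}
 state=present
 create=yes
 owner=root group=logcheck
 mode=0640
 with_items:
 - /var/log/syslog
 - /var/log/auth.log
 - /var/log/mail.log
 tags:
 - logcheck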
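--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -30,40 +30,45 @@
 - smartmontools
 - smart
 when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
 - include: haveged.yml
 tags:
 - haveged
 - entropy
 - name: Copy genkeypair.sh and gendhparam.sh
 copy: src=usr/local/bin/{{ item }}
 dest=/usr/local/bin/{{ item }}
 owner=root group=root
 mode=0755
 tags: genkey
 with_items:
 - genkeypair.sh
 - gendhparam.sh
 - name: Generate DH parameters
 command: gendhparam.sh /etc/ssl/dhparams.pem 2048
 creates=/etc/ssl/dhparams.pem
 tags: genkey
+- include: ipsec.yml
+ tags:
+ - strongswan
+ - ipsec
+ when: "groups.all | length > 1"
 - include: logging.yml
 tags: logging
 - include: ntp.yml
 tags: ntp
 - include: mail.yml
 tags:
 - mail
 - postfix
 - include: bacula.yml
 tags:
 - bacula-fd
 - bacula
 - include: munin-node.yml
 tags:
 - munin-node
 - munin
 - include: munin-node-ssl.yml
 when: "'munin-master' not in group_names"
 tags:
 - munin-node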
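Review bot: The new `include: ipsec.yml` has a `when:` guard with no explanation of why IPSec is skipped on a single-host inventory; a comment above it such as `# ipsec.yml exchanges certificates among all inventory hosts, so it needs at least one peer` would tie the guard to the `groups.all | difference([inventory_hostname])` loop in ipsec.yml. Note also that the tasks in ipsec.yml tagged `genkey` (key generation, certificate fetch and copy) are selected by `--tags genkey` while `Install strongSwan` and `Configure IPSec` carry only the include's `strongswan`/`ipsec` tags, so a `genkey`-only run on a host that has never had the full role applied would presumably hit a missing /etc/ipsec.d; that limitation is worth stating next to the tag list.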