Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/ipsec.yml | 5 | ||||
-rw-r--r-- | roles/common/tasks/main.yml | 2 |
2 files changed, 5 insertions, 2 deletions
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 5e0115e..d773c1c 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -1,25 +1,26 @@
- name: Install strongSwan
apt: pkg=strongswan-ikev2
-- name: Generate a key pair for IPSec
- command: genkeypair.sh --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
+- name: Generate a private key and a X.509 certificate for IPSec
+ command: genkeypair.sh x509
+ --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
--privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key --dns {{ inventory_hostname }} -t ecdsa -b secp521r1 -h sha512
register: r1
failed_when: r1.rc > 1
changed_when: r1.rc == 0
notify:
- Restart IPSec
- name: Fetch the public part of IPSec's host key
sudo: False # Ensure we don't fetch private data
fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem dest=certs/ipsec/ fail_on_missing=yes flat=yes
# Don't copy our pubkey due to a possible race condition. Only the
# remote machine has authority regarding its key.
- name: Copy IPSec host pubkeys (except ours)
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index f24a2c9..0048443 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
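Review bot: The new command writes a private key to `/etc/ipsec.d/private/{{ inventory_hostname }}.key`, but nothing in the task constrains that file's mode or ownership, so whether it stays root-only depends entirely on what genkeypair.sh does, which the play cannot see. A follow-up task right after it, `file: path=/etc/ipsec.d/private/{{ inventory_hostname }}.key owner=root group=root mode=0600`, would make the invariant explicit and self-healing on every run. The `failed_when: r1.rc > 1` / `changed_when: r1.rc == 0` pair also assumes the new `x509` argument keeps the script's previous exit-code convention; a comment above `register: r1` such as `# genkeypair.sh exit codes: 0 = generated, 1 = already present (assumed), >1 = error` would record what rc 1 is taken to mean.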
@@ -1,36 +1,38 @@
---
- include: sysctl.yml tags=sysctl
- include: hosts.yml
- include: apt.yml tags=apt
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: rkhunter.yml tags=rkhunter
- include: clamav.yml tags=clamav
- include: fail2ban.yml tags=fail2ban
- include: smart.yml tags=smartmontools,smart
- include: haveged.yml tags=haveged,entropy
- name: Copy genkeypair.sh
copy: src=usr/local/bin/genkeypair.sh dest=/usr/local/bin/genkeypair.sh owner=root group=root mode=0755
+ tags:
+ - genkeypair
- include: ipsec.yml tags=strongswan,ipsec
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
- include: mail.yml tags=mail,postfix
- name: Install common packages
apt: pkg={{ item }}
with_items:
- ca-certificates
- daemontools
- etckeeper
- ethtool
- git
- harden-clients
- harden-servers
- htop
- molly-guard
- rsync
- screen
- telnet-ssl |
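Review bot: The `genkeypair` tag added to the copy task is not shared with the `ipsec.yml` include just below it, which is tagged `strongswan,ipsec` and contains the task that runs `genkeypair.sh`; a run filtered with `--tags ipsec` or `--tags strongswan` would skip the copy, so on a host where the script is not yet present the IPSec task fails. Adding `- strongswan` and `- ipsec` under the new `tags:` list keeps the dependency in place under tag filtering. If the intent is instead that `genkeypair` is always run on its own first, a comment above the task stating that requirement would stop the next reader from relying on the ipsec tags alone.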