Diffstat (limited to 'roles')
-rwxr-xr-xroles/common/files/etc/network/if-up.d/ipsec68
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/ipsec.yml75
-rw-r--r--roles/common/templates/etc/ipsec.conf.j230
-rw-r--r--roles/common/templates/etc/ipsec.secrets.j25
5 files changed, 0 insertions, 181 deletions
diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec
deleted file mode 100755
index 4a84112..0000000
--- a/roles/common/files/etc/network/if-up.d/ipsec
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/sh
-
-# A post-up/down hook to automatically create/delete a 'sec' VLAN
-# device, and a dedicated, host-scoped, IP for IPSec (v4 only).
-# Copyright © 2013 Guilhem Moulin <guilhem@fripost.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-set -ue
-PATH=/usr/sbin:/usr/bin:/sbin:/bin
-
-ifsec=sec0
-ipsec=172.16.0.1/32
-
-# /!\ This mark much match that in /usr/local/sbin/update-firewall.sh.
-secmark=0xA99
-
-# Ignore the loopback interface and non inet4 families.
-[ "$IFACE" != lo -a "$ADDRFAM" = inet ] || exit 0
-
-# Only the device with the default, globally-scoped route, is of
-# interest here.
-[ "$( /bin/ip -4 route show to default scope global \
- | sed -nr '/^default via \S+ dev (\S+).*/ {s//\1/p;q}' )" \
- = \
- "$IFACE" ] || exit 0
-
-case "$MODE" in
- start) # Don't create $ifsec if it's already there
- if ! /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
- # Create a new VLAN $IFACE on physical device $ifsec. This is
- # required otherwise charon thinks the left peer is that
- # host-scoped, non-routable IP.
- /bin/ip link add link "$IFACE" name "$ifsec" type vlan id 2713
- /bin/ip address add "$ipsec" dev "$ifsec" scope host
- /bin/ip link set dev "$ifsec" up
- fi
-
- # If a packet retained its mark that far, it means it has
- # been SNAT'ed from $ipsec, and didn't have a xfrm
- # association. Hence we nullroute it to avoid to leak data
- # intented to be tunneled through IPSec. /!\ The priority
- # must be >220 (which the one used by strongSwan IPSec) since
- # xfrm lookup must take precedence.
- /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true
- /bin/ip route add prohibit default table 666 || true
- ;;
- stop) if /bin/ip -o link show | grep -qE "^[0-9]+:\s+$ifsec"; then
- # Deactivate the VLAN
- /bin/ip link set dev "$ifsec" down
- fi
-
- # Delete the 'prohibit' rule
- /bin/ip rule del fwmark "$secmark" table 666 priority 666 || true
- /bin/ip route flush table 666
- ;;
-esac
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 1e0a21e..d20f7b6 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -17,9 +17,6 @@
- name: Restart fail2ban
service: name=fail2ban state=restarted
-- name: Restart IPSec
- service: name=ipsec state=restarted
-
- name: Reload networking
# /etc/init.d/networking doesn't answer the status command; but since
# it should be "up" whenever ansible has access to the machine, we use
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
deleted file mode 100644
index 36807d2..0000000
--- a/roles/common/tasks/ipsec.yml
+++ /dev/null
@@ -1,75 +0,0 @@
-- name: Install strongSwan
- apt: pkg=strongswan-ikev2
-
-- name: Generate a private key and a X.509 certificate for IPSec
- command: genkeypair.sh x509
- --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
- --privkey=/etc/ipsec.d/private/{{ inventory_hostname }}.key
- --dns={{ inventory_hostname }}
- -t ecdsa -b secp521r1 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart IPSec
- tags:
- - genkey
-
-- name: Fetch the public part of IPSec's host key
- # Ensure we don't fetch private data
- sudo: False
- fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
- dest=certs/ipsec/
- fail_on_missing=yes
- flat=yes
- tags:
- - genkey
-
-# Don't copy our pubkey due to a possible race condition. Only the
-# remote machine has authority regarding its key.
-- name: Copy IPSec host pubkeys (except ours)
- copy: src=certs/ipsec/{{ item }}.pem
- dest=/etc/ipsec.d/certs/{{ item }}.pem
- owner=root group=root
- mode=0644
- with_items: groups.all | difference([inventory_hostname])
- register: r2
- notify:
- - Restart IPSec
-
-- name: Configure IPSec's secrets
- template: src=etc/ipsec.secrets.j2
- dest=/etc/ipsec.secrets
- owner=root group=root
- mode=0600
- register: r3
- notify:
- - Restart IPSec
-
-- name: Configure IPSec
- template: src=etc/ipsec.conf.j2
- dest=/etc/ipsec.conf
- owner=root group=root
- mode=0644
- register: r4
- notify:
- - Restart IPSec
-
-- name: Start IPSec
- service: name=ipsec state=started
- when: not (r1.changed or r2.changed or r3.changed or r4.changed)
-
-- name: Auto-create a dedicated interface for IPSec
- copy: src=etc/network/if-up.d/ipsec
- dest=/etc/network/if-up.d/ipsec
- owner=root group=root
- mode=0755
- notify:
- - Reload networking
-
-- name: Auto-deactivate the dedicated interface for IPSec
- file: src=../if-up.d/ipsec
- dest=/etc/network/if-down.d/ipsec
- owner=root group=root state=link force=yes
-
-- meta: flush_handlers
diff --git a/roles/common/templates/etc/ipsec.conf.j2 b/roles/common/templates/etc/ipsec.conf.j2
deleted file mode 100644
index 1dbcdbd..0000000
--- a/roles/common/templates/etc/ipsec.conf.j2
+++ /dev/null
@@ -1,30 +0,0 @@
-# {{ ansible_managed }}
-# Do NOT edit this file directly!
-
-config setup
- plutostart = no
-
-# Add connections here.
-
-conn %default
- keyexchange = ikev2
- ikelifetime = 1h
- keylife = 15m
- rekeymargin = 3m
- keyingtries = 1
- esp = aes128gcm16-ecp256!
- ike = aes128gcm16-aesxcbc-ecp256!
- # TODO: test DynDNS
- mobike = no
- leftauth = pubkey
- left = %defaultroute
- leftcert = {{ inventory_hostname }}.pem
- leftfirewall = yes
- rightauth = pubkey
- auto = start
-{% for host in groups.all | difference([inventory_hostname]) | sort %}
-
-conn {{ host }}
- right = {{ hostvars[host]['inventory_hostname'] }}
- rightcert = {{ hostvars[host]['inventory_hostname'] }}.pem
-{%- endfor %}
diff --git a/roles/common/templates/etc/ipsec.secrets.j2 b/roles/common/templates/etc/ipsec.secrets.j2
deleted file mode 100644
index da707bd..0000000
--- a/roles/common/templates/etc/ipsec.secrets.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-# Do NOT edit this file directly!
-
-# Our VPN uses ECC only.
-: ECDSA {{ inventory_hostname }}.key