summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks/ipsec.yml
blob: 989541b8218ca2e95fe9c45c9733ce50917b53fb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
- name: Install strongSwan
  apt: pkg={{ packages }}
  vars:
    packages:
    - strongswan-charon
      # for the GCM and openssl plugins
    - libstrongswan-standard-plugins
  notify:
    - Update firewall
    - Restart IPsec

- name: Auto-create a dedicated virtual subnet for IPsec
  template: src=etc/network/if-up.d/ipsec.j2
            dest=/etc/network/if-up.d/ipsec
            owner=root group=root
            mode=0755
  notify:
    - Reload networking

- name: Auto-deactivate the dedicated virtual subnet for IPsec
  file: src=../if-up.d/ipsec
        dest=/etc/network/if-down.d/ipsec
        owner=root group=root state=link force=yes

- meta: flush_handlers


- name: Configure IPsec
  template: src=etc/ipsec.conf.j2
            dest=/etc/ipsec.conf
            owner=root group=root
            mode=0644
  register: r1
  notify:
    - Restart IPsec

- name: Configure IPsec's secrets
  template: src=etc/ipsec.secrets.j2
            dest=/etc/ipsec.secrets
            owner=root group=root
            mode=0600
  register: r2
  notify:
    - Restart IPsec

- name: Configure Charon
  copy: src=etc/strongswan.d/{{ item }}
        dest=/etc/strongswan.d/{{ item }}
        owner=root group=root
        mode=0644
  with_items:
    - charon.conf
    - charon/socket-default.conf
  register: r3
  notify:
    - Restart IPsec

- name: Generate a key pair for IPsec public key authentication
  command: genkeypair.sh keypair
                         --pubkey=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
                         --privkey=/etc/ipsec.d/private/{{ inventory_hostname_short }}.key
                         -t rsa -b 4096
  register: r4
  changed_when: r4.rc == 0
  failed_when: r4.rc > 1
  notify:
    - Restart IPsec
  tags:
    - genkey

- name: Fetch the public part of IPsec host key
  # Ensure we don't fetch private data
  become: False
  fetch: src=/etc/ipsec.d/certs/{{ inventory_hostname_short }}.pem
         dest=certs/ipsec/{{ inventory_hostname_short }}.pem
         fail_on_missing=yes flat=yes
  tags:
    - genkey

# Don't copy our pubkey due to a possible race condition.  Only the
# remote machine has authority regarding its key.
- name: Copy the public part of IPsec peers' key
  copy: src=certs/ipsec/{{ hostvars[item].inventory_hostname_short }}.pem
        dest=/etc/ipsec.d/certs/{{ hostvars[item].inventory_hostname_short }}.pem
        owner=root group=root
        mode=0644
  with_items: "{{ groups.all | difference([inventory_hostname]) }}"
  register: r5
  tags:
    - genkey
  notify:
    - Restart IPsec

- name: Start IPsec
  service: name=ipsec state=started
  when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)