ansible-playbooks/roles/strongswan/tasks/main.yml

- name: import dns vars
  include_vars:
    file: dns.yml
    hash_behaviour: merge
  when: strongswan_use_dns | d(false) == true


- name: set strongswan_cfg
  set_fact:
    strongswan_cfg: "{{ strongswan_default_config | d({}) | combine(strongswan_config | d({}), recursive=true) }}"


- name: install strongswan
  include_tasks: tasks/install_packages.yml
  vars:
    package:
      - strongswan
      - alpine: strongswan-openrc


- name: ensure strongswan user exists
  include_tasks: tasks/create_user.yml
  vars:
    user:
      name: "{{ strongswan_user }}"
      group: "{{ strongswan_group }}"
      notify: restart charon


- name: change resolv.conf permissions
  file:
    path: /etc/resolv.conf
    mode: 0664
    group: "{{ strongswan_group }}"


- name: add forwarding to sysctl file
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: "1"
    sysctl_set: yes
  notify: restart charon
  loop:
    - net.ipv4.ip_forward
    - net.ipv6.conf.all.forwarding


- name: remove unnecessary config files and directories
  file:
    path: "/etc/{{ item }}"
    state: absent
  loop:
    - swanctl/bliss
    - swanctl/conf.d
    - swanctl/pkcs12
    - swanctl/pkcs8
    - swanctl/x509aa
    - swanctl/x509ac
    - swanctl/x509crl
    - swanctl/x509ocsp
    - ipsec.d/
    - ipsec.conf
    - ipsec.secrets
  notify: restart charon


- name: template configuration files
  template:
    src: "{{ item.src }}.j2"
    dest: "/etc/{{ item.dest | d(item.src) }}.conf"
    force: yes
    lstrip_blocks: yes
    mode: "{{ item.mode | d('0644') }}"
  notify: restart charon
  loop:
    - src: swanctl
      dest: swanctl/swanctl
    - src: charon-logging
      dest: strongswan.d/charon-logging
    - src: attr
      dest: strongswan.d/charon/attr
    - src: strongswan
      dest: strongswan.d/strongswan-custom


- name: disable unnecessary charon plugins
  lineinfile:
    path: "/etc/strongswan.d/charon/{{ item }}.conf"
    regexp: '^(\s*)load\s?=\s?yes\s*'
    line: '\1load = no'
    backrefs: yes
  notify: restart charon
  loop:
    - attr-sql
    - dhcp
    - dnskey
    - eap-aka-3gpp2
    - eap-aka
    - eap-md5
    - eap-radius
    - eap-sim-file
    - eap-sim
    - eap-simaka-pseudonym
    - eap-simaka-reauth
    - eap-tls
    - fips-prf
    - ha
    - sqlite
    - stroke
    - unity
    - xauth-eap
    - xauth-generic


- name: template init script
  template:
    src: init.j2
    dest: /etc/init.d/charon
    force: yes
    mode: 0755
  notify: restart charon


- name: deploy ecc384 cert
  include_role:
    name: certs
  vars:
    certs:
      cert: "/etc/swanctl/x509/{{ strongswan_cert_name }}"
      key: "/etc/swanctl/private/{{ strongswan_cert_name }}"
      chain: "/etc/swanctl/x509ca/{{ strongswan_cert_name }}"
      ecc: yes
      post_hook: service charon restart
      notify: restart charon
      owner: "{{ strongswan_user }}"
      group: "{{ strongswan_group }}"
      tld: "{{ host_tld }}"


- name: add directories to backup plan
  include_role:
    name: backup
  vars:
    function: add
    backup_items:
      - /etc/strongswan.d
      - /etc/swanctl


- name: flush handlers
  meta: flush_handlers


- name: install prometheus metrics
  include_tasks: prometheus.yml
  when: host_metrics | d(false) == true


- name: start and enable charon
  service:
    name: charon
    enabled: yes
    state: started
init 2 years ago			`- name: import dns vars`
			`include_vars:`
			`file: dns.yml`
			`hash_behaviour: merge`
			`when: strongswan_use_dns \| d(false) == true`


			`- name: set strongswan_cfg`
			`set_fact:`
			`strongswan_cfg: "{{ strongswan_default_config \| d({}) \| combine(strongswan_config \| d({}), recursive=true) }}"`


			`- name: install strongswan`
			`include_tasks: tasks/install_packages.yml`
			`vars:`
			`package:`
			`- strongswan`
			`- alpine: strongswan-openrc`


			`- name: ensure strongswan user exists`
			`include_tasks: tasks/create_user.yml`
			`vars:`
			`user:`
			`name: "{{ strongswan_user }}"`
			`group: "{{ strongswan_group }}"`
			`notify: restart charon`


			`- name: change resolv.conf permissions`
			`file:`
			`path: /etc/resolv.conf`
			`mode: 0664`
			`group: "{{ strongswan_group }}"`


			`- name: add forwarding to sysctl file`
			`ansible.posix.sysctl:`
			`name: "{{ item }}"`
			`value: "1"`
			`sysctl_set: yes`
			`notify: restart charon`
			`loop:`
			`- net.ipv4.ip_forward`
			`- net.ipv6.conf.all.forwarding`


			`- name: remove unnecessary config files and directories`
			`file:`
			`path: "/etc/{{ item }}"`
			`state: absent`
			`loop:`
			`- swanctl/bliss`
			`- swanctl/conf.d`
			`- swanctl/pkcs12`
			`- swanctl/pkcs8`
			`- swanctl/x509aa`
			`- swanctl/x509ac`
			`- swanctl/x509crl`
			`- swanctl/x509ocsp`
			`- ipsec.d/`
			`- ipsec.conf`
			`- ipsec.secrets`
			`notify: restart charon`


			`- name: template configuration files`
			`template:`
			`src: "{{ item.src }}.j2"`
			`dest: "/etc/{{ item.dest \| d(item.src) }}.conf"`
			`force: yes`
			`lstrip_blocks: yes`
			`mode: "{{ item.mode \| d('0644') }}"`
			`notify: restart charon`
			`loop:`
			`- src: swanctl`
			`dest: swanctl/swanctl`
			`- src: charon-logging`
			`dest: strongswan.d/charon-logging`
			`- src: attr`
			`dest: strongswan.d/charon/attr`
			`- src: strongswan`
			`dest: strongswan.d/strongswan-custom`


			`- name: disable unnecessary charon plugins`
			`lineinfile:`
			`path: "/etc/strongswan.d/charon/{{ item }}.conf"`
			`regexp: '^(\s)load\s?=\s?yes\s'`
			`line: '\1load = no'`
			`backrefs: yes`
			`notify: restart charon`
			`loop:`
			`- attr-sql`
			`- dhcp`
			`- dnskey`
			`- eap-aka-3gpp2`
			`- eap-aka`
			`- eap-md5`
			`- eap-radius`
			`- eap-sim-file`
			`- eap-sim`
			`- eap-simaka-pseudonym`
			`- eap-simaka-reauth`
			`- eap-tls`
			`- fips-prf`
			`- ha`
			`- sqlite`
			`- stroke`
			`- unity`
			`- xauth-eap`
			`- xauth-generic`


			`- name: template init script`
			`template:`
			`src: init.j2`
			`dest: /etc/init.d/charon`
			`force: yes`
			`mode: 0755`
			`notify: restart charon`


			`- name: deploy ecc384 cert`
			`include_role:`
			`name: certs`
			`vars:`
			`certs:`
			`cert: "/etc/swanctl/x509/{{ strongswan_cert_name }}"`
			`key: "/etc/swanctl/private/{{ strongswan_cert_name }}"`
			`chain: "/etc/swanctl/x509ca/{{ strongswan_cert_name }}"`
			`ecc: yes`
			`post_hook: service charon restart`
			`notify: restart charon`
			`owner: "{{ strongswan_user }}"`
			`group: "{{ strongswan_group }}"`
			`tld: "{{ host_tld }}"`


			`- name: add directories to backup plan`
			`include_role:`
			`name: backup`
			`vars:`
			`function: add`
			`backup_items:`
			`- /etc/strongswan.d`
			`- /etc/swanctl`


			`- name: flush handlers`
			`meta: flush_handlers`


			`- name: install prometheus metrics`
			`include_tasks: prometheus.yml`
			`when: host_metrics \| d(false) == true`


			`- name: start and enable charon`
			`service:`
			`name: charon`
			`enabled: yes`
			`state: started`