ansible-playbooks/roles/strongswan/tasks/main.yml

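---
# strongswan role: installs strongSwan, renders swanctl/charon configuration,
# deploys the host certificate and registers config directories for backup.
# Every task that changes daemon input notifies "restart charon"; the
# handlers are flushed explicitly before the metrics include so charon is
# already restarted when prometheus.yml runs.

- name: import dns vars
  ansible.builtin.include_vars:
    file: dns.yml
    # overlay dns.yml onto existing dicts instead of replacing them
    hash_behaviour: merge
  when: strongswan_use_dns | d(false) == true

- name: set strongswan_cfg
  ansible.builtin.set_fact:
    # recursive combine: host-level strongswan_config overrides individual
    # keys of the role defaults without discarding the rest of the tree
    strongswan_cfg: "{{ strongswan_default_config | d({}) | combine(strongswan_config | d({}), recursive=true) }}"

- name: install strongswan
  ansible.builtin.include_tasks: tasks/install_packages.yml
  vars:
    package:
      - strongswan
      # distro-specific extra package; the mapping form is interpreted by
      # tasks/install_packages.yml (outside this file)
      - alpine: strongswan-openrc

- name: ensure strongswan user exists
  ansible.builtin.include_tasks: tasks/create_user.yml
  vars:
    user:
      name: "{{ strongswan_user }}"
      group: "{{ strongswan_group }}"
  # NOTE(review): notify on an include_tasks entry may not reach the
  # included tasks — confirm, or move the notify into create_user.yml
  notify: restart charon

- name: change resolv.conf permissions
  ansible.builtin.file:
    path: /etc/resolv.conf
    # quoted so the mode reaches the module as a string, independent of
    # how the YAML parser treats a leading-zero octal literal
    mode: "0664"
    # group-writable for strongswan_group: any member of that group can
    # rewrite the system resolver; presumably required so charon can install
    # peer-provided DNS servers — confirm this is the intended trust boundary
    group: "{{ strongswan_group }}"

- name: add forwarding to sysctl file
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: "1"
    # apply immediately as well as persisting in the sysctl file
    sysctl_set: true
  notify: restart charon
  # enables routing for both address families; no forwarding policy
  # (firewall) is configured in this file
  loop:
    - net.ipv4.ip_forward
    - net.ipv6.conf.all.forwarding

- name: remove unnecessary config files and directories
  ansible.builtin.file:
    path: "/etc/{{ item }}"
    state: absent
  loop:
    - swanctl/bliss
    - swanctl/conf.d
    - swanctl/pkcs12
    - swanctl/pkcs8
    - swanctl/x509aa
    - swanctl/x509ac
    - swanctl/x509crl
    - swanctl/x509ocsp
    # legacy stroke-style configuration; the stroke plugin is disabled below
    - ipsec.d/
    - ipsec.conf
    - ipsec.secrets
  notify: restart charon

- name: template configuration files
  ansible.builtin.template:
    src: "{{ item.src }}.j2"
    dest: "/etc/{{ item.dest | d(item.src) }}.conf"
    force: true
    lstrip_blocks: true
    # default 0644 is world-readable; a loop item may set `mode` to tighten
    # permissions for a file whose template carries secret material
    mode: "{{ item.mode | d('0644') }}"
  notify: restart charon
  loop:
    - src: swanctl
      dest: swanctl/swanctl
    - src: charon-logging
      dest: strongswan.d/charon-logging
    - src: attr
      dest: strongswan.d/charon/attr
    - src: strongswan
      dest: strongswan.d/strongswan-custom

- name: disable unnecessary charon plugins
  ansible.builtin.lineinfile:
    path: "/etc/strongswan.d/charon/{{ item }}.conf"
    # \s* rather than \s? so a `load = yes` line padded with more than one
    # space around `=` is still rewritten; indentation is kept via \1
    regexp: '^(\s*)load\s*=\s*yes\s*'
    line: '\1load = no'
    backrefs: true
  notify: restart charon
  loop:
    - attr-sql
    - dhcp
    - dnskey
    - eap-aka-3gpp2
    - eap-aka
    - eap-md5
    - eap-radius
    - eap-sim-file
    - eap-sim
    - eap-simaka-pseudonym
    - eap-simaka-reauth
    - eap-tls
    - fips-prf
    - ha
    - sqlite
    - stroke
    - unity
    - xauth-eap
    - xauth-generic

- name: template init script
  ansible.builtin.template:
    src: init.j2
    dest: /etc/init.d/charon
    force: true
    mode: "0755"
  notify: restart charon

- name: deploy ecc384 cert
  ansible.builtin.include_role:
    name: certs
  vars:
    # consumed by the certs role (outside this file); the private key lands
    # under /etc/swanctl/private, which is also part of the backup set below
    certs:
      cert: "/etc/swanctl/x509/{{ strongswan_cert_name }}"
      key: "/etc/swanctl/private/{{ strongswan_cert_name }}"
      chain: "/etc/swanctl/x509ca/{{ strongswan_cert_name }}"
      ecc: true
      # NOTE(review): post_hook restarts charon directly and notify queues
      # another restart — confirm the certs role does not trigger both
      post_hook: service charon restart
      notify: restart charon
      owner: "{{ strongswan_user }}"
      group: "{{ strongswan_group }}"
      tld: "{{ host_tld }}"

- name: add directories to backup plan
  ansible.builtin.include_role:
    name: backup
  vars:
    function: add
    # /etc/swanctl contains the private key deployed above, so the backup
    # destination must be protected at least as strictly as this host
    backup_items:
      - /etc/strongswan.d
      - /etc/swanctl

- name: flush handlers
  ansible.builtin.meta: flush_handlers

- name: install prometheus metrics
  ansible.builtin.include_tasks: prometheus.yml
  when: host_metrics | d(false) == true

- name: start and enable charon
  ansible.builtin.service:
    name: charon
    enabled: true
    state: started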