ansible-playbooks/roles/strongswan/tasks/main.yml

- name: import dns vars
  include_vars:
    file: dns.yml
    hash_behaviour: merge
  when: strongswan_use_dns | d(false) == true


- name: set strongswan_cfg
  set_fact:
    strongswan_cfg: "{{ strongswan_default_config | d({}) | combine(strongswan_config | d({}), recursive=true) }}"


- name: install strongswan
  include_tasks: tasks/install_packages.yml
  vars:
    package:
      - strongswan
      - alpine: strongswan-openrc


- name: ensure strongswan user exists
  include_tasks: tasks/create_user.yml
  vars:
    user:
      name: "{{ strongswan_user }}"
      group: "{{ strongswan_group }}"
      notify: restart charon


- name: change resolv.conf permissions
  file:
    path: /etc/resolv.conf
    mode: 0664
    group: "{{ strongswan_group }}"


- name: add forwarding to sysctl file
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: "1"
    sysctl_set: yes
  notify: restart charon
  loop:
    - net.ipv4.ip_forward
    - net.ipv6.conf.all.forwarding


- name: remove unnecessary config files and directories
  file:
    path: "/etc/{{ item }}"
    state: absent
  loop:
    - swanctl/bliss
    - swanctl/conf.d
    - swanctl/pkcs12
    - swanctl/pkcs8
    - swanctl/x509aa
    - swanctl/x509ac
    - swanctl/x509crl
    - swanctl/x509ocsp
    - ipsec.d/
    - ipsec.conf
    - ipsec.secrets
  notify: restart charon


- name: template configuration files
  template:
    src: "{{ item.src }}.j2"
    dest: "/etc/{{ item.dest | d(item.src) }}.conf"
    force: yes
    lstrip_blocks: yes
    mode: "{{ item.mode | d('0644') }}"
  notify: restart charon
  loop:
    - src: swanctl
      dest: swanctl/swanctl
    - src: charon-logging
      dest: strongswan.d/charon-logging
    - src: attr
      dest: strongswan.d/charon/attr
    - src: strongswan
      dest: strongswan.d/strongswan-custom


- name: disable unnecessary charon plugins
  lineinfile:
    path: "/etc/strongswan.d/charon/{{ item }}.conf"
    regexp: '^(\s*)load\s?=\s?yes\s*'
    line: '\1load = no'
    backrefs: yes
  notify: restart charon
  loop:
    - attr-sql
    - dhcp
    - dnskey
    - eap-aka-3gpp2
    - eap-aka
    - eap-md5
    - eap-radius
    - eap-sim-file
    - eap-sim
    - eap-simaka-pseudonym
    - eap-simaka-reauth
    - eap-tls
    - fips-prf
    - ha
    - sqlite
    - stroke
    - unity
    - xauth-eap
    - xauth-generic


- name: template init script
  template:
    src: init.j2
    dest: /etc/init.d/charon
    force: yes
    mode: 0755
  notify: restart charon


- name: deploy ecc384 cert
  include_role:
    name: certs
  vars:
    certs:
      cert: "/etc/swanctl/x509/{{ strongswan_cert_name }}"
      key: "/etc/swanctl/private/{{ strongswan_cert_name }}"
      chain: "/etc/swanctl/x509ca/{{ strongswan_cert_name }}"
      ecc: yes
      post_hook: service charon restart
      notify: restart charon
      owner: "{{ strongswan_user }}"
      group: "{{ strongswan_group }}"
      tld: "{{ host_tld }}"


- name: add directories to backup plan
  include_role:
    name: backup
  vars:
    function: add
    backup_items:
      - /etc/strongswan.d
      - /etc/swanctl


- name: flush handlers
  meta: flush_handlers


- name: install prometheus metrics
  include_tasks: prometheus.yml
  when: host_metrics | d(false) == true


- name: start and enable charon
  service:
    name: charon
    enabled: yes
    state: started