From 371b20a2cea224d25ab5cfcfc44083ad68f0d2c0 Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov
Date: Thu, 21 Jul 2016 22:38:23 +0300
Subject: [PATCH] mobileconfig implemented

---
 .gitignore | 3 +
 common.yml | 2 +
 config.cfg | 1 +
 templates/mobileconfig.j2 | 140 ++++++++++++++++++++++++++++++++++++++
 users/.gitinit | 0
 users/mr.smith | 1 +
 users/mrs.smith | 1 +
 users/qwe | Bin 0 -> 3422 bytes
 vpn.yml | 46 +++++++++----
 9 files changed, 180 insertions(+), 14 deletions(-)
 create mode 100644 templates/mobileconfig.j2
 create mode 100644 users/.gitinit
 create mode 100644 users/mr.smith
 create mode 100644 users/mrs.smith
 create mode 100644 users/qwe

diff --git a/.gitignore b/.gitignore
index a8b42eb..2ffe569 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,4 @@
 *.retry
+users/*.mobileconfig
+users/*.p12
+users/*.crt
diff --git a/common.yml b/common.yml
index 396af7b..63a4707 100644
--- a/common.yml
+++ b/common.yml
@@ -23,6 +23,8 @@
 - git
 - screen
 - apparmor-utils
+ - uuid-runtime
+ - coreutils
 - name: Enable packet forwarding for IPv4
 sysctl: name=net.ipv4.ip_forward value=1
diff --git a/config.cfg b/config.cfg
index 1ff0dcd..2348265 100644
--- a/config.cfg
+++ b/config.cfg
@@ -8,6 +8,7 @@ easyrsa_dir: /opt/easy-rsa-ipsec
 easyrsa_curve: secp384r1
 easyrsa_ca_expire: 3650
 easyrsa_cert_expire: 3650
+easyrsa_p12_export_password: vpn
 # if True re-init all existing certificates. Boolean
 easyrsa_reinit_existent: True
diff --git a/templates/mobileconfig.j2 b/templates/mobileconfig.j2
new file mode 100644
index 0000000..fe8ba42
--- /dev/null
+++ b/templates/mobileconfig.j2
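Review bot: `easyrsa_p12_export_password: vpn` in the config.cfg hunk commits a fixed, trivially guessable PKCS#12 export password to the repository, and every user's key bundle produced by this playbook will share it. Because the same value is also rendered into each user's profile elsewhere in this patch, the password adds no protection while still being the kind of literal that gets copied unchanged into other deployments; at minimum leave it unset here and make the play demand it, e.g. `easyrsa_p12_export_password: ""` with the comment `# must be supplied per deployment (vars_prompt / --extra-vars); never commit a real value`, and fail early with `assert: { that: easyrsa_p12_export_password | length >= 12 }`. A per-user random value (Ansible `password` lookup keyed by user name) would be better still, provided the export step and the template are fed the same value.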
@@ -0,0 +1,140 @@ + + + + + PayloadContent + + + IKEv2 + + AuthenticationMethod + Certificate + ChildSecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-128-GCM + IntegrityAlgorithm + SHA2-256 + LifeTimeInMinutes + 1440 + + DeadPeerDetectionRate + Medium + DisableMOBIKE + 0 + DisableRedirect + 0 + EnableCertificateRevocationCheck + 0 + EnablePFS + + IKESecurityAssociationParameters + + DiffieHellmanGroup + 19 + EncryptionAlgorithm + AES-128-GCM + IntegrityAlgorithm + SHA2-256 + LifeTimeInMinutes + 1440 + + LocalIdentifier + {{ item.0 }} + PayloadCertificateUUID + 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + RemoteAddress + {{ server_name }} + RemoteIdentifier + {{ server_name }} + UseConfigurationAttributeInternalIPSubnet + 0 + + IPv4 + + OverridePrimary + 1 + + PayloadDescription + Configures VPN settings + PayloadDisplayName + VPN + PayloadIdentifier + com.apple.vpn.managed.D247A30B-6023-4C8E-B3E3-FF1910A65E53 + PayloadType + com.apple.vpn.managed + PayloadUUID + D247A30B-6023-4C8E-B3E3-FF1910A65E53 + PayloadVersion + 1 + Proxies + + HTTPEnable + 0 + HTTPSEnable + 0 + + UserDefinedName + {{ server_name }} IKEv2 + VPNType + IKEv2 + + + Password + {{ easyrsa_p12_export_password }} + PayloadCertificateFileName + {{ item.0 }}.p12 + PayloadContent + + {{ item.1.stdout }} + + PayloadDescription + Adds a PKCS#12-formatted certificate + PayloadDisplayName + {{ item.0 }}.p12 + PayloadIdentifier + com.apple.security.pkcs12.1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + PayloadType + com.apple.security.pkcs12 + PayloadUUID + 1FB2907D-14D3-4BAB-A472-B304F4B7F7D9 + PayloadVersion + 1 + + + PayloadCertificateFileName + ca.crt + PayloadContent + + {{ PayloadContentCA.stdout }} + + PayloadDescription + Adds a CA root certificate + PayloadDisplayName + {{ server_name }} + PayloadIdentifier + com.apple.security.root.32EA3AAA-D19E-43EF-B357-608218745A38 + PayloadType + com.apple.security.root + PayloadUUID + 32EA3AAA-D19E-43EF-B357-608218745A38 + PayloadVersion 
+ 1 + + + PayloadDisplayName + {{ server_name }} IKEv2 + PayloadIdentifier + donut.local.37CA79B1-FC6A-421F-960A-90F91FC983BE + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + 743B04A8-5725-45A2-B1BB-836F8C16DB0A + PayloadVersion + 1 + + diff --git a/users/.gitinit b/users/.gitinit new file mode 100644 index 0000000..e69de29 diff --git a/users/mr.smith b/users/mr.smith new file mode 100644 index 0000000..e9e4819 --- /dev/null +++ b/users/mr.smith @@ -0,0 +1 @@ +qwe11 diff --git a/users/mrs.smith b/users/mrs.smith new file mode 100644 index 0000000..e62415c --- /dev/null +++ b/users/mrs.smith @@ -0,0 +1 @@ +qwe 
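Review bot: The PKCS#12 payload in the template writes the import password in cleartext (`Password` / `{{ easyrsa_p12_export_password }}`) directly beside the base64 bundle in `PayloadContent`, so the password protects nothing and the rendered `.mobileconfig` is itself the user's complete private-key credential — it must be generated, stored and delivered as a secret, which deserves a header comment in the template: `{# The rendered profile embeds the user's private key AND its import password: treat the output file as a secret #}`. `EnableCertificateRevocationCheck` is set to `0`, so the client keeps trusting a revoked server certificate; set it to `1` and publish a CRL/OCSP from the CA, or leave a comment stating why revocation checking is deliberately off. Every `PayloadUUID`/`PayloadIdentifier` is a fixed literal (`D247A30B-…`, `1FB2907D-…`, `32EA3AAA-…`, `743B04A8-…`, and the top-level `donut.local.37CA79B1-…`) although the template is rendered once per user, so two users' profiles, or one user's profiles for two servers, carry identical identifiers and replace each other on a single device; since this patch also installs `uuid-runtime`, I assume the intent was to register `uuidgen` output per profile and substitute it here, and the top-level identifier should be derived from `{{ server_name }}` rather than the hard-coded `donut.local`.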
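Review bot: `users/mr.smith` (`qwe11`), `users/mrs.smith` (`qwe`) and the 3422-byte extension-less binary `users/qwe` look like local test artifacts committed by accident: the same patch adds `users/*.p12`, `users/*.mobileconfig` and `users/*.crt` to `.gitignore`, which none of these names match, so if `users/qwe` is an exported key bundle it is now in history and needs to be purged, not merely deleted. Only `users/.gitinit` (presumably meant to be `.gitkeep`) needs to be tracked to keep the directory; consider ignoring everything else with `users/*` plus `!users/.gitkeep` so that future fetch outputs cannot slip through regardless of extension.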
diff --git a/users/qwe b/users/qwe new file mode 100644 index 0000000000000000000000000000000000000000..1241a8057ba0221286d8259790f26e9501a2c5b6 GIT binary patch literal 3422 zcmY+FbyO3K8pg-ifQ?ZSf|MYjFk+-Mh~#KcY6wb62vX7#lNg{lDd`>vNK1%FDlu9@ za>x*Iz$C;E$z8v5?!Di=f4t{8=Xsv<{`ve6Xa+kV6*U6QaG3@o7Ox+F$UsF)RfJ|> z0ihWf{@4%%nzrzth^7cli~VCg1yTY2NZdaO6@rHb`tJ`gDjEbMh)(RDTQ~I1i(w#; z4iJr|wedLIoH~JA0XAm5iw#prz|a=M#P;hS-nf{i45NJZdwVT^M9X?qz&nfOsNnV` zOdTvQe0o84hC|0zGI+u^p51Rj?^A}_eEW%VR#i_K_x-@r=Hy5cIsPmAX|z9V^;Okm z^HB#$_ua&cB$Y6bB!DfRE)&bHM&vG+iB^#hzIJTqz`I`R>ZZD4&%@eO-eNksfLqa= zuQ;>>=&scGe0g{~D}7vjteQ*WoJ?sd&6Q`z&qS^`^Ys#y0p0HA283lxO|JBbGLY0! zM#@rBUW$hTL5+n5dok35TvCRj#1s96V+$%&$Mv*owNze=IYmTt+kmw zc>k*~Vl|Ti{+xGEz575z)2A5>h}I7y`#2Tcs6u8r$AuhsH;}NkM_;gWT45_O-MOUd zxntRv4zC;qC3qOx@XtJ3%m!1LYz?(YOHV8guRp8}!d8M&NJFUYRJuq%)Rt`{`;mxj zGFdBnE?h}!Q95D}#B>RRDKnI4!resKR$a$?6XF5L1%+~ihYPrB1z3FRg}`SHxStDi zcgkO1jF>JT1NFZU^$e0qx}pNsdXfmVQ3E_(9$oK28Tr?T=k8W*>xEfm%JJ z%(T9NyyYaA<>xy7&>ERnw^heRa=$>nOdfjHSU#2~Rfm_I3Oa7h8|LFpxz%*vfO}!U zV;|ID8+e$ZiwXgAHeZ0l=$ zYoQO)QGR`UBeqp8O!q1IYI7Wde46t0V>E^yB422nhD1MhGs%#QqdB+UXiTacvo{J= zgYwq1<2Zw78mGHBh4t)D?-s0=V1-h$4uS@ke|k`Pi&To{nk1}lC{Gj@ms96fp6Y&S zZdY0|NW>b4gex-RNU4L#fniW(EgJ7z7hMDTw^HKZBM4gq4$J(K4NIr(YYCD_dB*+6P1R=lY;dbHd zmwCfg+X`9kJtg7zOie9bK{D^J{MhB8(|&@sC#+1iTqx^*lrx3(y+u8y8TUfXVZ;;m zNdQr_I`8Yt0&wZn-;XwXW)Nfnh?4NDd1>`21q#yjJ3|}ICr>q?SXX+LvP zCDX@0K|a*ZVL$NCwXYeiTzGY{41rVRFVH{bfiygITEIHyfN92ptjP)V+W9Smg)YZ$ zG+uX``%zydm4A$zJlws$^&UUTP4j{r9V>Cf8Wui+vA%Sygh=hM*3jL%r_H2ty<8cQffkranrcpa(WJ3gh}2O-&db6RfYRdTXa|mozfvs>yia>uP8gS zqwjAZuk}*xh?nNhm>VssOv-ys8|E7mPlvlqWSs9Ssq|P|ec(w;sC88J=m->rfI2`T z-KX{GBcl_H-@*Q2qcmPscfL}L&Da4}-%`kN+a{|nDQWQobxSsTPEvgd=cB~IDmut_ za@2)I6xUIg{mJ{fE1ftaw17szHASU}fLfulWQ!2%)C>3w9C5sXpxjo1@TbJHt7aaa zDk0n7x@5>-a*Z_5B)sH=|NQWag>zZ!qHsRL6y>7P@zY4-^ME}r=&xNuc8sr;9Q=1W z6?}If#v>hgYmqU+?4x0@;N`7~u{dVE9iIva)Y@VML0!9MSv8=CInXysGae6$c`k8X zW8>_u+3O;Y1+qr=e7{Lv*3)hIl%?DF3D>qBIk*qsCKJ(x*PapoTfy_ws-=Tc!S#16gc3C-i=5q 
zqDGZe18hN?zJu*C`47FpPX7bqA~e_%ga(`bu?_#69u56}uneUF7NJ2u5NOcm|IwQI zZ(7?BKeeqi4A1^eYY-YV_!@Y(#3&1$yd`pd?wg>SY1I`BAzpWED)79Tl{KH#6&X2+ z%aqhnyf3I&til`6mrJ5=kACf@7_(SH+;{OkYf^MoP`U{{n@)NEN;Fr0b?MAgef=u* zcEX#GCZwf9CsqEvGkJ`WsmjV$8bX|Zuu#WYyJaCVNzjW`0$W%#Rf+ys9BdL2$897t z`Z18!_^@S69a7N!L@haY)auD@*jL#j6hQ8iwiI!i!^k-}q@CLaeQ{pLDiW)zK|?hw z5a_NO{$++IdnmN#vh~J7nSuqnl}Y2<-+PhFCDhvRZgv2f&*lEzay*=u*+^K#nZz&kQvZzd>+YRiiYme_%e7M@ zuowqEW-1+KlbJ)*m?K)ugFpI6_js!ZM9FBK9=gd2?fUQQp*Rdl_71RzA=H=pnhdv> zhGkDzQAyvyRvm0lOyY&>foWSIi|<2vz)Pq`?E8$)&uXpejXOI|_wa74onCoU7kZk@ z3FR@P#vcq`MZEiA@}snh2o@!Xu9I7kGNVKq>7dm4EPj8^{g8KsplH`XaxLd=V50N9 zRLSb?VpFlw$&3VE)?O!Sx+xIQy}G$_TbS`G#!5>)Y)|@i36>8(01N+oa-wl~qF_LY zBkA-Oj6E0j+4q0hj3s#Dhv3S5EFyGeoc!~{6?3T_Aw1)%-RJCQHC?x`52;6-ysfiS zwS@ZU1K-F0-0m-4_G>_$beTq0)K%_k#4AfQ(AY&P4he4ZCLNPbs`47j1@&d9R4i6u z;>cHm_>m~fnV)*lq&doYS>IgIIXh>RR{gXHDl^ICsGKr_jrW4TtlUj0%gy+*+C5dN=L2VE$?(Gi2psfRGrsJU=^ikTY!!hfaaaos1PX>j(;+ z!*wpP7Z2EWNusezLw*M1t<{s0YdT;|dNs#rd)UY$Y~3Yzw&;Sgr?J^&LX3K-Qdd@- zV4@`!{!x`099EH1Al=hhZS<)2K!w6#?)JO+>`3m}>Qr3#zGCQunL6{lx;ilJ zjT^&o+2ez(-j=vUT3(_a-xpcQ#tnjpJ)USlNZ9=Ssh5<9#J< zT~v4fi!qe*0}cRddSi;2G+>LyAU?Q zFrg$j+_! 
zzQD%}@CNt;Bmn_`)B_L*a7SGEr@$`F0b=tLSU3wg(fRq3+j%3+mm&vLhW + cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64 + register: PayloadContent + with_items: "{{ users }}" + + - name: Register CA PayloadContent + shell: > + cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64 + register: PayloadContentCA + + - name: Build the mobileconfigs + template: src=mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600 + with_together: + - "{{ users }}" + - "{{ PayloadContent.results }}" + + - name: Fetch users P12 + fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=users/{{ server_name }}_{{ item }}.p12 flat=yes + with_items: "{{ users }}" + + - name: Fetch users mobileconfig + fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=users/{{ server_name }}_{{ item }}.mobileconfig flat=yes + with_items: "{{ users }}" + + - name: Fetch server CA certificate + fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=users/{{ server_name }}_ca.crt flat=yes handlers: - name: restart strongswan service: name=strongswan state=restarted - name: restart apparmor - service: name=apparmor state=restarted - - - - - - - - - - + service: name=apparmor state=restarted
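Review bot: The new `Register PayloadContent` and `Fetch users P12` tasks read and copy each user's PKCS#12 bundle — the private key — via `shell: cat … | base64` and `fetch … dest=users/…` onto the control host, but the fetched copies get no explicit permissions, unlike the server-side `template … mode=0600`, and the fetched `.mobileconfig` carries the same key plus its import password in plaintext. Prefer the `slurp` module (it returns base64 content without a shell, so `{{ item }}` is never interpolated into a command line) over `shell: cat … | base64`, and either tighten the destination on the controller with a follow-up `file: path=users/{{ server_name }}_{{ item }}.p12 mode=0600` delegated to localhost or document that `users/` must be protected. The paths also use a doubled slash (`easyrsa3//pki/private`) while the CA tasks use `easyrsa3/pki/ca.crt`; harmless, but worth normalising. This hunk starts before the portion visible on this page (its header and the `shell: >` line are unrecoverable), so the exact shape of the first task is assumed.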