From 4db428a86ec2aa451d8109e8d7b48d7a462eea73 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Mon, 10 Oct 2016 15:42:32 +0300
Subject: [PATCH] Disable unneeded plugins in StrongSwan #84

---
 config.cfg | 22 +++++++++++++++++++++-
 roles/vpn/tasks/main.yml | 19 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/config.cfg b/config.cfg
index cd827f3..4704920 100644
--- a/config.cfg
+++ b/config.cfg
@@ -28,12 +28,32 @@ IP_subject_alt_name: "{{ ansible_ssh_host }}"
 # Enable this variable if you want to use a local DNS resolver to block ads while surfing. (True or False)
 service_dns: True
 
-# If you don't want to use a local DNS resolver (option `service_dns`) you need to define DNS servers in this list.
+# If you don't want to use a local DNS resolver (option `service_dns`) you need to define DNS servers in this list.
 dns_servers:
 - 8.8.8.8
 - 8.8.4.4
 - 2001:4860:4860::8888
 - 2001:4860:4860::8844
 
+strongswan_enabled_plugins:
+ - aes
+ - gcm
+ - hmac
+ - kernel-netlink
+ - nonce
+ - openssl
+ - pem
+ - pgp
+ - pkcs12
+ - pkcs7
+ - pkcs8
+ - pubkey
+ - random
+ - revocation
+ - sha2
+ - socket-default
+ - stroke
+ - x509
+
 # IP address for the proxy and the local dns resolver
 local_service_ip: 172.16.0.1
 
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 3b9ea12..690a44a 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
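Review bot: `strongswan_enabled_plugins` is an allowlist, but nothing in config.cfg says so; the consuming role (roles/vpn/tasks/main.yml in this same commit) writes `load = no` into every other `/etc/strongswan.d/charon/*.conf`, so a user who trims or extends this list cannot see that omitting a name disables that plugin. Add above the key: `# Allowlist of strongSwan charon plugins. The vpn role sets load = no for every plugin found in /etc/strongswan.d/charon/ that is not listed here, so any plugin your strongswan.conf relies on must be added to this list.` Keeping `revocation`, `x509` and `openssl` in the default set preserves certificate validation, which is the right hardening default; the entries are plain lowercase names with no YAML-ambiguous values, so no quoting is needed.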
@@ -66,6 +66,25 @@
 notify:
 - restart strongswan
 
+- name: Get loaded plugins
+ shell: >
+ find /etc/strongswan.d/charon/ -type f -name '*.conf' -printf '%f\n' | cut -f1 -d.
+ register: strongswan_plugins
+
+- name: Disable unneeded plugins
+ lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = no' state=present
+ notify:
+ - restart strongswan
+ when: item not in strongswan_enabled_plugins
+ with_items: "{{ strongswan_plugins.stdout_lines }}"
+
+- name: Ensure that required plugins are enabled
+ lineinfile: dest="/etc/strongswan.d/charon/{{ item }}.conf" regexp='.*load.*' line='load = yes' state=present
+ notify:
+ - restart strongswan
+ when: item in strongswan_enabled_plugins
+ with_items: "{{ strongswan_plugins.stdout_lines }}"
+
 - name: Fetch easy-rsa-ipsec from git
 git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git version=ed4de10d7ce0726357fb1bb4729f8eb440c06e2b dest="{{ easyrsa_dir }}"
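Review bot: The `regexp='.*load.*'` in both lineinfile tasks matches any line containing the substring "load", and lineinfile rewrites only the last matching line, so in a plugin file whose later options also contain that substring (pkcs11.conf's `load_certs`/`reload_certs`, if I recall the shipped templates correctly) the wrong line is replaced, the real `load = yes` survives and a plugin meant to be disabled stays loaded — the hardening fails silently. Anchor the pattern to the key in both tasks: `regexp='^\s*load\s*='`. The `find | cut` task also reports changed on every run; add `changed_when: false` so the play stays idempotent. The two lineinfile tasks differ only in the written value and the inverted `when`, so they can collapse into one task with a Jinja conditional in `line`, written with native YAML module args as Ansible style recommends:
```yaml
- name: Get loaded plugins
  shell: >
    find /etc/strongswan.d/charon/ -type f -name '*.conf' -printf '%f\n' | cut -f1 -d.
  register: strongswan_plugins
  changed_when: false

- name: Enable only the plugins listed in strongswan_enabled_plugins
  lineinfile:
    dest: "/etc/strongswan.d/charon/{{ item }}.conf"
    regexp: '^\s*load\s*='
    line: "load = {{ 'yes' if item in strongswan_enabled_plugins else 'no' }}"
    state: present
  notify:
    - restart strongswan
  with_items: "{{ strongswan_plugins.stdout_lines }}"
```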