From 55d40a6b274a4dfe0905e88636d3fa4b409914aa Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Thu, 12 Jan 2017 21:09:29 +0300
Subject: [PATCH] update-users with local_openssl_tasks

---
 roles/vpn/tasks/main.yml |   9 ---
 users.yml                | 143 +++++++++++++++++++++++++++++----------
 2 files changed, 107 insertions(+), 45 deletions(-)

diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 4d842ad9..e0a70c4a 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -241,15 +241,6 @@
     chdir: "configs/{{ IP_subject_alt_name }}/pki/"
   with_items: "{{ users }}"
 
-- name: Register p12 PayloadContent
-  local_action: >
-    shell cat private/{{ item }}.p12 | base64
-  register: PayloadContent
-  become: no
-  args:
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-  with_items: "{{ users }}"
-
 - name: Set facts for mobileconfigs
   set_fact:
     proxy_enabled: false
diff --git a/users.yml b/users.yml
index b6f71307..4064d7bd 100644
--- a/users.yml
+++ b/users.yml
@@ -39,6 +39,7 @@
         ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
         easyrsa_CA_password: "{{ easyrsa_CA_password }}"
         IP_subject: "{{ IP_subject }}"
+        ansible_ssh_private_key_file: "{{ SSH_keys.private }}"
 
 - name: Wait until SSH becomes ready...
   local_action:
@@ -53,7 +54,7 @@
 
 - name: User management
   hosts: vpn-host
-  gather_facts: false
+  gather_facts: true
   become: true
   vars_files:
     - config.cfg
@@ -73,70 +74,136 @@
     - set_fact:
         easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}"
 
-    - name: Build the client's pair
-      shell: >
-        ./easyrsa gen-req {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
-        ./easyrsa --subject-alt-name='DNS:{{ item }}' sign-req client {{ item }} nopass -- -passin pass:"{{ easyrsa_CA_password }}" &&
-        touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+    - name: Cheking the signature algorithm
+      local_action: >
+        shell openssl x509 -text -in certs/82.196.1.93.crt | grep 'Signature Algorithm' | head -n1
+      become: no
+      register: sig_algo
       args:
-        chdir: '{{ easyrsa_dir }}/easyrsa3/'
-        creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
+        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+
+    - name: Change the algorithm to RSA
+      set_fact:
+        algo_params: "rsa:2048"
+      when: '"ecdsa" not in sig_algo.stdout'
+
+    - name: Build the client's pair
+      local_action: >
+        shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
+        openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+        touch certs/{{ item }}_crt_generated
+      become: no
+      args:
+        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+        creates: certs/{{ item }}_crt_generated
+      environment:
+        subjectAltName: "DNS:{{ item }}"
       with_items: "{{ users }}"
 
     - name: Build the client's p12
-      shell: >
-        openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }}
+      local_action: >
+        shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
+      become: no
       args:
-        chdir: '{{ easyrsa_dir }}/easyrsa3/'
+        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       with_items: "{{ users }}"
 
+    - name: Copy the p12 certificates
+      local_action:
+        module: copy
+        src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
+        dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+        mode: 0600
+      become: no
+      with_items:
+        - "{{ users }}"
+
     - name: Get active users
-      shell: >
-        grep ^V pki/index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+      local_action: >
+        shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+      become: no
       args:
-        chdir: '{{ easyrsa_dir }}/easyrsa3/'
+        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       register: valid_certs
 
     - name: Revoke non-existing users
-      shell: >
-        openssl ec -in pki/private/ca.key -out pki/private/ca.key -passin pass:"{{ easyrsa_CA_password }}" -passout pass:"" &&
-        ipsec pki --signcrl --cacert {{ easyrsa_dir }}/easyrsa3//pki/ca.crt --cakey {{ easyrsa_dir }}/easyrsa3/pki/private/ca.key --reason superseded --cert {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt > /etc/ipsec.d/crls/{{ item }}.der &&
-        ./easyrsa revoke {{ item }} &&
-        openssl ec -aes256 -in pki/private/ca.key -out pki/private/ca.key -passin pass:"" -passout pass:"{{ easyrsa_CA_password }}" &&
-        ipsec rereadcrls
+      local_action: >
+        shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
+        openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
+        touch crl/{{ item }}_revoked
+      become: no
       args:
-        chdir: '{{ easyrsa_dir }}/easyrsa3/'
+        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+        creates: crl/{{ item }}_revoked
+      environment:
+        subjectAltName: "DNS:{{ item }}"
       when: item not in users
       with_items: "{{ valid_certs.stdout_lines }}"
 
+    - name: Copy the revoked certificates to the vpn server
+      copy:
+        src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
+        dest: /etc/ipsec.d/crls/{{ item }}.crt
+      when: item not in users
+      with_items: "{{ valid_certs.stdout_lines }}"
+      notify:
+        - rereadcrls
+
     - name: Register p12 PayloadContent
-      shell: >
-        cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
+      local_action: >
+        shell cat private/{{ item }}.p12 | base64
       register: PayloadContent
+      become: no
+      args:
+        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       with_items: "{{ users }}"
 
-    - name: Register CA PayloadContent
-      shell: >
-        cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
-      register: PayloadContentCA
+    - name: Set facts for mobileconfigs
+      set_fact:
+        proxy_enabled: false
+        PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
 
     - name: Build the mobileconfigs
-      template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}.mobileconfig mode=0600
+      local_action:
+        module: template
+        src: roles/vpn/templates/mobileconfig.j2
+        dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
+        mode: 0600
+      become: no
       with_together:
         - "{{ users }}"
         - "{{ PayloadContent.results }}"
       no_log: True
 
-    - name: Fetch users P12
-      fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 dest=configs/{{ IP_subject_alt_name }}_{{ item }}.p12 flat=yes
-      with_items: "{{ users }}"
+    - name: Build the client ipsec config file
+      local_action:
+        module: template
+        src: roles/vpn/templates/client_ipsec.conf.j2
+        dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
+        mode: 0600
+      become: no
+      with_items:
+        - "{{ users }}"
 
-    - name: Fetch users mobileconfig
-      fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}.mobileconfig flat=yes
-      with_items: "{{ users }}"
+    - name: Build the client ipsec secret file
+      local_action:
+        module: template
+        src: roles/vpn/templates/client_ipsec.secrets.j2
+        dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
+        mode: 0600
+      become: no
+      with_items:
+        - "{{ users }}"
 
-    - name: Fetch server CA certificate
-      fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes
+    - name: Build the windows client powershell script
+      local_action:
+        module: template
+        src: roles/vpn/templates/client_windows.ps1.j2
+        dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
+        mode: 0600
+      become: no
+      when: Win10_Enabled is defined and Win10_Enabled == "Y"
+      with_items: "{{ users }}"
 
   # SSH
@@ -163,3 +230,7 @@
   post_tasks:
     - debug: msg="{{ congrats.split('\n') }}"
       tags: always
+
+  handlers:
+    - name: rereadcrls
+      shell: ipsec rereadcrls
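Review bot: The probe in "Cheking the signature algorithm" reads a hard-coded certificate path, `certs/82.196.1.93.crt`; on any other deployment that file does not exist, the pipeline still exits 0 through `head -n1`, `sig_algo.stdout` is empty, and "Change the algorithm to RSA" silently switches every client key to RSA, so the path should be derived from the server name as the rest of the hunk does, `shell openssl x509 -text -in certs/{{ IP_subject_alt_name }}.crt | grep 'Signature Algorithm' | head -n1` (the task name also misspells "Checking"). In "Revoke non-existing users" the `touch crl/{{ item }}_revoked` line is not joined to the previous command with `&&`; because the value is a folded scalar (`>`) it is appended to the `openssl ca -gencrl ...` command as extra arguments, so the marker file that `creates:` relies on is never written, the task re-runs on every play, and the first `-revoke` then presumably fails on an already-revoked certificate — end the `-gencrl` line with ` &&` (and that second `-revoke` on the `-gencrl` call looks redundant). The local `openssl` tasks pass `easyrsa_CA_password` and `easyrsa_p12_export_password` on the command line through `-passin pass:`/`-passout pass:` without `no_log`, so the secrets show up in verbose Ansible output and in the local process list; add `no_log: true` to "Build the client's pair", "Build the client's p12" and "Revoke non-existing users", as "Build the mobileconfigs" already does. Finally, `mode: 0600` on the copy and template tasks is an unquoted octal literal that YAML parses as an integer; write `mode: "0600"`.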
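Review bot: The new `rereadcrls` handler runs `ipsec rereadcrls` through `shell:` although the command uses no shell features; `command: ipsec rereadcrls` avoids spawning a shell and is what ansible-lint expects. The handler is only notified by "Copy the revoked certificates to the vpn server", so a CRL that is generated but not copied (for example when that task is skipped) never reaches strongSwan — worth a one-line comment above the handler, `# Notified only by the CRL copy task; the server re-reads /etc/ipsec.d/crls on change`. The enclosing play starts outside this hunk.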