delete tasks and move to roles (#519)

2025-06-05 22:54:01 +02:00 · 2017-05-08 22:34:45 +02:00 · 2017-05-08 22:34:45 +02:00 · 58d5a06e87
commit 58d5a06e87
parent 07ddb5863b
6 changed files with 56 additions and 165 deletions
--- a/2
+++ b/2
@ -440,7 +440,7 @@ Enter the password for the private CA key:
 $ADDITIONAL_PROMPT
 : " -rs easyrsa_CA_password

-ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject=$IP_subject easyrsa_CA_password=$easyrsa_CA_password"
+ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common
 }

 case "$1" in
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@ -82,6 +82,21 @@
      become: no
      with_items:
        - "{{ users }}"
+        
+    - name: SSH | Get active system users
+      shell: >
+        getent group algo | cut -f4 -d: | sed "s/,/\n/g"
+      register: valid_users
+      when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+
+    - name: SSH | Delete non-existing users
+      user:
+        name: "{{ item }}"
+        state: absent
+        remove: yes
+        force: yes
+      when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+      with_items: "{{ valid_users.stdout_lines | default('null') }}"
  rescue:
    - debug: var=fail_hint
      tags: always
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -12,3 +12,6 @@

 - name: restart iptables
  service: name=netfilter-persistent state=restarted
+
+- name: rereadcrls
+  shell: ipsec rereadcrls
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -21,8 +21,10 @@

    - include: ipec_configuration.yml
    - include: openssl.yml
+      tags: update-users
    - include: distribute_keys.yml
    - include: client_configs.yml
+      tags: update-users

    - meta: flush_handlers

--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@ -115,3 +115,34 @@
  become: no
  with_items:
    - "{{ users }}"
+
+- name: Get active users
+  local_action: >
+    shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+  become: no
+  args:
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+  register: valid_certs
+
+- name: Revoke non-existing users
+  local_action: >
+    shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
+      openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
+      touch crl/{{ item }}_revoked
+  become: no
+  args:
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    creates: crl/{{ item }}_revoked
+  environment:
+    subjectAltName: "DNS:{{ item }}"
+  when: item not in users
+  with_items: "{{ valid_certs.stdout_lines }}"
+
+- name: Copy the revoked certificates to the vpn server
+  copy:
+    src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
+    dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
+  when: item not in users
+  with_items: "{{ valid_certs.stdout_lines }}"
+  notify:
+    - rereadcrls
--- a/users.yml
+++ b/users.yml
@ -2,6 +2,7 @@

 - hosts: localhost
  gather_facts: False
+  tags: always
  vars_files:
    - config.cfg

@ -40,12 +41,12 @@
  become: true
  vars_files:
    - config.cfg
-    - roles/vpn/defaults/main.yml

  pre_tasks:
    - block:
        - name: Common pre-tasks
          include: playbooks/common.yml
+          tags: always
      rescue:
        - debug: var=fail_hint
          tags: always
@ -53,165 +54,8 @@
          tags: always

  roles:
-    - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
-
-  tasks:
-    - block:
-        - name: Gather Facts
-          setup:
-
-        - name: Checking the signature algorithm
-          local_action: >
-              shell openssl x509 -text -in certs/{{ IP_subject_alt_name }}.crt  | grep 'Signature Algorithm' | head -n1
-          become: no
-          register: sig_algo
-          args:
-            chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-
-        - name: Change the algorithm to RSA
-          set_fact:
-            algo_params: "rsa:2048"
-          when: '"ecdsa" not in sig_algo.stdout'
-
-        - name: Build the client's pair
-          local_action: >
-            shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
-              openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
-              touch certs/{{ item }}_crt_generated
-          become: no
-          args:
-            chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-            creates: certs/{{ item }}_crt_generated
-          environment:
-            subjectAltName: "DNS:{{ item }}"
-          with_items: "{{ users }}"
-
-        - name: Build the client's p12
-          local_action: >
-            shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
-          become: no
-          args:
-            chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-          with_items: "{{ users }}"
-
-        - name: Copy the p12 certificates
-          local_action:
-            module: copy
-            src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
-            dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
-            mode: 0600
-          become: no
-          with_items:
-            - "{{ users }}"
-
-        - name: Get active users
-          local_action: >
-            shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
-          become: no
-          args:
-            chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-          register: valid_certs
-
-        - name: Revoke non-existing users
-          local_action: >
-            shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
-              openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
-              touch crl/{{ item }}_revoked
-          become: no
-          args:
-            chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-            creates: crl/{{ item }}_revoked
-          environment:
-            subjectAltName: "DNS:{{ item }}"
-          when: item not in users
-          with_items: "{{ valid_certs.stdout_lines }}"
-
-        - name: Copy the revoked certificates to the vpn server
-          copy:
-            src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
-            dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
-          when: item not in users
-          with_items: "{{ valid_certs.stdout_lines }}"
-          notify:
-            - rereadcrls
-
-        - name: Register p12 PayloadContent
-          local_action: >
-            shell cat private/{{ item }}.p12 | base64
-          register:  PayloadContent
-          become: no
-          args:
-            chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-          with_items: "{{ users }}"
-
-        - name: Set facts for mobileconfigs
-          set_fact:
-            proxy_enabled: false
-            PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
-
-        - name: Build the mobileconfigs
-          local_action:
-            module: template
-            src: roles/vpn/templates/mobileconfig.j2
-            dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
-            mode: 0600
-          become: no
-          with_together:
-            - "{{ users }}"
-            - "{{ PayloadContent.results }}"
-          no_log: True
-
-        - name: Build the client ipsec config file
-          local_action:
-            module: template
-            src: roles/vpn/templates/client_ipsec.conf.j2
-            dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
-            mode: 0600
-          become: no
-          with_items:
-            - "{{ users }}"
-
-        - name: Build the client ipsec secret file
-          local_action:
-            module: template
-            src: roles/vpn/templates/client_ipsec.secrets.j2
-            dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
-            mode: 0600
-          become: no
-          with_items:
-            - "{{ users }}"
-
-        - name: Build the windows client powershell script
-          local_action:
-            module: template
-            src: roles/vpn/templates/client_windows.ps1.j2
-            dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
-            mode: 0600
-          become: no
-          when: Win10_Enabled is defined and Win10_Enabled == "Y"
-          with_items: "{{ users }}"
-
-        # SSH
-
-        - name: SSH | Get active system users
-          shell: >
-            getent group algo | cut -f4 -d: | sed "s/,/\n/g"
-          register: valid_users
-          when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
-
-        - name: SSH | Delete non-existing users
-          user:
-            name: "{{ item }}"
-            state: absent
-            remove: yes
-            force: yes
-          when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
-          with_items: "{{ valid_users.stdout_lines | default('null') }}"
-      rescue:
-        - debug: var=fail_hint
-          tags: always
-        - fail:
-          tags: always
+    - { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
+    - { role: vpn }

  post_tasks:
    - block:
@ -225,7 +69,3 @@
          tags: always
        - fail:
          tags: always
-
-  handlers:
-    - name: rereadcrls
-      shell: ipsec rereadcrls