diff --git a/algo b/algo
index b8f1ac9..551dbe4 100755
--- a/algo
+++ b/algo
@@ -440,7 +440,7 @@ Enter the password for the private CA key:
 $ADDITIONAL_PROMPT
 : " -rs easyrsa_CA_password
-ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject=$IP_subject easyrsa_CA_password=$easyrsa_CA_password"
+ansible-playbook users.yml -e "server_ip=$server_ip server_user=$server_user ssh_tunneling_enabled=$ssh_tunneling_enabled IP_subject=$IP_subject easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common
 }
 case "$1" in
diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml
index 90ff26f..35161bc 100644
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@@ -82,6 +82,21 @@
 become: no
 with_items:
 - "{{ users }}"
+
+ - name: SSH | Get active system users
+ shell: >
+ getent group algo | cut -f4 -d: | sed "s/,/\n/g"
+ register: valid_users
+ when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+
+ - name: SSH | Delete non-existing users
+ user:
+ name: "{{ item }}"
+ state: absent
+ remove: yes
+ force: yes
+ when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
+ with_items: "{{ valid_users.stdout_lines | default('null') }}"
 rescue:
 - debug: var=fail_hint
 tags: always
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
index 32885b5..9b481d4 100644
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@@ -12,3 +12,6 @@
 - name: restart iptables
 service: name=netfilter-persistent state=restarted
+
+ - name: rereadcrls
+ shell: ipsec rereadcrls
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index d250caf..9a9c927 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
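Review bot: The rewritten `ansible-playbook users.yml -e "... easyrsa_CA_password=$easyrsa_CA_password" -t update-users --skip-tags common` line still places the CA key passphrase in the process arguments, where any local user can read it from the process list for as long as the play runs. Passing it through a vars file (`-e @<vars-file>`, created with restrictive permissions and removed afterwards) or through an environment variable read inside the playbook would keep the new `update-users` path from exposing it. The removed line had the same exposure, so this is pre-existing, but the rewrite is the natural place to close it.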
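Review bot: `with_items: "{{ valid_users.stdout_lines | default('null') }}"` in "SSH | Delete non-existing users" iterates over the literal string `null` whenever the preceding task was skipped and relies on the repeated `when:` to discard it; `default([])` states the intent directly. When group `algo` exists but has no members, the `getent group algo | cut -f4 -d:` pipeline appears to emit one empty line, which `item not in users` accepts and hands to the `user` module as `name: ""` — presumably worth excluding with `when: item | length > 0 and item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"`, after confirming how the module treats an empty name. Both `ssh_tunneling_enabled` conditions duplicate the `when:` on the role entry in users.yml and could be dropped here. Because `remove: yes` together with `force: yes` deletes the account's home directory, a one-line comment stating that `users` in config.cfg is authoritative for membership of group `algo` would help the next maintainer.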
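Review bot: The new `rereadcrls` handler runs `ipsec rereadcrls` through `shell:` although the command uses no shell features; `command: ipsec rereadcrls` is the conventional form and avoids the lint rule that flags `shell` used without shell functionality. The handler otherwise matches the `restart iptables` entry above it in style.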
@@ -21,8 +21,10 @@
 - include: ipec_configuration.yml
 - include: openssl.yml
+ tags: update-users
 - include: distribute_keys.yml
 - include: client_configs.yml
+ tags: update-users
 - meta: flush_handlers
diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
index 8f9d52a..8c84a9b 100644
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@@ -115,3 +115,34 @@
 become: no
 with_items:
 - "{{ users }}"
+
+ - name: Get active users
+ local_action: >
+ shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+ become: no
+ args:
+ chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+ register: valid_certs
+
+ - name: Revoke non-existing users
+ local_action: >
+ shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
+ openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
+ touch crl/{{ item }}_revoked
+ become: no
+ args:
+ chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+ creates: crl/{{ item }}_revoked
+ environment:
+ subjectAltName: "DNS:{{ item }}"
+ when: item not in users
+ with_items: "{{ valid_certs.stdout_lines }}"
+
+ - name: Copy the revoked certificates to the vpn server
+ copy:
+ src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
+ dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
+ when: item not in users
+ with_items: "{{ valid_certs.stdout_lines }}"
+ notify:
+ - rereadcrls
diff --git a/users.yml b/users.yml
index 5f55bc0..a9be55e 100644
--- a/users.yml
+++ b/users.yml
@@ -2,6 +2,7 @@
 - hosts: localhost
 gather_facts: False
+ tags: always
 vars_files:
 - config.cfg
@@ -40,12 +41,12 @@
 become: true
 vars_files:
 - config.cfg
- - roles/vpn/defaults/main.yml
 pre_tasks:
 - block:
 - name: Common pre-tasks
 include: playbooks/common.yml
+ tags: always
 rescue:
 - debug: var=fail_hint
 tags: always
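Review bot: In "Revoke non-existing users" the folded scalar has no `&&` between the `openssl ca -gencrl ... -out crl/{{ item }}.crt` line and `touch crl/{{ item }}_revoked`, so `>` joins them into one command and `touch crl/{{ item }}_revoked` becomes stray arguments to `openssl ca -gencrl`; either `openssl ca` rejects them and the task fails, or the marker file that `creates:` looks for is never written and the revocation is re-attempted on every run. Ending the middle line with `openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -out crl/{{ item }}.crt &&` fixes that; repeating `-revoke` for the certificate the first command has just revoked looks redundant and may itself make `openssl ca` exit non-zero, which is worth checking against the OpenSSL version in use. Both `openssl ca` invocations pass the CA passphrase as `-passin pass:...` on the command line and the task carries no `no_log`, so the passphrase appears in the local process list and in verbose task output; `no_log: True`, as the removed mobileconfig task in users.yml used, would at least keep it out of the logs. The `-gencrl` command also writes a full CRL per revoked user into `crl/{{ item }}.crt`, which the next task copies into ipsec.d/crls as separate files — a short comment on why one CRL file per user rather than a single CRL would document the intent.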
@@ -53,165 +54,8 @@
 tags: always
 roles:
- - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
-
- tasks:
- - block:
- - name: Gather Facts
- setup:
-
- - name: Checking the signature algorithm
- local_action: >
- shell openssl x509 -text -in certs/{{ IP_subject_alt_name }}.crt | grep 'Signature Algorithm' | head -n1
- become: no
- register: sig_algo
- args:
- chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-
- - name: Change the algorithm to RSA
- set_fact:
- algo_params: "rsa:2048"
- when: '"ecdsa" not in sig_algo.stdout'
-
- - name: Build the client's pair
- local_action: >
- shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
- openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
- touch certs/{{ item }}_crt_generated
- become: no
- args:
- chdir: "configs/{{ IP_subject_alt_name }}/pki/"
- creates: certs/{{ item }}_crt_generated
- environment:
- subjectAltName: "DNS:{{ item }}"
- with_items: "{{ users }}"
-
- - name: Build the client's p12
- local_action: >
- shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
- become: no
- args:
- chdir: "configs/{{ IP_subject_alt_name }}/pki/"
- with_items: "{{ users }}"
-
- - name: Copy the p12 certificates
- local_action:
- module: copy
- src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
- dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
- mode: 0600
- become: no
- with_items:
- - "{{ users }}"
-
- - name: Get active users
- local_action: >
- shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
- become: no
- args:
- chdir: "configs/{{ IP_subject_alt_name }}/pki/"
- register: valid_certs
-
- - name: Revoke non-existing users
- local_action: >
- shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
- openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
- touch crl/{{ item }}_revoked
- become: no
- args:
- chdir: "configs/{{ IP_subject_alt_name }}/pki/"
- creates: crl/{{ item }}_revoked
- environment:
- subjectAltName: "DNS:{{ item }}"
- when: item not in users
- with_items: "{{ valid_certs.stdout_lines }}"
-
- - name: Copy the revoked certificates to the vpn server
- copy:
- src: configs/{{ IP_subject_alt_name }}/pki/crl/{{ item }}.crt
- dest: "{{ config_prefix|default('/') }}etc/ipsec.d/crls/{{ item }}.crt"
- when: item not in users
- with_items: "{{ valid_certs.stdout_lines }}"
- notify:
- - rereadcrls
-
- - name: Register p12 PayloadContent
- local_action: >
- shell cat private/{{ item }}.p12 | base64
- register: PayloadContent
- become: no
- args:
- chdir: "configs/{{ IP_subject_alt_name }}/pki/"
- with_items: "{{ users }}"
-
- - name: Set facts for mobileconfigs
- set_fact:
- proxy_enabled: false
- PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
-
- - name: Build the mobileconfigs
- local_action:
- module: template
- src: roles/vpn/templates/mobileconfig.j2
- dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
- mode: 0600
- become: no
- with_together:
- - "{{ users }}"
- - "{{ PayloadContent.results }}"
- no_log: True
-
- - name: Build the client ipsec config file
- local_action:
- module: template
- src: roles/vpn/templates/client_ipsec.conf.j2
- dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
- mode: 0600
- become: no
- with_items:
- - "{{ users }}"
-
- - name: Build the client ipsec secret file
- local_action:
- module: template
- src: roles/vpn/templates/client_ipsec.secrets.j2
- dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
- mode: 0600
- become: no
- with_items:
- - "{{ users }}"
-
- - name: Build the windows client powershell script
- local_action:
- module: template
- src: roles/vpn/templates/client_windows.ps1.j2
- dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
- mode: 0600
- become: no
- when: Win10_Enabled is defined and Win10_Enabled == "Y"
- with_items: "{{ users }}"
-
- # SSH
-
- - name: SSH | Get active system users
- shell: >
- getent group algo | cut -f4 -d: | sed "s/,/\n/g"
- register: valid_users
- when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
-
- - name: SSH | Delete non-existing users
- user:
- name: "{{ item }}"
- state: absent
- remove: yes
- force: yes
- when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
- with_items: "{{ valid_users.stdout_lines | default('null') }}"
- rescue:
- - debug: var=fail_hint
- tags: always
- - fail:
- tags: always
+ - { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
+ - { role: vpn }
 post_tasks:
 - block:
@@ -225,7 +69,3 @@
 tags: always
 - fail:
 tags: always
-
- handlers:
- - name: rereadcrls
- shell: ipsec rereadcrls
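Review bot: `tags: always` on the new `ssh_tunneling` role entry makes the whole role run under every tag selection, including runs that name an unrelated tag, and it can only be excluded with `--skip-tags always`; since the `algo` script drives this playbook with `-t update-users`, `tags: [ 'ssh_tunneling', 'update-users' ]` would select it on that path without making it unconditional. The `vpn` entry on the next line is untagged and relies on the `update-users` tags placed on individual includes inside the role, so the two entries reach the same goal by different mechanisms — a one-line comment on each explaining the choice would save the next reader a trip into the role. The replaced task list began with an explicit `setup:` and wrapped everything in a `block:`/`rescue:` that printed `fail_hint`; the role entries have neither, so if this play has `gather_facts` disabled the roles now run without facts, and role failures no longer surface the hint — the play header is outside this hunk, so confirm there.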