apparmom; split up some functions

2025-06-06 15:13:56 +02:00 · 2016-07-17 20:56:26 +03:00 · 2016-07-17 20:56:26 +03:00 · 68945f69d7
commit 68945f69d7
parent 63e67cb3a6
6 changed files with 46 additions and 81 deletions
--- a/config.cfg
+++ b/config.cfg
@ -13,7 +13,7 @@ easyrsa_cert_expire: 3650
 easyrsa_reinit_existent: True

 # Domain or ip
-server_name: ivlis.me
+server_name: www.ivlis.me
 server_ip: "{{ ansible_ssh_host }}"

 users:
--- a/deploy.yml
+++ b/deploy.yml
@ -1,4 +1,5 @@
 ---

-#- include: cloud.yml
+- include: cloud.yml
+- include: common.yml
 - include: vpn.yml
--- a/templates/easy-rsa.vars.j2
+++ b/templates/easy-rsa.vars.j2
@ -102,7 +102,7 @@ set_var EASYRSA_DN "cn_only"
 #  * rsa
 #  * ec

-set_var EASYRSA_ALGO       ec
+set_var EASYRSA_ALGO       rsa

 # Define the named curve, used in ec mode only:

--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@ -1,52 +1,24 @@
 config setup
-	uniqueids = never # allow multiple connections per user
+    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

 conn %default
+    keyexchange=ikev2
+    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
+    esp=aes128gcm16-sha2_256-ecp256!
    dpdaction=clear
-    dpddelay=35s
-    dpdtimeout=300s
-    rekey=no
-	keyexchange=ikev2
-    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
-    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
-	compress=yes
-	fragmentation=yes
-	
+    dpddelay=300s
+    authby=pubkey
    left=%any
-    leftauth=pubkey
    leftid={{ server_name }}
+    leftsubnet=0.0.0.0/0
    leftcert={{ server_name }}.crt
    leftsendcert=always
-    leftsubnet=0.0.0.0/0,::/0
-
    right=%any
-    rightauth=pubkey
    rightsourceip=10.0.0.0/24
-    rightdns=8.8.8.8,8.8.4.4
+    rightdns=8.8.8.8
+    rightsendcert=never

-conn ikev2-pubkey
+conn IPSec-IKEv2
+    keyexchange=ikev2
    auto=add

-    
-    
-#config setup
-
-#conn %default
-        #ikelifetime=60m
-        #keylife=20m
-        #rekeymargin=3m
-        #keyingtries=1
-
-#conn common
-        #left=%any         # Ip of the host
-        #leftcert={{ server_name }}.crt # the cert we just created and copied
-        #leftid={{ server_name }}  # the Alt name in the Cert we just created
-        #leftsubnet=172.16.31.0/24      # The internal subnet the remote user wants to access
-        #right=%any
-        #rightid=%any # Connections can come from anywhere
-        #rightsourceip=192.168.1.0/24   # Use this pool of IPs to assign to these inbound connections
-        #auto=add
-
-#conn ikev2
-        #keyexchange=ikev2 
-        #also=common
--- a/templates/ipsec.secrets.j2
+++ b/templates/ipsec.secrets.j2
@ -1 +1,2 @@
-: ECDSA {{ server_name }}.key
+: RSA {{ server_name }}.key
+
--- a/vpn.yml
+++ b/vpn.yml
@ -1,6 +1,6 @@
 ---

- name: Install StrongSwan
+- name: VPN Configuration
  hosts: vpn-host
  gather_facts: false
  remote_user: root
@ -8,48 +8,39 @@
    - config.cfg    
  
  tasks:
-  - name: Wait for port 22 to become available
-    local_action: "wait_for port=22 host={{ inventory_hostname }}"
+  - name: Install StrongSwan
+    apt: name=strongswan state=latest update_cache=yes

-  #- name: Updating apt-get
-    #raw: apt-get update -qq
+  - name: Enforcing ipsec with apparmor
+    shell: aa-enforce "{{ item }}"
+    with_items:
+      - /usr/lib/ipsec/charon
+      - /usr/lib/ipsec/lookip
+      - /usr/lib/ipsec/stroke
+    notify:
+    - restart apparmor
    
-  #- name: Install python2.7 for Ansible
-    #raw: apt-get install -qq -y python2.7
+  - name: Enable services
+    service: name={{ item }} enabled=yes
+    with_items:
+      - apparmor
+      - strongswan

-  #- name: Install StrongSwan
-    #apt: name=strongswan state=latest update_cache=yes
-
-  #- name: Enable strongswan
-    #service: name=strongswan enabled=yes
-
-  #- name: Enable packet forwarding for IPv4
-    #sysctl: name=net.ipv4.ip_forward value=1
-
-  #- name: Do not accept ICMP redirects (prevent MITM attacks)
-    #sysctl: name=net.ipv4.conf.all.accept_redirects value=0
-
-  #- name: Do not send ICMP redirects (we are not a router)
-    #sysctl: name=net.ipv4.conf.all.send_redirects value=0
-
-  #- name: Configure iptables so IPSec traffic can traverse the tunnel
-    #iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE
+  - name: Configure iptables so IPSec traffic can traverse the tunnel
+    iptables: table=nat chain=POSTROUTING source=10.0.0.0/24 jump=MASQUERADE

  - name: Setup the ipsec.conf file from our template
    template: src=ipsec.conf.j2 dest=/etc/ipsec.conf owner=root group=root mode=644
    notify:
    - restart strongswan    

-  - name: Setup the ipsec.secrets file with users and passwords
+  - name: Setup the ipsec.secrets file
    template: src=ipsec.secrets.j2 dest=/etc/ipsec.secrets owner=root group=root mode=600
    notify:
    - restart strongswan    
- 
-  - name: Install git
-    apt: name=git state=latest      
    
-  #- name: Fetch easy-rsa-ipsec repo
-    #git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"
+  - name: Fetch easy-rsa-ipsec repo
+    git: repo=git://github.com/ValdikSS/easy-rsa-ipsec.git dest="{{ easyrsa_dir }}"

  - name: Setup the vars file from our template
    template: src=easy-rsa.vars.j2 dest={{ easyrsa_dir }}/easyrsa3/vars
@ -78,7 +69,7 @@
    
  - name: Build the server pair
    shell: |
-      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-server-full {{ server_name }} nopass
+      ./easyrsa build-server-full {{ server_name }} nopass
      touch '{{ easyrsa_dir }}/easyrsa3/pki/server_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -88,7 +79,7 @@

  - name: Build the client's pair
    shell: |
-      ./easyrsa --subject-alt-name=DNS:{{ server_name }},IP:{{ server_ip }} build-client-full {{ item }} nopass
+      ./easyrsa build-client-full {{ item }} nopass
      touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_initialized'
    args:
      chdir: '{{ easyrsa_dir }}/easyrsa3/'
@ -104,27 +95,27 @@
      creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized'
    with_items: "{{ users }}"
  
-  - name: Make the CA cert to the strongswan directory
+  - name: Copy the CA cert to the strongswan directory
    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/ca.crt' dest=/etc/ipsec.d/cacerts/ca.crt owner=root group=root mode=0600
    notify:
    - restart strongswan

-  - name: Make the server cert to the strongswan directory
+  - name: Copy the server cert to the strongswan directory
    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/issued/{{ server_name }}.crt' dest=/etc/ipsec.d/certs/{{ server_name }}.crt owner=root group=root mode=0600
    notify:
    - restart strongswan      
    
-  - name: Make the server key to the strongswan directory
+  - name: Copy the server key to the strongswan directory
    copy: remote_src=True src='{{ easyrsa_dir }}/easyrsa3/pki/private/{{ server_name }}.key' dest=/etc/ipsec.d/private/{{ server_name }}.key owner=root group=root mode=0600
    notify:
    - restart strongswan    
-   
-  - name: restart strongswan
-    service: name=strongswan state=restarted
    
  handlers:
    - name: restart strongswan
      service: name=strongswan state=restarted
+
+    - name: restart apparmor
+      service: name=apparmor state=restarted