diff --git a/config.cfg b/config.cfg index 23865ee5..06917655 100644 --- a/config.cfg +++ b/config.cfg @@ -9,10 +9,6 @@ users: # Avoid using '+' in your email address otherwise auditd will fail to start. auditd_action_mail_acct: email@example.com -# Exported certificates will be protected by the password below: -easyrsa_p12_export_password: vpnpws - - ### Advanced users only below this line ### easyrsa_dir: /opt/easy-rsa-ipsec @@ -74,3 +70,14 @@ local_service_ip: 172.16.0.1 pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}" VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}" CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}" + +congrats: | + "#----------------------------------------------------------------------#" + "# Congratulations! #" + "# Your Algo server is running. #" + "# Config files and certificates are in the ./configs/ directory. #" + "# Go to https://whoer.net/ after connecting #" + "# and ensure that all your traffic passes through the VPN. #" + "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" + "# The p12 password is {{ easyrsa_p12_export_password }}" + "#----------------------------------------------------------------------#" diff --git a/deploy.yml b/deploy.yml index 01d8af89..f8d50710 100644 --- a/deploy.yml +++ b/deploy.yml 
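Review bot: Every line of the new `congrats` block scalar keeps its surrounding double quotes as literal text, because inside a `|` block scalar quotes are content rather than delimiters, unlike the `echo "..."` lines this replaces in deploy.yml; the banner will therefore print with a `"` at both ends of each line. `|` also keeps the trailing newline, so the `congrats.split('\n')` added in deploy.yml and users.yml ends with an empty element; writing `congrats: |-` and dropping the quotes, e.g. `  # Congratulations! #`, fixes both. The last content line interpolates `{{ easyrsa_p12_export_password }}`, so the rendered banner carries the only credential protecting the exported .p12 files and anything that captures the play's output (a configured `log_path`, a CI transcript) retains it; a comment above the key such as `# Printed by the final debug task; it includes the p12 password, so the run's output is sensitive.` would make that visible to whoever edits this file next.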
@@ -53,16 +53,5 @@ - { role: vpn, tags: [ 'vpn' ] } post_tasks: - - shell: | - echo "#----------------------------------------------------------------------#" - echo "# Congratulations! #" - echo "# Your Algo server is running. #" - echo "# Config files and certificates are in the ./configs/ directory. #" - echo "# Go to https://whoer.net/ after connecting #" - echo "# and ensure that all your traffic passes through the VPN. #" - echo "# Local DNS resolver and Proxy IP address: {{ local_service_ip }}" - echo "#----------------------------------------------------------------------#" - tags: always - register: congrats - - debug: msg="{{ congrats.stdout_lines }}" + - debug: msg="{{ congrats.split('\n') }}" tags: always diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index 6c27186d..abe2134b 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml @@ -63,7 +63,6 @@ groups: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: azure ipv6_support: no diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index 73ebc2f0..d8dd57cb 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml @@ -32,7 +32,6 @@ ansible_python_interpreter: "/usr/bin/python2.7" do_access_token: "{{ do_access_token }}" do_droplet_id: "{{ do.droplet.id }}" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: digitalocean ipv6_support: yes diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index 8c48019d..5ff40dce 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml 
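Review bot: The replacement `debug` task prints `congrats`, which this commit's config.cfg hunk extends with `{{ easyrsa_p12_export_password }}`, so the password protecting every exported .p12 is written to the controller's output and to any configured `log_path`, where it persists after the run; users.yml gains the same task in its `post_tasks` (hunk -150,4 +149,9). Since the banner is the only place the user learns the generated value, suppressing it is not an option, but the task should say so, e.g. `# Shows the generated p12 password; treat the run's output and log as sensitive.`. The removed task rendered the banner on the remote host while this one renders it on the controller, so `local_service_ip` and the set_fact-provided password must be in scope for this play; that holds if the play targets the vpn host, which cannot be confirmed from the hunk (the play header is above it).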
@@ -103,7 +103,6 @@ groupname: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: ec2 ipv6_support: no with_items: "{{ ec2.tagged_instances }}" diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 7b88bfd4..c909b3f2 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -20,7 +20,6 @@ groups: vpn-host ansible_ssh_user: ubuntu ansible_python_interpreter: "/usr/bin/python2.7" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: gce ipv6_support: no diff --git a/roles/local/tasks/main.yml b/roles/local/tasks/main.yml index b1a73ea9..d2deff6f 100644 --- a/roles/local/tasks/main.yml +++ b/roles/local/tasks/main.yml @@ -4,7 +4,6 @@ groups: vpn-host ansible_ssh_user: "{{ server_user }}" ansible_python_interpreter: "/usr/bin/python2.7" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: local when: server_ip != "localhost" @@ -15,7 +14,6 @@ ansible_ssh_user: "{{ server_user }}" ansible_python_interpreter: "/usr/bin/python2.7" ansible_connection: local - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" cloud_provider: local when: server_ip == "localhost" diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index f5951a45..8c55e63f 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -1,6 +1,9 @@ - name: Gather Facts setup: +- set_fact: + easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}" + - name: Install StrongSwan apt: name=strongswan state=latest update_cache=yes 
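Review bot: The generated `easyrsa_p12_export_password` in the new `set_fact` (roles/vpn/tasks/main.yml hunk -1,6 +1,9, duplicated in users.yml hunk -67,6 +61,13) is not random: it is a deterministic function of `ansible_date_time.iso8601_basic`, and keeping only the first dash-separated field of the UUID leaves eight hex characters, at most 2^32 values, while the real input space is the deploy timestamp, which is not a secret. For a value that is the sole protection on the exported private keys, draw it from Ansible's password lookup instead, e.g. `easyrsa_p12_export_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}"`, which is random per run and, with `/dev/null`, not persisted on the controller. A short comment on the line should also state that the value is regenerated on every run and must be read from the final banner, since the prompt that previously let users choose it is removed in this commit.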
@@ -134,11 +137,9 @@ - name: Build the client's p12 shell: > - openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} && - touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' + openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:"{{ easyrsa_p12_export_password }}" args: chdir: '{{ easyrsa_dir }}/easyrsa3/' - creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' with_items: "{{ users }}" - name: Copy the CA cert to the strongswan directory diff --git a/users.yml b/users.yml index 7f074bc0..ceb460cc 100644 --- a/users.yml +++ b/users.yml @@ -21,11 +21,6 @@ default: "n" private: no - - name: "easyrsa_p12_export_password" - prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n" - default: "vpnpw" - private: yes - - name: "IP_subject" prompt: "Enter public IP address of your server: (IMPORTANT! This IP is used to verify the certificate)\n" private: no @@ -37,7 +32,6 @@ groupname: vpn-host ansible_ssh_user: "{{ server_user }}" ansible_python_interpreter: "/usr/bin/python2.7" - easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}" ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}" IP_subject: "{{ IP_subject }}" 
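Review bot: The rebuilt openssl command still passes the export password on the command line via `-passout pass:"{{ easyrsa_p12_export_password }}"`, which exposes it to any local user on the server through the process list for the duration of each export, and with `creates:` removed the export now runs on every play; the users.yml copy of the task (hunk -78,11 +79,9) has the same pattern and does not even add the quotes, so a password containing shell metacharacters would behave differently in the two files. Supplying it through the environment keeps it off the command line: `environment: { P12_PASS: "{{ easyrsa_p12_export_password }}" }` on the task and `-passout env:P12_PASS` in the command. Dropping the `creates:`/`touch` guard means the task reports changed on every run; if that is deliberate because the password is regenerated per run, a comment such as `# Re-exported on every run: the password is regenerated each time` would say so.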
@@ -67,6 +61,13 @@ - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } tasks: + + - name: Gather Facts + setup: + + - set_fact: + easyrsa_p12_export_password: "{{ (ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0] }}" + - name: Build the client's pair shell: > ./easyrsa build-client-full {{ item }} nopass && @@ -78,11 +79,9 @@ - name: Build the client's p12 shell: > - openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} && - touch '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' + openssl pkcs12 -in {{ easyrsa_dir }}/easyrsa3//pki/issued/{{ item }}.crt -inkey {{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.key -export -name {{ item }} -out /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 -certfile {{ easyrsa_dir }}/easyrsa3//pki/ca.crt -passout pass:{{ easyrsa_p12_export_password }} args: chdir: '{{ easyrsa_dir }}/easyrsa3/' - creates: '{{ easyrsa_dir }}/easyrsa3/pki/{{ item }}_p12_initialized' with_items: "{{ users }}" - name: Get active users @@ -150,4 +149,9 @@ - name: SSH | Fetch users SSH private keys fetch: src='/var/jail/{{ item }}/.ssh/id_rsa' dest=configs/{{ IP_subject_alt_name }}_{{ item }}.ssh.pem flat=yes + when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" with_items: "{{ users }}" + + post_tasks: + - debug: msg="{{ congrats.split('\n') }}" + tags: always
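Review bot: The new `set_fact` for `easyrsa_p12_export_password` sits under `tasks:`, which Ansible runs only after every entry in `roles:`, and the `roles:` list two lines above includes `ssh_tunneling`; the prompt this commit removes (hunk -21,11 +21,6) described the value as the password "for p12 certificates and SSH private keys", and the `add_host` line that forwarded it to the host is removed as well (hunk -37,7 +32,6). If the ssh_tunneling role references `easyrsa_p12_export_password` (not visible here), it now runs before the variable exists and fails on an undefined variable; moving the `setup`/`set_fact` pair into `pre_tasks:` would define it before the roles run. The added `- name: Gather Facts` / `setup:` task also repeats the play's default fact gathering unless the play header, which is outside the hunk, disables it.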