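---
# strongSwan VPN gateway tasks: package install, certificate and private key
# placement, ipsec/charon configuration, IPv4 forwarding, iptables rules and
# policy routing.
#
# Variables referenced here and defined elsewhere (defaults/vars/inventory):
#   strongswan_requeriments, certificates, passbolt, passbolt_folder,
#   config_ipsec_files, config_and_logrotate, mangle_block, static_routes.
# Handler referenced here and defined elsewhere: restart-ipsec.
#
# Booleans are written as true/false (yes/no are YAML 1.1-only spellings).

- name: Update apt cache
  apt:
    update_cache: true

- name: Install VPN package requirements
  apt:
    name: "{{ strongswan_requeriments }}"
    state: present
    install_recommends: false

- name: Create directory /var/log/strongswan
  file:
    path: /var/log/strongswan
    state: directory
    owner: root
    group: root
    mode: '0755'

# Each item of `certificates` supplies content, dest and mode. no_log keeps the
# looped item contents out of the task output.
- name: Insert certificates
  no_log: true
  copy:
    content: "{{ item.content }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop: "{{ certificates }}"

# no_log is set here as on the certificate task: without it the key material
# returned by the lookup is printed in verbose (-v) and --diff output.
# NOTE(review): `passbolt` is passed to lookup() unquoted, i.e. as a Jinja
# variable rather than the string 'passbolt' — confirm a variable of that name
# holds the lookup plugin name.
- name: Add private key
  no_log: true
  copy:
    content: "{{ lookup(passbolt, 'ipsec_private_key', folder_parent_id=passbolt_folder).description }}"
    dest: /etc/ipsec.d/private/key.pem
    owner: root
    group: root
    # Owner and group are both root, so g=r adds no readers beyond root;
    # 'u=r,g=,o=' (0400) would express the same intent more tightly.
    mode: 'u=r,g=r,o='

# Each item of `config_ipsec_files` supplies src, dest and mode.
- name: Configure ipsec and charon
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop: "{{ config_ipsec_files }}"
  notify: restart-ipsec

# Each item of `config_and_logrotate` supplies src and dest; mode is fixed.
- name: Copy Configure file and logrotate Charon
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: 'u=rw,g=r,o=r'
  loop: "{{ config_and_logrotate }}"
  notify: restart-ipsec

- name: IP forward as a router
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    sysctl_set: true
    reload: true

# The mangle chain comes from `mangle_block`; the marker lines let the block be
# replaced in place on later runs.
- name: Add iptables rules in rules.v4 file
  blockinfile:
    path: /etc/iptables/rules.v4
    marker: "# {mark} ANSIBLE-MANAGED MANGLE CHAIN"
    block: "{{ mangle_block }}"
  register: iptables

# Only reload when the rules file was actually modified above.
- name: Reload iptables rules
  command: netfilter-persistent reload
  when: iptables is changed

# Read-only query: changed_when: false stops it from reporting a change on
# every run, and check_mode: false lets it run (and register stdout) under
# --check so the set_fact below still has input.
- name: Get default IPv4 interface
  command: ip -o -4 route show default
  register: default_route
  changed_when: false
  check_mode: false

# Take the token following "dev" instead of the last token of the line: the
# default route line can carry trailing fields (proto, src, metric), in which
# case split()[-1] would return one of those rather than the interface name.
# If several default routes are listed, the first one's interface is used.
- name: Extract interface default name
  set_fact:
    active_interface: "{{ default_route.stdout | regex_search('dev\\s+(\\S+)', '\\1') | first }}"

# NOTE(review): regexp "vpn" matches any line containing that substring; an
# existing line such as "11 vpn" or "20 vpn2" would be replaced by "10 vpn".
# Anchoring the pattern (e.g. to the table name at end of line) would be safer
# if rt_tables may contain other entries.
- name: Routing table for VPN
  lineinfile:
    path: /etc/iproute2/rt_tables
    line: "10 vpn"
    state: present
    regexp: "vpn"

# NOTE(review): insertafter places each looped line directly after the last
# "dhcp" match, so the lines end up in the file in the reverse order of
# `static_routes`. Confirm ordering does not matter for these routes.
- name: Static routing rules to send VPN traffic directly to the firewall
  lineinfile:
    path: /etc/network/interfaces
    insertafter: "dhcp"
    line: "{{ item }}"
    state: present
  loop: "{{ static_routes }}"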