FreeBSD draft #35

playbooks/common.yml

@@ -1,10 +1,23 @@
 - name: Install prerequisites
   raw: sleep 10 && sudo apt-get update -qq && sudo apt-get install -qq -y python2.7
+  tags:
+    - ubuntu
 
 - name: Configure defaults
   raw: sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
   tags:
     - update-alternatives
+    - ubuntu
+
+- name: Install prerequisites
+  raw: sleep 10 && sudo pkg install -y python27
+  tags:
+    - freebsd
+
+- name: Configure defaults
+  raw: sudo ln -sf /usr/local/bin/python2.7 /usr/bin/python2.7
+  tags:
+    - freebsd
 
 - name: Ensure the algo ssh key exist on the server
   authorized_key:

roles/common/handlers/main.yml

@@ -6,3 +6,10 @@
 
 - name: restart loopback
   shell: ifdown lo:100 && ifup lo:100
+
+- name: restart loopback bsd
+  shell: >
+    ifconfig lo100 destroy || true &&
+    ifconfig lo100 create &&
+    ifconfig lo100 inet 172.16.0.1 netmask 255.255.255.255 &&
+    ifconfig lo100 inet6 FCAA::1/64; echo $?

roles/common/tasks/freebsd.yml

@@ -0,0 +1,39 @@
+---
+
+- set_fact:
+    tools:
+      - git
+      - screen
+      - coreutils
+      - openssl
+    sysctl:
+      forwarding:
+        - net.inet.ip.forwarding
+        - net.inet6.ip6.forwarding
+  tags:
+    - always
+
+- name: Loopback included into the rc config
+  blockinfile:
+    dest: /etc/rc.conf
+    create: yes
+    block: |
+      cloned_interfaces="lo100"
+      ifconfig_lo100="inet {{ local_service_ip }}/255.255.255.255"
+      ifconfig_lo100="inet6 FCAA::1/64"
+  notify:
+    - restart loopback bsd
+  tags:
+    - always
+
+- name: Enable the gateway features
+  lineinfile: dest=/etc/rc.conf regexp='^{{ item.param }}.*' line='{{ item.param }}={{ item.value }}'
+  with_items:
+    - { param: firewall_enable, value: '"YES"' }
+    - { param: firewall_type, value: '"open"' }
+    - { param: gateway_enable, value: '"YES"' }
+    - { param: natd_enable, value: '"YES"' }
+    - { param: natd_interface, value: '""' }
+    - { param: natd_flags, value: '"-dynamic -m"' }
+  tags:
+    - always

roles/common/tasks/main.yml

@@ -5,101 +5,22 @@
   tags:
     - always
 
-- name: Install software updates
-  apt: update_cache=yes upgrade=dist
-  tags:
-    - cloud
-
-- name: Check if reboot is required
-  shell: >
-    if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
-  args:
-    executable: /bin/bash
-  register: reboot_required
-  tags:
-    - cloud
-
-- name: Reboot
-  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
-  async: 1
-  poll: 0
-  when: reboot_required is defined and reboot_required.stdout == 'required'
-  ignore_errors: true
-  tags:
-    - cloud
-
-- name: Wait until SSH becomes ready...
-  local_action:
-    module: wait_for
-    port: 22
-    host: "{{ inventory_hostname }}"
-    search_regex: OpenSSH
-    delay: 10
-    timeout: 320
-  when: reboot_required is defined and reboot_required.stdout == 'required'
-  become: false
-  tags:
-    - cloud
-
-- name: Disable MOTD on login and SSHD
-  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
-  with_items:
-    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
-    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
-  tags:
-    - cloud
+- include: ubuntu.yml
+  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- include: freebsd.yml
+  when: ansible_distribution == 'FreeBSD'
 
 - name: Install tools
-  apt: name="{{ item }}" state=latest
+  package: name="{{ item }}" state=present
   with_items:
-    - git
-    - screen
-    - apparmor-utils
-    - uuid-runtime
-    - coreutils
-    - sendmail
-    - iptables-persistent
-    - cgroup-tools
-    - openssl
-  tags:
-    - always
-
-- name: Loopback for services configured
-  template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
-  notify:
-    - restart loopback
-  tags:
-    - always
-
-- name: Loopback included into the network config
-  lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
-  notify:
-    - restart loopback
-  tags:
-    - always
-
-- meta: flush_handlers
+    - "{{ tools }}"
   tags:
     - always
 
 - name: Enable packet forwarding for IPv4
   sysctl: name="{{ item }}" value=1
   with_items:
-    - net.ipv4.ip_forward
-    - net.ipv4.conf.all.forwarding
-  tags:
-    - always
-
-- name: Enable packet forwarding for IPv6
-  sysctl: name=net.ipv6.conf.all.forwarding value=1
+    - "{{ sysctl.forwarding }}"
   tags:
     - always
-
-- name: Check apparmor support
-  shell: apparmor_status
-  ignore_errors: yes
-  register: apparmor_status
-
-- set_fact:
-    apparmor_enabled: true
-  when: '"profiles are in enforce mode" in apparmor_status.stdout'

roles/common/tasks/ubuntu.yml

@@ -0,0 +1,91 @@
+---
+
+- name: Install software updates
+  apt: update_cache=yes upgrade=dist
+  tags:
+    - cloud
+
+- name: Check if reboot is required
+  shell: >
+    if [[ -e /var/run/reboot-required ]]; then echo "required"; else echo "no"; fi
+  args:
+    executable: /bin/bash
+  register: reboot_required
+  tags:
+    - cloud
+
+- name: Reboot
+  shell: sleep 2 && shutdown -r now "Ansible updates triggered"
+  async: 1
+  poll: 0
+  when: reboot_required is defined and reboot_required.stdout == 'required'
+  ignore_errors: true
+  tags:
+    - cloud
+
+- name: Wait until SSH becomes ready...
+  local_action:
+    module: wait_for
+    port: 22
+    host: "{{ inventory_hostname }}"
+    search_regex: OpenSSH
+    delay: 10
+    timeout: 320
+  when: reboot_required is defined and reboot_required.stdout == 'required'
+  become: false
+  tags:
+    - cloud
+
+- name: Disable MOTD on login and SSHD
+  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
+  with_items:
+    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/login' }
+    - { regexp: '^session.*optional.*pam_motd.so.*', line: '# MOTD DISABLED', file: '/etc/pam.d/sshd' }
+  tags:
+    - cloud
+
+- name: Loopback for services configured
+  template: src=10-loopback-services.cfg.j2 dest=/etc/network/interfaces.d/10-loopback-services.cfg
+  notify:
+    - restart loopback
+  tags:
+    - always
+
+- name: Loopback included into the network config
+  lineinfile: dest=/etc/network/interfaces line='source /etc/network/interfaces.d/10-loopback-services.cfg' state=present
+  notify:
+    - restart loopback
+  tags:
+    - always
+
+- meta: flush_handlers
+  tags:
+    - always
+
+- name: Check apparmor support
+  shell: apparmor_status
+  ignore_errors: yes
+  register: apparmor_status
+
+- set_fact:
+    apparmor_enabled: true
+  when: '"profiles are in enforce mode" in apparmor_status.stdout'
+
+- set_fact:
+    tools:
+      - git
+      - screen
+      - apparmor-utils
+      - uuid-runtime
+      - coreutils
+      - sendmail
+      - iptables-persistent
+      - cgroup-tools
+      - openssl
+    sysctl:
+      forwarding:
+        - net.ipv4.ip_forward
+        - net.ipv4.conf.all.forwarding
+        - net.ipv6.conf.all.forwarding
+  tags:
+    - always

roles/vpn/tasks/client_configs.yml

@@ -0,0 +1,79 @@
+---
+
+- name: Register p12 PayloadContent
+  local_action: >
+    shell cat private/{{ item }}.p12 | base64
+  register:  PayloadContent
+  become: no
+  args:
+    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+  with_items: "{{ users }}"
+
+- name: Set facts for mobileconfigs
+  set_fact:
+    proxy_enabled: false
+    PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
+
+- name: Build the mobileconfigs
+  local_action:
+    module: template
+    src: mobileconfig.j2
+    dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
+    mode: 0600
+  become: no
+  with_together:
+    - "{{ users }}"
+    - "{{ PayloadContent.results }}"
+  no_log: True
+
+- name: Build the strongswan app android config
+  local_action:
+    module: template
+    src: sswan.j2
+    dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.sswan
+    mode: 0600
+  become: no
+  with_together:
+    - "{{ users }}"
+    - "{{ PayloadContent.results }}"
+  no_log: True
+
+- name: Build the client ipsec config file
+  local_action:
+    module: template
+    src: client_ipsec.conf.j2
+    dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
+    mode: 0600
+  become: no
+  with_items:
+    - "{{ users }}"
+
+- name: Build the client ipsec secret file
+  local_action:
+    module: template
+    src: client_ipsec.secrets.j2
+    dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
+    mode: 0600
+  become: no
+  with_items:
+    - "{{ users }}"
+
+- name: Build the windows client powershell script
+  local_action:
+    module: template
+    src: client_windows.ps1.j2
+    dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
+    mode: 0600
+  become: no
+  when: Win10_Enabled is defined and Win10_Enabled == "Y"
+  with_items: "{{ users }}"
+
+- name: Restrict permissions for the local private directories
+  local_action:
+    module: file
+    path: "{{ item }}"
+    state: directory
+    mode: 0700
+  become: no
+  with_items:
+    - configs/{{ IP_subject_alt_name }}

roles/vpn/tasks/freebsd.yml

@@ -0,0 +1,19 @@
+---
+
+- set_fact:
+    config_prefix: "/usr/local/"
+    root_group: wheel
+
+- name: Activate IPFW
+  shell: >
+    kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
+    bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
+
+- name: Enable strongswan
+  lineinfile: dest=/etc/rc.conf regexp=^strongswan_enable= line='strongswan_enable="YES"'
+
+- set_fact:
+    strongswan_enabled_plugins:
+      - "{{ strongswan_enabled_plugins }}"
+      - kernel-pfroute
+      - kernel-pfkey