chd/deployments/serverBuild/vpnBuild.yml

# playbook to go from a "base configured" server to a strongswan vpn

- hosts: vpn
  remote_user: josiah
  gather_facts: false
  become: yes
  vars:
    vpn_packages: [ 'strongswan','strongswan-pki','ufw' ]
    remote_host: 165.22.156.25
    local_host:  0.0.0.0

  tasks:
    - name: Update apt
      apt: update_cache=yes

    - name: Install required system packages
      apt: name={{ vpn_packages }} state=latest

    - name: set kernel params
      shell: |
        cat >> /etc/sysctl.conf << EOF
        net.ipv4.ip_forward = 1 
        net.ipv4.conf.all.accept_redirects = 0 
        net.ipv4.conf.all.send_redirects = 0
        EOF

    - name: save kernel params
      shell: sysctl -p /etc/sysctl.conf
      
    - name: Generate preshared key
      shell: openssl rand -hex 32
      register: awful_psk

    - debug:
        msg: got this key {{ awful_psk }}

    - name: Copy my ipsec.conf file to the VPN host
      # this file does a lot. view more info in the readme.md
      copy:
        src: ipsec.conf
        dest: /etc/ipsec.conf
        owner: root
        group: root

    - name: remove existing ipsec.secerts
      shell: rm /etc/ipsec.secrets

    - name: create ipsec.secrets with psk info
      shell: |
        cat >> /etc/ipsec.secrets << EOF
        {{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}"
        EOF
      
    - name: update route rules
      shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE

    # - name: copy psk down to local machine
    #   local_action: copy_content={{ awful_psk }} dest=psk.txt
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00			`# playbook to go from a "base configured" server to a strongswan vpn`

			`- hosts: vpn`
			`remote_user: josiah`
			`gather_facts: false`
			`become: yes`
			`vars:`
			`vpn_packages: [ 'strongswan','strongswan-pki','ufw' ]`
a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`remote_host: 165.22.156.25`
			`local_host: 0.0.0.0`
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00
			`tasks:`
			`- name: Update apt`
			`apt: update_cache=yes`

			`- name: Install required system packages`
			`apt: name={{ vpn_packages }} state=latest`

a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`- name: set kernel params`
			`shell: \|`
			`cat >> /etc/sysctl.conf << EOF`
			`net.ipv4.ip_forward = 1`
			`net.ipv4.conf.all.accept_redirects = 0`
			`net.ipv4.conf.all.send_redirects = 0`
			`EOF`
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00
a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`- name: save kernel params`
			`shell: sysctl -p /etc/sysctl.conf`

			`- name: Generate preshared key`
			`shell: openssl rand -hex 32`
			`register: awful_psk`
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00
a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`- debug:`
			`msg: got this key {{ awful_psk }}`
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00
			`- name: Copy my ipsec.conf file to the VPN host`
			`# this file does a lot. view more info in the readme.md`
			`copy:`
			`src: ipsec.conf`
			`dest: /etc/ipsec.conf`
			`owner: root`
			`group: root`

a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`- name: remove existing ipsec.secerts`
			`shell: rm /etc/ipsec.secrets`
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00
a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`- name: create ipsec.secrets with psk info`
			`shell: \|`
			`cat >> /etc/ipsec.secrets << EOF`
			`{{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}"`
			`EOF`
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00
a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`- name: update route rules`
			`shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE`
Build out deploy skeleton for VPN role. 2019-09-28 22:45:47 +00:00
a bunch of updates, with some new ways of doing old things - no one agreeing on iptables vs ufw vs nftables is confusing. 2019-09-29 04:16:11 +00:00			`# - name: copy psk down to local machine`
			`# local_action: copy_content={{ awful_psk }} dest=psk.txt`