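---
# Gateway ("gate") host: three links configured with netplan (lan, wifi,
# isp), NAT + forwarding policy via UFW, a DHCP server for the WiFi access
# point, and the server certificate/key consumed by OpenVPN.
#
# Handlers referenced by `notify:` (Apply netplan., Restart DHCP server.,
# Reload Systemd., Restart OpenVPN.) are defined outside this file.

- name: Include public variables.
  include_vars: ../public/vars.yml
  tags: accounts

- name: Include private variables.
  include_vars: ../private/vars.yml
  tags: accounts

# Picks the first membership roll that exists (membership_rolls is a list
# of candidate paths supplied by the vars files above).
- name: Include members.
  include_vars: "{{ lookup('first_found', membership_rolls) }}"
  tags: accounts

- name: Install netplan (gate).
  become: true
  apt:
    name: netplan.io

# Templated values inside the rendered netplan document are quoted so that
# a MAC, address or CIDR is always read back as a string (an all-digit MAC
# with colons could otherwise be mis-typed by a YAML 1.1 parser).
# Both lan and wifi are wired links; "wifi" is the cable to the access point.
- name: Configure netplan (gate).
  become: true
  copy:
    content: |
      network:
        ethernets:
          lan:
            match:
              macaddress: "{{ gate_lan_mac }}"
            addresses: [ "{{ gate_addr_cidr }}" ]
            set-name: lan
            dhcp4: false
            nameservers:
              addresses: [ "{{ core_addr }}" ]
              search: [ "{{ domain_priv }}" ]
            routes:
              # The public VPN subnet lives behind core, not behind the ISP link.
              - to: "{{ public_vpn_net_cidr }}"
                via: "{{ core_addr }}"
          wifi:
            match:
              macaddress: "{{ gate_wifi_mac }}"
            addresses: [ "{{ gate_wifi_addr_cidr }}" ]
            set-name: wifi
            dhcp4: false
    dest: /etc/netplan/60-gate.yaml
    # Netplan files may carry credentials; keep them unreadable by "other".
    mode: "u=rw,g=r,o="
  notify: Apply netplan.

# The ISP link uses the provider's DHCP for an address but deliberately
# ignores the DNS servers it offers (use-dns: false) so that name resolution
# stays on core.  force: false keeps an operator-edited file in place.
- name: Install netplan (ISP).
  become: true
  copy:
    content: |
      network:
        ethernets:
          isp:
            match:
              macaddress: "{{ gate_isp_mac }}"
            set-name: isp
            dhcp4: true
            dhcp4-overrides:
              use-dns: false
    dest: /etc/netplan/60-isp.yaml
    mode: "u=rw,g=r,o="
    force: false
  notify: Apply netplan.

# The original task had a bare `become:` (null), so apt would have run
# unprivileged and failed.
- name: Install UFW.
  become: true
  apt:
    name: ufw

# FORWARD defaults to DROP; everything that crosses the gate must match an
# explicit rule below.  INPUT/OUTPUT stay ACCEPT.
# NOTE(review): with INPUT=ACCEPT every service listening on the gate is
# reachable from the isp link as well as from lan.  Nothing in this file
# enables ufw either -- confirm where `ufw enable` happens and consider an
# INPUT policy of DROP with explicit allows on isp.
- name: Configure UFW policy.
  become: true
  lineinfile:
    path: /etc/default/ufw
    line: "{{ item.line }}"
    regexp: "{{ item.regexp }}"
  loop:
    - { line: "DEFAULT_INPUT_POLICY=\"ACCEPT\"", regexp: "^DEFAULT_INPUT_POLICY=" }
    - { line: "DEFAULT_OUTPUT_POLICY=\"ACCEPT\"", regexp: "^DEFAULT_OUTPUT_POLICY=" }
    - { line: "DEFAULT_FORWARD_POLICY=\"DROP\"", regexp: "^DEFAULT_FORWARD_POLICY=" }

# NAT the private and WiFi networks out through isp, and allow traffic
# from lan/wifi to isp, replies from isp back in, and lan <-> ovpn.
# There is intentionally no ovpn -> isp rule and no MASQUERADE for the
# campus VPN subnet: VPN clients do not use the gate as a default route.
- name: Configure UFW rules.
  become: true
  vars:
    # Only replies to flows initiated from the inside may come in from isp.
    # `-m conntrack --ctstate` is the current spelling of the deprecated
    # `-m state --state`; the match is the same.
    ACCEPT_RELATED: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  blockinfile:
    path: /etc/ufw/before.rules
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE
      -A POSTROUTING -s {{ gate_wifi_net_cidr }} -o isp -j MASQUERADE
      COMMIT

      *filter
      -A FORWARD -i lan -o isp -j ACCEPT
      -A FORWARD -i wifi -o isp -j ACCEPT
      -A FORWARD -i isp -o lan {{ ACCEPT_RELATED }}
      -A FORWARD -i isp -o wifi {{ ACCEPT_RELATED }}
      -A FORWARD -i lan -o ovpn -j ACCEPT
      -A FORWARD -i ovpn -o lan -j ACCEPT
      COMMIT
    insertafter: EOF

- name: Install DHCP server.
  become: true
  apt:
    name: isc-dhcp-server

# Serve DHCP on the wifi link only -- never on isp or lan.
- name: Configure DHCP interface.
  become: true
  lineinfile:
    path: /etc/default/isc-dhcp-server
    line: INTERFACESv4="wifi"
    regexp: ^INTERFACESv4=
  notify: Restart DHCP server.

# `copy` does not create missing parent directories, so the systemd
# drop-in directory has to exist before the drop-in is written.
- name: Create DHCP server drop-in directory.
  become: true
  file:
    path: /etc/systemd/system/isc-dhcp-server.service.d
    state: directory
    mode: "u=rwx,g=rx,o=rx"

# Requires= alone does not order units; After= is needed as well so that
# dhcpd is started only once the interfaces it binds to are up.
- name: Configure DHCP server dependence on interface.
  become: true
  copy:
    content: |
      [Unit]
      Requires=network-online.target
      After=network-online.target
    dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf
    mode: "u=rw,g=r,o=r"
  notify: Reload Systemd.

# No `range` is declared, so the only lease ever handed out on the wifi
# subnet is the fixed address for the access point ({{ wifi_wan_name }}).
# `authoritative;` makes dhcpd NAK clients holding leases from elsewhere.
- name: Configure DHCP for WiFiAP service.
  become: true
  copy:
    content: |
      default-lease-time 3600;
      max-lease-time 7200;
      ddns-update-style none;
      authoritative;
      log-facility daemon;

      subnet {{ gate_wifi_net }} netmask {{ gate_wifi_net_mask }} {
        option subnet-mask {{ gate_wifi_net_mask }};
        option broadcast-address {{ gate_wifi_broadcast }};
        option routers {{ gate_wifi_addr }};
      }

      host {{ wifi_wan_name }} {
        hardware ethernet {{ wifi_wan_mac }};
        fixed-address {{ wifi_wan_addr }};
      }
    dest: /etc/dhcp/dhcpd.conf
    mode: "u=rw,g=r,o=r"
  notify: Restart DHCP server.

- name: Enable DHCP server.
  become: true
  systemd:
    service: isc-dhcp-server
    enabled: true

# The certificate is world-readable; the private key is readable by root
# only.  OpenVPN reads the key before it drops to nobody (persist-key), so
# the restrictive mode is fine.  no_log keeps the key out of task output
# and --diff listings.
- name: Install server certificate/key.
  become: true
  copy:
    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
    dest: /etc/server.{{ item.typ }}
    mode: "{{ item.mode }}"
  loop:
    - { path: "issued/gate.{{ domain_priv }}", typ: crt, mode: "u=r,g=r,o=r" }
    - { path: "private/gate.{{ domain_priv }}", typ: key, mode: "u=r,g=,o=" }
  no_log: true
  notify: Restart OpenVPN.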
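# OpenVPN server for the campus VPN: client certificates are issued by the
# institute CA; former members are shut out with a `disable` file in the
# client-config-dir, and tls-auth protects the control channel.

- name: Install OpenVPN.
  become: true
  apt:
    name: openvpn

# Routing between lan/wifi/isp/ovpn needs ip_forward; sysctl_set applies
# the value to the running kernel as well as persisting it.
- name: Enable IP forwarding.
  become: true
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    sysctl_set: true

# ccd files are read per-connection after OpenVPN has dropped to
# nobody/nogroup, so the directory and its files must be world-readable.
- name: Create OpenVPN client configuration directory.
  become: true
  file:
    path: /etc/openvpn/ccd
    state: directory
    mode: "u=rwx,g=rx,o=rx"
  notify: Restart OpenVPN.

# A ccd file containing `disable` refuses the matching common name.  The
# restart handler also drops any session such a client still holds.
# Items come from the membership roll and are used as file names, so they
# must be plain common names without "/".
# NOTE(review): `disable` is only consulted after the TLS handshake has
# succeeded; a proper CRL (`crl-verify`) would reject the certificate
# earlier.  No CRL is shipped by this file -- confirm whether the CA
# produces one.
- name: Disable former VPN clients.
  become: true
  copy:
    content: "disable\n"
    dest: /etc/openvpn/ccd/{{ item }}
    mode: "u=rw,g=r,o=r"
  loop: "{{ revoked }}"
  notify: Restart OpenVPN.
  tags: accounts

# DH parameters and the tls-auth HMAC key; both readable by root only
# (OpenVPN reads them before dropping privileges).
- name: Install OpenVPN secrets.
  become: true
  copy:
    src: ../Secret/{{ item.src }}
    dest: /etc/openvpn/{{ item.dest }}
    mode: "u=r,g=,o="
  loop:
    - { src: gate-dh2048.pem, dest: dh2048.pem }
    - { src: gate-ta.key, dest: ta.key }
  no_log: true
  notify: Restart OpenVPN.

# Server configuration.  Changes from the original: `tls-version-min 1.2`
# refuses TLS 1.0/1.1 control channels (supported by every OpenVPN that
# can run on a netplan-era Ubuntu).  `cipher`/`auth`/`tls-auth` are kept
# as-is because changing them requires every client config to change too.
# NOTE(review): on OpenVPN >= 2.5 `cipher` is superseded by `data-ciphers`;
# confirm the installed version.  `client-to-client` lets VPN clients reach
# each other directly without traversing the UFW FORWARD rules.
- name: Configure OpenVPN.
  become: true
  copy:
    content: |
      server {{ campus_vpn_net_and_mask }}
      client-config-dir /etc/openvpn/ccd
      # Split tunnel: only the private and public-VPN subnets go over the VPN.
      push "route {{ private_net_and_mask }}"
      push "route {{ public_vpn_net_and_mask }}"
      dev-type tun
      dev ovpn
      topology subnet
      client-to-client
      keepalive 10 120
      push "dhcp-option DOMAIN {{ domain_priv }}"
      push "dhcp-option DNS {{ core_addr }}"
      # Drop privileges after keys and the tun device are set up.
      user nobody
      group nogroup
      persist-key
      persist-tun
      cipher AES-256-GCM
      auth SHA256
      tls-version-min 1.2
      max-clients 20
      ifconfig-pool-persist ipp.txt
      status openvpn-status.log
      verb 3
      ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
      cert /etc/server.crt
      key /etc/server.key
      dh dh2048.pem
      # Control-channel HMAC; packets without a valid HMAC are dropped before TLS.
      tls-auth ta.key 0
    dest: /etc/openvpn/server.conf
    mode: "u=r,g=r,o="
  notify: Restart OpenVPN.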