Make role multiplatform
- On Debian 11 the strongSwan daemon has a different name
- Make config file backups when overwriting
- Add closeaction configuration option
- More metadata fixes
- Change tests to run standalone
Change-Id: I04474cb4601060059c4e603560d1873ad6598a77
diff --git a/README.md b/README.md
index ed7ee98..382f4d9 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# strongSwan
-strongSwan IPSec VPN
+strongSwan IPSec VPN daemon
## Requirements
diff --git a/defaults/main.yml b/defaults/main.yml
index 6ca42d9..ef5e6cf 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -32,11 +32,15 @@
strongswan_conf_auth_type: "psk"
# What operation should be done automatically at IPsec startup
-# Acceptable values are add, start, or route
+# Acceptable values: add, start, or route
strongswan_conf_auto: "route"
-strongswan_conf_dpdaction: "clear"
strongswan_conf_keyingtries: "3"
+# Actions that are taken when a connection drops
+# Acceptable values: clear, hold, restart
+strongswan_conf_dpdaction: "clear"
+strongswan_conf_closeaction: "clear"
+
# Whether rekeying of an IKE_SA should also reauthenticate the peer
strongswan_conf_reauth: "no"
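Review bot: The comment added above `strongswan_conf_dpdaction` lists `clear, hold, restart` but omits `none`, which strongSwan accepts for both `dpdaction` and `closeaction` and uses as its built-in default for each. Because the template now always renders `closeaction`, a host that previously ran with the implicit `none` switches to `clear` on the next run of the role, which is a behaviour change worth stating next to the variable. Suggest `# Acceptable values: none, clear, hold, restart (strongSwan's own default is none; this role defaults to clear)`, and a matching line in the README where the other `strongswan_conf_*` variables are described.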
diff --git a/meta/main.yml b/meta/main.yml
index c58f172..6603393 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -6,6 +6,8 @@
galaxy_info:
role_name: strongswan
+ namespace: onf
+
author: Open Networking Foundation
description: strongSwan IPSec VPN
company: Open Networking Foundation
@@ -14,15 +16,18 @@
license: Apache-2.0
- min_ansible_version: 2.9.5
+ min_ansible_version: 2.10.17
platforms:
- - name: Ubuntu
+ - name: ubuntu
versions:
- - "16.04"
- - "18.04"
+ - bionic
+ - name: Debian
+ versions:
+ - bullseye
galaxy_tags:
- strongswan
+ - ipsec
dependencies: []
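Review bot: The platform names are now inconsistently cased: `- name: ubuntu` is lowercased while the new `- name: Debian` is capitalized. As far as I know Galaxy's platform list uses the capitalized spellings (`Ubuntu`, `Debian`) and an unrecognized platform name is dropped silently on import, so `- name: Ubuntu` is the safer choice; at minimum the two entries should agree.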
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index a63ac89..63eea59 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -7,7 +7,6 @@
- name: Converge
hosts: all
vars:
- strongswan_conf_auto: "start"
strongswan_conf_connections:
- name: tunnel1
psk: secret
@@ -15,9 +14,10 @@
local: 169.254.0.2/30
remote: 169.254.0.1/30
left: 10.0.0.3
- leftid: 128.105.144.189
+ leftid: 10.0.0.3
left_subnets: 0.0.0.0/0
- right: 34.124.6.243
+ right: 172.16.0.3
+ rightid: 172.16.0.3
right_subnets: 0.0.0.0/0
- name: tunnel2
psk: secret
@@ -25,9 +25,10 @@
local: 169.254.0.6/30
remote: 169.254.0.5/30
left: 10.0.0.3
- leftid: 128.105.144.189
+ leftid: 10.0.0.3
left_subnets: 0.0.0.0/0
- right: 34.104.68.245
+ right: 172.16.0.4
+ rightid: 172.16.0.3
right_subnets: 0.0.0.0/0
tasks:
- name: "Include strongswan"
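Review bot: Under tunnel2 the new `rightid: 172.16.0.3` does not match its `right: 172.16.0.4`, whereas tunnel1 sets both to `172.16.0.3`; this reads like a copy-paste slip and would make the tunnel2 peer's identity check fail if the fixture were ever run against a real peer. If the mismatch is deliberate (a peer presenting an identity different from its address), a one-line comment saying so would stop the next reader from "fixing" it; otherwise `rightid: 172.16.0.4`.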
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
index 5cd3ff9..97f6bcf 100644
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -14,6 +14,11 @@
privileged: true
volumes:
- "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+ - name: "debian-11-priv"
+ image: "onfinfra/molecule-systemd:debian-11"
+ privileged: true
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
provisioner:
name: ansible
verifier:
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index 37b0ca0..a8de3cc 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -18,15 +18,8 @@
with_items:
- strongswan
- - name: Verify ipsec connections are configured
- command: ipsec status
- register: ipsec_status
+ - name: Verify ipsec command is functional
+ command: ipsec version
+ register: ipsec_version
changed_when: false
- failed_when: item not in ipsec_status.stdout
- with_items:
- - tunnel1
- - tunnel2
-
- - name: Debug results
- debug:
- var: ipsec_status
+ failed_when: '"strongSwan" not in ipsec_version.stdout'
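Review bot: Replacing the `ipsec status` loop with `ipsec version` removes the only assertion that the rendered configuration is actually loaded: `ipsec version` succeeds even when the service is stopped or `ipsec.conf` fails to parse, so a broken template (for example the new `closeaction` line) would no longer be caught. The converge play still defines tunnel1 and tunnel2 and the role default is `auto: route`, so the connection names should be visible in `ipsec status` output once the daemon is up; consider keeping a check such as `command: ipsec status` with `failed_when: item not in ipsec_status.stdout` over the two names, or at least asserting that `strongswan_service` is active via `service_facts`. If the status check was dropped because the daemon cannot come up in the molecule containers, a comment on the new task stating that would explain the weaker check.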
diff --git a/tasks/main.yml b/tasks/main.yml
index dff3f3a..3ae28a9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,7 +5,11 @@
# SPDX-License-Identifier: Apache-2.0
- name: Include OS-specific vars
- include_vars: "{{ ansible_os_family }}.yml"
+ include_vars: "{{ item }}"
+ with_first_found:
+ - "{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml"
+ - "{{ ansible_distribution }}.yml"
+ - "{{ ansible_os_family }}.yml"
- name: Include OS-specific tasks
include_tasks: "{{ ansible_os_family }}.yml"
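Review bot: The new `with_first_found` list carries no comment on its precedence, and the last candidate quietly widens the fallback: any Ubuntu release other than 18.04 now resolves through `{{ ansible_os_family }}.yml`, i.e. `Debian.yml`, and inherits `strongswan-starter`. A comment such as `# Most specific first: <distribution>_<version>.yml, <distribution>.yml, then <os_family>.yml as the family-wide fallback` above the task would make that deliberate. Note also that without `skip: true` the lookup fails the play when no candidate exists, which is reasonable for an unsupported family but worth stating in the same comment.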
@@ -14,6 +18,7 @@
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
+ backup: true
owner: root
group: root
mode: "{{ item.mode }}"
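Review bot: `backup: true` on this copy task (and on the template task in the next hunk) keeps every previous version of the file next to `dest` with a timestamp suffix, so if any of these items is `ipsec.secrets` or another file carrying PSKs, superseded secrets accumulate on disk indefinitely with nothing pruning them. As far as I recall Ansible's backup preserves the original file's mode bits, so a pre-existing file with a lax mode yields an equally lax backup even though the new file gets the stricter mode. Consider making it switchable, e.g. `backup: "{{ strongswan_backup_configs | default(true) }}"` with the variable documented in `defaults/main.yml`, and noting in the README where the backups land.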
@@ -26,6 +31,7 @@
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
+ backup: true
owner: root
group: root
mode: 0640
diff --git a/templates/ipsec.conf.j2 b/templates/ipsec.conf.j2
index 67f4e6c..0bf4a67 100644
--- a/templates/ipsec.conf.j2
+++ b/templates/ipsec.conf.j2
@@ -23,6 +23,7 @@
reauth={{ strongswan_conf_reauth }}
type=tunnel
dpdaction={{ strongswan_conf_dpdaction }}
+ closeaction={{ strongswan_conf_closeaction }}
{% for conn in strongswan_conf_connections %}
conn {{ conn.name }}
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 90f8855..c476543 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -8,4 +8,4 @@
# Put all other variables in the 'defaults/main.yml' file.
strongswan_package: strongswan
-strongswan_service: strongswan
+strongswan_service: strongswan-starter
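Review bot: With the new include order in `tasks/main.yml` this file is no longer just Debian's vars but the fallback for every Debian-family host without a distribution-specific file, so the unit name here now also applies to Ubuntu releases other than 18.04; nothing in the file records that. A comment such as `# Fallback for the whole Debian family (bullseye and, presumably, newer Ubuntu use the strongswan-starter unit); Ubuntu 18.04 overrides this in Ubuntu_18.04.yml` above the service line would keep the two files from drifting apart.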
diff --git a/vars/Ubuntu_18.04.yml b/vars/Ubuntu_18.04.yml
new file mode 100644
index 0000000..692e778
--- /dev/null
+++ b/vars/Ubuntu_18.04.yml
@@ -0,0 +1,11 @@
+---
+# strongswan vars/Ubuntu_18.04.yml
+#
+# SPDX-FileCopyrightText: © 2022 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+#
+# NOTE: Only put platform/OS-specific variables in this file.
+# Put all other variables in the 'defaults/main.yml' file.
+
+strongswan_package: strongswan
+strongswan_service: strongswan
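Review bot: The header says what belongs in the file but not why 18.04 needs its own, so a reader cannot tell whether the file can be dropped when bionic is retired. One line such as `# bionic ships strongswan with the strongswan.service unit; later releases use strongswan-starter (see Debian.yml)` would tie it to the `{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml` candidate in `tasks/main.yml`, which only matches when the version fact is exactly `18.04`.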