save

835ca1db · nanahira · 8768d99d · 835ca1db · 835ca1db · 835ca1db
Commit 835ca1db authored May 09, 2024 by nanahira
11 changed files
--- a/ocserv-single/docker-compose.yml.j2
+++ b/ocserv-single/docker-compose.yml.j2
@@ -13,8 +13,15 @@ services:
    environment:
      IPTABLES_EXEC: '{{iptables_exec}}'
      MASQ_INTERFACE: '{{masq_interface}}'
+{% if username is defined and username %}
      USERNAME: '{{username}}'
      PASSWORD: '{{password}}'
+{% endif %}
+{% if users is defined and users %}
+{% for user in users %}
+      'USER_{{user.username}}': '{{user.password}}'
+{% endfor %}
+{% endif %}
    entrypoint: 
      - /entrypoint.sh
    command:

--- a/ocserv-single/templates/route-helper/route_helper.py
+++ b/ocserv-single/templates/route-helper/route_helper.py
@@ -33,7 +33,7 @@ def count_chnrouter_length():
 # externals = universe - special
 chnrouter = universe - chnroutes
-expect_length = 200
+expect_length = 198
 chnrouter_length = count_chnrouter_length()

--- a/openconnect/data/.gitkeep
+++ b/openconnect/data/.gitkeep
--- a/openconnect/docker-compose.yml.j2
+++ b/openconnect/docker-compose.yml.j2
+version: '2.4'
+services:
+{% for instance in instances %}
+  'openconnect-{{instance.name}}':
+    restart: always
+    image: git-registry.mycard.moe/railgun/openconnect
+    network_mode: host
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+    volumes:
+      - ./templates/up.sh:/etc/vpnc/post-connect.d/up.sh:ro
+      - ./templates/down.sh:/etc/vpnc/disconnect.d/down.sh:ro
+    command:
+      - bash
+      - -c
+      - echo '{{instance.password}}' | openconnect '--user={{instance.username}}' --passwd-on-stdin --passtos --interface={{instance.name}} '{{instance.endpoint}}' --no-dtls
+{% endfor %}
--- a/openconnect/templates/.gitkeep
+++ b/openconnect/templates/.gitkeep
--- a/openconnect/templates/down.sh.j2
+++ b/openconnect/templates/down.sh.j2
+#!/bin/sh
+dev="$TUNDEV"
+{% for instance in instances %}
+{% if instance.down is defined and instance.down %}
+if [ "$dev" = '{{instance.name}}' ]; then
+## Down script for {{instance.name}}
+{{instance.down}}
+fi
+{% endif %}
+{% endfor %}
+{% if down is defined and down %}
+# Global down script
+{{down}}
+{% endif %}
+true
--- a/openconnect/templates/up.sh.j2
+++ b/openconnect/templates/up.sh.j2
+#!/bin/sh
+dev="$TUNDEV"
+{% if up is defined and up %}
+# Global up script
+{{up}}
+{% endif %}
+{% for instance in instances %}
+{% if instance.up is defined and instance.up %}
+if [ "$dev" = '{{instance.name}}' ]; then
+## Up script for {{instance.name}}
+{{instance.up}}
+fi
+{% endif %}
+{% endfor %}
+true
--- a/zeeai-ikev2/docker-compose.yml.j2
+++ b/zeeai-ikev2/docker-compose.yml.j2
@@ -10,9 +10,9 @@ services:
      - NET_RAW
    volumes:
      - ./templates/ikev2-express.conf:/etc/swanctl/conf.d/ikev2.conf:ro
-      - ./data/certs/{{inventory_hostname}}/certificate.crt:/etc/swanctl/x509/cert.pem:ro
+      - ./data/certs/{{ansible_ssh_host}}/certificate.crt:/etc/swanctl/x509/cert.pem:ro
-      - ./data/certs/{{inventory_hostname}}/private.key:/etc/swanctl/private/privkey.pem:ro
+      - ./data/certs/{{ansible_ssh_host}}/private.key:/etc/swanctl/private/privkey.pem:ro
-      - ./data/certs/{{inventory_hostname}}/ca_bundle.crt:/etc/swanctl/x509ca/ca.pem:ro
+      - ./data/certs/{{ansible_ssh_host}}/ca_bundle.crt:/etc/swanctl/x509ca/ca.pem:ro
    # command: sleep infinity
    environment:
      FOO: 3

--- a/zeeai-ikev2/extract-certs.sh
+++ b/zeeai-ikev2/extract-certs.sh
 #!/bin/bash
-domain="$1"
+extract_domain() {
-zip="certs/$domain.zip"
+  domain="$1"
-dist="data/certs/$domain"
+  zip="certs/$domain.zip"
+  dist="data/certs/$domain"
-7z x -y -o"$dist" "$zip"
+  7z x -y -o"$dist" "$zip"
+}
+# run for every param in certs directory certs/example.com.zip
+for zip in certs/*.zip; do
+  domain=$(basename "$zip" .zip)
+  extract_domain "$domain"
+done
--- a/zeeai-ikev2/templates/ikev2-express.conf.j2
+++ b/zeeai-ikev2/templates/ikev2-express.conf.j2
@@ -11,7 +11,7 @@ connections {
    local_addrs = %any
    local {
      certs = cert.pem
-      id = {{inventory_hostname}}
+      id = {{server_id}}
    }
    remote {
      auth = eap-mschapv2
@@ -31,10 +31,12 @@ secrets {
  private-cert {
    file = privkey.pem
  }
-  eap-{{inventory_hostname_short}} {
+{% for user in users %}
-    id = {{inventory_hostname_short}}
+  eap-{{user.id}} {
-    secret = "{{secret}}"
+    id = {{user.id}}
+    secret = "{{user.secret}}"
  }
+{% endfor %}
 }
 pools {
  rw_pool {

--- a/zeeai-ikev2/templates/ikev2.conf.j2
+++ b/zeeai-ikev2/templates/ikev2.conf.j2
@@ -11,7 +11,7 @@ connections {
    local_addrs = %any
    local {
      certs = cert.pem
-      id = {{inventory_hostname}}
+      id = {{server_id}}
    }
    remote {
      auth = eap-mschapv2