Refactor l2tp-ipsec services launch (StreisandEffect#947)

This commit enables separate `ipsec` and `xl2tpd` systemd services. Required `iptables` rules are applied via `oneshot` tasks. This replaces the legacy init scripts for l2tp-ipsec.
owenson · Oct 14, 2017 · 54285eb · 54285eb
1 parent 66f27ec
commit 54285eb
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 44 deletions.
diff --git a/playbooks/roles/l2tp-ipsec/handlers/main.yml b/playbooks/roles/l2tp-ipsec/handlers/main.yml
@@ -1,19 +1,5 @@
 ---
-- name: Restart Libreswan
-  service:
-    name: ipsec
-    state: restarted
-
-- name: Restart xl2tpd
-  service:
-    name: xl2tpd
-    state: restarted
-  register: xl2tpd_restart_result
-  until: xl2tpd_restart_result|success
-  retries: 3
-  delay: 5
-
 - name: Restart rsyslog for Libreswan
-  service:
+  systemd:
     name: rsyslog
     state: restarted
diff --git a/playbooks/roles/l2tp-ipsec/tasks/firewall.yml b/playbooks/roles/l2tp-ipsec/tasks/firewall.yml
@@ -9,17 +9,15 @@
     - "1701"
     - "4500"
 
-- name: Allow L2TP/IPsec through the firewall
-  command: "{{ item }}"
-  with_items: "{{ l2tp_ipsec_firewall_rules }}"
-
-- name: "Add L2TP/IPsec firewall persistence service to init"
+- name: "Install L2TP/IPsec iptables service file"
   template:
-    src: streisand-l2tp-service.sh.j2
-    dest: /etc/init.d/streisand-l2tp
-    mode: 0755
+    src: streisand-l2tp-iptables.service.j2
+    dest: /etc/systemd/system/streisand-l2tp-iptables.service
+    mode: 0644
 
-- name: "Enable the streisand-l2tp init service"
-  service:
-    name: streisand-l2tp
+- name: "Enable the streisand-l2tp-iptables service"
+  systemd:
+    daemon_reload: yes
+    name: streisand-l2tp-iptables
     enabled: yes
+    state: started
diff --git a/playbooks/roles/l2tp-ipsec/tasks/main.yml b/playbooks/roles/l2tp-ipsec/tasks/main.yml
@@ -45,7 +45,6 @@
     owner: root
     group: root
     mode: 0644
-  notify: Restart Libreswan
 
 - name: Generate a random IPsec pre-shared key
   shell: grep -v -P "[\x80-\xFF]" /usr/share/dict/american-english-huge | sed -e "s/'//" | shuf -n 3 | xargs | sed -e 's/ /-/g' > {{ ipsec_preshared_key_file }}
@@ -84,7 +83,6 @@
     owner: root
     group: root
     mode: 0644
-  notify: Restart xl2tpd
 
 - name: Copy xl2tpd secrets file
   copy:
@@ -147,5 +145,15 @@
 # Ensure l2tp firewall rules are in place
 - include: firewall.yml
 
+- name: Enable and start ipsec and l2tp services
+  systemd:
+    daemon_reload: yes
+    name: "{{ item }}"
+    enabled: yes
+    state: restarted
+  with_items:
+    - ipsec
+    - xl2tpd
+
 # Generate l2tp instructions and mobile profiles
 - include: docs.yml
diff --git a/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-iptables.service.j2 b/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-iptables.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=Set iptables rules required for L2TP/IPsec gateway
+After=network.target
+Before=ipsec.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+{% for rule in l2tp_ipsec_firewall_rules %}
+ExecStart=/sbin/{{ rule }}
+{% endfor %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-service.sh.j2 b/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-service.sh.j2