From 54285ebbd7a401a9754edbaa5bb0d943f6569218 Mon Sep 17 00:00:00 2001
From: Igor Urazov
Date: Sat, 14 Oct 2017 17:00:47 +0300
Subject: [PATCH] Refactor l2tp-ipsec services launch (#947)

This commit enables separate `ipsec` and `xl2tpd` systemd services. Required `iptables` rules are applied via `oneshot` tasks. This replaces the legacy init scripts for l2tp-ipsec.
---
 playbooks/roles/l2tp-ipsec/handlers/main.yml | 16 +--------------
 playbooks/roles/l2tp-ipsec/tasks/firewall.yml | 20 +++++++++----------
 playbooks/roles/l2tp-ipsec/tasks/main.yml | 12 +++++++++--
 .../streisand-l2tp-iptables.service.j2 | 14 +++++++++++++
 .../templates/streisand-l2tp-service.sh.j2 | 16 ---------------
 5 files changed, 34 insertions(+), 44 deletions(-)
 create mode 100644 playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-iptables.service.j2
 delete mode 100644 playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-service.sh.j2

diff --git a/playbooks/roles/l2tp-ipsec/handlers/main.yml b/playbooks/roles/l2tp-ipsec/handlers/main.yml
index 99202e808..514fe87be 100644
--- a/playbooks/roles/l2tp-ipsec/handlers/main.yml
+++ b/playbooks/roles/l2tp-ipsec/handlers/main.yml
@@ -1,19 +1,5 @@
 ---
-- name: Restart Libreswan
-  service:
-    name: ipsec
-    state: restarted
-
-- name: Restart xl2tpd
-  service:
-    name: xl2tpd
-    state: restarted
-  register: xl2tpd_restart_result
-  until: xl2tpd_restart_result|success
-  retries: 3
-  delay: 5
-
 - name: Restart rsyslog for Libreswan
-  service:
+  systemd:
     name: rsyslog
     state: restarted
diff --git a/playbooks/roles/l2tp-ipsec/tasks/firewall.yml b/playbooks/roles/l2tp-ipsec/tasks/firewall.yml
index 68ad60324..d0f149e52 100644
--- a/playbooks/roles/l2tp-ipsec/tasks/firewall.yml
+++ b/playbooks/roles/l2tp-ipsec/tasks/firewall.yml
@@ -9,17 +9,15 @@
     - "1701"
     - "4500"
 
-- name: Allow L2TP/IPsec through the firewall
-  command: "{{ item }}"
-  with_items: "{{ l2tp_ipsec_firewall_rules }}"
-
-- name: "Add L2TP/IPsec firewall persistence service to init"
+- name: "Install L2TP/IPsec iptables service file"
   template:
-    src: streisand-l2tp-service.sh.j2
-    dest: /etc/init.d/streisand-l2tp
-    mode: 0755
+    src: streisand-l2tp-iptables.service.j2
+    dest: /etc/systemd/system/streisand-l2tp-iptables.service
+    mode: 0644
 
-- name: "Enable the streisand-l2tp init service"
-  service:
-    name: streisand-l2tp
+- name: "Enable the streisand-l2tp-iptables service"
+  systemd:
+    daemon_reload: yes
+    name: streisand-l2tp-iptables
     enabled: yes
+    state: started
diff --git a/playbooks/roles/l2tp-ipsec/tasks/main.yml b/playbooks/roles/l2tp-ipsec/tasks/main.yml
index b17e4aa8c..c109e7585 100644
--- a/playbooks/roles/l2tp-ipsec/tasks/main.yml
+++ b/playbooks/roles/l2tp-ipsec/tasks/main.yml
@@ -45,7 +45,6 @@
     owner: root
     group: root
     mode: 0644
-  notify: Restart Libreswan
 
 - name: Generate a random IPsec pre-shared key
   shell: grep -v -P "[\x80-\xFF]" /usr/share/dict/american-english-huge | sed -e "s/'//" | shuf -n 3 | xargs | sed -e 's/ /-/g' > {{ ipsec_preshared_key_file }}
@@ -84,7 +83,6 @@
     owner: root
     group: root
     mode: 0644
-  notify: Restart xl2tpd
 
 - name: Copy xl2tpd secrets file
   copy:
@@ -147,5 +145,15 @@
 # Ensure l2tp firewall rules are in place
 - include: firewall.yml
 
+- name: Enable and start ipsec and l2tp services
+  systemd:
+    daemon_reload: yes
+    name: "{{ item }}"
+    enabled: yes
+    state: restarted
+  with_items:
+    - ipsec
+    - xl2tpd
+
 # Generate l2tp instructions and mobile profiles
 - include: docs.yml
diff --git a/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-iptables.service.j2 b/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-iptables.service.j2
new file mode 100644
index 000000000..e499b1f97
--- /dev/null
+++ b/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-iptables.service.j2
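Review bot: The new "Enable the streisand-l2tp-iptables service" task starts the unit but never restarts it when the template changes, so a later edit to `l2tp_ipsec_firewall_rules` is written to the unit file yet not applied: a `oneshot` unit with `RemainAfterExit=true` stays `active (exited)` and `state: started` is a no-op on it. Register the template task's result and derive the state from it, e.g. `register: l2tp_iptables_unit` on the template task and `state: "{{ l2tp_iptables_unit|changed | ternary('restarted', 'started') }}"` on the systemd task, or notify a restart handler. A restart re-executes every ExecStart line, so this is only safe if the rules are written to be re-applicable (see the note on the unit template). Separately, `mode: 0644` and the two `yes` values are YAML 1.1 octal/boolean literals; `mode: "0644"` and `true` keep the typing parser-independent.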
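Review bot: `state: restarted` in the new "Enable and start ipsec and l2tp services" task restarts both daemons on every playbook run, not only when a configuration file changed, so every re-apply of Streisand drops established L2TP/IPsec sessions; this is a regression from the `notify` lines removed in the -45 and -84 hunks, which only restarted on change. Use `state: started` here and keep restarts change-driven (a `notify` from the ipsec and xl2tpd config tasks, as before). The retry loop the old xl2tpd handler carried (`until: ...|success`, `retries: 3`, `delay: 5`) is also gone, so a transient failure to restart xl2tpd now fails the whole run; if it was added for a reason, it belongs on this task. `daemon_reload: yes` and `enabled: yes` would be clearer as `true`.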
@@ -0,0 +1,14 @@
+[Unit]
+Description=Set iptables rules required for L2TP/IPsec gateway
+After=network.target
+Before=ipsec.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+{% for rule in l2tp_ipsec_firewall_rules %}
+ExecStart=/sbin/{{ rule }}
+{% endfor %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-service.sh.j2 b/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-service.sh.j2
deleted file mode 100644
index 4bb6522f0..000000000
--- a/playbooks/roles/l2tp-ipsec/templates/streisand-l2tp-service.sh.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: streisand-l2tp
-# Required-Start: $network $remote_fs $local_fs
-# Required-Stop: $network $remote_fs $local_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Persist L2TP/IPsec firewall rules for Streisand
-### END INIT INFO
-
-{% for rule in l2tp_ipsec_firewall_rules %}
-{{ rule }}
-{% endfor %}
-
-ipsec setup start
-/etc/init.d/xl2tpd restart
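Review bot: The unit has no `ExecStop`, so stopping or restarting streisand-l2tp-iptables never removes the rules, and a restart re-runs every `ExecStart` line; if the entries in `l2tp_ipsec_firewall_rules` are append-style (`iptables -A ...`, which is not visible from this hunk), each restart duplicates them in the ruleset. Either make each rule idempotent (a `-C` check before the `-A`, or flush a dedicated chain first) or add matching `ExecStop=` lines that delete what `ExecStart` added. `ExecStart=/sbin/{{ rule }}` also assumes every rule string begins with a bare command name and that the binary lives in `/sbin` (the removed init script ran `{{ rule }}` through `$PATH`), so the variable's format is now coupled to this template — worth a comment above the loop. Consider adding `Before=xl2tpd.service` as well, since only `ipsec.service` is ordered after the rules.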