From 6aaf1b7dbb02e68125bb6356d43c0e9f267dc6e4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 17 Feb 2021 20:28:05 -0600
Subject: [PATCH] roles/strongswan-swanctl: Load esp4 module at boot

The *esp4* kernel module does not load automatically on Fedora. Without this module, strongSwan can establish IKE SAs, but not ESP SAs. Listing the module name in a file in `/etc/modules-load.d` configures the *systemd-modules-load* service to load it at boot.
---
 roles/strongswan-swanctl/files/esp4.modules-load.conf | 2 ++
 roles/strongswan-swanctl/handlers/main.yml | 2 ++
 roles/strongswan-swanctl/tasks/main.yml | 8 ++++++++
 3 files changed, 12 insertions(+)
 create mode 100644 roles/strongswan-swanctl/files/esp4.modules-load.conf
 create mode 100644 roles/strongswan-swanctl/handlers/main.yml

diff --git a/roles/strongswan-swanctl/files/esp4.modules-load.conf b/roles/strongswan-swanctl/files/esp4.modules-load.conf
new file mode 100644
index 0000000..483e5ca
--- /dev/null
+++ b/roles/strongswan-swanctl/files/esp4.modules-load.conf
@@ -0,0 +1,2 @@
+# esp4.ko is required for IPsec ESP VPN connections
+esp4
diff --git a/roles/strongswan-swanctl/handlers/main.yml b/roles/strongswan-swanctl/handlers/main.yml
new file mode 100644
index 0000000..e6bf8ff
--- /dev/null
+++ b/roles/strongswan-swanctl/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: load esp4 kernel module
+ command: modprobe esp4
diff --git a/roles/strongswan-swanctl/tasks/main.yml b/roles/strongswan-swanctl/tasks/main.yml
index 3fb1dac..e81b948 100644
--- a/roles/strongswan-swanctl/tasks/main.yml
+++ b/roles/strongswan-swanctl/tasks/main.yml
@@ -5,6 +5,14 @@
 tags:
 - install

+- name: ensure esp4 module is configured to load at boot
+ copy:
+ src: esp4.modules-load.conf
+ dest: /etc/modules-load.d/esp4.conf
+ mode: '0644'
+ notify:
+ - load esp4 kernel module
+
 - name: ensure strongswan starts at boot
 service:
 name: strongswan
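Review bot: The new `esp4.modules-load.conf` covers ESP over IPv4 only, so a tunnel whose outer addresses are IPv6 would presumably hit the same "IKE SA but no ESP SA" failure unless `esp6` is loaded as well. If any peer of this role is reached over IPv6, add a second line `esp6` to the file and widen the comment to `# esp4.ko/esp6.ko are required for IPsec ESP VPN connections`. If the deployment is IPv4-only by design, saying so in the comment would save the next reader the question.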
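Review bot: The handler in `handlers/main.yml` shells out with `command: modprobe esp4`, which always reports "changed" and is skipped in check mode. The dedicated module gives an idempotent result with the same effect: `community.general.modprobe:` with `name: esp4` and `state: present`. The handler also does not state its privilege requirement, so it relies on the play or role already running with `become`. Confirm that, or set `become: true` on the handler.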
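Review bot: The `notify` on the new copy task in `tasks/main.yml` only queues the handler, so `modprobe esp4` runs at the end of the play, after the `ensure strongswan starts at boot` task that follows. That task's remaining arguments are outside the hunk; if it also starts the service, a first deployment can bring strongSwan up without esp4 and fail to install ESP SAs until the handler fires. Adding `- meta: flush_handlers` directly after the copy task closes that window. The new task also omits the `tags: - install` carried by the preceding task, so a run limited to `--tags install` would skip it; add the tag if that is not intended. Setting `owner: root` and `group: root` explicitly on the copy would make the ownership of `/etc/modules-load.d/esp4.conf` independent of the connecting user.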