From bf91aeb58f60ac6d23f8591492a6f60c78fc98a9 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 30 Oct 2023 16:39:33 +0100
Subject: [PATCH] Some cleanup.
---
meta/main.yml | 12 +-
tasks/openvpn.yml | 319 +++++++++++++++++++++++++++-------------------
2 files changed, 197 insertions(+), 134 deletions(-)
diff --git a/meta/main.yml b/meta/main.yml
index 03b83d1..1c3cbbf 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,13 +1,11 @@
galaxy_info:
author: Andrea Dell'Amico
- description: Systems Architect
+ description: Role that configures a OpenVPN service
company: ISTI-CNR
-
- issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
-
+ role_name: openvpn
+ namespace: adellam
license: EUPL 1.2+
-
- min_ansible_version: 2.8
+ min_ansible_version: "2.9"
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
@@ -16,6 +14,8 @@ galaxy_info:
- name: Ubuntu
versions:
- bionic
+ - focal
+ - jammy
galaxy_tags:
- openvpn
diff --git a/tasks/openvpn.yml b/tasks/openvpn.yml
index 0a70564..3f9b463 100644
--- a/tasks/openvpn.yml
+++ b/tasks/openvpn.yml
@@ -1,172 +1,235 @@ --- -- block: - - name: Install the OpenVPN main packages - apt: pkg={{ openvpn_pkgs }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 - - - name: Create the auth, ipp, ccd and status subdirs - file: dest={{ openvpn_conf_dir }}/{{ item }} state=directory owner={{ openvpn_unprivileged_user }} group=root mode=0770 - with_items: +- name: openvpn | Manage the packages and the file system + when: openvpn_enabled + tags: openvpn + block: + - name: openvpn | Install the OpenVPN main packages + ansible.builtin.apt: + pkg: "{{ openvpn_pkgs }}" + state: "{{ openvpn_pkg_state }}" + update_cache: true + cache_valid_time: 1800 + - name: openvpn | Create the auth, ipp, ccd and status subdirs + ansible.builtin.file: + dest: "{{ openvpn_conf_dir }}/{{ item }}" + state: directory + owner: "{{ openvpn_unprivileged_user }}" + group: root + mode: "0770" + loop: - ipp - status - auth - ccd - when: openvpn_enabled | bool - tags: openvpn +- name: openvpn | Management key + when: openvpn_management_enabled + tags: ['openvpn', 'openvpn_management'] + block: + - name: openvpn | Install the OpenVPN management key file + ansible.builtin.template: + src: management.txt.j2 + dest: "{{ openvpn_management_file }}" + owner: root + group: root + mode: "0400" -- block: - - name: Install the OpenVPN radius auth plugin package - apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 +- name: openvpn | Plugins to enable the radius authentication + when: openvpn_radius_auth + tags: ['openvpn', 'openvpn_radius'] + block: + - name: openvpn | Install the OpenVPN radius auth plugin package + ansible.builtin.apt: + pkg: "{{ openvpn_radius_pkg }}" + state: "{{ openvpn_pkg_state }}" + update_cache: true + cache_valid_time: 1800 - when: openvpn_radius_auth | bool - tags: [ 'openvpn', 'openvpn_radius' ] - -- block: - - name: Install the OpenVPN management key file - template: src=management.txt.j2 dest={{ 
openvpn_management_file }} owner=root group=root mode=0400 - - when: openvpn_management_enabled | bool - tags: [ 'openvpn', 'openvpn_management' ] - -- block: - - name: Install the OpenVPN ldap auth plugin package - apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 - - - name: Install the LDAP auth configuration file - template: src=auth-ldap.conf.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf owner=root group={{ openvpn_unprivileged_group }} mode=0440 +- name: openvpn | Plugin that manages the LDAP authentication + when: openvpn_ldap_auth + tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf'] + block: + - name: openvpn | Install the OpenVPN ldap auth plugin package + ansible.builtin.apt: + pkg: "{{ openvpn_ldap_pkg }}" + state: "{{ openvpn_pkg_state }}" + update_cache: true + cache_valid_time: 1800 + - name: openvpn | Install the LDAP auth configuration file + ansible.builtin.template: + src: auth-ldap.conf.j2 + dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf" + owner: root + group: "{{ openvpn_unprivileged_group }}" + mode: "0440" notify: Reload OpenVPN - when: openvpn_ldap_auth | bool - tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ] - -- block: - - name: Remove the LDAP auth configuration file if LDAP is not used - file: dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf state=absent +- name: openvpn | Remove the LDAP plugin configuration + when: not openvpn_ldap_auth + tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf'] + block: + - name: openvpn | Remove the LDAP auth configuration file if LDAP is not used + ansible.builtin.file: + dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf" + state: absent notify: Reload OpenVPN - when: not openvpn_ldap_auth | bool - tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ] - -- block: - - name: Install the main OpenVPN configuration file on the servers - template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root 
group={{ openvpn_unprivileged_group }} mode=0440 +- name: openvpn | OpenVPN configuration + when: openvpn_mode == 'server' + tags: ['openvpn', 'openvpn_conf'] + block: + - name: openvpn | Install the main OpenVPN configuration file on the servers + ansible.builtin.template: + src: server.conf.j2 + dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}" + owner: root + group: "{{ openvpn_unprivileged_group }}" + mode: "0440" notify: Restart OpenVPN - tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf' ] - - - name: Install the custom configuration for specific OpenVPN users in the servers - template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 - with_items: '{{ openvpn_users_customizations | default([]) }}' - tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ] - - - name: Install the easy-rsa package on servers when we use the certificate authentication - apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 + tags: ['openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf'] + - name: openvpn | Install the custom configuration for specific OpenVPN users in the servers + ansible.builtin.template: + src: user-ccd.conf.j2 + dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}" + owner: root + group: "{{ openvpn_unprivileged_group }}" + mode: "0440" + loop: '{{ openvpn_users_customizations | default([]) }}' + when: item.state is not defined or item.state == "present" + tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd'] + - name: openvpn | Remove some ccd configurations + ansible.builtin.file: + dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}" + state: absent + loop: '{{ openvpn_users_customizations | default([]) }}' + when: item.state defined and item.state == "absent" + tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd'] + - name: openvpn | Install the easy-rsa package on servers when we use the certificate authentication + 
ansible.builtin.apt: + pkg: easy-rsa + state: "{{ openvpn_pkg_state }}" + update_cache: true + cache_valid_time: 1800 when: - openvpn_cert_auth_enabled | bool - openvpn_is_master_host | bool - when: openvpn_mode == 'server' - tags: [ 'openvpn', 'openvpn_conf' ] - -- block: - - name: Install the main OpenVPN configuration file on the clients - template: src=client.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 +- name: openvpn | Clients configuration + when: openvpn_mode != 'server' + tags: ['openvpn', 'openvpn_conf'] + block: + - name: openvpn | Install the main OpenVPN configuration file on the clients + ansible.builtin.template: + src: client.conf.j2 + dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}" + owner: root + group: "{{ openvpn_unprivileged_group }}" + mode: "0440" notify: Restart OpenVPN - when: openvpn_mode != 'server' - tags: [ 'openvpn', 'openvpn_conf' ] - -- block: - - name: Install the OpenVPN init defaults - template: src=openvpn-defaults.j2 dest=/etc/default/openvpn owner=root group=root mode=0444 +- name: openvpn | Service defaults + tags: ['openvpn', 'openvpn_conf'] + block: + - name: openvpn | Install the OpenVPN init defaults + ansible.builtin.template: + src: openvpn-defaults.j2 + dest: /etc/default/openvpn + owner: root + group: root + mode: "0444" notify: - Restart OpenVPN - Reload systemd - tags: [ 'openvpn', 'openvpn_conf' ] - -- block: - - name: Create the dh file - shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 +- name: openvpn | Manage the ta and dh files + when: openvpn_is_master_host + tags: ['openvpn', 'openvpn_conf'] + block: + - name: openvpn | Create the dh file + ansible.builtin.command: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 args: creates: '{{ openvpn_conf_dir }}/dh2048.pem' - - - name: Fix the dh file permissions - file: dest={{ openvpn_conf_dir }}/dh2048.pem owner=root group=root mode=0444 - - - name: Create 
the ta key - shell: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key + - name: openvpn | Fix the dh file permissions + ansible.builtin.file: + dest: "{{ openvpn_conf_dir }}/dh2048.pem" + owner: root + group: root + mode: "0444" + - name: openvpn | Create the ta key + ansible.builtin.command: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key args: creates: '{{ openvpn_conf_dir }}/ta.key' - - - name: Fix the ta.key file permissions - file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400 - - - name: Fetch both the ta and the dh files from the master node - fetch: + - name: openvpn | Fix the ta.key file permissions + ansible.builtin.file: + dest: "{{ openvpn_conf_dir }}/ta.key" + owner: root + group: root + mode: "0400" + - name: openvpn | Fetch both the ta and the dh files from the master node + ansible.builtin.fetch: src: "{{ item }}" dest: /tmp/openvpn_secrets - with_items: + loop: - '{{ openvpn_conf_dir }}/ta.key' - '{{ openvpn_conf_dir }}/dh2048.pem' - when: openvpn_is_master_host - tags: [ 'openvpn', 'openvpn_conf' ] - -- block: - - name: Install the dh and ta.key files - copy: src=/tmp/openvpn_secrets/{{ openvpn_master_host }}/{{ openvpn_conf_dir }}/{{ item }} dest={{ openvpn_conf_dir }}/{{ item }} owner=root group=root mode=0400 force=yes - with_items: +- name: openvpn | Manage the ta and dh files in the remote nodes + when: not openvpn_is_master_host + tags: ['openvpn', 'openvpn_conf', 'openvpn_shared_secrets'] + block: + - name: openvpn | Install the dh and ta.key files + ansible.builtin.copy: + src: "/tmp/openvpn_secrets/{{ openvpn_master_host }}/{{ openvpn_conf_dir }}/{{ item }}" + dest: "{{ openvpn_conf_dir }}/{{ item }}" + owner: root + group: root + mode: "0400" + force: true + loop: - 'ta.key' - 'dh2048.pem' - when: - - not openvpn_is_master_host | bool - tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ] +- name: openvpn | Manage the service status + tags: ['openvpn', 'openvpn_service'] + block: + 
- name: openvpn | Ensure that the OpenVPN service is enabled and running + ansible.builtin.service: + name: openvpn + state: started + enabled: true + when: openvpn_enabled -- block: - - name: Ensure that the OpenVPN service is enabled and running - service: name=openvpn state=started enabled=yes - when: openvpn_enabled | bool + - name: openvpn | Ensure that the OpenVPN service is stopped and disabled + ansible.builtin.service: + name: openvpn + state: stopped + enabled: false + when: not openvpn_enabled - - name: Ensure that the OpenVPN service is stopped and disabled - service: name=openvpn state=stopped enabled=no - when: not openvpn_enabled | bool - - tags: [ 'openvpn', 'openvpn_service' ] - -- block: - - name: Enable kernel forwarding - sysctl: name={{ item }} value=1 reload=yes state=present - with_items: +- name: openvpn | Manage the kernel forwarding + tags: ['openvpn', 'openvpn_kernel_forwarding'] + block: + - name: openvpn | Enable kernel forwarding + ansible.posix.sysctl: + name: "{{ item }}" + value: "{% if openvpn_enable_system_forward and openvpn_enabled %}1{% else %}0{% endif %}" + reload: true + state: present + loop: - net.ipv4.ip_forward # - net.ipv6.conf.all.forwarding - when: - - openvpn_enable_system_forward | bool - - openvpn_enabled | bool - - name: Disable kernel forwarding - sysctl: name={{ item }} value=0 reload=yes state=present - with_items: - - net.ipv4.ip_forward - # - net.ipv6.conf.all.forwarding - when: not openvpn_enable_system_forward - tags: [ 'openvpn', 'openvpn_kernel_forwarding' ] - -- block: - - name: Disable tcp syn cookies - sysctl: name={{ item }} value=0 reload=yes state=present - with_items: +- name: openvpn | Manage the SYN cookies settings + tags: ['openvpn', 'openvpn_kernel_syn_cookies'] + block: + - name: openvpn | Disable tcp syn cookies + ansible.posix.sysctl: + name: "{{ item }}" + value: "{% if openvpn_disable_tcp_syn_cookie and openvpn_protocol == 'tcp' %}0{% else %}1{% endif %}" + reload: true + state: present + 
loop: - net.ipv4.tcp_syncookies when: - openvpn_disable_tcp_syn_cookie | bool - openvpn_protocol == 'tcp' - - - name: Enable tcp syn cookies - sysctl: name={{ item }} value=1 reload=yes state=present - with_items: - - net.ipv4.tcp_syncookies - when: - - not openvpn_disable_tcp_syn_cookie | bool or openvpn_protocol == 'udp' - - tags: [ 'openvpn', 'openvpn_kernel_syn_cookies' ] -
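Review bot: The "Create the ta key" task now runs `cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key` through `ansible.builtin.command`, which, unlike the `shell` module it replaces, does not invoke a shell, so `cd` and `&&` are passed as literal arguments and the task fails on any fresh master host (hosts that already have `ta.key` are masked by `creates:`), leaving no tls-auth key for the `fetch` task that follows; use the module's `chdir` argument instead: `ansible.builtin.command: openvpn --genkey --secret ta.key` with `args: {chdir: "{{ openvpn_conf_dir }}", creates: "{{ openvpn_conf_dir }}/ta.key"}`. In the new "Remove some ccd configurations" task `when: item.state defined and item.state == "absent"` is not valid Jinja (missing `is`) and will error as soon as `openvpn_users_customizations` is non-empty; it should read `when: item.state is defined and item.state == "absent"`. In the merged SYN-cookies task the retained `when:` conditions (`openvpn_disable_tcp_syn_cookie | bool` and `openvpn_protocol == 'tcp'`) make the `{% else %}1{% endif %}` branch of the new `value` template unreachable, so `net.ipv4.tcp_syncookies` is never set back to 1 once the variable is flipped or the protocol changed to udp, which silently leaves a SYN-flood mitigation off; drop the `when:` so the template alone decides the value, as the forwarding task above already does. Unchanged by this commit but worth noting while here: `fetch` places the shared `ta.key` under `/tmp/openvpn_secrets` on the controller, presumably with default permissions, so a private, umask-protected path would be safer for that secret.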