Some cleanup.

This commit is contained in:
Andrea Dell'Amico 2023-10-30 16:39:33 +01:00
parent 7b4f97dcd5
commit bf91aeb58f
Signed by: adellam
GPG Key ID: 147ABE6CEB9E20FF
2 changed files with 197 additions and 134 deletions


@ -1,13 +1,11 @@
galaxy_info: galaxy_info:
author: Andrea Dell'Amico author: Andrea Dell'Amico
description: Systems Architect description: Role that configures a OpenVPN service
company: ISTI-CNR company: ISTI-CNR
role_name: openvpn
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning namespace: adellam
license: EUPL 1.2+ license: EUPL 1.2+
min_ansible_version: "2.9"
min_ansible_version: 2.8
# To view available platforms and versions (or releases), visit: # To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/ # https://galaxy.ansible.com/api/v1/platforms/
@ -16,6 +14,8 @@ galaxy_info:
- name: Ubuntu - name: Ubuntu
versions: versions:
- bionic - bionic
- focal
- jammy
galaxy_tags: galaxy_tags:
- openvpn - openvpn


@ -1,172 +1,235 @@
--- ---
- block: - name: openvpn | Manage the packages and the file system
- name: Install the OpenVPN main packages when: openvpn_enabled
apt: pkg={{ openvpn_pkgs }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 tags: openvpn
block:
- name: Create the auth, ipp, ccd and status subdirs - name: openvpn | Install the OpenVPN main packages
file: dest={{ openvpn_conf_dir }}/{{ item }} state=directory owner={{ openvpn_unprivileged_user }} group=root mode=0770 ansible.builtin.apt:
with_items: pkg: "{{ openvpn_pkgs }}"
state: "{{ openvpn_pkg_state }}"
update_cache: true
cache_valid_time: 1800
- name: openvpn | Create the auth, ipp, ccd and status subdirs
ansible.builtin.file:
dest: "{{ openvpn_conf_dir }}/{{ item }}"
state: directory
owner: "{{ openvpn_unprivileged_user }}"
group: root
mode: "0770"
loop:
- ipp - ipp
- status - status
- auth - auth
- ccd - ccd
when: openvpn_enabled | bool - name: openvpn | Management key
tags: openvpn when: openvpn_management_enabled
tags: ['openvpn', 'openvpn_management']
block:
- name: openvpn | Install the OpenVPN management key file
ansible.builtin.template:
src: management.txt.j2
dest: "{{ openvpn_management_file }}"
owner: root
group: root
mode: "0400"
- block: - name: openvpn | Plugins to enable the radius authentication
- name: Install the OpenVPN radius auth plugin package when: openvpn_radius_auth
apt: pkg={{ openvpn_radius_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 tags: ['openvpn', 'openvpn_radius']
block:
- name: openvpn | Install the OpenVPN radius auth plugin package
ansible.builtin.apt:
pkg: "{{ openvpn_radius_pkg }}"
state: "{{ openvpn_pkg_state }}"
update_cache: true
cache_valid_time: 1800
when: openvpn_radius_auth | bool - name: openvpn | Plugin that manages the LDAP authentication
tags: [ 'openvpn', 'openvpn_radius' ] when: openvpn_ldap_auth
tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf']
- block: block:
- name: Install the OpenVPN management key file - name: openvpn | Install the OpenVPN ldap auth plugin package
template: src=management.txt.j2 dest={{ openvpn_management_file }} owner=root group=root mode=0400 ansible.builtin.apt:
pkg: "{{ openvpn_ldap_pkg }}"
when: openvpn_management_enabled | bool state: "{{ openvpn_pkg_state }}"
tags: [ 'openvpn', 'openvpn_management' ] update_cache: true
cache_valid_time: 1800
- block: - name: openvpn | Install the LDAP auth configuration file
- name: Install the OpenVPN ldap auth plugin package ansible.builtin.template:
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 src: auth-ldap.conf.j2
dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf"
- name: Install the LDAP auth configuration file owner: root
template: src=auth-ldap.conf.j2 dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf owner=root group={{ openvpn_unprivileged_group }} mode=0440 group: "{{ openvpn_unprivileged_group }}"
mode: "0440"
notify: Reload OpenVPN notify: Reload OpenVPN
when: openvpn_ldap_auth | bool - name: openvpn | Remove the LDAP plugin configuration
tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ] when: not openvpn_ldap_auth
tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf']
- block: block:
- name: Remove the LDAP auth configuration file if LDAP is not used - name: openvpn | Remove the LDAP auth configuration file if LDAP is not used
file: dest={{ openvpn_conf_dir }}/auth/auth-ldap.conf state=absent ansible.builtin.file:
dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf"
state: absent
notify: Reload OpenVPN notify: Reload OpenVPN
when: not openvpn_ldap_auth | bool - name: openvpn | OpenVPN configuration
tags: [ 'openvpn', 'openvpn_ldap', 'openvpn_basic_conf' ] when: openvpn_mode == 'server'
tags: ['openvpn', 'openvpn_conf']
- block: block:
- name: Install the main OpenVPN configuration file on the servers - name: openvpn | Install the main OpenVPN configuration file on the servers
template: src=server.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 ansible.builtin.template:
src: server.conf.j2
dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}"
owner: root
group: "{{ openvpn_unprivileged_group }}"
mode: "0440"
notify: Restart OpenVPN notify: Restart OpenVPN
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf' ] tags: ['openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf']
- name: openvpn | Install the custom configuration for specific OpenVPN users in the servers
- name: Install the custom configuration for specific OpenVPN users in the servers ansible.builtin.template:
template: src=user-ccd.conf.j2 dest={{ openvpn_conf_dir }}/ccd/{{ item.cn }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 src: user-ccd.conf.j2
with_items: '{{ openvpn_users_customizations | default([]) }}' dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}"
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_ccd' ] owner: root
group: "{{ openvpn_unprivileged_group }}"
- name: Install the easy-rsa package on servers when we use the certificate authentication mode: "0440"
apt: pkg=easy-rsa state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 loop: '{{ openvpn_users_customizations | default([]) }}'
when: item.state is not defined or item.state == "present"
tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd']
- name: openvpn | Remove some ccd configurations
ansible.builtin.file:
dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}"
state: absent
loop: '{{ openvpn_users_customizations | default([]) }}'
when: item.state defined and item.state == "absent"
tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd']
- name: openvpn | Install the easy-rsa package on servers when we use the certificate authentication
ansible.builtin.apt:
pkg: easy-rsa
state: "{{ openvpn_pkg_state }}"
update_cache: true
cache_valid_time: 1800
when: when:
- openvpn_cert_auth_enabled | bool - openvpn_cert_auth_enabled | bool
- openvpn_is_master_host | bool - openvpn_is_master_host | bool
when: openvpn_mode == 'server' - name: openvpn | Clients configuration
tags: [ 'openvpn', 'openvpn_conf' ] when: openvpn_mode != 'server'
tags: ['openvpn', 'openvpn_conf']
- block: block:
- name: Install the main OpenVPN configuration file on the clients - name: openvpn | Install the main OpenVPN configuration file on the clients
template: src=client.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440 ansible.builtin.template:
src: client.conf.j2
dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}"
owner: root
group: "{{ openvpn_unprivileged_group }}"
mode: "0440"
notify: Restart OpenVPN notify: Restart OpenVPN
when: openvpn_mode != 'server' - name: openvpn | Service defaults
tags: [ 'openvpn', 'openvpn_conf' ] tags: ['openvpn', 'openvpn_conf']
block:
- block: - name: openvpn | Install the OpenVPN init defaults
- name: Install the OpenVPN init defaults ansible.builtin.template:
template: src=openvpn-defaults.j2 dest=/etc/default/openvpn owner=root group=root mode=0444 src: openvpn-defaults.j2
dest: /etc/default/openvpn
owner: root
group: root
mode: "0444"
notify: notify:
- Restart OpenVPN - Restart OpenVPN
- Reload systemd - Reload systemd
tags: [ 'openvpn', 'openvpn_conf' ] - name: openvpn | Manage the ta and dh files
when: openvpn_is_master_host
- block: tags: ['openvpn', 'openvpn_conf']
- name: Create the dh file block:
shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 - name: openvpn | Create the dh file
ansible.builtin.command: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
args: args:
creates: '{{ openvpn_conf_dir }}/dh2048.pem' creates: '{{ openvpn_conf_dir }}/dh2048.pem'
- name: openvpn | Fix the dh file permissions
- name: Fix the dh file permissions ansible.builtin.file:
file: dest={{ openvpn_conf_dir }}/dh2048.pem owner=root group=root mode=0444 dest: "{{ openvpn_conf_dir }}/dh2048.pem"
owner: root
- name: Create the ta key group: root
shell: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key mode: "0444"
- name: openvpn | Create the ta key
ansible.builtin.command: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key
args: args:
creates: '{{ openvpn_conf_dir }}/ta.key' creates: '{{ openvpn_conf_dir }}/ta.key'
- name: openvpn | Fix the ta.key file permissions
- name: Fix the ta.key file permissions ansible.builtin.file:
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400 dest: "{{ openvpn_conf_dir }}/ta.key"
owner: root
- name: Fetch both the ta and the dh files from the master node group: root
fetch: mode: "0400"
- name: openvpn | Fetch both the ta and the dh files from the master node
ansible.builtin.fetch:
src: "{{ item }}" src: "{{ item }}"
dest: /tmp/openvpn_secrets dest: /tmp/openvpn_secrets
with_items: loop:
- '{{ openvpn_conf_dir }}/ta.key' - '{{ openvpn_conf_dir }}/ta.key'
- '{{ openvpn_conf_dir }}/dh2048.pem' - '{{ openvpn_conf_dir }}/dh2048.pem'
when: openvpn_is_master_host - name: openvpn | Manage the ta and dh files in the remote nodes
tags: [ 'openvpn', 'openvpn_conf' ] when: not openvpn_is_master_host
tags: ['openvpn', 'openvpn_conf', 'openvpn_shared_secrets']
- block: block:
- name: Install the dh and ta.key files - name: openvpn | Install the dh and ta.key files
copy: src=/tmp/openvpn_secrets/{{ openvpn_master_host }}/{{ openvpn_conf_dir }}/{{ item }} dest={{ openvpn_conf_dir }}/{{ item }} owner=root group=root mode=0400 force=yes ansible.builtin.copy:
with_items: src: "/tmp/openvpn_secrets/{{ openvpn_master_host }}/{{ openvpn_conf_dir }}/{{ item }}"
dest: "{{ openvpn_conf_dir }}/{{ item }}"
owner: root
group: root
mode: "0400"
force: true
loop:
- 'ta.key' - 'ta.key'
- 'dh2048.pem' - 'dh2048.pem'
when: - name: openvpn | Manage the service status
- not openvpn_is_master_host | bool tags: ['openvpn', 'openvpn_service']
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ] block:
- name: openvpn | Ensure that the OpenVPN service is enabled and running
ansible.builtin.service:
name: openvpn
state: started
enabled: true
when: openvpn_enabled
- block: - name: openvpn | Ensure that the OpenVPN service is stopped and disabled
- name: Ensure that the OpenVPN service is enabled and running ansible.builtin.service:
service: name=openvpn state=started enabled=yes name: openvpn
when: openvpn_enabled | bool state: stopped
enabled: false
when: not openvpn_enabled
- name: Ensure that the OpenVPN service is stopped and disabled - name: openvpn | Manage the kernel forwarding
service: name=openvpn state=stopped enabled=no tags: ['openvpn', 'openvpn_kernel_forwarding']
when: not openvpn_enabled | bool block:
- name: openvpn | Enable kernel forwarding
tags: [ 'openvpn', 'openvpn_service' ] ansible.posix.sysctl:
name: "{{ item }}"
- block: value: "{% if openvpn_enable_system_forward and openvpn_enabled %}1{% else %}0{% endif %}"
- name: Enable kernel forwarding reload: true
sysctl: name={{ item }} value=1 reload=yes state=present state: present
with_items: loop:
- net.ipv4.ip_forward - net.ipv4.ip_forward
# - net.ipv6.conf.all.forwarding # - net.ipv6.conf.all.forwarding
when:
- openvpn_enable_system_forward | bool
- openvpn_enabled | bool
- name: Disable kernel forwarding - name: openvpn | Manage the SYN cookies settings
sysctl: name={{ item }} value=0 reload=yes state=present tags: ['openvpn', 'openvpn_kernel_syn_cookies']
with_items: block:
- net.ipv4.ip_forward - name: openvpn | Disable tcp syn cookies
# - net.ipv6.conf.all.forwarding ansible.posix.sysctl:
when: not openvpn_enable_system_forward name: "{{ item }}"
tags: [ 'openvpn', 'openvpn_kernel_forwarding' ] value: "{% if openvpn_disable_tcp_syn_cookie and openvpn_protocol == 'tcp' %}0{% else %}1{% endif %}"
reload: true
- block: state: present
- name: Disable tcp syn cookies loop:
sysctl: name={{ item }} value=0 reload=yes state=present
with_items:
- net.ipv4.tcp_syncookies - net.ipv4.tcp_syncookies
when: when:
- openvpn_disable_tcp_syn_cookie | bool - openvpn_disable_tcp_syn_cookie | bool
- openvpn_protocol == 'tcp' - openvpn_protocol == 'tcp'
- name: Enable tcp syn cookies
sysctl: name={{ item }} value=1 reload=yes state=present
with_items:
- net.ipv4.tcp_syncookies
when:
- not openvpn_disable_tcp_syn_cookie | bool or openvpn_protocol == 'udp'
tags: [ 'openvpn', 'openvpn_kernel_syn_cookies' ]
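Review bot: The new "Remove some ccd configurations" task's condition `when: item.state defined and item.state == "absent"` is not valid Jinja2 and will fail with a templating error on the first run; it should read `when: item.state is defined and item.state == "absent"`, matching the `is not defined` form already used on the sibling ccd install task. The "Create the ta key" task was switched from `shell` to `ansible.builtin.command` but still passes `cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key`, which `command` does not interpret (no shell, so `cd` is looked up as the program and `&&` becomes a literal argument); use `ansible.builtin.command: openvpn --genkey --secret ta.key` with `chdir: "{{ openvpn_conf_dir }}"` added under its existing `args:` next to `creates`. Separately, the fetch/copy pair still stages `ta.key` under `/tmp/openvpn_secrets` on the control node; this predates the commit, but a comment on the fetch task stating that this directory holds the shared TLS-auth secret and should be restricted or cleaned up after the play would help the next maintainer.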