236 lines
7.9 KiB
YAML
236 lines
7.9 KiB
YAML
---
|
|
- name: openvpn | Manage the packages and the file system
|
|
when: openvpn_enabled
|
|
tags: openvpn
|
|
block:
|
|
- name: openvpn | Install the OpenVPN main packages
|
|
ansible.builtin.apt:
|
|
pkg: "{{ openvpn_pkgs }}"
|
|
state: "{{ openvpn_pkg_state }}"
|
|
update_cache: true
|
|
cache_valid_time: 1800
|
|
- name: openvpn | Create the auth, ipp, ccd and status subdirs
|
|
ansible.builtin.file:
|
|
dest: "{{ openvpn_conf_dir }}/{{ item }}"
|
|
state: directory
|
|
owner: "{{ openvpn_unprivileged_user }}"
|
|
group: root
|
|
mode: "0770"
|
|
loop:
|
|
- ipp
|
|
- status
|
|
- auth
|
|
- ccd
|
|
|
|
- name: openvpn | Management key
|
|
when: openvpn_management_enabled
|
|
tags: ['openvpn', 'openvpn_management']
|
|
block:
|
|
- name: openvpn | Install the OpenVPN management key file
|
|
ansible.builtin.template:
|
|
src: management.txt.j2
|
|
dest: "{{ openvpn_management_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0400"
|
|
|
|
- name: openvpn | Plugins to enable the radius authentication
|
|
when: openvpn_radius_auth
|
|
tags: ['openvpn', 'openvpn_radius']
|
|
block:
|
|
- name: openvpn | Install the OpenVPN radius auth plugin package
|
|
ansible.builtin.apt:
|
|
pkg: "{{ openvpn_radius_pkg }}"
|
|
state: "{{ openvpn_pkg_state }}"
|
|
update_cache: true
|
|
cache_valid_time: 1800
|
|
|
|
- name: openvpn | Plugin that manages the LDAP authentication
|
|
when: openvpn_ldap_auth
|
|
tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf']
|
|
block:
|
|
- name: openvpn | Install the OpenVPN ldap auth plugin package
|
|
ansible.builtin.apt:
|
|
pkg: "{{ openvpn_ldap_pkg }}"
|
|
state: "{{ openvpn_pkg_state }}"
|
|
update_cache: true
|
|
cache_valid_time: 1800
|
|
- name: openvpn | Install the LDAP auth configuration file
|
|
ansible.builtin.template:
|
|
src: auth-ldap.conf.j2
|
|
dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf"
|
|
owner: root
|
|
group: "{{ openvpn_unprivileged_group }}"
|
|
mode: "0440"
|
|
notify: Reload OpenVPN
|
|
|
|
- name: openvpn | Remove the LDAP plugin configuration
|
|
when: not openvpn_ldap_auth
|
|
tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf']
|
|
block:
|
|
- name: openvpn | Remove the LDAP auth configuration file if LDAP is not used
|
|
ansible.builtin.file:
|
|
dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf"
|
|
state: absent
|
|
notify: Reload OpenVPN
|
|
|
|
- name: openvpn | OpenVPN configuration
|
|
when: openvpn_mode == 'server'
|
|
tags: ['openvpn', 'openvpn_conf']
|
|
block:
|
|
- name: openvpn | Install the main OpenVPN configuration file on the servers
|
|
ansible.builtin.template:
|
|
src: server.conf.j2
|
|
dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}"
|
|
owner: root
|
|
group: "{{ openvpn_unprivileged_group }}"
|
|
mode: "0440"
|
|
notify: Restart OpenVPN
|
|
tags: ['openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf']
|
|
- name: openvpn | Install the custom configuration for specific OpenVPN users in the servers
|
|
ansible.builtin.template:
|
|
src: user-ccd.conf.j2
|
|
dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}"
|
|
owner: root
|
|
group: "{{ openvpn_unprivileged_group }}"
|
|
mode: "0440"
|
|
loop: '{{ openvpn_users_customizations | default([]) }}'
|
|
when: item.state is not defined or item.state == "present"
|
|
tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd']
|
|
- name: openvpn | Remove some ccd configurations
|
|
ansible.builtin.file:
|
|
dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}"
|
|
state: absent
|
|
loop: '{{ openvpn_users_customizations | default([]) }}'
|
|
when: item.state defined and item.state == "absent"
|
|
tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd']
|
|
- name: openvpn | Install the easy-rsa package on servers when we use the certificate authentication
|
|
ansible.builtin.apt:
|
|
pkg: easy-rsa
|
|
state: "{{ openvpn_pkg_state }}"
|
|
update_cache: true
|
|
cache_valid_time: 1800
|
|
when:
|
|
- openvpn_cert_auth_enabled | bool
|
|
- openvpn_is_master_host | bool
|
|
|
|
- name: openvpn | Clients configuration
|
|
when: openvpn_mode != 'server'
|
|
tags: ['openvpn', 'openvpn_conf']
|
|
block:
|
|
- name: openvpn | Install the main OpenVPN configuration file on the clients
|
|
ansible.builtin.template:
|
|
src: client.conf.j2
|
|
dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}"
|
|
owner: root
|
|
group: "{{ openvpn_unprivileged_group }}"
|
|
mode: "0440"
|
|
notify: Restart OpenVPN
|
|
|
|
- name: openvpn | Service defaults
|
|
tags: ['openvpn', 'openvpn_conf']
|
|
block:
|
|
- name: openvpn | Install the OpenVPN init defaults
|
|
ansible.builtin.template:
|
|
src: openvpn-defaults.j2
|
|
dest: /etc/default/openvpn
|
|
owner: root
|
|
group: root
|
|
mode: "0444"
|
|
notify:
|
|
- Restart OpenVPN
|
|
- Reload systemd
|
|
|
|
- name: openvpn | Manage the ta and dh files
|
|
when: openvpn_is_master_host
|
|
tags: ['openvpn', 'openvpn_conf']
|
|
block:
|
|
- name: openvpn | Create the dh file
|
|
ansible.builtin.command: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
|
|
args:
|
|
creates: '{{ openvpn_conf_dir }}/dh2048.pem'
|
|
- name: openvpn | Fix the dh file permissions
|
|
ansible.builtin.file:
|
|
dest: "{{ openvpn_conf_dir }}/dh2048.pem"
|
|
owner: root
|
|
group: root
|
|
mode: "0444"
|
|
- name: openvpn | Create the ta key
|
|
ansible.builtin.command: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key
|
|
args:
|
|
creates: '{{ openvpn_conf_dir }}/ta.key'
|
|
- name: openvpn | Fix the ta.key file permissions
|
|
ansible.builtin.file:
|
|
dest: "{{ openvpn_conf_dir }}/ta.key"
|
|
owner: root
|
|
group: root
|
|
mode: "0400"
|
|
- name: openvpn | Fetch both the ta and the dh files from the master node
|
|
ansible.builtin.fetch:
|
|
src: "{{ item }}"
|
|
dest: /tmp/openvpn_secrets
|
|
loop:
|
|
- '{{ openvpn_conf_dir }}/ta.key'
|
|
- '{{ openvpn_conf_dir }}/dh2048.pem'
|
|
|
|
- name: openvpn | Manage the ta and dh files in the remote nodes
|
|
when: not openvpn_is_master_host
|
|
tags: ['openvpn', 'openvpn_conf', 'openvpn_shared_secrets']
|
|
block:
|
|
- name: openvpn | Install the dh and ta.key files
|
|
ansible.builtin.copy:
|
|
src: "/tmp/openvpn_secrets/{{ openvpn_master_host }}/{{ openvpn_conf_dir }}/{{ item }}"
|
|
dest: "{{ openvpn_conf_dir }}/{{ item }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0400"
|
|
force: true
|
|
loop:
|
|
- 'ta.key'
|
|
- 'dh2048.pem'
|
|
|
|
- name: openvpn | Manage the service status
|
|
tags: ['openvpn', 'openvpn_service']
|
|
block:
|
|
- name: openvpn | Ensure that the OpenVPN service is enabled and running
|
|
ansible.builtin.service:
|
|
name: openvpn
|
|
state: started
|
|
enabled: true
|
|
when: openvpn_enabled
|
|
|
|
- name: openvpn | Ensure that the OpenVPN service is stopped and disabled
|
|
ansible.builtin.service:
|
|
name: openvpn
|
|
state: stopped
|
|
enabled: false
|
|
when: not openvpn_enabled
|
|
|
|
- name: openvpn | Manage the kernel forwarding
|
|
tags: ['openvpn', 'openvpn_kernel_forwarding']
|
|
block:
|
|
- name: openvpn | Enable kernel forwarding
|
|
ansible.posix.sysctl:
|
|
name: "{{ item }}"
|
|
value: "{% if openvpn_enable_system_forward and openvpn_enabled %}1{% else %}0{% endif %}"
|
|
reload: true
|
|
state: present
|
|
loop:
|
|
- net.ipv4.ip_forward
|
|
# - net.ipv6.conf.all.forwarding
|
|
|
|
- name: openvpn | Manage the SYN cookies settings
|
|
tags: ['openvpn', 'openvpn_kernel_syn_cookies']
|
|
block:
|
|
- name: openvpn | Disable tcp syn cookies
|
|
ansible.posix.sysctl:
|
|
name: "{{ item }}"
|
|
value: "{% if openvpn_disable_tcp_syn_cookie and openvpn_protocol == 'tcp' %}0{% else %}1{% endif %}"
|
|
reload: true
|
|
state: present
|
|
loop:
|
|
- net.ipv4.tcp_syncookies
|
|
when:
|
|
- openvpn_disable_tcp_syn_cookie | bool
|
|
- openvpn_protocol == 'tcp'
|