From ac81ef9c32699722be52f399d61cbdcfdf75de38 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@isti.cnr.it>
Date: Tue, 18 Oct 2016 18:33:06 +0200
Subject: [PATCH] library/roles/openvpn: Try to cover the multi instance case,
 where one copy of the dh and the ta.key files must be shared between all the
 nodes.

---
 openvpn/defaults/main.yml |  7 ++++++-
 openvpn/tasks/openvpn.yml | 17 +++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/openvpn/defaults/main.yml b/openvpn/defaults/main.yml
index bf13e47..3802691 100644
--- a/openvpn/defaults/main.yml
+++ b/openvpn/defaults/main.yml
@@ -47,10 +47,15 @@ openvpn_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
 openvpn_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
 openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
 
+openvpn_ha: False
+# Not a real master. It is only the host where the dh.pem and ta.key are generated
+openvpn_master_host: 'localhost'
+openvpn_is_master_host: False 
+
 openvpn_compression_enabled: False
 openvpn_keepalive: '10 120'
 
-openvpn_max_clients: 50
+openvpn_max_clients: 100
 openvpn_run_unprivileged: True
 openvpn_unprivileged_user: nobody
 openvpn_unprivileged_group: nogroup
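Review bot: The default `openvpn_master_host: 'localhost'` deserves a comment, because a task delegated to `localhost` runs on the Ansible controller, which will not hold the generated dh2048.pem and ta.key unless the controller is also the node that generated them; when `openvpn_ha` is true the variable has to be overridden per deployment. Something like `# Inventory name of the node that generates dh2048.pem and ta.key; must be overridden when openvpn_ha is true` above it would make that explicit. The `openvpn_is_master_host: False` line also carries trailing whitespace that should be dropped. The new booleans keep the file's existing `True`/`False` spelling; lowercase `true`/`false` is the portable form, but that is a file-wide style point rather than something this hunk introduces.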
diff --git a/openvpn/tasks/openvpn.yml b/openvpn/tasks/openvpn.yml
index b3146aa..1e76ca9 100644
--- a/openvpn/tasks/openvpn.yml
+++ b/openvpn/tasks/openvpn.yml
@@ -71,6 +71,10 @@
       template: src=openvpn.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
       notify: Reload OpenVPN
 
+  tags: [ 'openvpn', 'openvpn_conf' ]
+
+
+- block:
     - name: Create the dh file
       shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 ; chmod 444 {{ openvpn_conf_dir }}/dh2048.pem
       args:
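Review bot: The new `- block:` that now wraps the dh and ta.key generation has no comment, and its `when` condition and tags sit in the following hunk, so a reader of this part of the file cannot tell why the split was made. A one-line comment above it, e.g. `# Generate the shared dh params and TLS-auth key only on the master host (or on every host when not in HA mode)`, would document the intent in place. The template task whose `tags:` line is added here starts outside the hunk.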
@@ -81,8 +85,21 @@
       args:
         creates: '{{ openvpn_conf_dir }}/ta.key'
 
+  when: openvpn_is_master_host or not openvpn_ha
   tags: [ 'openvpn', 'openvpn_conf' ]
 
+- block:
+    - name: Get the dh file from the master host
+      synchronize: src={{ openvpn_conf_dir }}/dh2048.pem dest=rsync://{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem mode=0440 owner=root group=root
+      delegate_to: '{{ openvpn_master_host }}'
+      
+    - name: Get the ta key from the master host
+      synchronize: src={{ openvpn_conf_dir }}/ta.key dest=rsync://{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key mode=0440 owner=root group=root
+      delegate_to: '{{ openvpn_master_host }}'
+
+  when: openvpn_ha and not openvpn_is_master_host
+  tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
+
 
 - block:
     - name: Enable kernel forwarding
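Review bot: The two synchronize tasks ("Get the dh file from the master host" and "Get the ta key from the master host") pass `mode=0440 owner=root group=root`, but synchronize's `mode` selects push/pull direction and `owner`/`group` are booleans that control whether rsync preserves ownership, so these arguments will make the task fail or be misinterpreted rather than set file permissions. The `rsync://{{ ansible_fqdn }}/...` destination additionally requires an rsync daemon listening on every node and would move ta.key, the TLS-auth secret, over the daemon protocol instead of the SSH transport synchronize normally uses; with `delegate_to` the module already targets the current host, so a plain path as `dest` is enough. The permissions can then be set by a separate `file` task after the copy, as in the excerpt below. I would also drop the trailing whitespace on the blank line between the two tasks, and note in a comment that the master host must be able to reach each node over SSH for the delegated rsync to work.
```yaml
- block:
    - name: Get the dh file from the master host
      synchronize: src={{ openvpn_conf_dir }}/dh2048.pem dest={{ openvpn_conf_dir }}/dh2048.pem
      delegate_to: '{{ openvpn_master_host }}'

    - name: Get the ta key from the master host
      synchronize: src={{ openvpn_conf_dir }}/ta.key dest={{ openvpn_conf_dir }}/ta.key
      delegate_to: '{{ openvpn_master_host }}'

    - name: Set ownership and permissions of the shared files
      file: path={{ openvpn_conf_dir }}/{{ item }} owner=root group=root mode=0440
      with_items:
        - dh2048.pem
        - ta.key

  # … unchanged: when / tags …
```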