From 81f451d96e3dbb81b07e46a78ba6e404437c2395 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 28 Feb 2019 10:56:19 +0100
Subject: [PATCH] openvpn: Manage the ta.key permissions so that it can be transferred between nodes.
---
 openvpn/tasks/openvpn.yml | 34 ++++++++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/openvpn/tasks/openvpn.yml b/openvpn/tasks/openvpn.yml
index d050ba7c..4ab5bdbf 100644
--- a/openvpn/tasks/openvpn.yml
+++ b/openvpn/tasks/openvpn.yml
@@ -87,15 +87,21 @@
 - block:
     - name: Create the dh file
-      shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 ; chmod 444 {{ openvpn_conf_dir }}/dh2048.pem
+      shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
       args:
         creates: '{{ openvpn_conf_dir }}/dh2048.pem'
+    - name: Fix the dh file permissions
+      file: dest={{ openvpn_conf_dir }}/dh2048.pem owner=root group=root mode=0444
+
     - name: Create the ta key
-      shell: cd {{ openvpn_conf_dir }} ; openvpn --genkey --secret ta.key ; chmod 400 {{ openvpn_conf_dir }}/ta.key
+      shell: cd {{ openvpn_conf_dir }} && openvpn --genkey --secret ta.key
       args:
         creates: '{{ openvpn_conf_dir }}/ta.key'
+    - name: Fix the ta.key file permissions
+      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
+
   when: openvpn_is_master_host or not openvpn_ha
   tags: [ 'openvpn', 'openvpn_conf' ]
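Review bot: The new `file:` tasks (`Fix the dh file permissions`, `Fix the ta.key file permissions`) use the key=value string form while the rest of the hunk uses native YAML (`args:` / `creates:`); Ansible convention is the block-style mapping, which also keeps the octal mode visible as a quoted scalar. Expand each into `file:` with `path` (or `dest`), `owner`, `group` and a quoted `mode: '0400'` / `mode: '0444'` — the quotes matter, since an unquoted `mode: 0400` is read as the integer 256. Moving the `chmod` out of the shell command also means ta.key keeps whatever mode `openvpn --genkey` and the umask give it until the fix task runs; if that window matters, confirm the mode the tool creates the file with and record it on the `Create the ta key` task, e.g. `# TODO(review): confirm the mode openvpn --genkey creates ta.key with; the next task tightens it to 0400`.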
@@ -107,12 +113,24 @@
       dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
       delegate_to: '{{ openvpn_master_host }}'
+    - name: Relax the ta.key file permissions so that it can be copied around
+      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
+      delegate_to: '{{ openvpn_master_host }}'
+
     - name: Get the ta key from the master host
       synchronize:
         src: '{{ openvpn_conf_dir }}/ta.key'
         #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
         dest: '/{{ openvpn_conf_dir }}/ta.key'
       delegate_to: '{{ openvpn_master_host }}'
+      ignore_errors: True
+
+    - name: Fix the ta.key file permissions
+      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
+
+    - name: Fix the ta.key file permissions on the master host
+      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
+      delegate_to: '{{ openvpn_master_host }}'
   when:
     - openvpn_ha
@@ -127,12 +145,24 @@
       dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
       delegate_to: '{{ openvpn_master_host }}'
+    - name: Relax the ta.key file permissions so that it can be copied around
+      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
+      delegate_to: '{{ openvpn_master_host }}'
+
     - name: Get the ta key from the master host
       synchronize:
         src: '{{ openvpn_conf_dir }}/ta.key'
         #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
         dest: '/{{ openvpn_conf_dir }}/ta.key'
       delegate_to: '{{ openvpn_master_host }}'
+      ignore_errors: True
+
+    - name: Fix the ta.key file permissions
+      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
+
+    - name: Fix the ta.key file permissions on the master host
+      file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
+      delegate_to: '{{ openvpn_master_host }}'
   when: openvpn_mode != 'server'
   tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
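Review bot: The relax/restore pairing does not guarantee the master's ta.key is set back to 0400: `ignore_errors: True` lets the play continue after a failed copy, but the next task, `Fix the ta.key file permissions` on the target, runs the `file` module against a path that then does not exist and fails, so `Fix the ta.key file permissions on the master host` never runs and the TLS-auth shared secret stays world-readable (0444) on the master. The same happens whenever the play is interrupted for any other reason between the relax and the restore task. Wrap the relax, synchronize and local fix in a nested `block:` and move the master-side restore into its `always:` section, and drop `ignore_errors` so a failed copy is reported rather than hidden (if it is kept, write the boolean as `true`, per yamllint `truthy`). The hunk at `@@ -127,12 +145,24 @@` has the same structure and needs the same change. The enclosing block with its `when:` condition starts outside both hunks.
```yaml
    - block:
        - name: Relax the ta.key file permissions so that it can be copied around
          file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
          delegate_to: '{{ openvpn_master_host }}'

        # … unchanged: Get the ta key from the master host, without ignore_errors …

        - name: Fix the ta.key file permissions
          file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
      always:
        - name: Fix the ta.key file permissions on the master host
          file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
          delegate_to: '{{ openvpn_master_host }}'
```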