library/roles/openvpn: Try to cover the multi instance case, where one copy of the dh and the ta.key files must be shared between all the nodes.
This commit is contained in:
parent
f63a2231ff
commit
ac81ef9c32
|
@ -47,10 +47,15 @@ openvpn_ca: '/var/lib/acme/live/{{ ansible_fqdn }}/chain'
|
|||
openvpn_cert: '/var/lib/acme/live/{{ ansible_fqdn }}/cert'
|
||||
openvpn_key: '/var/lib/acme/live/{{ ansible_fqdn }}/privkey'
|
||||
|
||||
openvpn_ha: False
|
||||
# Not a real master. It is only the host where the dh.pem and ta.key are generated
|
||||
openvpn_master_host: 'localhost'
|
||||
openvpn_is_master_host: False
|
||||
|
||||
openvpn_compression_enabled: False
|
||||
openvpn_keepalive: '10 120'
|
||||
|
||||
openvpn_max_clients: 50
|
||||
openvpn_max_clients: 100
|
||||
openvpn_run_unprivileged: True
|
||||
openvpn_unprivileged_user: nobody
|
||||
openvpn_unprivileged_group: nogroup
|
||||
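Review bot: The new booleans `openvpn_ha: False` and `openvpn_is_master_host: False` (like the existing `openvpn_run_unprivileged: True`) use Python-style capitalised literals; YAML's canonical spelling is lowercase and yamllint's `truthy` rule rejects the capitalised form, so `openvpn_ha: false` and `openvpn_is_master_host: false` would be preferable. The `openvpn_master_host: 'localhost'` default also deserves a comment, because the tasks delegate the dh/ta copy to this host: left unchanged with openvpn_ha enabled, a non-master node would presumably try to fetch the files from the Ansible controller rather than from a VPN node. A line such as `# When openvpn_ha is true, set this to the inventory name of the node that generates dh2048.pem and ta.key` above the variable would make the requirement explicit.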
|
|
|
@ -71,6 +71,10 @@
|
|||
template: src=openvpn.conf.j2 dest={{ openvpn_conf_dir }}/{{ openvpn_conf_name }} owner=root group={{ openvpn_unprivileged_group }} mode=0440
|
||||
notify: Reload OpenVPN
|
||||
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
||||
|
||||
- block:
|
||||
- name: Create the dh file
|
||||
shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 ; chmod 444 {{ openvpn_conf_dir }}/dh2048.pem
|
||||
args:
|
||||
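Review bot: The dh generation task on line 84 chains its two commands with `;`, so when `openssl dhparam` fails the `chmod` still runs and the task reports chmod's exit status instead of the generation failure; `shell: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048 && chmod 444 {{ openvpn_conf_dir }}/dh2048.pem` keeps the first failure visible. The `- block:` opened on line 78 continues beyond the hunk, as does the task's `args:` mapping, so whether a `creates:` guard prevents the parameters from being regenerated on every run cannot be seen here.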
|
@ -81,8 +85,21 @@
|
|||
args:
|
||||
creates: '{{ openvpn_conf_dir }}/ta.key'
|
||||
|
||||
when: openvpn_is_master_host or not openvpn_ha
|
||||
tags: [ 'openvpn', 'openvpn_conf' ]
|
||||
|
||||
- block:
|
||||
- name: Get the dh file from the master host
|
||||
synchronize: src={{ openvpn_conf_dir }}/dh2048.pem dest=rsync://{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem mode=0440 owner=root group=root
|
||||
delegate_to: '{{ openvpn_master_host }}'
|
||||
|
||||
- name: Get the ta key from the master host
|
||||
synchronize: src={{ openvpn_conf_dir }}/ta.key dest=rsync://{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key mode=0440 owner=root group=root
|
||||
delegate_to: '{{ openvpn_master_host }}'
|
||||
|
||||
when: openvpn_ha and not openvpn_is_master_host
|
||||
tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
|
||||
|
||||
|
||||
- block:
|
||||
- name: Enable kernel forwarding
|
||||
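Review bot: The two synchronize tasks on lines 116 and 127 pass `mode=0440 owner=root group=root`, but in the synchronize module `mode` selects push/pull and `owner`/`group` are booleans, so these arguments will not set the file permissions and will most likely fail argument validation. Fetching ta.key through a `rsync://` daemon URL also moves the shared TLS-auth secret over an unauthenticated, unencrypted rsync daemon connection (and the first path component of such a URL is a daemon module name, not a filesystem path), which every node would need a running daemon for; with `delegate_to` already pointing at the master host, a plain `dest` path is pushed from the master over the existing SSH transport instead. Ownership and the 0440 mode can then be enforced with a `file` task after the copies, which also covers the archive default that would otherwise carry over the master's 0444 on dh2048.pem. The `- block:` that begins on the last line of the hunk continues outside it.

```yaml
- block:
    - name: Get the dh file from the master host
      synchronize: src={{ openvpn_conf_dir }}/dh2048.pem dest={{ openvpn_conf_dir }}/dh2048.pem
      delegate_to: '{{ openvpn_master_host }}'

    - name: Get the ta key from the master host
      synchronize: src={{ openvpn_conf_dir }}/ta.key dest={{ openvpn_conf_dir }}/ta.key
      delegate_to: '{{ openvpn_master_host }}'

    - name: Restrict the permissions of the shared dh and ta files
      file: dest={{ openvpn_conf_dir }}/{{ item }} owner=root group=root mode=0440
      with_items:
        - dh2048.pem
        - ta.key

  # … unchanged: when / tags of the block …
```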
|
|