---
# OpenVPN role tasks: packages, auth plugins, configuration files, the
# dh/ta shared secrets and the service state. Module arguments are written
# as native YAML mappings; file modes are quoted so they stay strings
# (a plain 0770 would be parsed as the integer 504).

- block:
    - name: Install the OpenVPN main packages
      apt:
        name: '{{ openvpn_pkgs }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # NOTE(review): all four subdirs are created 0770 and owned by the
    # unprivileged service user. Owning the directory lets that user
    # remove/replace the files later installed into auth/ (auth-ldap.conf,
    # auth-ldap) and ccd/ even though those files are root-owned 0440/0550.
    # Only ipp/ and status/ are written by the daemon; consider root-owned,
    # group-readable auth/ and ccd/ -- confirm against the templates first.
    - name: Create the auth, ipp, ccd and status subdirs
      file:
        path: '{{ openvpn_conf_dir }}/{{ item }}'
        state: directory
        owner: '{{ openvpn_unprivileged_user }}'
        group: root
        mode: '0770'
      with_items:
        - ipp
        - status
        - auth
        - ccd

  when: openvpn_enabled
  tags: openvpn

- block:
    # Only installed when RADIUS authentication is selected for this host.
    - name: Install the OpenVPN radius auth plugin package
      apt:
        name: '{{ openvpn_radius_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

  when: openvpn_radius_auth
  tags: [ 'openvpn', 'openvpn_radius' ]

- block:
    - name: Install the OpenVPN ldap auth plugin package
      apt:
        name: '{{ openvpn_ldap_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # Rendered from auth-ldap.conf.j2; root-owned and readable only by the
    # OpenVPN group (0440), presumably because it carries LDAP bind
    # settings -- confirm against the template.
    - name: Install the LDAP auth configuration file
      template:
        src: auth-ldap.conf.j2
        dest: '{{ openvpn_conf_dir }}/auth/auth-ldap.conf'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Reload OpenVPN

  when: openvpn_ldap_auth
  tags: [ 'openvpn', 'openvpn_ldap' ]

- block:
    # Counterpart of the install task above: when LDAP auth is switched
    # off the (credential-bearing) config must not linger on disk.
    - name: Remove the LDAP auth configuration file if LDAP is not used
      file:
        path: '{{ openvpn_conf_dir }}/auth/auth-ldap.conf'
        state: absent
      notify: Reload OpenVPN

  when: not openvpn_ldap_auth
  tags: [ 'openvpn', 'openvpn_ldap' ]

- block:
    - name: Install the perl libraries needed by the LDAP client authentication script
      apt:
        name: '{{ openvpn_perl_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # The auth script is executable by root and the OpenVPN group only
    # (0550); it is not world-readable so its logic/settings stay private.
    - name: Install the perl LDAP auth script
      template:
        src: auth-ldap.pl.j2
        dest: '{{ openvpn_conf_dir }}/auth/auth-ldap'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0550'

  when: openvpn_ldap_perl_auth
  tags: [ 'openvpn', 'openvpn_ldap' ]

- block:
    - name: Install the main OpenVPN configuration file on the servers
      template:
        src: server.conf.j2
        dest: '{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Restart OpenVPN

    # NOTE(review): the ccd file name is item.user used verbatim; a value
    # containing "/" or ".." would be written outside ccd/. Keep
    # openvpn_users_customizations under trusted control (or apply the
    # basename filter to item.user) -- confirm how the variable is sourced.
    - name: Install the custom configuration for specific OpenVPN users in the servers
      template:
        src: user-ccd.conf.j2
        dest: '{{ openvpn_conf_dir }}/ccd/{{ item.user }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      with_items: '{{ openvpn_users_customizations | default([]) }}'
      notify: Reload OpenVPN

    # easy-rsa is only needed where the CA lives: the master host, and
    # only when certificate authentication is in use.
    - name: Install the easy-rsa package on servers when we use the certificate authentication
      apt:
        name: easy-rsa
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800
      when:
        - openvpn_cert_auth_enabled
        - openvpn_is_master_host

  when: openvpn_mode == 'server'
  tags: [ 'openvpn', 'openvpn_conf' ]

- block:
    # Client counterpart of the server.conf task: same destination and
    # permissions, different template.
    - name: Install the main OpenVPN configuration file on the clients
      template:
        src: client.conf.j2
        dest: '{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Restart OpenVPN

  when: openvpn_mode != 'server'
  tags: [ 'openvpn', 'openvpn_conf' ]

- block:
    # /etc/default/openvpn is read by the init integration, hence the
    # systemd reload in addition to the service restart.
    - name: Install the OpenVPN init defaults
      template:
        src: openvpn-defaults.j2
        dest: /etc/default/openvpn
        owner: root
        group: root
        mode: '0444'
      notify:
        - Restart OpenVPN
        - Reload systemd

  tags: [ 'openvpn', 'openvpn_conf' ]

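- block:
    # Generate the shared secrets on the master host (or on a standalone
    # host when HA is off). The command module is used instead of shell:
    # no shell is involved, so a templated openvpn_conf_dir is never
    # subject to shell metacharacter interpretation, and the "cd &&"
    # idiom is replaced by the module's chdir argument. Both tasks stay
    # idempotent through "creates".
    - name: Create the dh file
      command: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
      args:
        creates: '{{ openvpn_conf_dir }}/dh2048.pem'

    # DH parameters are not secret; world-readable is fine.
    - name: Fix the dh file permissions
      file:
        path: '{{ openvpn_conf_dir }}/dh2048.pem'
        owner: root
        group: root
        mode: '0444'

    - name: Create the ta key
      command: openvpn --genkey --secret ta.key
      args:
        chdir: '{{ openvpn_conf_dir }}'
        creates: '{{ openvpn_conf_dir }}/ta.key'

    # ta.key is a symmetric secret: root-only read.
    - name: Fix the ta.key file permissions
      file:
        path: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'

  when: openvpn_is_master_host or not openvpn_ha
  tags: [ 'openvpn', 'openvpn_conf' ]
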
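- block:
    # Distribute the master's dh/ta files to the other HA servers.
    #
    # Previously ta.key was chmod'ed to 0444 on the master so that rsync
    # could read it, then tightened again with ignore_errors, which could
    # leave the secret world-readable on the master without any failure
    # being reported. Here the files are read on the master with slurp
    # (delegated, so it runs with the same privileges the former chmod
    # needed -- presumably root via become, confirm) and written locally
    # with copy, so the master's permissions are never relaxed and the key
    # never transits rsync. Reaching the master remains best effort, as
    # before: a failed fetch is ignored, and the local file is only
    # rewritten when a fetch actually returned content.
    - name: Get the dh file from the master host
      slurp:
        src: '{{ openvpn_conf_dir }}/dh2048.pem'
      delegate_to: '{{ openvpn_master_host }}'
      register: openvpn_master_dh
      ignore_errors: true

    - name: Install the dh file fetched from the master host
      copy:
        content: '{{ openvpn_master_dh.content | b64decode }}'
        dest: '{{ openvpn_conf_dir }}/dh2048.pem'
        owner: root
        group: root
        mode: '0444'
      when: openvpn_master_dh.content is defined

    # no_log keeps the key material out of the play output/log.
    - name: Get the ta key from the master host
      slurp:
        src: '{{ openvpn_conf_dir }}/ta.key'
      delegate_to: '{{ openvpn_master_host }}'
      register: openvpn_master_ta
      ignore_errors: true
      no_log: true

    - name: Install the ta key fetched from the master host
      copy:
        content: '{{ openvpn_master_ta.content | b64decode }}'
        dest: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'
      when: openvpn_master_ta.content is defined
      no_log: true

    # Kept deliberately without ignore_errors: it also fails the play when
    # no ta.key is present locally at all (neither fetched nor pre-existing).
    - name: Fix the ta.key file permissions
      file:
        path: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'

    # Reconciles a master key left at 0444 by earlier runs of this role.
    - name: Fix the ta.key file permissions on the master host
      file:
        path: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'
      delegate_to: '{{ openvpn_master_host }}'
      ignore_errors: true

  when:
    - openvpn_ha
    - not openvpn_is_master_host
  tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
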
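- block:
    # Distribute the master's dh/ta files to the clients.
    #
    # Same approach as for the HA servers: ta.key is read on the master
    # with slurp (delegated; presumably root via become, confirm) and
    # written locally with copy, instead of being made world-readable on
    # the master for rsync. As in the original, fetching the dh file is
    # not tolerant to a failure while fetching the ta key is; the local
    # ta.key is only rewritten when a fetch actually returned content.
    - name: Get the dh file from the master host
      slurp:
        src: '{{ openvpn_conf_dir }}/dh2048.pem'
      delegate_to: '{{ openvpn_master_host }}'
      register: openvpn_master_dh

    - name: Install the dh file fetched from the master host
      copy:
        content: '{{ openvpn_master_dh.content | b64decode }}'
        dest: '{{ openvpn_conf_dir }}/dh2048.pem'
        owner: root
        group: root
        mode: '0444'

    # no_log keeps the key material out of the play output/log.
    - name: Get the ta key from the master host
      slurp:
        src: '{{ openvpn_conf_dir }}/ta.key'
      delegate_to: '{{ openvpn_master_host }}'
      register: openvpn_master_ta
      ignore_errors: true
      no_log: true

    - name: Install the ta key fetched from the master host
      copy:
        content: '{{ openvpn_master_ta.content | b64decode }}'
        dest: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'
      when: openvpn_master_ta.content is defined
      no_log: true

    # Kept deliberately without ignore_errors: it also fails the play when
    # no ta.key is present locally at all (neither fetched nor pre-existing).
    - name: Fix the ta.key file permissions
      file:
        path: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'

    # Reconciles a master key left at 0444 by earlier runs of this role.
    - name: Fix the ta.key file permissions on the master host
      file:
        path: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'
      delegate_to: '{{ openvpn_master_host }}'

  when: openvpn_mode != 'server'
  tags: [ 'openvpn', 'openvpn_conf', 'openvpn_shared_secrets' ]
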
- block:
    # Values are quoted so the sysctl module receives the same string
    # it got from the former key=value form.
    - name: Enable kernel forwarding
      sysctl:
        name: '{{ item }}'
        value: '1'
        reload: true
        state: present
      with_items:
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding
      when:
        - openvpn_enable_system_forward
        - openvpn_enabled

    # NOTE(review): this switches ip_forward off whenever
    # openvpn_enable_system_forward is false, without regard to other
    # services on the host that may depend on forwarding -- confirm that
    # is intended before running the role on shared hosts.
    - name: Disable kernel forwarding
      sysctl:
        name: '{{ item }}'
        value: '0'
        reload: true
        state: present
      with_items:
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding
      when: not openvpn_enable_system_forward

    - name: Ensure that the OpenVPN service is enabled and running
      service:
        name: openvpn
        state: started
        enabled: true
      when: openvpn_enabled

    - name: Ensure that the OpenVPN service is stopped and disabled
      service:
        name: openvpn
        state: stopped
        enabled: false
      when: not openvpn_enabled

  tags: openvpn