Diffstat (limited to 'roles/openvpn/tasks')
-rw-r--r--roles/openvpn/tasks/config.yml28
-rw-r--r--roles/openvpn/tasks/keys.yml13
-rw-r--r--roles/openvpn/tasks/main.yml62
3 files changed, 103 insertions, 0 deletions
diff --git a/roles/openvpn/tasks/config.yml b/roles/openvpn/tasks/config.yml
new file mode 100644
index 0000000..67fdfa1
--- /dev/null
+++ b/roles/openvpn/tasks/config.yml
@@ -0,0 +1,28 @@
+- name: create openvpn configuration directory
+ file: path="{{openvpn_dir}}" state=directory
+
+- name: create openvpn key directory
+ file: path="{{openvpn_keydir}}" state=directory
+
+- name: create openvpn client config directory
+ file: path="{{openvpn_ccdir}}" state=directory
+ when: openvpn_servers in group_names
+
+- name: copy templates
+ template: src="{{item}}" dest="{{openvpn_ccdir}}/{{ item | basename | regex_replace('\.j2','') }}" owner=root group=root mode="0644"
+ with_fileglob:
+ - ../templates/{{ openvpn_config }}/ccd/*
+ when: openvpn_servers in group_names
+
+- name: generate cluster templates
+ template: src="{{ openvpn_config }}/ccd.j2" dest="{{openvpn_ccdir}}/{{ hostvars[item]['ansible_hostname'] }}" owner=root group=root mode="0644"
+ vars:
+ id: "{{ hostvars[item]['ands_host_id'] }}"
+ with_inventory_hostnames:
+ - nodes:!{{openvpn_servers}}
+ when: openvpn_servers in group_names
+
+- name: create openvpn config file
+ template: src="{{ openvpn_config }}/{{ (openvpn_servers in group_names) | ternary('openvpn_server.j2', 'openvpn_client.j2') }}" dest="{{ openvpn_config_file }}" owner=root group=root
+ notify:
+ - openvpn
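Review bot: `create openvpn config file` renders the server/client config with no `mode`, so the file takes the remote default umask; if `openvpn_server.j2` or `openvpn_client.j2` inlines any key material (`tls-auth`/`tls-crypt` or `<key>` blocks — the templates are not part of this change) that material becomes world-readable, so pin `mode="0600"` there the way the other template tasks in this file already pin `mode="0644"`. Style: every task here uses the one-line `key=value` shorthand; Ansible's convention is a YAML mapping for module arguments (`template:` with `src:`, `dest:`, `owner:`, `group:`, `mode:` keys), which also removes the nested quoting around `regex_replace('\.j2','')` in `copy templates`. The three identical `when: openvpn_servers in group_names` guards could be stated once by wrapping those tasks in a `block:`.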
diff --git a/roles/openvpn/tasks/keys.yml b/roles/openvpn/tasks/keys.yml
new file mode 100644
index 0000000..dd9f4ec
--- /dev/null
+++ b/roles/openvpn/tasks/keys.yml
@@ -0,0 +1,13 @@
+- name: Copy CA private key
+ copy: src="ca/ca.key" dest="{{openvpn_keydir}}/" owner="root" group="root" mode="0400"
+
+- name: OpenSSL generate request
+ command: openssl req -subj '/CN={{ ansible_hostname }}' -new -keyout "node.key" -out "node.csr" -batch -nodes chdir="{{openvpn_keydir}}" creates="{{openvpn_keydir}}/node.csr"
+
+- name: Generate CA serial file
+ copy: content="01" dest="{{openvpn_keydir}}/ca.srl"
+
+- name: OpenSSL sign the request
+ command: openssl x509 -req -days 3650 -in "node.csr" -CA "ca.crt" -CAkey "ca.key" -out "node.crt" chdir="{{openvpn_keydir}}" creates="{{openvpn_keydir}}/node.crt"
+ notify:
+ - openvpn
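Review bot: The CA private key is pushed to every managed node (`copy: src="ca/ca.key"` at the top of the hunk) so the node can sign its own certificate, which means each host transiently holds the key that can issue arbitrary certificates for this VPN, and if `OpenSSL sign the request` fails the play aborts before main.yml's `Ensure CA key is removed` task runs, leaving `ca.key` on disk. Signing belongs on the controller: `fetch` `node.csr`, run the `openssl x509 -req` step with `delegate_to: localhost`, and copy back only `node.crt`, so `ca.key` never leaves the control machine. Separately, `copy: content="01" dest="{{openvpn_keydir}}/ca.srl"` gives every node's certificate serial number 01 under the same CA; duplicate serials break CRL-based revocation and are rejected by some TLS stacks, so the serial must be unique per host — a single serial file on the controller once signing is centralised, or something like `content="{{ '%02x' | format(ands_host_id | int) }}"` if `ands_host_id` (referenced in config.yml) is unique per host. The same key-handling concern applies to the cleanup task in main.yml, so I have not repeated it there.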
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
new file mode 100644
index 0000000..df49976
--- /dev/null
+++ b/roles/openvpn/tasks/main.yml
@@ -0,0 +1,62 @@
+---
+- name: Ensure OpenVPN and OpenSSL are installed
+ yum: name={{item}} state=present
+ with_items:
+ - openvpn
+ - openssl
+
+- name: copy openvpn logrotate config file
+ copy: src="openvpn_logrotate.conf" dest="/etc/logrotate.d/openvpn.conf" owner="root" group="root" mode="0400"
+
+- name: Copy CA certificate and the keys
+ copy: src="{{ item }}" dest="{{openvpn_keydir}}/" owner="root" group="root" mode="0400"
+ with_fileglob:
+ - ca/ca.crt
+ - keys/*
+
+- name: Check if OpenSSL certificate is already generated
+ stat: path="{{ openvpn_keydir }}/node.crt"
+ register: result
+
+- name: setup openvpn keys
+ include: keys.yml
+ when: result.stat.exists == False
+
+- name: Ensure CA key is removed
+ file: path="{{openvpn_keydir}}/ca.key" state=absent
+
+- name: setup openvpn configuration
+ include: config.yml
+
+- name: Ensure OpenVPN service is enabled
+ service: name="{{openvpn_service}}" enabled=yes
+
+- name: Check if we already reconfigured SystemD Unit
+ stat: path={{ item }}
+ register: result
+ vars:
+ item: "/etc/systemd/system/{{openvpn_service}}"
+
+- name: Copy SystemD Unit
+ copy: src="/usr/lib/systemd/system/openvpn@.service" dest="{{ item }}" remote_src=true
+ vars:
+ item: "/etc/systemd/system/{{openvpn_service}}"
+ when: result.stat.exists == False
+
+- name: Re-configure systemd to start OpenVPN after origin-node
+ lineinfile: dest="/etc/systemd/system/{{openvpn_service}}" regexp="^After=" line="After=network.target origin-node.service" state=present
+ notify: daemon-reload
+
+- name: Ensure OpenVPN service is running
+ service: name="{{openvpn_service}}" state=started
+
+- name: Ensure firewalld is running
+ service: name=firewalld state=started enabled=yes
+ when: openvpn_servers in group_names
+
+- name: Configure firewalld
+ firewalld: port="{{openvpn_port}}/tcp" state="enabled" permanent="true" immediate="true"
+ notify:
+ - firewalld
+ when: openvpn_servers in group_names
+
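Review bot: `Configure firewalld` opens `{{openvpn_port}}/tcp` while OpenVPN's default transport is UDP; unless `openvpn_server.j2` sets `proto tcp` (the template is not in this change) the rule opens the wrong protocol and the server stays unreachable, so either carry the protocol in a variable next to the port (a new variable such as `openvpn_proto`, used as `port="{{openvpn_port}}/{{openvpn_proto}}"`) or document the TCP assumption in a comment above the task. The two `when: result.stat.exists == False` conditions (`setup openvpn keys`, `Copy SystemD Unit`) should read `when: not result.stat.exists`, and since both `stat` tasks `register: result` the second silently shadows the first; distinct names (`node_crt`, `systemd_unit`) make the conditions self-describing. `enabled=yes` on the two `service` tasks should be `enabled: true` so the boolean does not depend on YAML 1.1 truthy parsing.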