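---
# OpenVPN server on OpenBSD with a shellpki-managed CA and optional NRPE checks.
# Booleans are written as true/false (the original used yes/no), passwords are
# passed through `environment:` instead of the shell command line, and the
# tasks that carry a password are marked `no_log` so it does not land in the
# play output or logs.

- name: Install OpenVPN
  community.general.openbsd_pkg:
    name: openvpn--
  when: ansible_distribution == 'OpenBSD'

- name: Create /etc/openvpn
  ansible.builtin.file:
    dest: "/etc/openvpn"
    state: directory
    owner: root
    group: wheel
    mode: "0755"

- name: Create the shellpki user
  ansible.builtin.user:
    name: _shellpki
    system: true
    create_home: false
    home: "/etc/shellpki"
    shell: "/sbin/nologin"

# NOTE(review): the CA directory itself is world-readable (0755); key material
# is expected under private/ (see "Get the server key"), which shellpki is
# presumed to create with tighter permissions — confirm before relying on it.
- name: Create /etc/shellpki
  ansible.builtin.file:
    dest: "/etc/shellpki"
    state: directory
    owner: _shellpki
    group: _shellpki
    mode: "0755"

- name: Copy shellpki files
  ansible.builtin.copy:
    src: "shellpki/{{ item.source }}"
    dest: "{{ item.destination }}"
    mode: "{{ item.mode }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
  loop:
    - source: "openssl.cnf"
      destination: "/etc/shellpki/openssl.cnf"
      mode: "0640"
      owner: "_shellpki"
      group: "_shellpki"
    - source: "shellpki"
      destination: "/usr/local/sbin/shellpki"
      mode: "0750"
      owner: "root"
      group: "wheel"

# Members of _shellpki may run only the shellpki binary as root; `validate`
# makes sure a broken line never replaces a working sudoers.
- name: Add sudo rights
  ansible.builtin.lineinfile:
    dest: "/etc/sudoers"
    regexp: '/usr/local/sbin/shellpki'
    line: "%_shellpki ALL = (root) /usr/local/sbin/shellpki"
    validate: 'visudo -cf %s'

- name: Deploy OpenVPN client config template
  ansible.builtin.template:
    src: "ovpn.conf.j2"
    dest: "/etc/shellpki/ovpn.conf"
    mode: "0640"
    owner: _shellpki
    group: _shellpki

- name: Generate dhparam
  community.crypto.openssl_dhparam:
    path: /etc/shellpki/dh2048.pem
    size: 2048

- name: Deploy OpenVPN server config
  ansible.builtin.template:
    src: "server.conf.j2"
    dest: "/etc/openvpn/server.conf"
    mode: "0600"
    owner: root
    group: wheel

# Each line is appended only if absent; `pfctl -nf` rejects a syntactically
# broken ruleset before it is written.
- name: Configure PacketFilter
  ansible.builtin.lineinfile:
    dest: "/etc/pf.conf"
    line: "{{ item }}"
    validate: 'pfctl -nf %s'
  notify: reload packetfilter
  loop:
    - "# OpenVPN"
    - "pass in quick on $ext_if proto udp from any to self port 1194"

- name: Create a cron to rotate the logs
  ansible.builtin.cron:
    name: "OpenVPN logs rotation"
    weekday: "6"
    hour: "4"
    minute: "0"
    job: "cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo \"$(date +\\%F' '\\%R) - logfile turned over via cron\" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name \"openvpn.log.*\" -mtime +365 -exec rm {} \\+"

# The management password is reused from a previous run when the file already
# exists, so re-running the role no longer rotates it (and no longer rewrites
# the NRPE config and restarts nrpe on every run).
- name: Check for an existing management password
  ansible.builtin.stat:
    path: "/etc/openvpn/management-pwd"
  check_mode: false
  register: management_pwd_file

- name: Read the existing management password
  ansible.builtin.slurp:
    src: "/etc/openvpn/management-pwd"
  register: management_pwd_content
  when: management_pwd_file.stat.exists
  no_log: true

# The file is written without a trailing newline (see the copy task below),
# so the decoded content is the password itself.
- name: Generate a password for the management interface
  ansible.builtin.set_fact:
    management_pwd: "{{ (management_pwd_content.content | b64decode) if management_pwd_file.stat.exists else lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
  no_log: true

- name: Set the management password
  ansible.builtin.copy:
    dest: "/etc/openvpn/management-pwd"
    content: "{{ management_pwd }}"
    mode: "0600"
    owner: root
    group: wheel
  no_log: true

- name: Enable openvpn service
  ansible.builtin.service:
    name: openvpn
    enabled: true

- name: Set openvpn flags
  ansible.builtin.lineinfile:
    dest: /etc/rc.conf.local
    regexp: "^openvpn_flags="
    line: "openvpn_flags=--daemon --config /etc/openvpn/server.conf"
    create: true

# The NRPE checks are only deployed when the evolix NRPE config is present.
- name: Is NRPE installed ?
  ansible.builtin.stat:
    path: "/etc/nrpe.d/evolix.cfg"
  check_mode: false
  register: nrpe_evolix_config

- name: Install NRPE check dependencies
  community.general.openbsd_pkg:
    name: p5-Net-Telnet
  when: nrpe_evolix_config.stat.exists

- name: Install OpenVPN NRPE check
  ansible.builtin.copy:
    src: "files/check_openvpn_openbsd.pl"
    dest: "/usr/local/libexec/nagios/plugins/check_openvpn.pl"
    mode: "0755"
    owner: root
    group: wheel
  when: nrpe_evolix_config.stat.exists

# NOTE(review): this line embeds the management password in a 0644 file and on
# the check's command line (visible in the process list while it runs). The
# file mode is probably dictated by the NRPE role that owns evolix.cfg — confirm
# before tightening it to root:_nrpe 0640.
- name: Configure NRPE OpenVPN check
  ansible.builtin.lineinfile:
    dest: "/etc/nrpe.d/evolix.cfg"
    regexp: '^command\[check_openvpn\]='
    line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
    create: true
    mode: "0644"
    owner: root
    group: wheel
  notify: restart nrpe
  when: nrpe_evolix_config.stat.exists
  no_log: true

- name: Install OpenVPN certificates NRPE check
  ansible.builtin.copy:
    src: "files/check_openvpn_certificates.sh"
    dest: "/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
    mode: "0755"
    owner: root
    group: wheel
  when: nrpe_evolix_config.stat.exists

# doas rule is limited to this one script; `doas -C` validates the file first.
- name: Add doas rights for NRPE check
  ansible.builtin.lineinfile:
    dest: "/etc/doas.conf"
    regexp: 'check_openvpn_certificates.sh'
    line: "permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
    validate: 'doas -C %s'
  when: nrpe_evolix_config.stat.exists

- name: Configure NRPE certificates check
  ansible.builtin.lineinfile:
    dest: "/etc/nrpe.d/evolix.cfg"
    regexp: '^command\[check_openvpn_certificates\]='
    line: "command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
  notify: restart nrpe
  when: nrpe_evolix_config.stat.exists

- name: Copy script to check expirations
  ansible.builtin.copy:
    src: "shellpki/cert-expirations.sh"
    dest: "/usr/share/scripts/cert-expirations.sh"
    mode: "0700"
    owner: root
    group: wheel

- name: Install cron to warn about certificates expiration
  ansible.builtin.cron:
    name: "OpenVPN certificates expiration"
    special_time: monthly
    job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'

# The CA password is generated once per run and only ever shown in the final
# pause prompt; it is not stored anywhere by this role.
- name: Generate the CA password
  ansible.builtin.set_fact:
    ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}"
  check_mode: false
  changed_when: false
  no_log: true

# The password is handed to shellpki through the task environment rather than
# as a `CA_PASSWORD=... cmd` prefix, so it is not part of the command string
# recorded in the task result. `no_log` also hides the task output (including
# any failure message) — drop it temporarily when debugging.
# NOTE(review): these shell tasks run on every play; add a `creates:` guard
# once the files shellpki produces are confirmed.
- name: Initialization of the CA
  ansible.builtin.shell:
    cmd: 'shellpki init --non-interactive {{ ansible_fqdn }}'
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true

- name: Creation of the server's certificate
  ansible.builtin.shell:
    cmd: 'shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}'
  environment:
    CA_PASSWORD: "{{ ca_pwd }}"
  no_log: true

# Picks the most recently modified entry in private/, assumed to be the server
# key just created by the previous task (the register name `ca_key` is kept
# because the next task reads it).
- name: Get the server key
  ansible.builtin.shell:
    cmd: 'ls -tr /etc/shellpki/private/ | tail -1'
  register: ca_key
  check_mode: false
  changed_when: false

- name: Configure the server key
  ansible.builtin.replace:
    path: /etc/openvpn/server.conf
    regexp: 'key /etc/shellpki/private/TO_COMPLETE'
    replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}'

- name: Restart OpenVPN
  ansible.builtin.service:
    name: openvpn
    state: restarted

- name: Warn the user about manual checks
  ansible.builtin.pause:
    prompt: |
      /!\ WARNING /!\
      You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn".
      The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN.
      Take note of the generated CA password and store it in your password manager : {{ ca_pwd }}

      Press enter to exit when it's done.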