forked from evolix/ansible-roles
Add the first version of OpenVPN role
This commit is contained in:
parent
db683ea9c3
commit
8ad8c2c798
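--- /dev/null
+++ b/openvpn/README.md
@@ -0,0 +1,13 @@
+# OpenVPN
+
+Installation and custom configuration of OpenVPN server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+NOTE: Make sure you have already cloned shellpki in ~/GIT/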
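--- /dev/null
+++ b/openvpn/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+openvpn_lan: "192.168.42.0"
+openvpn_netmask: "255.255.255.0"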
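--- /dev/null
+++ b/openvpn/files/shellpki
@@ -0,0 +1 @@
+/home/tpilat/GIT/shellpki/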
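Review bot: `openvpn/files/shellpki` is committed as a symlink to `/home/tpilat/GIT/shellpki/`, an absolute path inside one developer's home directory, so on any other control node the link dangles and the `Copy some shellpki files` task in tasks/main.yml (which reads `files/shellpki/openssl.cnf` and `files/shellpki/shellpki.sh`) fails; where it does resolve, the role deploys whatever is checked out there, unreviewed and unpinned. A role that installs a CA script to be run as root through sudo should ship a reviewed copy: vendor the two files into `openvpn/files/shellpki/`, or fetch them with a `git` task pinned to a specific commit, and drop the symlink. The README line `Make sure you have already cloned shellpki in ~/GIT/` would then become unnecessary.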
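--- /dev/null
+++ b/openvpn/files/sudo_shellpki
@@ -0,0 +1 @@
+%shellpki ALL = (root) /usr/local/sbin/shellpki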
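Review bot: The rule carries no comment saying what it grants, and what it grants is broad: every member of group `shellpki` may run `/usr/local/sbin/shellpki` as root with any arguments (a password is still required, since no `NOPASSWD` tag is set), so the whole CA script — whose contents are not part of this commit — becomes a privilege boundary. I would add `# Members of group shellpki may run the CA tool as root (password required); keep the script and /etc/shellpki/openssl.cnf root-owned and not writable by the group.` above the rule. Nothing in tasks/main.yml adds an administrator to that group (the group presumably comes from the `shellpki` system user the role creates), so the rule is inert until someone is added by hand — worth stating in the README. The `validate: '/usr/sbin/visudo -cf %s'` on the deploying task is the right safeguard against a malformed file locking sudo.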
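--- /dev/null
+++ b/openvpn/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart openvpn
+  service:
+    name: openvpn
+    state: restarted
+
+- name: restart minifirewall
+  command: /etc/init.d/minifirewall restart
+  register: minifirewall_init_restart
+  failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+  changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"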
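--- /dev/null
+++ b/openvpn/meta/main.yml
@@ -0,0 +1,19 @@
+galaxy_info:
+  author: Evolix
+  description: Installation and custom configuration of OpenVPN server.
+
+  issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.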
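Review bot: `dependencies: []` declares no role dependencies, yet tasks/main.yml does `include_role: name: minifirewall`, so the requirement is invisible to anyone reading this metadata or installing the role from it, and a play without the minifirewall role on the roles path fails at that task. The include presumably has to stay in tasks because it follows a `set_fact` that seeds the `minifirewall_tail_*` variables, which a plain `dependencies` entry would run too early; if so, document it here with `# Requires the minifirewall role on the roles path: tasks/main.yml includes it after seeding the minifirewall_tail_* facts.` above `dependencies: []`, and repeat it in the README.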
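--- /dev/null
+++ b/openvpn/tasks/main.yml
@@ -0,0 +1,78 @@
+---
+- name: Install OpenVPN package
+  apt:
+    name: "openvpn"
+  tags:
+    - openvpn
+
+- name: Deploy OpenVPN configuration
+  template:
+    src: "server.conf.j2"
+    dest: "/etc/openvpn/server.conf"
+    mode: "0600"
+  notify: restart openvpn
+  tags:
+    - openvpn
+
+- set_fact:
+    minifirewall_tail_included: True
+    minifirewall_tail_file: /etc/default/minifirewall.tail
+
+- include_role:
+    name: minifirewall
+  tags:
+    - openvpn
+
+- name: Allow OpenVPN input
+  blockinfile:
+    dest: "{{ minifirewall_tail_file }}"
+    marker: "# {mark} INPUT OPENVPN"
+    block: |
+      /sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+  notify: restart minifirewall
+  tags:
+    - openvpn
+
+- name: Create /etc/shellpki directory
+  file:
+    path: /etc/shellpki
+    state: directory
+    owner: "root"
+    group: "root"
+    mode: "0755"
+  tags:
+    - openvpn
+
+- name: Create shellpki user
+  user:
+    name: "shellpki"
+    system: yes
+    state: present
+    home: "/etc/shellpki/"
+    shell: "/usr/sbin/nologin"
+  tags:
+    - openvpn
+
+- name: Copy some shellpki files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: "{{ item.mode }}"
+    force: yes
+  with_items:
+    - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+    - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+  tags:
+    - openvpn
+
+- name: Verify shellpki sudoers file presence
+  copy:
+    src: "sudo_shellpki"
+    dest: "/etc/sudoers.d/shellpki"
+    force: true
+    mode: "0440"
+    validate: '/usr/sbin/visudo -cf %s'
+  tags:
+    - openvpn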
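Review bot: The `set_fact` task that seeds `minifirewall_tail_included` and `minifirewall_tail_file` has no `tags:` while every other task and the `include_role` are tagged `openvpn`, so a run with `--tags openvpn` skips it: the following `blockinfile` then references an undefined `minifirewall_tail_file`, and the minifirewall role is included without `minifirewall_tail_included: True`, so the OpenVPN ACCEPT rule may never be loaded (the VPN stays closed rather than open, but the run is broken). Give it a name and the same tag, e.g. `- name: Enable the minifirewall tail file for OpenVPN rules` before `set_fact:` and `tags:` / `- openvpn` after it, matching the other tasks. The UDP port 1194 is hard-coded both in the iptables line here and in `server.conf.j2`; an `openvpn_port: 1194` default used in both places keeps them from drifting (and the rule is IPv4-only, which is fine as long as `local` binds an IPv4 address as the template does). The `Deploy OpenVPN configuration` task sets `mode: "0600"` but no `owner`/`group`; stating `owner: root` and `group: root` explicitly, as the other file tasks do, documents who is meant to read a file that the template points at the server's private key.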
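--- /dev/null
+++ b/openvpn/templates/server.conf.j2
@@ -0,0 +1,27 @@
+user nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-128-CBC # AES
+#comp-lzo
+# compress (à partir d'OpenVPN 2.4)
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status.log
+log-append /var/log/openvpn/openvpn.log
+
+ca /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key /etc/shellpki/private/{{ ansible_fqdn }}.key
+dh /etc/shellpkca/dh2048.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
+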
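Review bot: `dh /etc/shellpkca/dh2048.pem` points into a directory nothing else uses — `ca`, `cert` and `key` all live under `/etc/shellpki/`, and tasks/main.yml only creates `/etc/shellpki` — so this looks like a typo for `dh /etc/shellpki/dh2048.pem`, and OpenVPN will presumably refuse to start when the file is missing. Beyond that, the server relies on defaults for everything except `cipher AES-128-CBC`: there is no `tls-auth`/`tls-crypt` key to drop unauthenticated UDP packets before the TLS handshake, no `auth` directive (OpenVPN's default HMAC is SHA1), and no `tls-version-min 1.2`; at minimum I would add `auth SHA256` and `tls-version-min 1.2`, and consider `tls-crypt /etc/shellpki/ta.key` once the PKI tooling provisions that key. Keeping `comp-lzo` commented out is right; the French comment `# compress (à partir d'OpenVPN 2.4)` should be in English like the rest of the role, e.g. `# compress (OpenVPN 2.4 and later)`.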