diff --git a/CHANGELOG b/CHANGELOG
index 58778f3..a2a2949 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -19,6 +19,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Removed
+- openvpn : deleted this deprecated role ; use the one provided in the ansible-roles repo
+
 ## [21.12] - 2021-12-17
 ### Changed
diff --git a/evolixisation.yml b/evolixisation.yml
index b07d5f2..a086e3d 100644
--- a/evolixisation.yml
+++ b/evolixisation.yml
@@ -28,7 +28,6 @@
 - nagios-nrpe
 - evocheck
 - post-install
- # - openvpn
 # - ospf
 # - bgp
 # - { role: collectd, collectd_server: "127.0.0.1" }
diff --git a/roles/openvpn/README.md b/roles/openvpn/README.md
deleted file mode 100644
index 18b459f..0000000
--- a/roles/openvpn/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# OpenVPN
-
-Installation and custom configuration of OpenVPN server.
-
-## Tasks
-
-Everything is in the `tasks/main.yml` file.
-
-## Available variables
-
-The full list of variables (with default values) can be found in `defaults/main.yml`.
-
-NOTE: Make sure you have already cloned shellpki in ~/GIT/
diff --git a/roles/openvpn/defaults/main.yml b/roles/openvpn/defaults/main.yml
deleted file mode 100644
index dbf2f80..0000000
--- a/roles/openvpn/defaults/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-openvpn_lan: "192.168.42.0"
-openvpn_netmask: "255.255.255.0"
diff --git a/roles/openvpn/files/check_openvpn.pl b/roles/openvpn/files/check_openvpn.pl
deleted file mode 100755
index 78e0cdb..0000000
--- a/roles/openvpn/files/check_openvpn.pl
+++ /dev/null
@@ -1,215 +0,0 @@
-#!/usr/bin/perl -w
-
-#######################################################################
-#
-# Copyright (c) 2007 Jaime Gascon Romero
-#
-# License Information:
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-#
-# $Id: check_openvpn.pl,v 1.1 2014/09/29 08:39:24 rdessort Exp $
-# $Revision: 1.1 $
-# Home Site: http://emergeworld.blogspot.com/
-# #####################################################################
-
-use diagnostics;
-use strict;
-use Net::Telnet ();
-use Getopt::Long qw(:config no_ignore_case);
-use vars qw($PROGNAME $VERSION);
-use lib "/usr/local/libexec/nagios/";
-use utils qw(%ERRORS);
-
-$PROGNAME = "check_openvpn";
-$VERSION = '$Revision: 1.1 $';
-
-$ENV{'PATH'}='';
-$ENV{'BASH_ENV'}='';
-$ENV{'ENV'}='';
-
-my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
-
-sub print_help ();
-sub print_usage ();
-
-GetOptions
- ("h" => \$opt_h, "help" => \$opt_h,
- "H=s" => \$opt_H, "host=s" => \$opt_H,
- "p=i" => \$opt_p, "port=i" => \$opt_p,
- "P=s" => \$opt_P, "password=s" => \$opt_P,
- "t=i" => \$opt_t, "timeout=i" => \$opt_t,
- "i" => \$opt_i, "ip" => \$opt_i,
- "n" => \$opt_n, "numeric" => \$opt_n,
- "c" => \$opt_c, "critical" => \$opt_c,
- "w" => \$opt_w, "warning" => \$opt_w,
- "C=s" => \$opt_C, "common_name=s" => \$opt_C,
- "r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
- ) or exit $ERRORS{'UNKNOWN'};
-
-# default values
-unless ( defined $opt_t ) {
- $opt_t = 10;
-}
-
-if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
-
-if ( ! defined($opt_H) || ! defined($opt_p) ) {
- print_usage();
- exit $ERRORS{'UNKNOWN'}
-}
-
-my @lines;
-my @clients;
-my @clients_ip;
-my $t;
-
-eval {
-$t = new Net::Telnet (Timeout => $opt_t,
- Port => $opt_p,
- Prompt => '/END$/'
- );
-$t->open($opt_H);
-if ( defined $opt_P ) {
- $t->waitfor('/ENTER PASSWORD:$/');
- $t->print($opt_P);
-}
-$t->waitfor('/^$/');
-@lines = $t->cmd("status 2");
-$t->close;
-};
-
-if ($@) {
- print "OpenVPN Critical: Can't connect to server\n";
- exit $ERRORS{'CRITICAL'};
-}
-
-
-if (defined $opt_i || defined $opt_r) {
- foreach (@lines) {
- if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
- push @clients_ip, $1;
- }
-}
- if (defined $opt_i) {
- print "OpenVPN OK: "."@clients_ip ";
- exit $ERRORS{'OK'};
- } elsif (defined $opt_r) {
- if ( ! grep /\b$opt_r\b/, @clients_ip) {
- if (defined $opt_c) {
- print "OpenVPN CRITICAL: $opt_r don't found";
- exit $ERRORS{'CRITICAL'};
- } else {
- print "OpenVPN WARNING: $opt_r don't found";
- exit $ERRORS{'WARNING'};
- }
- }
- print "OpenVPN OK: "."@clients_ip ";
- exit $ERRORS{'OK'};
- }
-}
-
-foreach (@lines) {
- if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
- push @clients, $1;
- }
-}
-
-if (defined $opt_C) {
- if ( ! grep /\b$opt_C\b/, @clients) {
- if (defined $opt_c) {
- print "OpenVPN CRITICAL: $opt_C don't found";
- exit $ERRORS{'CRITICAL'};
- } else {
- print "OpenVPN WARNING: $opt_C don't found";
- exit $ERRORS{'WARNING'};
- }
- }
-}
-
-
-if (defined $opt_n) {
-print "OpenVPN OK: ".@clients." 
connected clients."; -exit $ERRORS{'OK'}; -} - -print "OpenVPN OK: "."@clients "; -exit $ERRORS{'OK'}; - -####################################################################### -###### Subroutines #################################################### - -sub print_usage() { - print "Usage: $PROGNAME -H | --host -p | --port [-P | --password] [-t | --timeout] - [-i | --ip] [-n | --numeric] [-C | --common_name] [-r | --remote_ip] [-c | --critical] [-w | --warning]\n\n"; - print " $PROGNAME [-h | --help]\n"; -} - -sub print_help() { - print "$PROGNAME $VERSION\n\n"; - print "Copyright (c) 2007 Jaime Gascon Romero - -Nagios plugin to check the clients connected to a openvpn server. - -"; - print_usage(); - print " --H | --host - IP address or hostname of the openvpn server. - --p | --port - Management port interface of the openvpn server. - --P | --password - Password for the management interface of the openvpn server. - --t | --timeout - Timeout for the connection attempt. Optional, default 10 seconds. - - - Optional parameters - =================== - --i | --ip - Prints the IP address of the remote client instead of the common name. - --n | --numeric - Prints the number of clients connected to the openvpn server. - - - Matching Parameters - =================== - --C | --common_name - The common name, as it is specified in the client certificate, who is wanted to check. - --r | --remote_ip - The client remote ip address who is wanted to check. - --c | --critical - Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected. - --w | --warning - Exits with WARNING status if the client specified by the common name or the remote ip address is not connected. - - - Other Parameters - ================ - --h | --help - Show this help. -"; - -} - -# vim:sts=2:sw=2:ts=2:et 
diff --git a/roles/openvpn/files/check_openvpn_certificates.sh b/roles/openvpn/files/check_openvpn_certificates.sh
deleted file mode 100755
index 47dca4b..0000000
--- a/roles/openvpn/files/check_openvpn_certificates.sh
+++ /dev/null
@@ -1,140 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-trap error 0
-
-STATE_OK=0
-STATE_WARNING=1
-STATE_CRITICAL=2
-STATE_UNKNOWN=3
-STATE=$STATE_OK
-CERT_STATE=$STATE
-CA_STATE=$STATE
-CERT_ECHO=""
-CA_ECHO=""
-
-error() {
- if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then
- echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ? On Debian, is the check executed with sudo ?"
- fi
-}
-
-SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
-date_cmd=$(command -v date)
-
-# Dates in seconds
-_15_days="1296000"
-_30_days="2592000"
-current_date=$($date_cmd +"%s")
-
-# Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf
-conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/" | head -1)
-[ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")}
-conf_file=${conf_file:-"/etc/openvpn/server.conf"}
-
-# Get the cert and ca file location, based on the OpenVPN conf file location
-# Done in 2 times because sh does not support pipefail - needed in the case where $conf_file does not exist
-cert_file=$(grep -s "^cert " $conf_file)
-cert_file=$(echo $cert_file | sed -e "s/^cert *\//\//")
-ca_file=$(grep -s "^ca " $conf_file)
-ca_file=$(echo $ca_file | sed -e "s/^ca *\//\//")
-
-# Get expiration date of cert and ca certificates
-cert_expiration_date=$(grep "Not After" $cert_file | sed -e "s/.*Not After : //")
-ca_expiration_date=$(openssl x509 -enddate -noout -in $ca_file | cut -d '=' -f 2)
-
-test_cert_expiration() {
- # Already expired - Cert file
- if [ $current_date -ge $1 ]; then
- CERT_ECHO="CRITICAL - The server certificate has expired on $formatted_cert_expiration_date"
- CERT_STATE=$STATE_CRITICAL
- # Expiration in 15 days or less - Cert file
- elif [ $((current_date+_15_days)) -ge $1 ]; then
- CERT_ECHO="CRITICAL - The server certificate expires in 15 days or less : $formatted_cert_expiration_date"
- CERT_STATE=$STATE_CRITICAL
- # Expiration in 30 days or less - Cert file
- elif [ $((current_date+_30_days)) -ge $1 ]; then
- CERT_ECHO="WARNING - The server certificate expires in 30 days or less : $formatted_cert_expiration_date"
- CERT_STATE=$STATE_WARNING
- # Expiration in more than 30 days - Cert file
- else
- CERT_ECHO="OK - The server certificate expires on $formatted_cert_expiration_date"
- CERT_STATE=$STATE_OK
- fi
-}
-
-test_ca_expiration() {
- # Already expired - CA file
- if [ $current_date -ge $1 ]; then
- CA_ECHO="CRITICAL - The server CA has expired on $formatted_ca_expiration_date"
- CA_STATE=$STATE_CRITICAL
- # Expiration in 15 days or less - CA file
- elif [ $((current_date+_15_days)) -ge $1 ]; then
- CA_ECHO="CRITICAL - The server CA expires in 15 days or less : $formatted_ca_expiration_date"
- CA_STATE=$STATE_CRITICAL
- # Expiration in 30 days or less - CA file
- elif [ $((current_date+_30_days)) -ge $1 ]; then
- CA_ECHO="WARNING - The server CA expires in 30 days or less : $formatted_ca_expiration_date"
- CA_STATE=$STATE_WARNING
- # Expiration in more than 30 days - CA file
- else
- CA_ECHO="OK - The server CA expires on $formatted_ca_expiration_date"
- CA_STATE=$STATE_OK
- fi
-}
-
-# Linux and BSD systems do not implement 'date' the same way
-if [ "$SYSTEM" = "linux" ]; then
-
- # Cert expiration date human formated then in seconds
- formatted_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%F %T %Z")
- seconds_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%s")
-
- # CA expiration date human formated then in seconds
- formatted_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%F %T %Z")
- seconds_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%s")
-
- test_cert_expiration $seconds_cert_expiration_date
- test_ca_expiration $seconds_ca_expiration_date
-
-elif [ "$SYSTEM" = "openbsd" ]; then
-
- # Cert expiration date for POSIX date, human formated then in seconds
- posix_cert_expiration_date=$(echo "$cert_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
- cert_zone=$(echo "$cert_expiration_date" | awk '{print $5}')
- formatted_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%F %T %Z")
- seconds_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%s")
-
- # CA expiration date for POSIX date, human formated then in seconds
- posix_ca_expiration_date=$(echo "$ca_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
- ca_zone=$(echo "$ca_expiration_date" | awk '{print $5}')
- formatted_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%F %T %Z")
- seconds_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%s")
-
- test_cert_expiration $seconds_cert_expiration_date
- test_ca_expiration $seconds_ca_expiration_date
-
-# If neither Linux nor BSD
-else
-
- echo "CRITICAL - OS not supported"
- STATE=$STATE_CRITICAL
- exit $STATE
-
-fi
-
-# Display the first one that expires first
-if [ $CA_STATE -gt $CERT_STATE ]; then
- echo $CA_ECHO
- echo $CERT_ECHO
- exit $CA_STATE
-elif [ $CERT_STATE -gt $CA_STATE ]; then
- echo $CERT_ECHO
- echo $CA_ECHO
- exit $CERT_STATE
-else
- echo $CERT_ECHO
- echo $CA_ECHO
- exit $CERT_STATE
-fi
diff --git a/roles/openvpn/files/shellpki b/roles/openvpn/files/shellpki
deleted file mode 120000
index ce09651..0000000
--- a/roles/openvpn/files/shellpki
+++ /dev/null
@@ -1 +0,0 @@
-../../../../shellpki
\ No newline at end of file
diff --git a/roles/openvpn/files/sudo_shellpki b/roles/openvpn/files/sudo_shellpki
deleted file mode 100644
index 08ca1ab..0000000
--- a/roles/openvpn/files/sudo_shellpki
+++ /dev/null
@@ -1 +0,0 @@
-%shellpki ALL = (root) /usr/local/sbin/shellpki
diff --git a/roles/openvpn/handlers/main.yml b/roles/openvpn/handlers/main.yml
deleted file mode 100644
index b22f340..0000000
--- a/roles/openvpn/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: restart openvpn
- service:
- name: openvpn
- state: restarted
diff --git a/roles/openvpn/tasks/main.yml b/roles/openvpn/tasks/main.yml
deleted file mode 100644
index c94f335..0000000
--- a/roles/openvpn/tasks/main.yml
+++ /dev/null
@@ -1,136 +0,0 @@
----
-- name: Install OpenVPN package
- openbsd_pkg:
- name: "openvpn--"
- tags:
- - openvpn
-
-- name: Create /etc/openvpn directory
- file:
- path: /etc/openvpn
- state: directory
- owner: "root"
- group: "wheel"
- mode: "0755"
- tags:
- - openvpn
-
-- name: Deploy OpenVPN configuration
- template:
- src: "server.conf.j2"
- dest: "/etc/openvpn/server.conf"
- mode: "0600"
- notify: restart openvpn
- tags:
- - openvpn
-
-- name: Enabling OpenVPN
- service:
- name: openvpn
- enabled: true
- tags:
- - openvpn
-
-- name: Set OpenVPN flag
- shell: 'rcctl set openvpn flags "--config /etc/openvpn/server.conf"'
- tags:
- - openvpn
-
-- name: Create shellpki user
- user:
- name: "_shellpki"
- system: true
- state: present
- home: "/etc/shellpki/"
- shell: "/sbin/nologin"
- tags:
- - openvpn
-
-- name: Copy some shellpki files
- copy:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: root
- group: wheel
- mode: "{{ item.mode }}"
- force: true
- with_items:
- - src: 'files/shellpki/openssl.cnf'
- dest: '/etc/shellpki/openssl.cnf'
- mode: '0640'
- - src: 'files/shellpki/shellpki'
- dest: '/usr/local/sbin/shellpki'
- mode: '0755'
- tags:
- - openvpn
-
-- name: Deploy DH PARAMETERS
- template:
- src: "dh2048.pem.j2"
- dest: "/etc/shellpki/dh2048.pem"
- mode: "0600"
- tags:
- - openvpn
-
-- name: Create /etc/sudoers.d directory
- file:
- path: /etc/sudoers.d
- state: directory
- owner: "root"
- group: "wheel"
- mode: "0755"
- tags:
- - openvpn
-
-- name: Include /etc/sudoers.d in sudoers configuration file
- lineinfile:
- path: /etc/sudoers
- line: '#includedir /etc/sudoers.d'
- tags:
- - openvpn
-
-- name: Verify shellpki sudoers file presence
- copy:
- src: "sudo_shellpki"
- dest: "/etc/sudoers.d/shellpki"
- force: true
- mode: "0440"
- validate: '/usr/local/sbin/visudo -cf %s'
- tags:
- - openvpn
-
-- name: Copy check_openvpn
- copy:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: root
- group: wheel
- mode: "{{ item.mode }}"
- force: true
- with_items:
- - src: 'files/check_openvpn.pl'
- dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl'
- mode: '0755'
- tags:
- - openvpn
-
-- name: Install needed package for check_openvpn
- openbsd_pkg:
- name: "p5-Net-Telnet"
- tags:
- - openvpn
-
-- name: Copy check_openvpn_certificates.sh
- copy:
- src: "{{ item.src }}"
- dest: "{{ item.dest }}"
- owner: root
- group: wheel
- mode: "{{ item.mode }}"
- force: true
- with_items:
- - src: 'files/check_openvpn_certificates.sh'
- dest: '/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh'
- mode: '0755'
- tags:
- - openvpn
diff --git a/roles/openvpn/templates/dh2048.pem.j2 b/roles/openvpn/templates/dh2048.pem.j2
deleted file mode 100644
index 9db20bb..0000000
--- a/roles/openvpn/templates/dh2048.pem.j2
+++ /dev/null
@@ -1,8 +0,0 @@
------BEGIN DH PARAMETERS-----
-MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
-R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
-TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
-ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
-Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
-aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
------END DH PARAMETERS-----
diff --git a/roles/openvpn/templates/server.conf.j2 b/roles/openvpn/templates/server.conf.j2
deleted file mode 100644
index 377b5b1..0000000
--- a/roles/openvpn/templates/server.conf.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-user nobody
-group nogroup
-
-local {{ ansible_default_ipv4.address }}
-port 1194
-proto udp
-dev tun
-mode server
-keepalive 10 120
-
-cipher AES-128-CBC # AES
-#comp-lzo
-# compress (à partir d'OpenVPN 2.4)
-
-persist-key
-persist-tun
-
-status /var/log/openvpn-status.log
-log-append /var/log/openvpn.log
-
-ca /etc/shellpki/cacert.pem
-cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
-key /etc/shellpki/private/{{ ansible_fqdn }}.key
-dh /etc/shellpki/dh2048.pem
-
-server {{ openvpn_lan }} {{ openvpn_netmask }}