Delete the deprecated OpenVPN role
This commit is contained in:
parent
93f21a947c
commit
66c84dca6c
@ -19,6 +19,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
|
- openvpn : deleted this deprecated role ; use the one provided in the ansible-roles repo
|
||||||
|
|
||||||
## [21.12] - 2021-12-17
|
## [21.12] - 2021-12-17
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
|
|
|
@ -28,7 +28,6 @@
|
||||||
- nagios-nrpe
|
- nagios-nrpe
|
||||||
- evocheck
|
- evocheck
|
||||||
- post-install
|
- post-install
|
||||||
# - openvpn
|
|
||||||
# - ospf
|
# - ospf
|
||||||
# - bgp
|
# - bgp
|
||||||
# - { role: collectd, collectd_server: "127.0.0.1" }
|
# - { role: collectd, collectd_server: "127.0.0.1" }
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
# OpenVPN
|
|
||||||
|
|
||||||
Installation and custom configuration of OpenVPN server.
|
|
||||||
|
|
||||||
## Tasks
|
|
||||||
|
|
||||||
Everything is in the `tasks/main.yml` file.
|
|
||||||
|
|
||||||
## Available variables
|
|
||||||
|
|
||||||
The full list of variables (with default values) can be found in `defaults/main.yml`.
|
|
||||||
|
|
||||||
NOTE: Make sure you have already cloned shellpki in ~/GIT/
|
|
|
@ -1,3 +0,0 @@
|
||||||
---
|
|
||||||
openvpn_lan: "192.168.42.0"
|
|
||||||
openvpn_netmask: "255.255.255.0"
|
|
|
@ -1,215 +0,0 @@
|
||||||
#!/usr/bin/perl -w
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
#
|
|
||||||
# Copyright (c) 2007 Jaime Gascon Romero <jgascon@gmail.com>
|
|
||||||
#
|
|
||||||
# License Information:
|
|
||||||
# This program is free software; you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation; either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# This program is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
# $Id: check_openvpn.pl,v 1.1 2014/09/29 08:39:24 rdessort Exp $
|
|
||||||
# $Revision: 1.1 $
|
|
||||||
# Home Site: http://emergeworld.blogspot.com/
|
|
||||||
# #####################################################################
|
|
||||||
|
|
||||||
use diagnostics;
|
|
||||||
use strict;
|
|
||||||
use Net::Telnet ();
|
|
||||||
use Getopt::Long qw(:config no_ignore_case);
|
|
||||||
use vars qw($PROGNAME $VERSION);
|
|
||||||
use lib "/usr/local/libexec/nagios/";
|
|
||||||
use utils qw(%ERRORS);
|
|
||||||
|
|
||||||
$PROGNAME = "check_openvpn";
|
|
||||||
$VERSION = '$Revision: 1.1 $';
|
|
||||||
|
|
||||||
$ENV{'PATH'}='';
|
|
||||||
$ENV{'BASH_ENV'}='';
|
|
||||||
$ENV{'ENV'}='';
|
|
||||||
|
|
||||||
my ($opt_h, $opt_H, $opt_p, $opt_P, $opt_t, $opt_i, $opt_n, $opt_c, $opt_w, $opt_C, $opt_r);
|
|
||||||
|
|
||||||
sub print_help ();
|
|
||||||
sub print_usage ();
|
|
||||||
|
|
||||||
GetOptions
|
|
||||||
("h" => \$opt_h, "help" => \$opt_h,
|
|
||||||
"H=s" => \$opt_H, "host=s" => \$opt_H,
|
|
||||||
"p=i" => \$opt_p, "port=i" => \$opt_p,
|
|
||||||
"P=s" => \$opt_P, "password=s" => \$opt_P,
|
|
||||||
"t=i" => \$opt_t, "timeout=i" => \$opt_t,
|
|
||||||
"i" => \$opt_i, "ip" => \$opt_i,
|
|
||||||
"n" => \$opt_n, "numeric" => \$opt_n,
|
|
||||||
"c" => \$opt_c, "critical" => \$opt_c,
|
|
||||||
"w" => \$opt_w, "warning" => \$opt_w,
|
|
||||||
"C=s" => \$opt_C, "common_name=s" => \$opt_C,
|
|
||||||
"r=s" => \$opt_r, "remote_ip=s" => \$opt_r,
|
|
||||||
) or exit $ERRORS{'UNKNOWN'};
|
|
||||||
|
|
||||||
# default values
|
|
||||||
unless ( defined $opt_t ) {
|
|
||||||
$opt_t = 10;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($opt_h) {print_help(); exit $ERRORS{'OK'};}
|
|
||||||
|
|
||||||
if ( ! defined($opt_H) || ! defined($opt_p) ) {
|
|
||||||
print_usage();
|
|
||||||
exit $ERRORS{'UNKNOWN'}
|
|
||||||
}
|
|
||||||
|
|
||||||
my @lines;
|
|
||||||
my @clients;
|
|
||||||
my @clients_ip;
|
|
||||||
my $t;
|
|
||||||
|
|
||||||
eval {
|
|
||||||
$t = new Net::Telnet (Timeout => $opt_t,
|
|
||||||
Port => $opt_p,
|
|
||||||
Prompt => '/END$/'
|
|
||||||
);
|
|
||||||
$t->open($opt_H);
|
|
||||||
if ( defined $opt_P ) {
|
|
||||||
$t->waitfor('/ENTER PASSWORD:$/');
|
|
||||||
$t->print($opt_P);
|
|
||||||
}
|
|
||||||
$t->waitfor('/^$/');
|
|
||||||
@lines = $t->cmd("status 2");
|
|
||||||
$t->close;
|
|
||||||
};
|
|
||||||
|
|
||||||
if ($@) {
|
|
||||||
print "OpenVPN Critical: Can't connect to server\n";
|
|
||||||
exit $ERRORS{'CRITICAL'};
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
if (defined $opt_i || defined $opt_r) {
|
|
||||||
foreach (@lines) {
|
|
||||||
if ($_ =~ /CLIENT_LIST,.*,(\d+\.\d+\.\d+\.\d+):\d+,/) {
|
|
||||||
push @clients_ip, $1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if (defined $opt_i) {
|
|
||||||
print "OpenVPN OK: "."@clients_ip ";
|
|
||||||
exit $ERRORS{'OK'};
|
|
||||||
} elsif (defined $opt_r) {
|
|
||||||
if ( ! grep /\b$opt_r\b/, @clients_ip) {
|
|
||||||
if (defined $opt_c) {
|
|
||||||
print "OpenVPN CRITICAL: $opt_r don't found";
|
|
||||||
exit $ERRORS{'CRITICAL'};
|
|
||||||
} else {
|
|
||||||
print "OpenVPN WARNING: $opt_r don't found";
|
|
||||||
exit $ERRORS{'WARNING'};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
print "OpenVPN OK: "."@clients_ip ";
|
|
||||||
exit $ERRORS{'OK'};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
foreach (@lines) {
|
|
||||||
if ($_ =~ /CLIENT_LIST,(.*),\d+\.\d+\.\d+\.\d+:\d+,/) {
|
|
||||||
push @clients, $1;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if (defined $opt_C) {
|
|
||||||
if ( ! grep /\b$opt_C\b/, @clients) {
|
|
||||||
if (defined $opt_c) {
|
|
||||||
print "OpenVPN CRITICAL: $opt_C don't found";
|
|
||||||
exit $ERRORS{'CRITICAL'};
|
|
||||||
} else {
|
|
||||||
print "OpenVPN WARNING: $opt_C don't found";
|
|
||||||
exit $ERRORS{'WARNING'};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
if (defined $opt_n) {
|
|
||||||
print "OpenVPN OK: ".@clients." connected clients.";
|
|
||||||
exit $ERRORS{'OK'};
|
|
||||||
}
|
|
||||||
|
|
||||||
print "OpenVPN OK: "."@clients ";
|
|
||||||
exit $ERRORS{'OK'};
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
###### Subroutines ####################################################
|
|
||||||
|
|
||||||
sub print_usage() {
|
|
||||||
print "Usage: $PROGNAME -H | --host <IP or hostname> -p | --port <port number> [-P | --password] <password> [-t | --timeout] <timeout in seconds>
|
|
||||||
[-i | --ip] [-n | --numeric] [-C | --common_name] <common_name> [-r | --remote_ip] <remote_ip> [-c | --critical] [-w | --warning]\n\n";
|
|
||||||
print " $PROGNAME [-h | --help]\n";
|
|
||||||
}
|
|
||||||
|
|
||||||
sub print_help() {
|
|
||||||
print "$PROGNAME $VERSION\n\n";
|
|
||||||
print "Copyright (c) 2007 Jaime Gascon Romero
|
|
||||||
|
|
||||||
Nagios plugin to check the clients connected to a openvpn server.
|
|
||||||
|
|
||||||
";
|
|
||||||
print_usage();
|
|
||||||
print "
|
|
||||||
-H | --host
|
|
||||||
IP address or hostname of the openvpn server.
|
|
||||||
|
|
||||||
-p | --port
|
|
||||||
Management port interface of the openvpn server.
|
|
||||||
|
|
||||||
-P | --password
|
|
||||||
Password for the management interface of the openvpn server.
|
|
||||||
|
|
||||||
-t | --timeout
|
|
||||||
Timeout for the connection attempt. Optional, default 10 seconds.
|
|
||||||
|
|
||||||
|
|
||||||
Optional parameters
|
|
||||||
===================
|
|
||||||
|
|
||||||
-i | --ip
|
|
||||||
Prints the IP address of the remote client instead of the common name.
|
|
||||||
|
|
||||||
-n | --numeric
|
|
||||||
Prints the number of clients connected to the openvpn server.
|
|
||||||
|
|
||||||
|
|
||||||
Matching Parameters
|
|
||||||
===================
|
|
||||||
|
|
||||||
-C | --common_name
|
|
||||||
The common name, as it is specified in the client certificate, who is wanted to check.
|
|
||||||
|
|
||||||
-r | --remote_ip
|
|
||||||
The client remote ip address who is wanted to check.
|
|
||||||
|
|
||||||
-c | --critical
|
|
||||||
Exits with CRITICAL status if the client specified by the common name or the remote ip address is not connected.
|
|
||||||
|
|
||||||
-w | --warning
|
|
||||||
Exits with WARNING status if the client specified by the common name or the remote ip address is not connected.
|
|
||||||
|
|
||||||
|
|
||||||
Other Parameters
|
|
||||||
================
|
|
||||||
|
|
||||||
-h | --help
|
|
||||||
Show this help.
|
|
||||||
";
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
# vim:sts=2:sw=2:ts=2:et
|
|
|
@ -1,140 +0,0 @@
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -eu
|
|
||||||
|
|
||||||
trap error 0
|
|
||||||
|
|
||||||
STATE_OK=0
|
|
||||||
STATE_WARNING=1
|
|
||||||
STATE_CRITICAL=2
|
|
||||||
STATE_UNKNOWN=3
|
|
||||||
STATE=$STATE_OK
|
|
||||||
CERT_STATE=$STATE
|
|
||||||
CA_STATE=$STATE
|
|
||||||
CERT_ECHO=""
|
|
||||||
CA_ECHO=""
|
|
||||||
|
|
||||||
error() {
|
|
||||||
if [ $? -eq 2 ] && [ "X$CERT_ECHO" = "X" ] && [ "X$CA_ECHO" = "X" ] ; then
|
|
||||||
echo "CRITICAL - The check exited with an error. Is the conf_file var containing the real conf file location ? On Debian, is the check executed with sudo ?"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
|
||||||
date_cmd=$(command -v date)
|
|
||||||
|
|
||||||
# Dates in seconds
|
|
||||||
_15_days="1296000"
|
|
||||||
_30_days="2592000"
|
|
||||||
current_date=$($date_cmd +"%s")
|
|
||||||
|
|
||||||
# Trying to define the OpenVPN conf file location - default to /etc/openvpn/server.conf
|
|
||||||
conf_file=$(ps auwwwx | grep openvpn | grep -- --config | grep -v sed | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/" | head -1)
|
|
||||||
[ "$SYSTEM" = "openbsd" ] && conf_file=${conf_file:-$(grep openvpn_flags /etc/rc.conf.local | sed -e "s/.*config \(\/etc\/openvpn.*.conf\).*/\1/")}
|
|
||||||
conf_file=${conf_file:-"/etc/openvpn/server.conf"}
|
|
||||||
|
|
||||||
# Get the cert and ca file location, based on the OpenVPN conf file location
|
|
||||||
# Done in 2 times because sh does not support pipefail - needed in the case where $conf_file does not exist
|
|
||||||
cert_file=$(grep -s "^cert " $conf_file)
|
|
||||||
cert_file=$(echo $cert_file | sed -e "s/^cert *\//\//")
|
|
||||||
ca_file=$(grep -s "^ca " $conf_file)
|
|
||||||
ca_file=$(echo $ca_file | sed -e "s/^ca *\//\//")
|
|
||||||
|
|
||||||
# Get expiration date of cert and ca certificates
|
|
||||||
cert_expiration_date=$(grep "Not After" $cert_file | sed -e "s/.*Not After : //")
|
|
||||||
ca_expiration_date=$(openssl x509 -enddate -noout -in $ca_file | cut -d '=' -f 2)
|
|
||||||
|
|
||||||
test_cert_expiration() {
|
|
||||||
# Already expired - Cert file
|
|
||||||
if [ $current_date -ge $1 ]; then
|
|
||||||
CERT_ECHO="CRITICAL - The server certificate has expired on $formatted_cert_expiration_date"
|
|
||||||
CERT_STATE=$STATE_CRITICAL
|
|
||||||
# Expiration in 15 days or less - Cert file
|
|
||||||
elif [ $((current_date+_15_days)) -ge $1 ]; then
|
|
||||||
CERT_ECHO="CRITICAL - The server certificate expires in 15 days or less : $formatted_cert_expiration_date"
|
|
||||||
CERT_STATE=$STATE_CRITICAL
|
|
||||||
# Expiration in 30 days or less - Cert file
|
|
||||||
elif [ $((current_date+_30_days)) -ge $1 ]; then
|
|
||||||
CERT_ECHO="WARNING - The server certificate expires in 30 days or less : $formatted_cert_expiration_date"
|
|
||||||
CERT_STATE=$STATE_WARNING
|
|
||||||
# Expiration in more than 30 days - Cert file
|
|
||||||
else
|
|
||||||
CERT_ECHO="OK - The server certificate expires on $formatted_cert_expiration_date"
|
|
||||||
CERT_STATE=$STATE_OK
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
test_ca_expiration() {
|
|
||||||
# Already expired - CA file
|
|
||||||
if [ $current_date -ge $1 ]; then
|
|
||||||
CA_ECHO="CRITICAL - The server CA has expired on $formatted_ca_expiration_date"
|
|
||||||
CA_STATE=$STATE_CRITICAL
|
|
||||||
# Expiration in 15 days or less - CA file
|
|
||||||
elif [ $((current_date+_15_days)) -ge $1 ]; then
|
|
||||||
CA_ECHO="CRITICAL - The server CA expires in 15 days or less : $formatted_ca_expiration_date"
|
|
||||||
CA_STATE=$STATE_CRITICAL
|
|
||||||
# Expiration in 30 days or less - CA file
|
|
||||||
elif [ $((current_date+_30_days)) -ge $1 ]; then
|
|
||||||
CA_ECHO="WARNING - The server CA expires in 30 days or less : $formatted_ca_expiration_date"
|
|
||||||
CA_STATE=$STATE_WARNING
|
|
||||||
# Expiration in more than 30 days - CA file
|
|
||||||
else
|
|
||||||
CA_ECHO="OK - The server CA expires on $formatted_ca_expiration_date"
|
|
||||||
CA_STATE=$STATE_OK
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Linux and BSD systems do not implement 'date' the same way
|
|
||||||
if [ "$SYSTEM" = "linux" ]; then
|
|
||||||
|
|
||||||
# Cert expiration date human formated then in seconds
|
|
||||||
formatted_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%F %T %Z")
|
|
||||||
seconds_cert_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$cert_expiration_date" +"%s")
|
|
||||||
|
|
||||||
# CA expiration date human formated then in seconds
|
|
||||||
formatted_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%F %T %Z")
|
|
||||||
seconds_ca_expiration_date=$(TZ="Europe/Paris" $date_cmd -d "$ca_expiration_date" +"%s")
|
|
||||||
|
|
||||||
test_cert_expiration $seconds_cert_expiration_date
|
|
||||||
test_ca_expiration $seconds_ca_expiration_date
|
|
||||||
|
|
||||||
elif [ "$SYSTEM" = "openbsd" ]; then
|
|
||||||
|
|
||||||
# Cert expiration date for POSIX date, human formated then in seconds
|
|
||||||
posix_cert_expiration_date=$(echo "$cert_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
|
|
||||||
cert_zone=$(echo "$cert_expiration_date" | awk '{print $5}')
|
|
||||||
formatted_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%F %T %Z")
|
|
||||||
seconds_cert_expiration_date=$(TZ=$cert_zone $date_cmd -j -z "Europe/Paris" "$posix_cert_expiration_date" +"%s")
|
|
||||||
|
|
||||||
# CA expiration date for POSIX date, human formated then in seconds
|
|
||||||
posix_ca_expiration_date=$(echo "$ca_expiration_date" | awk '{ printf $4" "(index("JanFebMarAprMayJunJulAugSepOctNovDec",$1)+2)/3" "$2" ",split($3,time,":"); print time[1],time[2],time[3]}' | awk '{printf "%04d%02d%02d%02d%02d.%02d\n", $1, $2, $3, $4, $5, $6}')
|
|
||||||
ca_zone=$(echo "$ca_expiration_date" | awk '{print $5}')
|
|
||||||
formatted_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%F %T %Z")
|
|
||||||
seconds_ca_expiration_date=$(TZ=$ca_zone $date_cmd -j -z "Europe/Paris" "$posix_ca_expiration_date" +"%s")
|
|
||||||
|
|
||||||
test_cert_expiration $seconds_cert_expiration_date
|
|
||||||
test_ca_expiration $seconds_ca_expiration_date
|
|
||||||
|
|
||||||
# If neither Linux nor BSD
|
|
||||||
else
|
|
||||||
|
|
||||||
echo "CRITICAL - OS not supported"
|
|
||||||
STATE=$STATE_CRITICAL
|
|
||||||
exit $STATE
|
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Display the first one that expires first
|
|
||||||
if [ $CA_STATE -gt $CERT_STATE ]; then
|
|
||||||
echo $CA_ECHO
|
|
||||||
echo $CERT_ECHO
|
|
||||||
exit $CA_STATE
|
|
||||||
elif [ $CERT_STATE -gt $CA_STATE ]; then
|
|
||||||
echo $CERT_ECHO
|
|
||||||
echo $CA_ECHO
|
|
||||||
exit $CERT_STATE
|
|
||||||
else
|
|
||||||
echo $CERT_ECHO
|
|
||||||
echo $CA_ECHO
|
|
||||||
exit $CERT_STATE
|
|
||||||
fi
|
|
|
@ -1 +0,0 @@
|
||||||
../../../../shellpki
|
|
|
@ -1 +0,0 @@
|
||||||
%shellpki ALL = (root) /usr/local/sbin/shellpki
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
- name: restart openvpn
|
|
||||||
service:
|
|
||||||
name: openvpn
|
|
||||||
state: restarted
|
|
|
@ -1,136 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install OpenVPN package
|
|
||||||
openbsd_pkg:
|
|
||||||
name: "openvpn--"
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Create /etc/openvpn directory
|
|
||||||
file:
|
|
||||||
path: /etc/openvpn
|
|
||||||
state: directory
|
|
||||||
owner: "root"
|
|
||||||
group: "wheel"
|
|
||||||
mode: "0755"
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Deploy OpenVPN configuration
|
|
||||||
template:
|
|
||||||
src: "server.conf.j2"
|
|
||||||
dest: "/etc/openvpn/server.conf"
|
|
||||||
mode: "0600"
|
|
||||||
notify: restart openvpn
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Enabling OpenVPN
|
|
||||||
service:
|
|
||||||
name: openvpn
|
|
||||||
enabled: true
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Set OpenVPN flag
|
|
||||||
shell: 'rcctl set openvpn flags "--config /etc/openvpn/server.conf"'
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Create shellpki user
|
|
||||||
user:
|
|
||||||
name: "_shellpki"
|
|
||||||
system: true
|
|
||||||
state: present
|
|
||||||
home: "/etc/shellpki/"
|
|
||||||
shell: "/sbin/nologin"
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Copy some shellpki files
|
|
||||||
copy:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: root
|
|
||||||
group: wheel
|
|
||||||
mode: "{{ item.mode }}"
|
|
||||||
force: true
|
|
||||||
with_items:
|
|
||||||
- src: 'files/shellpki/openssl.cnf'
|
|
||||||
dest: '/etc/shellpki/openssl.cnf'
|
|
||||||
mode: '0640'
|
|
||||||
- src: 'files/shellpki/shellpki'
|
|
||||||
dest: '/usr/local/sbin/shellpki'
|
|
||||||
mode: '0755'
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Deploy DH PARAMETERS
|
|
||||||
template:
|
|
||||||
src: "dh2048.pem.j2"
|
|
||||||
dest: "/etc/shellpki/dh2048.pem"
|
|
||||||
mode: "0600"
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Create /etc/sudoers.d directory
|
|
||||||
file:
|
|
||||||
path: /etc/sudoers.d
|
|
||||||
state: directory
|
|
||||||
owner: "root"
|
|
||||||
group: "wheel"
|
|
||||||
mode: "0755"
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Include /etc/sudoers.d in sudoers configuration file
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/sudoers
|
|
||||||
line: '#includedir /etc/sudoers.d'
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Verify shellpki sudoers file presence
|
|
||||||
copy:
|
|
||||||
src: "sudo_shellpki"
|
|
||||||
dest: "/etc/sudoers.d/shellpki"
|
|
||||||
force: true
|
|
||||||
mode: "0440"
|
|
||||||
validate: '/usr/local/sbin/visudo -cf %s'
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Copy check_openvpn
|
|
||||||
copy:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: root
|
|
||||||
group: wheel
|
|
||||||
mode: "{{ item.mode }}"
|
|
||||||
force: true
|
|
||||||
with_items:
|
|
||||||
- src: 'files/check_openvpn.pl'
|
|
||||||
dest: '/usr/local/libexec/nagios/plugins/check_openvpn.pl'
|
|
||||||
mode: '0755'
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Install needed package for check_openvpn
|
|
||||||
openbsd_pkg:
|
|
||||||
name: "p5-Net-Telnet"
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Copy check_openvpn_certificates.sh
|
|
||||||
copy:
|
|
||||||
src: "{{ item.src }}"
|
|
||||||
dest: "{{ item.dest }}"
|
|
||||||
owner: root
|
|
||||||
group: wheel
|
|
||||||
mode: "{{ item.mode }}"
|
|
||||||
force: true
|
|
||||||
with_items:
|
|
||||||
- src: 'files/check_openvpn_certificates.sh'
|
|
||||||
dest: '/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh'
|
|
||||||
mode: '0755'
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
|
@ -1,8 +0,0 @@
|
||||||
-----BEGIN DH PARAMETERS-----
|
|
||||||
MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
|
|
||||||
R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
|
|
||||||
TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
|
|
||||||
ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
|
|
||||||
Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
|
|
||||||
aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
|
|
||||||
-----END DH PARAMETERS-----
|
|
|
@ -1,26 +0,0 @@
|
||||||
user nobody
|
|
||||||
group nogroup
|
|
||||||
|
|
||||||
local {{ ansible_default_ipv4.address }}
|
|
||||||
port 1194
|
|
||||||
proto udp
|
|
||||||
dev tun
|
|
||||||
mode server
|
|
||||||
keepalive 10 120
|
|
||||||
|
|
||||||
cipher AES-128-CBC # AES
|
|
||||||
#comp-lzo
|
|
||||||
# compress (à partir d'OpenVPN 2.4)
|
|
||||||
|
|
||||||
persist-key
|
|
||||||
persist-tun
|
|
||||||
|
|
||||||
status /var/log/openvpn-status.log
|
|
||||||
log-append /var/log/openvpn.log
|
|
||||||
|
|
||||||
ca /etc/shellpki/cacert.pem
|
|
||||||
cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
|
|
||||||
key /etc/shellpki/private/{{ ansible_fqdn }}.key
|
|
||||||
dh /etc/shellpki/dh2048.pem
|
|
||||||
|
|
||||||
server {{ openvpn_lan }} {{ openvpn_netmask }}
|
|