2022-02-03 18:35:16 +01:00
---
- name : Install OpenVPN
apt :
name : openvpn
- name : Delete unwanted OpenVPN folders
file :
state : absent
dest : "/etc/openvpn/{{ item }}"
with_items :
- client
- server
- name : Create the shellpki user
user :
name : shellpki
system : yes
create_home : no
home : "/etc/shellpki"
shell : "/usr/sbin/nologin"
- name : Create /etc/shellpki
file :
dest : "/etc/shellpki"
mode : "0755"
owner : shellpki
group : shellpki
state : directory
- include_role :
name : evolix/remount-usr
- name : Copy shellpki files
copy :
2022-04-14 16:34:43 +02:00
src : "shellpki/{{ item.source }}"
2022-02-03 18:35:16 +01:00
dest : "{{ item.destination }}"
mode : "{{ item.mode }}"
owner : "{{ item.owner }}"
group : "{{ item.group }}"
with_items :
2022-04-14 16:34:43 +02:00
- { source : "openssl.cnf" , destination : "/etc/shellpki/openssl.cnf" , mode : "0640" , owner : "shellpki" , group : "shellpki" }
- { source : "shellpki" , destination : "/usr/local/sbin/shellpki" , mode : "0755" , owner : "root" , group : "root" }
2022-02-03 18:35:16 +01:00
- name : Add sudo rights
lineinfile :
dest : "/etc/sudoers.d/shellpki"
regexp : '/usr/local/sbin/shellpki'
line : "%shellpki ALL = (root) /usr/local/sbin/shellpki"
create : yes
mode : "0400"
owner : root
group : root
validate : 'visudo -cf %s'
- name : Deploy OpenVPN client config template
template :
src : "ovpn.conf.j2"
dest : "/etc/shellpki/ovpn.conf"
mode : "0600"
owner : shellpki
group : shellpki
- name : Generate dhparam
command : "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
- include_role :
name : evolix/remount-usr
- name : Fix CRL rights in shellpki command
lineinfile :
dest : "/usr/local/sbin/shellpki"
regexp : '{{ item.regexp }}'
insertafter : "{{ item.insertafter }}"
line : "{{ item.line }}"
with_items :
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line : " chmod 644 /etc/shellpki/crl.pem" , insertafter : '^ chmod 640 "\${CACERT}"$' }
- { regexp: '^ chmod 755 /etc/shellpki/$', line : " chmod 755 /etc/shellpki/" , insertafter : '^ chmod 644 /etc/shellpki/crl.pem$' }
- name : Deploy OpenVPN server config
template :
src : "server.conf.j2"
dest : "/etc/openvpn/server.conf"
mode : "0600"
owner : root
group : root
- name : Is minifirewall installed ?
stat :
path : "/etc/default/minifirewall"
check_mode : no
changed_when : false
register : minifirewall_config
- name : Retrieve the default interface
shell : "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2"
check_mode : no
changed_when : false
register : minifirewall_int
when : minifirewall_config.stat.exists
- name : Add minifirewall rule in config file
lineinfile :
dest : "/etc/default/minifirewall"
line : "{{ item }}"
with_items :
- "# OpenVPN"
- "/sbin/iptables -t nat -A POSTROUTING -s {{ openvpn_lan }}/{{ openvpn_netmask_cidr }} -o $INT -j MASQUERADE"
when : minifirewall_config.stat.exists
- name : Activate minifirewall rule
iptables :
table : nat
chain : POSTROUTING
source : "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}"
out_interface : "{{ minifirewall_int.stdout }}"
jump : MASQUERADE
when : minifirewall_config.stat.exists
- name : Add 1194/udp OpenVPN port to public services in minifirewall
replace :
dest : "/etc/default/minifirewall"
regexp : "^SERVICESUDP1='(.*)?'$"
replace : "SERVICESUDP1='\\1 1194'"
backup : yes
when : minifirewall_config.stat.exists
- name : Activate minifirewall rule for IPv4
iptables :
chain : INPUT
protocol : udp
destination_port : "1194"
jump : ACCEPT
ip_version : ipv4
when : minifirewall_config.stat.exists
- name : Activate minifirewall rule for IPv6
iptables :
chain : INPUT
protocol : udp
destination_port : "1194"
jump : ACCEPT
ip_version : ipv6
when : minifirewall_config.stat.exists
- name : Enable forwarding
sysctl :
name : net.ipv4.ip_forward
value : "1"
sysctl_file : "/etc/sysctl.d/openvpn.conf"
- name : Generate a password for the management interface
set_fact :
management_pwd : "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
- name : Set the management password
copy :
dest : "/etc/openvpn/management-pwd"
content : "{{ management_pwd }}"
mode : "0600"
owner : root
group : root
- name : Enable openvpn service
systemd :
name : "openvpn@server.service"
enabled : yes
- name : Is NRPE installed ?
stat :
path : "/etc/nagios/nrpe.d/evolix.cfg"
check_mode : no
changed_when : false
register : nrpe_evolix_config
- name : Install NRPE check dependencies
apt :
name : libnet-telnet-perl
when : nrpe_evolix_config.stat.exists
- include_role :
name : evolix/remount-usr
- name : Install OpenVPN NRPE check
copy :
src : "files/check_openvpn_debian.pl"
dest : "/usr/local/lib/nagios/plugins/check_openvpn"
mode : "0755"
owner : root
group : nagios
when : nrpe_evolix_config.stat.exists
- name : Configure NRPE OpenVPN check
lineinfile :
dest : "/etc/nagios/nrpe.d/evolix.cfg"
regexp : '^command\[check_openvpn\]='
line : "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
notify : restart nagios-nrpe-server
when : nrpe_evolix_config.stat.exists
- include_role :
name : evolix/remount-usr
- name : Install OpenVPN certificates NRPE check
copy :
src : "files/check_openvpn_certificates.sh"
dest : "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
mode : "0755"
owner : root
group : nagios
when : nrpe_evolix_config.stat.exists
- name : Add sudo rights for NRPE check
lineinfile :
dest : "/etc/sudoers.d/openvpn"
regexp : 'check_openvpn_certificates.sh'
line : "nagios ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
create : yes
mode : "0400"
owner : root
group : root
validate : 'visudo -cf %s'
when : nrpe_evolix_config.stat.exists
- name : Configure NRPE certificates check
lineinfile :
dest : "/etc/nagios/nrpe.d/evolix.cfg"
regexp : '^command\[check_openvpn_certificates\]='
line : "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
notify : restart nagios-nrpe-server
when : nrpe_evolix_config.stat.exists
- include_role :
name : evolix/remount-usr
- name : Copy shellpki script
copy :
2022-04-14 16:34:43 +02:00
src : "shellpki/cert-expirations.sh"
2022-02-03 18:35:16 +01:00
dest : "/usr/share/scripts/cert-expirations.sh"
mode : "0700"
owner : root
group : root
- name : Install cron to warn about certificates expiration
cron :
name : "OpenVPN certificates expiration"
special_time : monthly
job : '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
- name : Warn the user about command to execute manually
pause :
prompt : |
/!\ WARNING /!\
You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service".
Press enter to exit when it's done.