Ajout verification minifirewall + /usr en ro + port management pour check_openvpn + certificat dhparam

2018-07-26 11:48:14 +02:00 · 2018-07-26 11:48:14 +02:00 · 14e270b688
parent 8ad8c2c798
commit 14e270b688
3 changed files with 29 additions and 16 deletions
--- a/openvpn/tasks/main.yml
+++ b/openvpn/tasks/main.yml
@ -14,24 +14,16 @@
  tags:
  - openvpn

- set_fact:
-    minifirewall_tail_included: True
-    minifirewall_tail_file: /etc/default/minifirewall.tail
-
- include_role:
-    name: minifirewall
-  tags:
-  - openvpn
-
 - name: Allow OpenVPN input
-  blockinfile:
-    dest: "{{ minifirewall_tail_file }}"
-    marker: "# {mark} INPUT OPENVPN" 
-    block: |                   
-       /sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-  notify: restart minifirewall
+  lineinfile: 
+    dest: /etc/default/minifirewall
+    line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN"
+    regexp: '#OPENVPN$'
+    state: present
+  failed_when: False
  tags:
  - openvpn
+  - openvpn-minifirewall

 - name: Create /etc/shellpki directory
  file:
@ -53,6 +45,11 @@
  tags:
  - openvpn

+- include_role:
+    name: remount-usr
+  tags:
+  - openvpn
+
 - name: Copy some shellpki files
  copy: 
    src: "{{ item.src }}"      
@ -67,6 +64,12 @@
  tags:
    - openvpn

+- name: Deploy DH PARAMETERS
+  template:                    
+    src: "dh2048.pem.j2" 
+    dest: "/etc/shellpki/dh2048.pem"
+    mode: "0600"               
+
 - name: Verify shellpki sudoers file presence
  copy:
    src: "sudo_shellpki"
--- a/openvpn/templates/dh2048.pem.j2
+++ b/openvpn/templates/dh2048.pem.j2
@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
+R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
+TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
+ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
+Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
+aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
+-----END DH PARAMETERS-----
--- a/openvpn/templates/server.conf.j2
+++ b/openvpn/templates/server.conf.j2
@ -21,7 +21,9 @@ log-append  /var/log/openvpn/openvpn.log
 ca   /etc/shellpki/cacert.pem
 cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
 key  /etc/shellpki/private/{{ ansible_fqdn }}.key
-dh   /etc/shellpkca/dh2048.pem
+dh   /etc/shellpki/dh2048.pem

 server {{ openvpn_lan }} {{ openvpn_netmask }}

+# Management interface (used by check_openvpn for Nagios)
+management 127.0.0.1 1195 /etc/openvpn/management-pwd