Ajout verification minifirewall + /usr en ro + port management pour check_openvpn + certificat dhparam
This commit is contained in:
parent
8ad8c2c798
commit
14e270b688
@ -14,24 +14,16 @@
|
||||||
tags:
|
tags:
|
||||||
- openvpn
|
- openvpn
|
||||||
|
|
||||||
- set_fact:
|
|
||||||
minifirewall_tail_included: True
|
|
||||||
minifirewall_tail_file: /etc/default/minifirewall.tail
|
|
||||||
|
|
||||||
- include_role:
|
|
||||||
name: minifirewall
|
|
||||||
tags:
|
|
||||||
- openvpn
|
|
||||||
|
|
||||||
- name: Allow OpenVPN input
|
- name: Allow OpenVPN input
|
||||||
blockinfile:
|
lineinfile:
|
||||||
dest: "{{ minifirewall_tail_file }}"
|
dest: /etc/default/minifirewall
|
||||||
marker: "# {mark} INPUT OPENVPN"
|
line: "/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #OPENVPN"
|
||||||
block: |
|
regexp: '#OPENVPN$'
|
||||||
/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
|
state: present
|
||||||
notify: restart minifirewall
|
failed_when: False
|
||||||
tags:
|
tags:
|
||||||
- openvpn
|
- openvpn
|
||||||
|
- openvpn-minifirewall
|
||||||
|
|
||||||
- name: Create /etc/shellpki directory
|
- name: Create /etc/shellpki directory
|
||||||
file:
|
file:
|
||||||
|
@ -53,6 +45,11 @@
|
||||||
tags:
|
tags:
|
||||||
- openvpn
|
- openvpn
|
||||||
|
|
||||||
|
- include_role:
|
||||||
|
name: remount-usr
|
||||||
|
tags:
|
||||||
|
- openvpn
|
||||||
|
|
||||||
- name: Copy some shellpki files
|
- name: Copy some shellpki files
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
|
@ -67,6 +64,12 @@
|
||||||
tags:
|
tags:
|
||||||
- openvpn
|
- openvpn
|
||||||
|
|
||||||
|
- name: Deploy DH PARAMETERS
|
||||||
|
template:
|
||||||
|
src: "dh2048.pem.j2"
|
||||||
|
dest: "/etc/shellpki/dh2048.pem"
|
||||||
|
mode: "0600"
|
||||||
|
|
||||||
- name: Verify shellpki sudoers file presence
|
- name: Verify shellpki sudoers file presence
|
||||||
copy:
|
copy:
|
||||||
src: "sudo_shellpki"
|
src: "sudo_shellpki"
|
||||||
|
|
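Review bot: `failed_when: False` on the rewritten "Allow OpenVPN input" task swallows every failure of the lineinfile call, so a missing or read-only /etc/default/minifirewall leaves the UDP/1194 rule undeployed while the play still reports success; the blockinfile task it replaces had no such override. Unless there is a known benign failure to tolerate, drop that line, or `register` the result and narrow the condition to that one case so the outcome stays visible. The `notify: restart minifirewall` of the removed task is also gone, so as far as this hunk shows the rule is only written to the file and takes effect at the next minifirewall restart; if the handler became unreachable when the `include_role: minifirewall` was dropped, an explicit restart task would close that gap. Port 1194 is hard-coded here and presumably again in the server template, so one `openvpn_port` variable used in both places would keep the firewall rule and the listener in sync.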
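--- a/openvpn/templates/dh2048.pem.j2
+++ b/openvpn/templates/dh2048.pem.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAuimweC/f5W/AIIFhLX256Bi5IU+AkN9sKZ9sxGx0xc3J8NwIBnEP
+R/2RgclJqJ8OodY70zeDHNLDyc01crGvihuupiWVlvQxS4osdhfdM+GoV9pcmCVr
+TRTybsUPkkm4rQ/SC7I2MxiYnXwDrrYnpMvBDaRZjoHlgTKjOGoYSd+DIDZSFKkv
+ASkXQkIC9FpvjnxfW5gtzzm6NheqgYUI2Y2QiqM6BmGVZiPcqyUpbWvRCcZLoPa2
+Z+FV9LxE4J7CX0ilTJXXhs3RaMlG8qZha3l0hEL4SAZp5xn74Ej/9hA5cWqnKEOQ
+aLfwADI4rPe9uTu9Qnw87DgM2tQeETBlmwIBAg==
+-----END DH PARAMETERS-----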
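Review bot: openvpn/templates/dh2048.pem.j2 contains no Jinja expression, so every host managed by this role receives the same Diffie-Hellman group, and since the file is committed to the repository that group is public. The DER header (`MIIBCAKCAQEA…`) and the trailing `…wIBAg==` decode to a 2048-bit prime with generator 2, which is acceptable strength, but one published group shared across all deployments is exactly what makes precomputation against it worthwhile, and nothing in the diff records where these parameters came from. Generating them on the target instead, e.g. `command: openssl dhparam -out /etc/shellpki/dh2048.pem 2048` with `args: creates: /etc/shellpki/dh2048.pem`, gives each host its own group and keeps the file out of version control; if the template is kept, a comment on the "Deploy DH PARAMETERS" task naming the generation command and date would at least make its provenance reviewable.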
@ -21,7 +21,9 @@ log-append /var/log/openvpn/openvpn.log
|
||||||
ca /etc/shellpki/cacert.pem
|
ca /etc/shellpki/cacert.pem
|
||||||
cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
|
cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
|
||||||
key /etc/shellpki/private/{{ ansible_fqdn }}.key
|
key /etc/shellpki/private/{{ ansible_fqdn }}.key
|
||||||
dh /etc/shellpkca/dh2048.pem
|
dh /etc/shellpki/dh2048.pem
|
||||||
|
|
||||||
server {{ openvpn_lan }} {{ openvpn_netmask }}
|
server {{ openvpn_lan }} {{ openvpn_netmask }}
|
||||||
|
|
||||||
|
# Management interface (used by check_openvpn for Nagios)
|
||||||
|
management 127.0.0.1 1195 /etc/openvpn/management-pwd
|
||||||
|
|
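Review bot: `management 127.0.0.1 1195 /etc/openvpn/management-pwd` enables the control socket with a password file that no task in this commit deploys, and as far as I recall OpenVPN treats an unreadable management password file as fatal, so the next restart would break the service on hosts where that file does not already exist. Add a task that installs it with `owner: root`, `group: root`, `mode: "0600"`, sourcing the password from a vaulted variable rather than a plain-text file in the repository. Binding to 127.0.0.1 is the right choice, since the management interface can disconnect clients and signal the daemon; extending the added comment to say that check_openvpn authenticates with this password file would help the next reader.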