Add the first version of OpenVPN role

This commit is contained in:
Tristan PILAT 2018-07-24 17:16:30 +02:00
parent db683ea9c3
commit 8ad8c2c798
8 changed files with 153 additions and 0 deletions

13
openvpn/README.md Normal file

@ -0,0 +1,13 @@
# OpenVPN
Installation and custom configuration of OpenVPN server.
## Tasks
Everything is in the `tasks/main.yml` file.
## Available variables
The full list of variables (with default values) can be found in `defaults/main.yml`.
NOTE: Make sure you have already cloned shellpki in ~/GIT/


@ -0,0 +1,3 @@
---
openvpn_lan: "192.168.42.0"
openvpn_netmask: "255.255.255.0"
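Review bot: Only the tunnel network is parameterised here, while the listening port `1194` is hard-coded twice elsewhere in the role — in the iptables rule written by the `Allow OpenVPN input` task and in `port 1194` in `server.conf.j2` — so changing one without the other silently locks clients out. A default such as `openvpn_port: 1194` (name constructed, not yet in the role) referenced from both places would keep them in step.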

1
openvpn/files/shellpki Symbolic link

@ -0,0 +1 @@
/home/tpilat/GIT/shellpki/
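Review bot: `openvpn/files/shellpki` is committed as a symbolic link to `/home/tpilat/GIT/shellpki/`, an absolute path in one developer's home directory, so the `Copy some shellpki files` task that reads `files/shellpki/openssl.cnf` and `files/shellpki/shellpki.sh` through it will fail on any controller where that checkout is not at exactly that path. It also means the PKI script installed to `/usr/local/sbin/shellpki` is whatever happens to be in that working copy rather than a reviewed, versioned artifact. Consider vendoring the two files into `openvpn/files/shellpki/` or pinning a submodule to a known commit, and dropping the README's `~/GIT/` requirement.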


@ -0,0 +1 @@
%shellpki ALL = (root) /usr/local/sbin/shellpki
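Review bot: `%shellpki ALL = (root) /usr/local/sbin/shellpki` lets every member of the `shellpki` group run the PKI tool as root with any arguments, and since that tool operates on the CA material under `/etc/shellpki`, group membership is effectively control of the VPN CA; nothing in the role says who is expected to be in that group (the `shellpki` account the tasks create is a nologin system user, so presumably administrators are added out of band). A leading comment in the file would make that intent reviewable, e.g. `# Members of group shellpki may run the PKI tool as root; membership means control of the CA`. Installing it with `validate: '/usr/sbin/visudo -cf %s'` and mode `0440`, as the copy task does, is the right way to deploy it.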

11
openvpn/handlers/main.yml Normal file

@ -0,0 +1,11 @@
---
- name: restart openvpn
service:
name: openvpn
state: restarted
- name: restart minifirewall
command: /etc/init.d/minifirewall restart
register: minifirewall_init_restart
failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"

19
openvpn/meta/main.yml Normal file

@ -0,0 +1,19 @@
galaxy_info:
author: Evolix
description: Installation and custom configuration of OpenVPN server.
issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
license: GPLv2
min_ansible_version: 2.2
platforms:
- name: Debian
versions:
- stretch
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
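Review bot: `dependencies: []` does not reflect that `tasks/main.yml` calls `include_role` with `name: minifirewall`, so the role silently requires the `minifirewall` role to be present on the controller at run time. Either declare it under `dependencies` (which would run it before this role's tasks, so check that still fits the `minifirewall_tail_*` facts set right before the include) or state the requirement in the README next to the shellpki note. Also `min_ansible_version: 2.2` is read as a float by generic YAML loaders; `min_ansible_version: "2.2"` avoids that.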

78
openvpn/tasks/main.yml Normal file

@ -0,0 +1,78 @@
---
- name: Install OpenVPN package
apt:
name: "openvpn"
tags:
- openvpn
- name: Deploy OpenVPN configuration
template:
src: "server.conf.j2"
dest: "/etc/openvpn/server.conf"
mode: "0600"
notify: restart openvpn
tags:
- openvpn
- set_fact:
minifirewall_tail_included: True
minifirewall_tail_file: /etc/default/minifirewall.tail
- include_role:
name: minifirewall
tags:
- openvpn
- name: Allow OpenVPN input
blockinfile:
dest: "{{ minifirewall_tail_file }}"
marker: "# {mark} INPUT OPENVPN"
block: |
/sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
notify: restart minifirewall
tags:
- openvpn
- name: Create /etc/shellpki directory
file:
path: /etc/shellpki
state: directory
owner: "root"
group: "root"
mode: "0755"
tags:
- openvpn
- name: Create shellpki user
user:
name: "shellpki"
system: yes
state: present
home: "/etc/shellpki/"
shell: "/usr/sbin/nologin"
tags:
- openvpn
- name: Copy some shellpki files
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: root
mode: "{{ item.mode }}"
force: yes
with_items:
- { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
- { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' }
tags:
- openvpn
- name: Verify shellpki sudoers file presence
copy:
src: "sudo_shellpki"
dest: "/etc/sudoers.d/shellpki"
force: true
mode: "0440"
validate: '/usr/sbin/visudo -cf %s'
tags:
- openvpn
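Review bot: The `set_fact` task that defines `minifirewall_tail_included` and `minifirewall_tail_file` is the only task in this file without `tags: [openvpn]`, so a run limited with `--tags openvpn` skips it while the tagged `Allow OpenVPN input` task still expands `{{ minifirewall_tail_file }}` and fails on an undefined variable, unless the minifirewall role happens to define a default for it. Give it a name and the same tag as its neighbours, e.g. `- name: Enable minifirewall tail file` above the existing `set_fact:`, followed by `tags:` / `- openvpn`. The file also mixes boolean spellings — `True` in the fact, `yes` for `system` and `force`, `true` for the sudoers copy — which yamllint's truthy rule flags; `true`/`false` throughout is the portable choice across YAML 1.1 and 1.2 loaders.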


@ -0,0 +1,27 @@
user nobody
group nogroup
local {{ ansible_default_ipv4.address }}
port 1194
proto udp
dev tun
mode server
keepalive 10 120
cipher AES-128-CBC # AES
#comp-lzo
# compress (à partir d'OpenVPN 2.4)
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
ca /etc/shellpki/cacert.pem
cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
key /etc/shellpki/private/{{ ansible_fqdn }}.key
dh /etc/shellpkca/dh2048.pem
server {{ openvpn_lan }} {{ openvpn_netmask }}
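Review bot: The line `dh /etc/shellpkca/dh2048.pem` points into `/etc/shellpkca/`, while `ca`, `cert` and `key` all live under `/etc/shellpki/`; this looks like a typo that will make OpenVPN fail to start, so it should read `dh /etc/shellpki/dh2048.pem` unless that directory really exists. The template also leaves the TLS side at defaults: no `tls-version-min 1.2`, no `tls-auth`/`tls-crypt` control-channel key, and a CBC cipher (`AES-128-CBC`) where the OpenVPN 2.4 shipped with stretch supports `AES-256-GCM`. Adding `tls-version-min 1.2` is a one-line hardening; the control-channel key needs material the role does not yet manage and belongs with the shellpki setup.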