From 8ad8c2c79823fdda46684207271d6f1d54c8ae17 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Tue, 24 Jul 2018 17:16:30 +0200
Subject: [PATCH] Add the first version of OpenVPN role
---
openvpn/README.md | 13 ++++++
openvpn/defaults/main.yml | 3 ++
openvpn/files/shellpki | 1 +
openvpn/files/sudo_shellpki | 1 +
openvpn/handlers/main.yml | 11 +++++
openvpn/meta/main.yml | 19 ++++++++
openvpn/tasks/main.yml | 78 ++++++++++++++++++++++++++++++++
openvpn/templates/server.conf.j2 | 27 +++++++++++
8 files changed, 153 insertions(+)
create mode 100644 openvpn/README.md
create mode 100644 openvpn/defaults/main.yml
create mode 120000 openvpn/files/shellpki
create mode 100644 openvpn/files/sudo_shellpki
create mode 100644 openvpn/handlers/main.yml
create mode 100644 openvpn/meta/main.yml
create mode 100644 openvpn/tasks/main.yml
create mode 100644 openvpn/templates/server.conf.j2
diff --git a/openvpn/README.md b/openvpn/README.md
new file mode 100644
index 00000000..18b459ff
--- /dev/null
+++ b/openvpn/README.md
@@ -0,0 +1,13 @@
+# OpenVPN
+
+Installation and custom configuration of OpenVPN server.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
+
+NOTE: Make sure you have already cloned shellpki in ~/GIT/
diff --git a/openvpn/defaults/main.yml b/openvpn/defaults/main.yml
new file mode 100644
index 00000000..dbf2f802
--- /dev/null
+++ b/openvpn/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+openvpn_lan: "192.168.42.0"
+openvpn_netmask: "255.255.255.0"
diff --git a/openvpn/files/shellpki b/openvpn/files/shellpki
new file mode 120000
index 00000000..3036d457
--- /dev/null
+++ b/openvpn/files/shellpki
@@ -0,0 +1 @@
+/home/tpilat/GIT/shellpki/
\ No newline at end of file
diff --git a/openvpn/files/sudo_shellpki b/openvpn/files/sudo_shellpki
new file mode 100644
index 00000000..08ca1ab0
--- /dev/null
+++ b/openvpn/files/sudo_shellpki
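Review bot: `openvpn/files/shellpki` is committed as a symlink to an absolute path inside one developer's home directory (`/home/tpilat/GIT/shellpki/`), and the role's copy task resolves `files/shellpki/openssl.cnf` and `files/shellpki/shellpki.sh` through it, so on any other control host the role either fails or ships whatever happens to sit at that path; the README's `~/GIT/` instruction only coincides with this target for that one user. Since these two files become a root-owned script that is later run through sudo, their content should be pinned in the repository rather than taken from an unversioned working copy. I would replace the symlink by vendoring the two files under `files/shellpki/` (or fetching them from a pinned upstream revision in a task) and change the README line to something like `NOTE: files/shellpki/ holds a vendored copy of openssl.cnf and shellpki.sh from the shellpki repository; record the upstream revision when updating them`.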
@@ -0,0 +1 @@
+%shellpki ALL = (root) /usr/local/sbin/shellpki
diff --git a/openvpn/handlers/main.yml b/openvpn/handlers/main.yml
new file mode 100644
index 00000000..c87985aa
--- /dev/null
+++ b/openvpn/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+- name: restart openvpn
+ service:
+ name: openvpn
+ state: restarted
+
+- name: restart minifirewall
+ command: /etc/init.d/minifirewall restart
+ register: minifirewall_init_restart
+ failed_when: "'starting IPTables rules is now finish : OK' not in minifirewall_init_restart.stdout"
+ changed_when: "'starting IPTables rules is now finish : OK' in minifirewall_init_restart.stdout"
diff --git a/openvpn/meta/main.yml b/openvpn/meta/main.yml
new file mode 100644
index 00000000..7c4a6bd3
--- /dev/null
+++ b/openvpn/meta/main.yml
@@ -0,0 +1,19 @@
+galaxy_info:
+ author: Evolix
+ description: Installation and custom configuration of OpenVPN server.
+
+ issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+ license: GPLv2
+
+ min_ansible_version: 2.2
+
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+
+dependencies: []
+ # List your role dependencies here, one per line.
+ # Be sure to remove the '[]' above if you add dependencies
+ # to this list.
diff --git a/openvpn/tasks/main.yml b/openvpn/tasks/main.yml
new file mode 100644
index 00000000..6f553ba9
--- /dev/null
+++ b/openvpn/tasks/main.yml
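Review bot: The sudoers rule lets every member of the `shellpki` group execute `/usr/local/sbin/shellpki` as root with unrestricted arguments, and nothing in this patch populates that group or says who belongs in it, so group membership is the effective privilege boundary for the CA and should be documented next to the rule. The rule is also only as safe as the file it names: it depends on the copy task keeping the script root-owned and not group/world-writable, which a later edit could silently relax. I would add a comment above the rule, `# Members of shellpki may run the CA helper as root (caller's password is still prompted, no NOPASSWD); /usr/local/sbin/shellpki must stay root-owned and non-writable by others.` If the script accepts only a small set of subcommands, restricting the rule to those argument patterns would narrow the grant further.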
@@ -0,0 +1,78 @@
+---
+- name: Install OpenVPN package
+ apt:
+ name: "openvpn"
+ tags:
+ - openvpn
+
+- name: Deploy OpenVPN configuration
+ template:
+ src: "server.conf.j2"
+ dest: "/etc/openvpn/server.conf"
+ mode: "0600"
+ notify: restart openvpn
+ tags:
+ - openvpn
+
+- set_fact:
+ minifirewall_tail_included: True
+ minifirewall_tail_file: /etc/default/minifirewall.tail
+
+- include_role:
+ name: minifirewall
+ tags:
+ - openvpn
+
+- name: Allow OpenVPN input
+ blockinfile:
+ dest: "{{ minifirewall_tail_file }}"
+ marker: "# {mark} INPUT OPENVPN"
+ block: |
+ /sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+ notify: restart minifirewall
+ tags:
+ - openvpn
+
+- name: Create /etc/shellpki directory
+ file:
+ path: /etc/shellpki
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: "0755"
+ tags:
+ - openvpn
+
+- name: Create shellpki user
+ user:
+ name: "shellpki"
+ system: yes
+ state: present
+ home: "/etc/shellpki/"
+ shell: "/usr/sbin/nologin"
+ tags:
+ - openvpn
+
+- name: Copy some shellpki files
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: "{{ item.mode }}"
+ force: yes
+ with_items:
+ - { src: 'files/shellpki/openssl.cnf', dest: '/etc/shellpki/openssl.cnf', mode: '0640' }
+ - { src: 'files/shellpki/shellpki.sh', dest: '/usr/local/sbin/shellpki', mode: '0755' }
+ tags:
+ - openvpn
+
+- name: Verify shellpki sudoers file presence
+ copy:
+ src: "sudo_shellpki"
+ dest: "/etc/sudoers.d/shellpki"
+ force: true
+ mode: "0440"
+ validate: '/usr/sbin/visudo -cf %s'
+ tags:
+ - openvpn
diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2
new file mode 100644
index 00000000..356e88e8
--- /dev/null
+++ b/openvpn/templates/server.conf.j2
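Review bot: The `set_fact` task that defines `minifirewall_tail_included` and `minifirewall_tail_file` carries no `tags:` while every other task in the file is tagged `openvpn`, so a run limited with `--tags openvpn` skips it; the `include_role` of minifirewall then runs without `minifirewall_tail_included`, and the following `blockinfile` task fails on an undefined `minifirewall_tail_file`. Add `tags:` / `- openvpn` to the `set_fact` task, or move those two values into `defaults/main.yml` so they exist regardless of tag selection. Separately, the last task is named "Verify shellpki sudoers file presence" but it installs the file rather than verifying it (`- name: Install shellpki sudoers file` describes what it does), and `force: true` there versus `force: yes` in the preceding task should be unified on `true`.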
@@ -0,0 +1,27 @@
+user nobody
+group nogroup
+
+local {{ ansible_default_ipv4.address }}
+port 1194
+proto udp
+dev tun
+mode server
+keepalive 10 120
+
+cipher AES-128-CBC # AES
+#comp-lzo
+# compress (à partir d'OpenVPN 2.4)
+
+persist-key
+persist-tun
+
+status /var/log/openvpn/openvpn-status.log
+log-append /var/log/openvpn/openvpn.log
+
+ca /etc/shellpki/cacert.pem
+cert /etc/shellpki/certs/{{ ansible_fqdn }}.crt
+key /etc/shellpki/private/{{ ansible_fqdn }}.key
+dh /etc/shellpkca/dh2048.pem
+
+server {{ openvpn_lan }} {{ openvpn_netmask }}
+
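Review bot: The `dh` directive points at `/etc/shellpkca/dh2048.pem` while every other PKI path in the template lives under `/etc/shellpki/`; this looks like a typo, and since OpenVPN refuses to start when it cannot open the DH file the first `restart openvpn` after deployment would fail — `dh /etc/shellpki/dh2048.pem`. The server config also has no TLS floor and no control-channel protection: `tls-version-min 1.2` is a one-line hardening with no PKI dependency, and a `tls-auth`/`tls-crypt` shared key would make the public UDP port drop packets from anyone who does not hold it before a TLS handshake even begins (clients need the same key, so it is a coordinated change). If shellpki maintains a CRL, a `crl-verify` directive pointing at it is what makes revocation effective; without it a revoked client certificate keeps authenticating until it expires.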