From c3be57410dcbd80b969934bf4c9c9a03c610e796 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Dubois?=
Date: Tue, 6 Sep 2022 11:26:19 +0200
Subject: [PATCH] openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
---
 CHANGELOG.md | 1 +
 openvpn/tasks/debian.yml | 8 ++++++++
 openvpn/templates/server.conf.j2 | 4 ++--
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5042ef48..4dcaa63d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * openvpn: automate the initialization of the CA and the creation of the server certificate ; use openssl_dhparam module instead of a command
 * nagios-nrpe: Add check_domains
 * generate-ldif: support any version of MariaDB (instead of only 10.0, 10.1 and 10.3)
+* openvpn: Run OpenVPN with the \_openvpn user and group instead of nobody which is originally for NFS
 ### Fixed
diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml
index d6b03ac9..55ca2f8e 100644
--- a/openvpn/tasks/debian.yml
+++ b/openvpn/tasks/debian.yml
@@ -12,6 +12,14 @@
 - client
 - server
+- name: Create the _openvpn user
+ user:
+ name: _openvpn
+ system: yes
+ create_home: no
+ home: "/nonexistent"
+ shell: "/usr/sbin/nologin"
+
 - name: Create the shellpki user
 user:
 name: shellpki
diff --git a/openvpn/templates/server.conf.j2 b/openvpn/templates/server.conf.j2
index 23ce3e2b..a41b9b22 100644
--- a/openvpn/templates/server.conf.j2
+++ b/openvpn/templates/server.conf.j2
@@ -1,5 +1,5 @@
-user nobody
-group nogroup
+user _openvpn
+group _openvpn
 local {{ ansible_default_ipv4.address }}
 port 1194
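Review bot: The new `Create the _openvpn user` task in openvpn/tasks/debian.yml never sets the account's primary group, while the template changed in the same commit drops privileges to `group _openvpn`. Whether a same-named group exists then depends on the host's useradd defaults rather than on the role, and OpenVPN is expected to refuse to start if the group lookup fails. I would create the group explicitly and pin it on the user with `group: _openvpn`, as sketched below. The task list continues past the end of this hunk (the shellpki user task is only partly visible).

```yaml
- name: Create the _openvpn group
  group:
    name: _openvpn
    system: yes

# … unchanged: "Create the _openvpn user" task header …
  user:
    name: _openvpn
    group: _openvpn
    # … unchanged: system, create_home, home, shell …
```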
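Review bot: Switching `user`/`group` at the top of openvpn/templates/server.conf.j2 changes which account must be able to access every file OpenVPN touches after it drops privileges, and nothing in this commit migrates ownership on hosts already deployed with `nobody:nogroup`. The rest of the template is outside this hunk, so this is inferred: if it sets paths such as `crl-verify`, `status` or `ifconfig-pool-persist`, those files need to be readable (or writable) by `_openvpn`, otherwise the failure surfaces at runtime rather than at deploy time. I would add a task that sets owner and group on those paths, plus a comment above the two directives, e.g. `# Privileges are dropped to _openvpn after init; files re-read at runtime must be readable by it`.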