--- # openbsd_pkg is broken since OpenBSD 7.4 with the version of Ansible we currently use #- name: Install OpenVPN # community.general.openbsd_pkg: # name: openvpn-- - name: Check if OpenVPN is already installed ansible.builtin.command: cmd: pkg_info -Iq inst:openvpn register: is_installed ignore_errors: true changed_when: false - name: Install OpenVPN ansible.builtin.command: cmd: pkg_add openvpn-- when: "'Can\\'t find inst:' in is_installed.stderr" - name: Create /etc/openvpn ansible.builtin.file: dest: "/etc/openvpn" state: directory owner: root group: wheel mode: "0755" - name: Create the shellpki user ansible.builtin.user: name: _shellpki system: yes create_home: no home: "/etc/shellpki" shell: "/sbin/nologin" - name: Create /etc/shellpki ansible.builtin.file: dest: "/etc/shellpki" state: directory owner: _shellpki group: _shellpki mode: "0755" - name: Copy shellpki files ansible.builtin.copy: src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" mode: "{{ item.mode }}" owner: "{{ item.owner }}" group: "{{ item.group }}" with_items: - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki" } - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0750", owner: "root", group: "wheel" } - name: Add sudo rights ansible.builtin.lineinfile: dest: "/etc/sudoers" regexp: '/usr/local/sbin/shellpki' line: "%_shellpki ALL = (root) /usr/local/sbin/shellpki" validate: 'visudo -cf %s' - name: Deploy OpenVPN client config template ansible.builtin.template: src: "ovpn.conf.j2" dest: "/etc/shellpki/ovpn.conf" mode: "0640" owner: _shellpki group: _shellpki - name: Generate dhparam community.crypto.openssl_dhparam: path: /etc/shellpki/dh2048.pem size: 2048 - name: Deploy OpenVPN server config ansible.builtin.template: src: "server.conf.j2" dest: "/etc/openvpn/server.conf" mode: "0600" owner: root group: wheel - name: Configure PacketFilter ansible.builtin.lineinfile: dest: "/etc/pf.conf" line: "{{ item }}" validate: 'pfctl -nf %s' notify: reload packetfilter with_items: - "# OpenVPN" - "pass in quick on $ext_if proto udp from any to self port 1194" - name: Create a cron to rotate the logs ansible.builtin.cron: name: "OpenVPN logs rotation" weekday: "6" hour: "4" minute: "0" job: "cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo \"$(date +\\%F' '\\%R) - logfile turned over via cron\" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name \"openvpn.log.*\" -mtime +365 -exec rm {} \\+" - name: Generate a password for the management interface ansible.builtin.set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" - name: Set the management password ansible.builtin.copy: dest: "/etc/openvpn/management-pwd" content: "{{ management_pwd }}" mode: "0600" owner: root group: wheel - name: Enable openvpn service ansible.builtin.service: name: openvpn enabled: yes - name: Set openvpn flags ansible.builtin.lineinfile: dest: /etc/rc.conf.local regexp: "^openvpn_flags=" line: "openvpn_flags=--daemon --config /etc/openvpn/server.conf" create: yes - name: Is NRPE installed ? ansible.builtin.stat: path: "/etc/nrpe.d/evolix.cfg" check_mode: no register: nrpe_evolix_config # openbsd_pkg is broken since OpenBSD 7.4 with the version of Ansible we currently use #- name: Install NRPE check dependency # community.general.openbsd_pkg: # name: p5-Net-Telnet # when: nrpe_evolix_config.stat.exists - name: Check if NRPE check dependency is already installed ansible.builtin.command: cmd: pkg_info -Iq inst:p5-Net-Telnet register: is_installed ignore_errors: true changed_when: false - name: Install NRPE check dependency ansible.builtin.command: cmd: pkg_add p5-Net-Telnet when: - "'Can\\'t find inst:' in is_installed.stderr" - nrpe_evolix_config.stat.exists - name: Install OpenVPN NRPE check ansible.builtin.copy: src: "files/check_openvpn_openbsd.pl" dest: "/usr/local/libexec/nagios/plugins/check_openvpn.pl" mode: "0755" owner: root group: wheel when: nrpe_evolix_config.stat.exists - name: Configure NRPE OpenVPN check ansible.builtin.lineinfile: dest: "/etc/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" create: yes mode: "0644" owner: root group: wheel notify: restart nrpe when: nrpe_evolix_config.stat.exists - name: Install OpenVPN certificates NRPE check ansible.builtin.copy: src: "files/check_openvpn_certificates.sh" dest: "/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" mode: "0755" owner: root group: wheel when: nrpe_evolix_config.stat.exists - name: Add doas rights for NRPE check ansible.builtin.lineinfile: dest: "/etc/doas.conf" regexp: 'check_openvpn_certificates.sh' line: "permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" validate: 'doas -C %s' when: nrpe_evolix_config.stat.exists - name: Configure NRPE certificates check ansible.builtin.lineinfile: dest: "/etc/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn_certificates\]=' line: "command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh" notify: restart nrpe when: nrpe_evolix_config.stat.exists - name: Copy script to check expirations ansible.builtin.copy: src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" owner: root group: wheel - name: Install cron to warn about certificates expiration ansible.builtin.cron: name: "OpenVPN certificates expiration" special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI OpenVPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password ansible.builtin.set_fact: ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}" check_mode: no changed_when: no - name: Initialization of the CA ansible.builtin.shell: cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' - name: Creation of the server's certificate ansible.builtin.shell: cmd: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' - name: Get the server key ansible.builtin.shell: cmd: 'ls -tr /etc/shellpki/private/ | tail -1' register: ca_key check_mode: no changed_when: no - name: Configure the server key ansible.builtin.replace: path: /etc/openvpn/server.conf regexp: 'key /etc/shellpki/private/TO_COMPLETE' replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}' - name: Restart OpenVPN ansible.builtin.service: name: openvpn state: restarted - name: Warn the user about manual checks ansible.builtin.pause: prompt: | /!\ WARNING /!\ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "rcctl restart openvpn". The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN. Take note of the generated CA password and store it in your password manager : {{ ca_pwd }} Press enter to exit when it's done.