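---
# OpenVPN server tasks: install the package, deploy server.conf, open the
# UDP port in minifirewall and set up the shellpki certificate tooling.
# Every task carries the "openvpn" tag so the whole set runs together when
# the play is invoked with --tags openvpn.

- name: Install OpenVPN package
  apt:
    name: "openvpn"
  tags:
    - openvpn

- name: Deploy OpenVPN configuration
  template:
    src: "server.conf.j2"
    dest: "/etc/openvpn/server.conf"
    mode: "0600"  # readable by root only
  notify: restart openvpn
  tags:
    - openvpn

# This task was untagged: when the play ran with --tags openvpn it was
# skipped, and "Allow OpenVPN input" below then failed on an undefined
# minifirewall_tail_file. It now carries the same tag as its consumers.
- name: Set minifirewall tail facts
  set_fact:
    minifirewall_tail_included: true
    minifirewall_tail_file: "/etc/default/minifirewall.tail"
  tags:
    - openvpn

- name: Include minifirewall role
  include_role:
    name: minifirewall
  tags:
    - openvpn

- name: Allow OpenVPN input
  blockinfile:
    dest: "{{ minifirewall_tail_file }}"
    marker: "# {mark} INPUT OPENVPN"
    block: |
      /sbin/iptables -A INPUT -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  notify: restart minifirewall
  tags:
    - openvpn

- name: Create /etc/shellpki directory
  file:
    path: "/etc/shellpki"
    state: directory
    owner: "root"
    group: "root"
    mode: "0755"
  tags:
    - openvpn

- name: Create shellpki user
  user:
    name: "shellpki"
    system: true
    state: present
    home: "/etc/shellpki/"
    shell: "/usr/sbin/nologin"  # service account, no interactive login
  tags:
    - openvpn

- name: Copy some shellpki files
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: root
    mode: "{{ item.mode }}"
    force: true
  with_items:
    - src: 'files/shellpki/openssl.cnf'
      dest: '/etc/shellpki/openssl.cnf'
      mode: '0640'
    - src: 'files/shellpki/shellpki.sh'
      dest: '/usr/local/sbin/shellpki'
      mode: '0755'
  tags:
    - openvpn

# visudo -c checks the file before it is put in place, so a malformed
# sudoers fragment is never installed.
- name: Verify shellpki sudoers file presence
  copy:
    src: "sudo_shellpki"
    dest: "/etc/sudoers.d/shellpki"
    force: true
    mode: "0440"
    validate: '/usr/sbin/visudo -cf %s'
  tags:
    - openvpn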