--- - name: Install OpenVPN apt: name: openvpn - name: Delete unwanted OpenVPN folders file: state: absent dest: "/etc/openvpn/{{ item }}" with_items: - client - server - name: Clone shellpki repo git: repo: "https://gitea.evolix.org/evolix/shellpki.git" dest: /root/shellpki - name: Create the shellpki user user: name: shellpki system: yes create_home: no home: "/etc/shellpki" shell: "/usr/sbin/nologin" - name: Create /etc/shellpki file: dest: "/etc/shellpki" mode: "0755" owner: shellpki group: shellpki state: directory - include_role: name: evolix/remount-usr - name: Copy shellpki files copy: src: "{{ item.source }}" dest: "{{ item.destination }}" remote_src: yes with_items: - { source: "/root/shellpki/openssl.cnf", destination: "/etc/shellpki/openssl.cnf" } - { source: "/root/shellpki/shellpki", destination: "/usr/local/sbin/shellpki" } - include_role: name: evolix/remount-usr - name: Change files permissions file: dest: "{{ item.dest }}" mode: "{{ item.mode }}" owner: "{{ item.owner }}" group: "{{ item.group }}" with_items: - { dest: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" } - { dest: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" } - name: Delete local shellpki repo file: state: absent dest: "/root/shellpki" - name: Add sudo rights lineinfile: dest: "/etc/sudoers.d/shellpki" regexp: '/usr/local/sbin/shellpki' line: "%shellpki ALL = (root) /usr/local/sbin/shellpki" create: yes mode: "0400" owner: root group: root validate: 'visudo -cf %s' - name: Deploy OpenVPN client config template template: src: "ovpn.conf.j2" dest: "/etc/shellpki/ovpn.conf" mode: "0600" owner: shellpki group: shellpki - name: Generate dhparam command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048" - include_role: name: evolix/remount-usr - name: Fix CRL rights in shellpki command lineinfile: dest: "/usr/local/sbin/shellpki" regexp: '{{ item.regexp }}' insertafter: "{{ item.insertafter }}" line: "{{ item.line }}" with_items: - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' } - name: Deploy OpenVPN server config template: src: "server.conf.j2" dest: "/etc/openvpn/server.conf" mode: "0600" owner: root group: root - name: Is minifirewall installed ? stat: path: "/etc/default/minifirewall" check_mode: no changed_when: false register: minifirewall_config - name: Retrieve the default interface shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2" check_mode: no changed_when: false register: minifirewall_int when: minifirewall_config.stat.exists - name: Add minifirewall rule in config file lineinfile: dest: "/etc/default/minifirewall" line: "{{ item }}" with_items: - "# OpenVPN" - "/sbin/iptables -t nat -A POSTROUTING -s {{ openvpn_lan }}/{{ openvpn_netmask_cidr }} -o $INT -j MASQUERADE" when: minifirewall_config.stat.exists - name: Activate minifirewall rule iptables: table: nat chain: POSTROUTING source: "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}" out_interface: "{{ minifirewall_int.stdout }}" jump: MASQUERADE when: minifirewall_config.stat.exists - name: Add 1194/udp OpenVPN port to public services in minifirewall replace: dest: "/etc/default/minifirewall" regexp: "^SERVICESUDP1='(.*)?'$" replace: "SERVICESUDP1='\\1 1194'" backup: yes when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv4 iptables: chain: INPUT protocol: udp destination_port: "1194" jump: ACCEPT ip_version: ipv4 when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv6 iptables: chain: INPUT protocol: udp destination_port: "1194" jump: ACCEPT ip_version: ipv6 when: minifirewall_config.stat.exists - name: Enable forwarding sysctl: name: net.ipv4.ip_forward value: "1" sysctl_file: "/etc/sysctl.d/openvpn.conf" - name: Generate a password for the management interface set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" - name: Set the management password copy: dest: "/etc/openvpn/management-pwd" content: "{{ management_pwd }}" mode: "0600" owner: root group: root - name: Enable openvpn service systemd: name: "openvpn@server.service" enabled: yes - name: Is NRPE installed ? stat: path: "/etc/nagios/nrpe.d/evolix.cfg" check_mode: no changed_when: false register: nrpe_evolix_config - name: Install NRPE check dependencies apt: name: libnet-telnet-perl when: nrpe_evolix_config.stat.exists - include_role: name: evolix/remount-usr - name: Install OpenVPN NRPE check copy: src: "files/check_openvpn_debian.pl" dest: "/usr/local/lib/nagios/plugins/check_openvpn" mode: "0755" owner: root group: nagios when: nrpe_evolix_config.stat.exists - name: Configure NRPE OpenVPN check lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists - include_role: name: evolix/remount-usr - name: Install OpenVPN certificates NRPE check copy: src: "files/check_openvpn_certificates.sh" dest: "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" mode: "0755" owner: root group: nagios when: nrpe_evolix_config.stat.exists - name: Add sudo rights for NRPE check lineinfile: dest: "/etc/sudoers.d/openvpn" regexp: 'check_openvpn_certificates.sh' line: "nagios ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" create: yes mode: "0400" owner: root group: root validate: 'visudo -cf %s' when: nrpe_evolix_config.stat.exists - name: Configure NRPE certificates check lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn_certificates\]=' line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists # BEGIN TODO : Get this script from master branch when cloning it at the beginning when dev branch is merged with master (this script is currently not available on master branch) - name: Clone dev branch of shellpki repo git: repo: "https://gitea.evolix.org/evolix/shellpki.git" dest: /root/shellpki-dev version: dev - include_role: name: evolix/remount-usr - name: Copy shellpki script copy: src: "/root/shellpki-dev/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" owner: root group: root remote_src: yes - name: Delete local shellpki-dev repo file: state: absent dest: "/root/shellpki-dev" # END TODO - name: Install cron to warn about certificates expiration cron: name: "OpenVPN certificates expiration" special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Warn the user about command to execute manually pause: prompt: | /!\ WARNING /!\ You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times. You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked. You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}". You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed). Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service". Press enter to exit when it's done.