---

- name: Install OpenVPN
  openbsd_pkg:
    name: openvpn--
  when: ansible_distribution == 'OpenBSD'

- name: Create /etc/openvpn
  file:
    dest: "/etc/openvpn"
    state: directory
    owner: root
    group: wheel
    mode: "0755"

- name: Clone shellpki repo
  git:
    repo: "https://gitea.evolix.org/evolix/shellpki.git"
    dest: /root/shellpki

- name: Create the shellpki user
  user:
    name: _shellpki
    system: yes
    create_home: no
    home: "/etc/shellpki"
    shell: "/sbin/nologin"

- name: Create /etc/shellpki
  file:
    dest: "/etc/shellpki"
    state: directory
    owner: _shellpki
    group: _shellpki
    mode: "0755"

- name: Copy shellpki files
  copy:
    src: "{{ item.source }}"
    dest: "{{ item.destination }}"
    remote_src: yes
  with_items:
     - { source: "/root/shellpki/openssl.cnf", destination: "/etc/shellpki/openssl.cnf" }
     - { source: "/root/shellpki/shellpki", destination: "/usr/local/sbin/shellpki" }

- name: Change files permissions
  file:
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
  with_items:
     - { dest: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki"}
     - { dest: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "wheel" }

- name: Delete local shellpki repo
  file:
    state: absent
    dest: "/root/shellpki"

- name: Add sudo rights
  lineinfile:
    dest: "/etc/sudoers"
    regexp: '/usr/local/sbin/shellpki'
    line: "%_shellpki ALL = (root) /usr/local/sbin/shellpki"
    validate: 'visudo -cf %s'

- name: Deploy OpenVPN client config template
  template:
    src: "ovpn.conf.j2"
    dest: "/etc/shellpki/ovpn.conf"
    mode: "0640"
    owner: _shellpki
    group: _shellpki

- name: Generate dhparam
  command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"

- name: Fix CRL rights in shellpki command
  lineinfile:
    dest: "/usr/local/sbin/shellpki"
    regexp: '{{ item.regexp }}'
    insertafter: "{{ item.insertafter }}"
    line: "{{ item.line }}"
  with_items:
     - { regexp: '^    chmod 644 /etc/shellpki/crl.pem$', line: "    chmod 644 /etc/shellpki/crl.pem", insertafter: '^    chmod 640 "\${CACERT}"$' }
     - { regexp: '^    chmod 755 /etc/shellpki/$', line: "    chmod 755 /etc/shellpki/", insertafter: '^    chmod 644 /etc/shellpki/crl.pem$' }

- name: Deploy OpenVPN server config
  template:
    src: "server.conf.j2"
    dest: "/etc/openvpn/server.conf"
    mode: "0600"
    owner: root
    group: wheel

- name: Configure PacketFilter
  lineinfile:
    dest: "/etc/pf.conf"
    line: "{{ item }}"
    validate: 'pfctl -nf %s'
  notify: reload packetfilter
  with_items:
     - "# OpenVPN"
     - "pass in quick on $ext_if proto udp from any to self port 1194"

- name: Create a cron to rotate the logs
  cron:
    name: "OpenVPN logs rotation"
    weekday: "6"
    hour: "4"
    minute: "0"
    job: "cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo \"$(date +\\%F' '\\%R) - logfile turned over via cron\" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name \"openvpn.log.*\" -mtime +365 -exec rm {} \\+"

- name: Generate a password for the management interface
  set_fact:
    management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"

- name: Set the management password
  copy:
    dest: "/etc/openvpn/management-pwd"
    content: "{{ management_pwd }}"
    mode: "0600"
    owner: root
    group: wheel

- name: Enable openvpn service
  service:
    name: openvpn
    enabled: yes

- name: Set openvpn flags
  lineinfile:
    dest: /etc/rc.conf.local
    regexp: "^openvpn_flags="
    line: "openvpn_flags=--daemon --config /etc/openvpn/server.conf"
    create: yes

- name: Is NRPE installed ?
  stat:
    path: "/etc/nrpe.d/evolix.cfg"
  check_mode: no
  register: nrpe_evolix_config

- name: Install NRPE check dependencies
  openbsd_pkg:
    name: p5-Net-Telnet
  when: nrpe_evolix_config.stat.exists

- name: Install OpenVPN NRPE check
  copy:
    src: "files/check_openvpn_openbsd.pl"
    dest: "/usr/local/libexec/nagios/plugins/check_openvpn.pl"
    mode: "0755"
    owner: root
    group: wheel
  when: nrpe_evolix_config.stat.exists

- name: Configure NRPE OpenVPN check
  lineinfile:
    dest: "/etc/nrpe.d/zzz_evolix.cfg"
    regexp: '^command\[check_openvpn\]='
    line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
    create: yes
    mode: "0644"
    owner: root
    group: wheel
  notify: restart nrpe
  when: nrpe_evolix_config.stat.exists

- name: Install OpenVPN certificates NRPE check
  copy:
    src: "files/check_openvpn_certificates.sh"
    dest: "/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
    mode: "0755"
    owner: root
    group: wheel
  when: nrpe_evolix_config.stat.exists

- name: Add doas rights for NRPE check
  lineinfile:
    dest: "/etc/doas.conf"
    regexp: 'check_openvpn_certificates.sh'
    line: "permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
    validate: 'doas -C %s'
  when: nrpe_evolix_config.stat.exists

- name: Configure NRPE certificates check
  lineinfile:
    dest: "/etc/nrpe.d/evolix.cfg"
    regexp: '^command\[check_openvpn_certificates\]='
    line: "command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
  notify: restart nrpe
  when: nrpe_evolix_config.stat.exists

# BEGIN TODO : Get this script from master branch when cloning it at the beginning when dev branch is merged with master (this script is currently not available on master branch)
- name: Clone dev branch of shellpki repo
  git:
    repo: "https://gitea.evolix.org/evolix/shellpki.git"
    dest: /root/shellpki-dev
    version: dev

- name: Copy shellpki script
  copy:
    src: "/root/shellpki-dev/cert-expirations.sh"
    dest: "/usr/share/scripts/cert-expirations.sh"
    mode: "0700"
    owner: root
    group: wheel
    remote_src: yes

- name: Delete local shellpki-dev repo
  file:
    state: absent
    dest: "/root/shellpki-dev"
# END TODO

- name: Install cron to warn about certificates expiration
  cron:
    name: "OpenVPN certificates expiration"
    special_time: monthly
    job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'

- name: Warn the user about command to execute manually
  pause:
    prompt: |
      /!\ WARNING /!\
      You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
      You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
      You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
      You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
      Finally, you can (re)start the OpenVPN service with "rcctl restart openvpn".
      
      Press enter to exit when it's done.