--- - name: Install OpenVPN apt: name: openvpn - name: Delete unwanted OpenVPN folders file: state: absent dest: "/etc/openvpn/{{ item }}" with_items: - client - server - name: Create the _openvpn user user: name: _openvpn system: yes create_home: no home: "/nonexistent" shell: "/usr/sbin/nologin" - name: Create the shellpki user user: name: shellpki system: yes create_home: no home: "/etc/shellpki" shell: "/usr/sbin/nologin" - name: Create /etc/shellpki file: dest: "/etc/shellpki" mode: "0755" owner: shellpki group: shellpki state: directory - include_role: name: evolix/remount-usr - name: Copy shellpki files copy: src: "shellpki/{{ item.source }}" dest: "{{ item.destination }}" mode: "{{ item.mode }}" owner: "{{ item.owner }}" group: "{{ item.group }}" with_items: - { source: "openssl.cnf", destination: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" } - { source: "shellpki", destination: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" } - name: Add sudo rights lineinfile: dest: "/etc/sudoers.d/shellpki" regexp: '/usr/local/sbin/shellpki' line: "%shellpki ALL = (root) /usr/local/sbin/shellpki" create: yes mode: "0400" owner: root group: root validate: 'visudo -cf %s' - name: Deploy OpenVPN client config template template: src: "ovpn.conf.j2" dest: "/etc/shellpki/ovpn.conf" mode: "0600" owner: shellpki group: shellpki - name: Generate dhparam openssl_dhparam: path: /etc/shellpki/dh2048.pem size: 2048 - include_role: name: evolix/remount-usr - name: Fix CRL rights in shellpki command lineinfile: dest: "/usr/local/sbin/shellpki" regexp: '{{ item.regexp }}' insertafter: "{{ item.insertafter }}" line: "{{ item.line }}" with_items: - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' } - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' } - name: Deploy OpenVPN server config template: src: "server.conf.j2" dest: "/etc/openvpn/server.conf" mode: "0600" owner: root group: root - name: Is minifirewall installed ? stat: path: "/etc/default/minifirewall" check_mode: no changed_when: false register: minifirewall_config - name: Retrieve the default interface shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2" check_mode: no changed_when: false register: minifirewall_int when: minifirewall_config.stat.exists - name: Add minifirewall rule in config file lineinfile: dest: "/etc/default/minifirewall" line: "{{ item }}" with_items: - "# OpenVPN" - "/sbin/iptables -t nat -A POSTROUTING -s {{ openvpn_lan }}/{{ openvpn_netmask_cidr }} -o $INT -j MASQUERADE" when: minifirewall_config.stat.exists - name: Activate minifirewall rule iptables: table: nat chain: POSTROUTING source: "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}" out_interface: "{{ minifirewall_int.stdout }}" jump: MASQUERADE when: minifirewall_config.stat.exists - name: Add 1194/udp OpenVPN port to public services in minifirewall replace: dest: "/etc/default/minifirewall" regexp: "^SERVICESUDP1='(.*)?'$" replace: "SERVICESUDP1='\\1 1194'" backup: yes when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv4 iptables: chain: INPUT protocol: udp destination_port: "1194" jump: ACCEPT ip_version: ipv4 when: minifirewall_config.stat.exists - name: Activate minifirewall rule for IPv6 iptables: chain: INPUT protocol: udp destination_port: "1194" jump: ACCEPT ip_version: ipv6 when: minifirewall_config.stat.exists - name: Enable forwarding sysctl: name: net.ipv4.ip_forward value: "1" sysctl_file: "/etc/sysctl.d/openvpn.conf" - name: Configure logrotate for OpenVPN copy: src: logrotate_openvpn dest: /etc/logrotate.d/openvpn force: no - name: Generate a password for the management interface set_fact: management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}" - name: Set the management password copy: dest: "/etc/openvpn/management-pwd" content: "{{ management_pwd }}" mode: "0600" owner: root group: root - name: Enable openvpn service systemd: name: "openvpn@server.service" enabled: yes - name: Is NRPE installed ? stat: path: "/etc/nagios/nrpe.d/evolix.cfg" check_mode: no changed_when: false register: nrpe_evolix_config - name: Install NRPE check dependencies apt: name: libnet-telnet-perl when: nrpe_evolix_config.stat.exists - include_role: name: evolix/remount-usr - name: Install OpenVPN NRPE check copy: src: "files/check_openvpn_debian.pl" dest: "/usr/local/lib/nagios/plugins/check_openvpn" mode: "0755" owner: root group: nagios when: nrpe_evolix_config.stat.exists - name: Configure NRPE OpenVPN check lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn\]=' line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists - include_role: name: evolix/remount-usr - name: Install OpenVPN certificates NRPE check copy: src: "files/check_openvpn_certificates.sh" dest: "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" mode: "0755" owner: root group: nagios when: nrpe_evolix_config.stat.exists - name: Add sudo rights for NRPE check lineinfile: dest: "/etc/sudoers.d/openvpn" regexp: 'check_openvpn_certificates.sh' line: "nagios ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" create: yes mode: "0400" owner: root group: root validate: 'visudo -cf %s' when: nrpe_evolix_config.stat.exists - name: Configure NRPE certificates check lineinfile: dest: "/etc/nagios/nrpe.d/evolix.cfg" regexp: '^command\[check_openvpn_certificates\]=' line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh" notify: restart nagios-nrpe-server when: nrpe_evolix_config.stat.exists - include_role: name: evolix/remount-usr - name: Copy script to check expirations copy: src: "shellpki/cert-expirations.sh" dest: "/usr/share/scripts/cert-expirations.sh" mode: "0700" owner: root group: root - name: Install cron to warn about certificates expiration cron: name: "OpenVPN certificates expiration" special_time: monthly job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}' - name: Generate the CA password set_fact: ca_pwd: "{{ lookup('password', '/dev/null length=25 chars=ascii_letters,digits') }}" check_mode: no changed_when: no - name: Initialization of the CA shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki init --non-interactive {{ ansible_fqdn }}' - name: Creation of the server's certificate shell: 'CA_PASSWORD="{{ ca_pwd }}" shellpki create --days 3650 --non-interactive {{ ansible_fqdn }}' - name: Get the server key shell: 'ls -tr /etc/shellpki/private/ | tail -1' register: ca_key check_mode: no changed_when: no - name: Configure the server key replace: path: /etc/openvpn/server.conf regexp: 'key /etc/shellpki/private/TO_COMPLETE' replace: 'key /etc/shellpki/private/{{ ca_key.stdout }}' - name: Restart OpenVPN systemd: name: "openvpn@server.service" state: restarted - name: Warn the user about manual checks pause: prompt: | /!\ WARNING /!\ You must check and adjust if necessary the configuration file "/etc/openvpn/server.conf", and then restart the OpenVPN service with "systemctl restart openvpn@server.service". The "push" parameter may be needed to push a route to the client, so that the client can access that route through OpenVPN. Take note of the generated CA password and store it in your password manager : {{ ca_pwd }} Press enter to exit when it's done.