ansible-roles/openvpn/tasks/debian.yml

297 lines
8.5 KiB
YAML

---
- name: Install OpenVPN
apt:
name: openvpn
- name: Delete unwanted OpenVPN folders
file:
state: absent
dest: "/etc/openvpn/{{ item }}"
with_items:
- client
- server
- name: Clone shellpki repo
git:
repo: "https://gitea.evolix.org/evolix/shellpki.git"
dest: /root/shellpki
- name: Create the shellpki user
user:
name: shellpki
system: yes
create_home: no
home: "/etc/shellpki"
shell: "/usr/sbin/nologin"
- name: Create /etc/shellpki
file:
dest: "/etc/shellpki"
mode: "0755"
owner: shellpki
group: shellpki
state: directory
- include_role:
name: evolix/remount-usr
- name: Copy shellpki files
copy:
src: "{{ item.source }}"
dest: "{{ item.destination }}"
remote_src: yes
with_items:
- { source: "/root/shellpki/openssl.cnf", destination: "/etc/shellpki/openssl.cnf" }
- { source: "/root/shellpki/shellpki", destination: "/usr/local/sbin/shellpki" }
- include_role:
name: evolix/remount-usr
- name: Change files permissions
file:
dest: "{{ item.dest }}"
mode: "{{ item.mode }}"
owner: "{{ item.owner }}"
group: "{{ item.group }}"
with_items:
- { dest: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "shellpki", group: "shellpki" }
- { dest: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "root" }
- name: Delete local shellpki repo
file:
state: absent
dest: "/root/shellpki"
- name: Add sudo rights
lineinfile:
dest: "/etc/sudoers.d/shellpki"
regexp: '/usr/local/sbin/shellpki'
line: "%shellpki ALL = (root) /usr/local/sbin/shellpki"
create: yes
mode: "0400"
owner: root
group: root
validate: 'visudo -cf %s'
- name: Deploy OpenVPN client config template
template:
src: "ovpn.conf.j2"
dest: "/etc/shellpki/ovpn.conf"
mode: "0600"
owner: shellpki
group: shellpki
- name: Generate dhparam
command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
- include_role:
name: evolix/remount-usr
- name: Fix CRL rights in shellpki command
lineinfile:
dest: "/usr/local/sbin/shellpki"
regexp: '{{ item.regexp }}'
insertafter: "{{ item.insertafter }}"
line: "{{ item.line }}"
with_items:
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
- name: Deploy OpenVPN server config
template:
src: "server.conf.j2"
dest: "/etc/openvpn/server.conf"
mode: "0600"
owner: root
group: root
- name: Is minifirewall installed ?
stat:
path: "/etc/default/minifirewall"
check_mode: no
changed_when: false
register: minifirewall_config
- name: Retrieve the default interface
shell: "grep '^INT=' /etc/default/minifirewall | cut -d\\' -f 2"
check_mode: no
changed_when: false
register: minifirewall_int
when: minifirewall_config.stat.exists
- name: Add minifirewall rule in config file
lineinfile:
dest: "/etc/default/minifirewall"
line: "{{ item }}"
with_items:
- "# OpenVPN"
- "/sbin/iptables -t nat -A POSTROUTING -s {{ openvpn_lan }}/{{ openvpn_netmask_cidr }} -o $INT -j MASQUERADE"
when: minifirewall_config.stat.exists
- name: Activate minifirewall rule
iptables:
table: nat
chain: POSTROUTING
source: "{{ openvpn_lan }}/{{ openvpn_netmask_cidr }}"
out_interface: "{{ minifirewall_int.stdout }}"
jump: MASQUERADE
when: minifirewall_config.stat.exists
- name: Add 1194/udp OpenVPN port to public services in minifirewall
replace:
dest: "/etc/default/minifirewall"
regexp: "^SERVICESUDP1='(.*)?'$"
replace: "SERVICESUDP1='\\1 1194'"
backup: yes
when: minifirewall_config.stat.exists
- name: Activate minifirewall rule for IPv4
iptables:
chain: INPUT
protocol: udp
destination_port: "1194"
jump: ACCEPT
ip_version: ipv4
when: minifirewall_config.stat.exists
- name: Activate minifirewall rule for IPv6
iptables:
chain: INPUT
protocol: udp
destination_port: "1194"
jump: ACCEPT
ip_version: ipv6
when: minifirewall_config.stat.exists
- name: Enable forwarding
sysctl:
name: net.ipv4.ip_forward
value: "1"
sysctl_file: "/etc/sysctl.d/openvpn.conf"
- name: Generate a password for the management interface
set_fact:
management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
- name: Set the management password
copy:
dest: "/etc/openvpn/management-pwd"
content: "{{ management_pwd }}"
mode: "0600"
owner: root
group: root
- name: Enable openvpn service
systemd:
name: "openvpn@server.service"
enabled: yes
- name: Is NRPE installed ?
stat:
path: "/etc/nagios/nrpe.d/evolix.cfg"
check_mode: no
changed_when: false
register: nrpe_evolix_config
- name: Install NRPE check dependencies
apt:
name: libnet-telnet-perl
when: nrpe_evolix_config.stat.exists
- include_role:
name: evolix/remount-usr
- name: Install OpenVPN NRPE check
copy:
src: "files/check_openvpn_debian.pl"
dest: "/usr/local/lib/nagios/plugins/check_openvpn"
mode: "0755"
owner: root
group: nagios
when: nrpe_evolix_config.stat.exists
- name: Configure NRPE OpenVPN check
lineinfile:
dest: "/etc/nagios/nrpe.d/evolix.cfg"
regexp: '^command\[check_openvpn\]='
line: "command[check_openvpn]=/usr/local/lib/nagios/plugins/check_openvpn -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
notify: restart nagios-nrpe-server
when: nrpe_evolix_config.stat.exists
- include_role:
name: evolix/remount-usr
- name: Install OpenVPN certificates NRPE check
copy:
src: "files/check_openvpn_certificates.sh"
dest: "/usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
mode: "0755"
owner: root
group: nagios
when: nrpe_evolix_config.stat.exists
- name: Add sudo rights for NRPE check
lineinfile:
dest: "/etc/sudoers.d/openvpn"
regexp: 'check_openvpn_certificates.sh'
line: "nagios ALL=NOPASSWD: /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
create: yes
mode: "0400"
owner: root
group: root
validate: 'visudo -cf %s'
when: nrpe_evolix_config.stat.exists
- name: Configure NRPE certificates check
lineinfile:
dest: "/etc/nagios/nrpe.d/evolix.cfg"
regexp: '^command\[check_openvpn_certificates\]='
line: "command[check_openvpn_certificates]=sudo /usr/local/lib/nagios/plugins/check_openvpn_certificates.sh"
notify: restart nagios-nrpe-server
when: nrpe_evolix_config.stat.exists
# BEGIN TODO : Get this script from master branch when cloning it at the beginning when dev branch is merged with master (this script is currently not available on master branch)
- name: Clone dev branch of shellpki repo
git:
repo: "https://gitea.evolix.org/evolix/shellpki.git"
dest: /root/shellpki-dev
version: dev
- include_role:
name: evolix/remount-usr
- name: Copy shellpki script
copy:
src: "/root/shellpki-dev/cert-expirations.sh"
dest: "/usr/share/scripts/cert-expirations.sh"
mode: "0700"
owner: root
group: root
remote_src: yes
- name: Delete local shellpki-dev repo
file:
state: absent
dest: "/root/shellpki-dev"
# END TODO
- name: Install cron to warn about certificates expiration
cron:
name: "OpenVPN certificates expiration"
special_time: monthly
job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
- name: Warn the user about command to execute manually
pause:
prompt: |
/!\ WARNING /!\
You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
Finally, you can (re)start the OpenVPN service with "systemctl restart openvpn@server.service".
Press enter to exit when it's done.