236 lines
7.3 KiB
YAML
236 lines
7.3 KiB
YAML
---
|
|
|
|
- name: Install OpenVPN
|
|
openbsd_pkg:
|
|
name: openvpn--
|
|
when: ansible_distribution == 'OpenBSD'
|
|
|
|
- name: Create /etc/openvpn
|
|
file:
|
|
dest: "/etc/openvpn"
|
|
state: directory
|
|
owner: root
|
|
group: wheel
|
|
mode: "0755"
|
|
|
|
- name: Clone shellpki repo
|
|
git:
|
|
repo: "https://gitea.evolix.org/evolix/shellpki.git"
|
|
dest: /root/shellpki
|
|
|
|
- name: Create the shellpki user
|
|
user:
|
|
name: _shellpki
|
|
system: yes
|
|
create_home: no
|
|
home: "/etc/shellpki"
|
|
shell: "/sbin/nologin"
|
|
|
|
- name: Create /etc/shellpki
|
|
file:
|
|
dest: "/etc/shellpki"
|
|
state: directory
|
|
owner: _shellpki
|
|
group: _shellpki
|
|
mode: "0755"
|
|
|
|
- name: Copy shellpki files
|
|
copy:
|
|
src: "{{ item.source }}"
|
|
dest: "{{ item.destination }}"
|
|
remote_src: yes
|
|
with_items:
|
|
- { source: "/root/shellpki/openssl.cnf", destination: "/etc/shellpki/openssl.cnf" }
|
|
- { source: "/root/shellpki/shellpki", destination: "/usr/local/sbin/shellpki" }
|
|
|
|
- name: Change files permissions
|
|
file:
|
|
dest: "{{ item.dest }}"
|
|
mode: "{{ item.mode }}"
|
|
owner: "{{ item.owner }}"
|
|
group: "{{ item.group }}"
|
|
with_items:
|
|
- { dest: "/etc/shellpki/openssl.cnf", mode: "0640", owner: "_shellpki", group: "_shellpki"}
|
|
- { dest: "/usr/local/sbin/shellpki", mode: "0755", owner: "root", group: "wheel" }
|
|
|
|
- name: Delete local shellpki repo
|
|
file:
|
|
state: absent
|
|
dest: "/root/shellpki"
|
|
|
|
- name: Add sudo rights
|
|
lineinfile:
|
|
dest: "/etc/sudoers"
|
|
regexp: '/usr/local/sbin/shellpki'
|
|
line: "%_shellpki ALL = (root) /usr/local/sbin/shellpki"
|
|
validate: 'visudo -cf %s'
|
|
|
|
- name: Deploy OpenVPN client config template
|
|
template:
|
|
src: "ovpn.conf.j2"
|
|
dest: "/etc/shellpki/ovpn.conf"
|
|
mode: "0640"
|
|
owner: _shellpki
|
|
group: _shellpki
|
|
|
|
- name: Generate dhparam
|
|
command: "openssl dhparam -out /etc/shellpki/dh2048.pem 2048"
|
|
|
|
- name: Fix CRL rights in shellpki command
|
|
lineinfile:
|
|
dest: "/usr/local/sbin/shellpki"
|
|
regexp: '{{ item.regexp }}'
|
|
insertafter: "{{ item.insertafter }}"
|
|
line: "{{ item.line }}"
|
|
with_items:
|
|
- { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
|
|
- { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
|
|
|
|
- name: Deploy OpenVPN server config
|
|
template:
|
|
src: "server.conf.j2"
|
|
dest: "/etc/openvpn/server.conf"
|
|
mode: "0600"
|
|
owner: root
|
|
group: wheel
|
|
|
|
- name: Configure PacketFilter
|
|
lineinfile:
|
|
dest: "/etc/pf.conf"
|
|
line: "{{ item }}"
|
|
validate: 'pfctl -nf %s'
|
|
notify: reload packetfilter
|
|
with_items:
|
|
- "# OpenVPN"
|
|
- "pass in quick on $ext_if proto udp from any to self port 1194"
|
|
|
|
- name: Create a cron to rotate the logs
|
|
cron:
|
|
name: "OpenVPN logs rotation"
|
|
weekday: "6"
|
|
hour: "4"
|
|
minute: "0"
|
|
job: "cp /var/log/openvpn.log /var/log/openvpn.log.$(date +\\%F) && echo \"$(date +\\%F' '\\%R) - logfile turned over via cron\" > /var/log/openvpn.log && gzip /var/log/openvpn.log.$(date +\\%F) && find /var/log/ -type f -name \"openvpn.log.*\" -mtime +365 -exec rm {} \\+"
|
|
|
|
- name: Generate a password for the management interface
|
|
set_fact:
|
|
management_pwd: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits') }}"
|
|
|
|
- name: Set the management password
|
|
copy:
|
|
dest: "/etc/openvpn/management-pwd"
|
|
content: "{{ management_pwd }}"
|
|
mode: "0600"
|
|
owner: root
|
|
group: wheel
|
|
|
|
- name: Enable openvpn service
|
|
service:
|
|
name: openvpn
|
|
enabled: yes
|
|
|
|
- name: Set openvpn flags
|
|
lineinfile:
|
|
dest: /etc/rc.conf.local
|
|
regexp: "^openvpn_flags="
|
|
line: "openvpn_flags=--daemon --config /etc/openvpn/server.conf"
|
|
create: yes
|
|
|
|
- name: Is NRPE installed ?
|
|
stat:
|
|
path: "/etc/nrpe.d/evolix.cfg"
|
|
check_mode: no
|
|
register: nrpe_evolix_config
|
|
|
|
- name: Install NRPE check dependencies
|
|
openbsd_pkg:
|
|
name: p5-Net-Telnet
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Install OpenVPN NRPE check
|
|
copy:
|
|
src: "files/check_openvpn_openbsd.pl"
|
|
dest: "/usr/local/libexec/nagios/plugins/check_openvpn.pl"
|
|
mode: "0755"
|
|
owner: root
|
|
group: wheel
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Configure NRPE OpenVPN check
|
|
lineinfile:
|
|
dest: "/etc/nrpe.d/zzz_evolix.cfg"
|
|
regexp: '^command\[check_openvpn\]='
|
|
line: "command[check_openvpn]=/usr/local/libexec/nagios/plugins/check_openvpn.pl -H 127.0.0.1 -p 1195 -P {{ management_pwd }}"
|
|
create: yes
|
|
mode: "0644"
|
|
owner: root
|
|
group: wheel
|
|
notify: restart nrpe
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Install OpenVPN certificates NRPE check
|
|
copy:
|
|
src: "files/check_openvpn_certificates.sh"
|
|
dest: "/usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
|
|
mode: "0755"
|
|
owner: root
|
|
group: wheel
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Add doas rights for NRPE check
|
|
lineinfile:
|
|
dest: "/etc/doas.conf"
|
|
regexp: 'check_openvpn_certificates.sh'
|
|
line: "permit nopass _nrpe as root cmd /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
|
|
validate: 'doas -C %s'
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
- name: Configure NRPE certificates check
|
|
lineinfile:
|
|
dest: "/etc/nrpe.d/evolix.cfg"
|
|
regexp: '^command\[check_openvpn_certificates\]='
|
|
line: "command[check_openvpn_certificates]=doas /usr/local/libexec/nagios/plugins/check_openvpn_certificates.sh"
|
|
notify: restart nrpe
|
|
when: nrpe_evolix_config.stat.exists
|
|
|
|
# BEGIN TODO : Get this script from master branch when cloning it at the beginning when dev branch is merged with master (this script is currently not available on master branch)
|
|
- name: Clone dev branch of shellpki repo
|
|
git:
|
|
repo: "https://gitea.evolix.org/evolix/shellpki.git"
|
|
dest: /root/shellpki-dev
|
|
version: dev
|
|
|
|
- name: Copy shellpki script
|
|
copy:
|
|
src: "/root/shellpki-dev/cert-expirations.sh"
|
|
dest: "/usr/share/scripts/cert-expirations.sh"
|
|
mode: "0700"
|
|
owner: root
|
|
group: wheel
|
|
remote_src: yes
|
|
|
|
- name: Delete local shellpki-dev repo
|
|
file:
|
|
state: absent
|
|
dest: "/root/shellpki-dev"
|
|
# END TODO
|
|
|
|
- name: Install cron to warn about certificates expiration
|
|
cron:
|
|
name: "OpenVPN certificates expiration"
|
|
special_time: monthly
|
|
job: '/usr/share/scripts/cert-expirations.sh | mail -E -s "PKI VPN {{ ansible_hostname }} : recapitulatif expirations" {{ client_email }}'
|
|
|
|
- name: Warn the user about command to execute manually
|
|
pause:
|
|
prompt: |
|
|
/!\ WARNING /!\
|
|
You have to manually create the CA on the server with "shellpki init {{ ansible_fqdn }}". The command will ask you to create a password, and will ask you again to give the same one several times.
|
|
You have to manually generate the CRL on the server with "openssl ca -gencrl -keyfile /etc/shellpki/cakey.key -cert /etc/shellpki/cacert.pem -out /etc/shellpki/crl.pem -config /etc/shellpki/openssl.cnf". The previously created password will be asked.
|
|
You have to manually create the server's certificate with "shellpki create {{ ansible_fqdn }}".
|
|
You have to adjust the config file "/etc/openvpn/server.conf" for the following parameters : local (to check), cert (to check), key (to add), server (to check), push (to complete if needed).
|
|
Finally, you can (re)start the OpenVPN service with "rcctl restart openvpn".
|
|
|
|
Press enter to exit when it's done.
|
|
|