WIP for CentOS 8

2020-07-13 01:14:43 +02:00 · 2020-07-13 01:14:43 +02:00 · b1a1cd76c0
commit b1a1cd76c0
parent 0053d6e2b3
2 changed files with 129 additions and 118 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,135 +1,140 @@
 ---
- name: Include vars for {{ ansible_os_family }}
+- name: Openvpn Server setup
-  include_vars: "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
+  block:
  - name: Include vars for {{ ansible_os_family }}
    include_vars: "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"
- name: Install packages for openvpn
+  - name: Install packages for openvpn
-  package:
+    package:
-    name: "{{ openvpn_packages }}"
+      name: "{{ openvpn_packages }}"
-    state: present
+      state: present
-    update_cache: yes
+      update_cache: yes
- name: Install OpenVSwitch
+  - name: Install OpenVSwitch
-  include_role:
+    include_role:
-    name: openvswitch
+      name: openvswitch
-  when:
+    when:
-    - openvpn_bridge_type == "ovs"
+      - openvpn_bridge_type == "ovs"
-#- openvswitch_bridge:
+#  - openvswitch_bridge:
-#    bridge: "{{ openvpn_bridge }}"
+#      bridge: "{{ openvpn_bridge }}"
-#    parent: "{{ openvpn_bridgemaster }}"
+#      parent: "{{ openvpn_bridgemaster }}"
-#    vlan: "{{ openvpn_vlan }}"
+#      vlan: "{{ openvpn_vlan }}"
-#    state: present
+#      state: present
-#  when:
+#    when:
-#    - openvpn_bridge_type == "ovs"
+#      - openvpn_bridge_type == "ovs"
 # Doesn't work !!
-#- name: try nmcli add bridge - conn_name only & ip4 gw4 mode
+#  - name: try nmcli add bridge - conn_name only & ip4 gw4 mode
-#  nmcli:
+#    nmcli:
-#    type: bridge
+#      type: bridge
-#    conn_name: '{{ openvpn_bridge }}'
+#      conn_name: '{{ openvpn_bridge }}'
-#    ip4: '{{ openvpn_bridge_ip }}/24'
+#      ip4: '{{ openvpn_bridge_ip }}/24'
-#    state: present
+#      state: present
-#  when:
+#    when:
-#    - openvpn_bridge_type == "bridge"
+#      - openvpn_bridge_type == "bridge"
- name: Make server config directory
+  - name: Make server config directory
-  file:
+    file:
-    path: /etc/openvpn/server
+      path: /etc/openvpn/server
-    state: directory
+      state: directory
-    owner: root
+      owner: root
-    group: root
+      group: root
-    mode: 0750
+      mode: 0750
- name: Install vpn-up.sh script
+  - name: Install vpn-up.sh script
-  template:
+    template:
-    src: etc/openvpn/server/vpn-up-down.sh.j2
+      src: etc/openvpn/server/vpn-up-down.sh.j2
-    dest: /etc/openvpn/server/vpn-up.sh
+      dest: /etc/openvpn/server/vpn-up.sh
-    owner: root
+      owner: root
-    group: root
+      group: root
-    mode: 0755
+      mode: 0755
- name: Install vpn-down.sh link
+  - name: Install vpn-down.sh link
-  file:
+    file:
-    src: vpn-up.sh
+      src: vpn-up.sh
-    dest: /etc/openvpn/server/vpn-down.sh
+      dest: /etc/openvpn/server/vpn-down.sh
-    state: link
+      state: link
-    force: yes
+      force: yes
-# setsebool openvpn_run_unconfined on
+  # setsebool openvpn_run_unconfined on
- name: Set boolean selinux flag for scripts
+  - name: Set boolean selinux flag for scripts
-  seboolean:
+    seboolean:
-    name: openvpn_run_unconfined
+      name: openvpn_run_unconfined
-    state: yes
+      state: yes
-    persistent: yes
+      persistent: yes
-# chcon -t openvpn_unconfined_script_exec_t vpn-up.sh
+  # chcon -t openvpn_unconfined_script_exec_t vpn-up.sh
- name: Set selinux context to vpn-up.sh script
+  - name: Set selinux context to vpn-up.sh script
-  sefcontext:
+    sefcontext:
-    target: '/etc/openvpn/server/vpn-up.sh'
+      target: '/etc/openvpn/server/vpn-up.sh'
-    setype: openvpn_unconfined_script_exec_t
+      setype: openvpn_unconfined_script_exec_t
-    state: present
+      state: present
-# openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
+  # openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
-# openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
+  # openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
-# openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
+  # openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
-# openssl dhparam -out dh2048.pem 2048
+  # openssl dhparam -out dh2048.pem 2048
-# source vars
+  # source vars
-# ./pkitool Client1
+  # ./pkitool Client1
-# Need more step to generate certificat files
+  # Need more step to generate certificat files
- name: Install Certificat files
+  - name: Install Certificat files
-  copy:
+    copy:
-    src: etc/openvpn/server/easy-rsa/2.0/keys/{{ item }}
+      src: etc/openvpn/server/easy-rsa/2.0/keys/{{ item }}
-    dest: /etc/openvpn/server/{{ item }}
+      dest: /etc/openvpn/server/{{ item }}
-    owner: root
+      owner: root
-    group: root
+      group: root
-    mode: 0600
+      mode: 0600
-  with_items:
+    with_items:
-    - ca.crt
+      - ca.crt
-    - dh2048.pem
+      - dh2048.pem
-    - server.crt
+      - server.crt
-    - server.key
+      - server.key
-    - ta.key
+      - ta.key
- name: Install openvpn configuration files
+  - name: Install openvpn configuration files
-  template:
+    template:
-    src: etc/openvpn/server/config.conf.j2
+      src: etc/openvpn/server/config.conf.j2
-    dest: /etc/openvpn/server/{{ openvpn_vpn_name }}.{{ item.proto }}.conf
+      dest: /etc/openvpn/server/{{ openvpn_vpn_name }}.{{ item.proto }}.conf
-    owner: root
+      owner: root
-    group: root
+      group: root
-    mode: 0644
+      mode: 0644
-  with_items:
+    with_items:
-    - '{{ openvpn_subnets }}'
+      - '{{ openvpn_subnets }}'
-  notify: Restart openvpn-server-{{ item.proto }}
+    notify: Restart openvpn-server-{{ item.proto }}
- name: Enable openvpn services
+  - name: Enable openvpn services
-  service:
+    service:
-    name: "openvpn-server@{{ openvpn_vpn_name }}.{{ item.proto }}"
+      name: "openvpn-server@{{ openvpn_vpn_name }}.{{ item.proto }}"
-    enabled: yes
+      enabled: yes
-  with_items:
+    with_items:
-    - '{{ openvpn_subnets }}'
+      - '{{ openvpn_subnets }}'
- name: Install Personnal OpenVPN config file for firewalld
+  - name: Install Personnal OpenVPN config file for firewalld
-  template:
+    template:
-    src: etc/firewalld/services/openvpn.xml
+      src: etc/firewalld/services/openvpn.xml
-    dest: /etc/firewalld/services/openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}.xml
+      dest: /etc/firewalld/services/openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}.xml
-    owner: root
+      owner: root
-    group: root
+      group: root
-    mode: 0644
+      mode: 0644
-  register: result
+    register: result
- name: reload firewalld to refresh service list
+  - name: reload firewalld to refresh service list
-  command: firewall-cmd --reload
+    command: firewall-cmd --reload
-  when: result is changed
+    when: result is changed
- name: Open Firewalld
+  - name: Open Firewalld
-  firewalld:
+    firewalld:
-    service: openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}
+      service: openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}
-    permanent: true
+      permanent: true
-    state: enabled
+      state: enabled
-    immediate: true
+      immediate: true
-# firewall-cmd --reload
+  # firewall-cmd --reload
-# firewall-cmd --add-service openvpn --permanent
+  # firewall-cmd --add-service openvpn --permanent
-# firewall-cmd --add-service openvpn-tcp --permanent
+  # firewall-cmd --add-service openvpn-tcp --permanent
-# firewall-cmd --zone=external --change-interface=eth0
+  # firewall-cmd --zone=external --change-interface=eth0
-# firewall-cmd --add-service=openvpn --zone=external --permanent
+  # firewall-cmd --add-service=openvpn --zone=external --permanent
-# firewall-cmd --add-service=openvpn-tcp --zone=external --permanent
+  # firewall-cmd --add-service=openvpn-tcp --zone=external --permanent
  tags:
    - openvpn
    - openvpn-server
--- a/vars/RedHat_8.yml
+++ b/vars/RedHat_8.yml
@ -0,0 +1,6 @@
 ---
 openvpn_packages:
  - openvpn
  - python3-libsemanage
  - python3-policycoreutils
 #  - NetworkManager-libnm