adrien/ansible-role-openvpn
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Externalize role

Browse source
This commit is contained in:
Adrien Reslinger 2018-10-08 19:35:16 +02:00
commit dbd8ed5949
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
9 changed files with 272 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

101
tasks/main.yml Normal file
View file

@ -0,0 +1,101 @@
---
- name: Include vars for {{ ansible_os_family }}
include_vars: "{{ ansible_os_family }}.yml"
- name: Install packages for openvpn
package: name="{{ openvpn_packages }}" state=latest update_cache=yes
- name: Install OpenVSwitch
include_role:
name: openvswitch
when:
- openvpn_bridge_type == "ovs"
#- openvswitch_bridge:
# bridge: "{{ openvpn_bridge }}"
# parent: "{{ openvpn_bridgemaster }}"
# vlan: "{{ openvpn_vlan }}"
# state: present
# when:
# - openvpn_bridge_type == "ovs"
# Doesn't work !!
#- name: try nmcli add bridge - conn_name only & ip4 gw4 mode
# nmcli:
# type: bridge
# conn_name: '{{ openvpn_bridge }}'
# ip4: '{{ openvpn_bridge_ip }}/24'
# state: present
# when:
# - openvpn_bridge_type == "bridge"
- name: Make server config directory
file: path=/etc/openvpn/server state=directory owner=root group=root mode=0750
- name: Install vpn-up.sh script
template: src=etc/openvpn/server/vpn-up-down.sh.j2 dest=/etc/openvpn/server/vpn-up.sh owner=root group=root mode=0755
- name: Install vpn-down.sh link
file: src=vpn-up.sh dest=/etc/openvpn/server/vpn-down.sh state=link force=yes
# setsebool openvpn_run_unconfined on
- name: Set boolean selinux flag for scripts
seboolean:
name: openvpn_run_unconfined
state: yes
persistent: yes
# chcon -t openvpn_unconfined_script_exec_t vpn-up.sh
- name: Set selinux context to vpn-up.sh script
sefcontext:
target: '/etc/openvpn/server/vpn-up.sh'
setype: openvpn_unconfined_script_exec_t
state: present
# openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
# openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
# openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
# openssl dhparam -out dh2048.pem 2048
# source vars
# ./pkitool Client1
# Need more step to generate certificat files
- name: Install Certificat files
copy: src=etc/openvpn/server/easy-rsa/2.0/keys/{{ item }} dest=/etc/openvpn/server/{{ item }} owner=root group=root mode=0600
with_items:
- ca.crt
- dh2048.pem
- server.crt
- server.key
- ta.key
- name: Install openvpn configuration files
template: src=etc/openvpn/server/config.conf.j2 dest=/etc/openvpn/server/{{ openvpn_vpn_name }}.{{ item.proto }}.conf owner=root group=root mode=0644
with_items:
- '{{ openvpn_subnets }}'
notify: Restart openvpn-server-{{ item.proto }}
- name: Enable openvpn services
service: name="openvpn-server@{{ openvpn_vpn_name }}.{{ item.proto }}" enabled=yes
with_items:
- '{{ openvpn_subnets }}'
- name: Install Personnal OpenVPN config file for firewalld
template: src=etc/firewalld/services/openvpn.xml dest=/etc/firewalld/services/openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}.xml owner=root group=root mode=0644
register: result
- name: reload firewalld to refresh service list
command: firewall-cmd --reload
when: result is changed
- name: Open Firewalld
firewalld:
service: openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}
permanent: true
state: enabled
immediate: true
# firewall-cmd --reload
# firewall-cmd --add-service openvpn --permanent
# firewall-cmd --add-service openvpn-tcp --permanent
# firewall-cmd --zone=external --change-interface=eth0
# firewall-cmd --add-service=openvpn --zone=external --permanent
# firewall-cmd --add-service=openvpn-tcp --zone=external --permanent