initial commit

2020-08-17 11:48:37 +02:00
parent 06cb1b5acc
commit 01e4b0efa1
12 changed files with 488 additions and 1 deletions
--- a/tasks/asserts.yml
+++ b/tasks/asserts.yml
@ -0,0 +1,48 @@
+---
+- name: 'openvpn | validate | ensure Easy-RSA request Country is defined'
+  assert:
+    that: openvpn_easyrsa_req_country is defined
+    msg: '<openvpn_easyrsa_req_country> is mandatory and must be defined.'
+  when: 
+    - openvpn_server
+    - openvpn_client
+
+- name: 'openvpn | validate | ensure Easy-RSA request Province is defined'
+  assert:
+    that: openvpn_easyrsa_req_province is defined
+    msg: '<openvpn_easyrsa_req_province> is mandatory and must be defined'
+  when: 
+    - openvpn_server
+    - openvpn_client
+
+- name: 'openvpn | validate | ensure Easy-RSA request City is defined'
+  assert:
+    that: openvpn_easyrsa_req_city is defined
+    msg: '<openvpn_easyrsa_req_city> is mandatory and must be defined'
+  when: 
+    - openvpn_server
+    - openvpn_client
+
+- name: 'openvpn | validate | ensure Easy-RSA request Organization is defined'
+  assert:
+    that: openvpn_easyrsa_req_org is defined
+    msg: '<openvpn_easyrsa_req_org> is mandatory and must be defined'
+  when: 
+    - openvpn_server
+    - openvpn_client
+
+- name: 'openvpn | validate | ensure Easy-RSA request Email is defined'
+  assert:
+    that: openvpn_easyrsa_req_email is defined
+    msg: '<openvpn_easyrsa_req_email> is mandatory and must be defined'
+  when: 
+    - openvpn_server
+    - openvpn_client
+
+- name: 'openvpn | validate | ensure Easy-RSA request OU is defined'
+  assert:
+    that: openvpn_easyrsa_req_ou is defined
+    msg: '<openvpn_easyrsa_req_ou> is mandatory and must be defined'
+  when: 
+    - openvpn_server
+    - openvpn_client
--- a/tasks/client.yml
+++ b/tasks/client.yml
@ -0,0 +1,56 @@
+---
+- name: 'openvpn | create client directory'
+  file:
+    path: /etc/openvpn/client/{{ item.name }}/
+    state: directory
+    mode: '0755'
+  loop: "{{ openvpn_client }}"
+  tags: ['openvpn', 'openvpn_client']
+
+- name: 'openvpn | create client request'
+  command: ./easyrsa --batch --req-cn={{ item.name }} gen-req {{ item.name }} nopass
+  args:
+    chdir: /etc/openvpn/{{ ansible_hostname }}/easy-rsa
+  environment:
+    EASYRSA_BATCH: 1
+  loop: "{{ openvpn_client }}"
+  tags: ['openvpn', 'openvpn_client']
+
+- name: 'openvpn | create client certificates'
+  command: ./easyrsa sign-req client {{ item.name }}
+  args:
+    chdir: /etc/openvpn/{{ ansible_hostname }}/easy-rsa
+  environment:
+    EASYRSA_BATCH: 1
+  loop: "{{ openvpn_client }}"
+  tags: ['openvpn', 'openvpn_client']
+
+- name: 'openvpn | copy client certificate'
+  copy:
+    src: "/etc/openvpn/{{ ansible_hostname }}/easy-rsa/pki/issued/{{ item.name }}.crt"
+    dest: "/etc/openvpn/client/{{ item.name }}/{{ item.name }}.crt"
+    remote_src: yes
+  loop: "{{ openvpn_client }}"
+  tags: ['openvpn', 'openvpn_client']
+
+- name: 'openvpn | copy client private key'
+  copy:
+    src: "/etc/openvpn/{{ ansible_hostname }}/easy-rsa/pki/private/{{ item.name }}.key"
+    dest: "/etc/openvpn//client/{{ item.name }}/{{ item.name }}.key"
+    remote_src: yes
+  loop: "{{ openvpn_client }}"
+  tags: ['openvpn', 'openvpn_client']
+
+- name: 'openvpn | create client configuration file'
+  template:
+    src: "../data/openvpn/client.ovpn.j2"
+    dest: "/etc/openvpn/client/{{ item.name }}/{{ item.name }}.ovpn"
+  when: openvpn_client is defined
+  loop: "{{ openvpn_client }}"
+  vars:
+    loop_cert: "{{ lookup('file', '/etc/openvpn/client/' + item.name + '/' + item.name + '.crt') }}"
+    loop_key : "{{ lookup('file', '/etc/openvpn/client/' + item.name + '/' + item.name + '.key') }}"
+    loop_ca  : "{{ lookup('file', '/etc/openvpn/' + ansible_hostname + '/keys/ca.crt') }}"
+    loop_ta  : "{{ lookup('file', '/etc/openvpn/' + ansible_hostname + '/keys/ta.key') }}"
+  tags: ['openvpn', 'openvpn_client']
+
--- a/tasks/install.yml
+++ b/tasks/install.yml
@ -0,0 +1,39 @@
+---
+- name: 'openvpn | update APT Cache'
+  apt:
+    update_cache: yes
+    cache_valid_time: 3600
+  tags: ['openvpn', 'openvpn_install']
+
+- name: 'openvpn | install packages'
+  apt:
+    name:
+      - openvpn
+      - openssl
+      - easy-rsa
+    state: present
+  tags: ['openvpn', 'openvpn_install']
+
+- name: 'openvpn | create directories'
+  file:
+    path: /etc/openvpn/{{ ansible_hostname }}/keys
+    state: directory
+    mode: '0755'
+  tags: ['openvpn', 'openvpn_install']
+
+- name: 'openvpn | copy easy-rsa'
+  copy:
+    src: /usr/share/easy-rsa
+    dest: /etc/openvpn/{{ ansible_hostname }}
+    owner: root
+    group: root
+  tags: ['openvpn', 'openvpn_install']
+
+- name: 'openvpn | chmod +x easyrsa'
+  file:
+    path: /etc/openvpn/{{ ansible_hostname }}/easy-rsa/easyrsa
+    owner: root
+    group: root
+    mode: 0755
+  tags: ['openvpn', 'openvpn_install']
+
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,19 @@
+---
+- name: 'Check if ansible version >= 2.7.'
+  assert:
+    that: "ansible_version.full is version_compare(2.7, '>=')"
+    msg: "Une version Ansible 2.7 ou supérieur est nécessaire pour utiliser cette version du rôle."
+  tags: always
+
+- include_tasks: asserts.yml
+  when: openvpn_asserts
+  tags: always
+
+- include_tasks: install.yml
+  tags: ['openvpn','openvpn_install']
+
+- include_tasks: server.yml
+  tags: ['openvpn', 'openvpn_server']
+
+- include_tasks: client.yml
+  tags: ['openvpn', 'openvpn_client']
--- a/tasks/server.yml
+++ b/tasks/server.yml
@ -0,0 +1,69 @@
+---
+- name: 'openvpn | copy vars'
+  template:
+    src: "../data/openvpn/vars.j2"
+    dest: "/etc/openvpn/{{ ansible_hostname }}/easy-rsa/vars"
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | cleanup everything'
+  command: "./easyrsa init-pki"
+  args:
+    chdir: /etc/openvpn/{{ ansible_hostname }}/easy-rsa
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | create random file'
+  command: "dd if=/dev/urandom of=pki/.rnd bs=256 count=1"
+  args:
+    chdir: /etc/openvpn/{{ ansible_hostname }}/easy-rsa
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | generate certificates'
+  command: "{{ item }}"
+  args:
+    chdir: /etc/openvpn/{{ ansible_hostname }}/easy-rsa
+  environment:
+    EASYRSA_BATCH: 1
+  with_items:
+    - ./easyrsa build-ca nopass
+    - ./easyrsa gen-dh
+    - ./easyrsa build-server-full {{ ansible_hostname }} nopass
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | copy certificates'
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/openvpn/{{ ansible_hostname }}/keys"
+    remote_src: yes
+  with_items:
+    - /etc/openvpn/{{ ansible_hostname }}/easy-rsa/pki/dh.pem
+    - /etc/openvpn/{{ ansible_hostname }}/easy-rsa/pki/private/{{ ansible_hostname }}.key
+    - /etc/openvpn/{{ ansible_hostname }}/easy-rsa/pki/issued/{{ ansible_hostname }}.crt
+    - /etc/openvpn/{{ ansible_hostname }}/easy-rsa/pki/ca.crt
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | generate ta.key'
+  command: "openvpn --genkey --secret /etc/openvpn/{{ ansible_hostname }}/keys/ta.key"
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | chmod ta.key'
+  file:
+    path: "/etc/openvpn/{{ ansible_hostname }}/keys/ta.key"
+    owner: root
+    group: root
+    mode: 0644
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | configure ifconfig-pool-persist'
+  template:
+    src: "../data/openvpn/ipp.txt.j2"
+    dest: "/etc/openvpn/{{ ansible_hostname }}/ipp.txt"
+  when: openvpn_client is defined
+  tags: ['openvpn', 'openvpn_server']
+
+- name: 'openvpn | copy server configuration'
+  template:
+    src: "../data/openvpn/server.conf.j2"
+    dest: "/etc/openvpn/{{ ansible_hostname }}.conf"
+  tags: ['openvpn', 'openvpn_server']
+  notify: openvpn-restart
+