-
Notifications
You must be signed in to change notification settings - Fork 199
Expand file tree
/
Copy pathconfigure.yml
More file actions
108 lines (88 loc) · 3.56 KB
/
configure.yml
File metadata and controls
108 lines (88 loc) · 3.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
---
- name: Extract easy-rsa files
unarchive: src=easy-rsa.tar.gz dest={{openvpn_etcdir}}
when: not openvpn_use_system_easyrsa
- name: Check if easy-rsa 2.x is available from the system
stat: path=/usr/share/easy-rsa/build-ca
register: openvpn_easyrsa_check
when: openvpn_use_system_easyrsa
- fail:
msg: >
EasyRSA 2.x is not present in /usr/share/easy-rsa.
Ensure the easy-rsa package is installed or disable the `openvpn_use_system_easyrsa` option.
when:
- not ansible_check_mode|d(False)
- openvpn_use_system_easyrsa
- not openvpn_easyrsa_check.stat.exists
- name: Generate scripts
template: src={{item}}.j2 dest={{openvpn_etcdir}}/{{item}} mode=0700
with_items: [vars, build-server.sh, build-client.sh, revoke-client.sh]
- name: Generate Server keys
command: "{{openvpn_etcdir}}/build-server.sh"
args: { creates: "{{ openvpn_keydir }}" }
- name: Generate tls-auth key
command: openvpn --genkey --secret {{ openvpn_tls_key }}
chdir="{{ openvpn_keydir }}"
creates="{{ openvpn_tls_key }}"
args: { creates: "{{ openvpn_keydir }}/{{ openvpn_tls_key }}" }
when: openvpn_tls_auth
- name: Generate Clients keys
command: "{{openvpn_etcdir}}/build-client.sh {{item}}"
args: { creates: "{{ openvpn_keydir }}/{{item}}.crt" }
with_items: "{{ openvpn_clients }}"
- name: Revoke Clients keys
command: "{{openvpn_etcdir}}/revoke-client.sh {{item}}"
args: { removes: "{{ openvpn_keydir }}/{{item}}.crt" }
with_items: "{{ openvpn_clients_revoke }}"
- include: read-client-files.yml
when: openvpn_unified_client_profiles
- name: Create client configuration directory if requested
file: >
path={{openvpn_client_config_dir}}
mode=755
state=directory
when: openvpn_client_config_dir is defined
- name: Check if crl.pem exists
stat: path={{openvpn_keydir}}/crl.pem
register: crl_pem_file
- name: Generate Clients configurations
template: src=client.conf.j2 dest={{openvpn_keydir}}/{{item}}.ovpn
with_items: "{{ openvpn_clients }}"
notify: openvpn pack clients
register: openvpn_clients_changed
- name: Setup PAM
template: src=openvpn.pam.j2 dest=/etc/pam.d/openvpn
when: openvpn_use_pam
- name: Configure users
htpasswd: path={{openvpn_etcdir}}/users name={{item.name}} password={{item.password}} crypt_scheme=des_crypt
with_items: "{{ openvpn_use_pam_users }}"
- name: Setup LDAP
template: src=auth-ldap.conf.j2 dest=/etc/openvpn/auth-ldap.conf
when: openvpn_use_ldap
- name: Setup simple authentication
template:
src: auth-client.sh.j2
dest: "{{openvpn_etcdir}}/auth-client.sh"
mode: 0755
when: openvpn_simple_auth and openvpn_simple_auth_password
notify: [openvpn restart]
- name: Configure server
template: src=server.conf.j2 dest={{openvpn_etcdir}}/server.conf
notify: [openvpn restart]
- name: Ensure openvpn key dir has the right permission
file: path={{openvpn_keydir}} state=directory mode=0700 owner={{openvpn_user}}
- name: Set ip forwarding in the sysctl file and reload if necessary
sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes
- name: Test if interface is created
command: "ip link show {{ openvpn_dev }}0"
register: dev_created
changed_when: false
failed_when: false
- block:
- name: Enable tun0
command: "modprobe {{ openvpn_dev }} --first-time"
register: modprobe
changed_when: not modprobe.stdout.find("Module already in kernel") or modprobe.rc == 0
failed_when: not (modprobe.stdout.find("Module already in kernel") or modprobe.rc == 0)
notify: openvpn restart
when: dev_created.stdout.find("does not exist") != -1