rotate vpn logs
[awsible] / roles / msca-openvpn / tasks / main.yml
---
# Fail fast when a required role variable is missing or empty.
# vpn_mode has to be one of the three supported modes; every other check
# only requires a non-empty value.
# NOTE(review): vpc_region is used further down (key file names, config
# path) but is not checked here - confirm the caller always defines it.
# NOTE(review): ta_secret is required here but none of the tasks shown in
# this file writes it; presumably a config template consumes it - verify.
- assert:
    that:
      - "vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')"
      - "vpn_subnet != ''"
      - "ca_name != ''"
      - "ca_cert != ''"
      - "crl_pem != ''"
      - "cert != ''"
      - "key != ''"
      - "ta_secret != ''"
  tags:
    - check_vars

# In 'vpc-client' mode vpn_server_ip must also be set and non-empty.
- when: "vpn_mode|default() == 'vpc-client'"
  assert:
    that:
      - "vpn_server_ip|default() != ''"
  tags:
    - check_vars

# Installs openssl and openvpn through yum, one package per loop iteration.
# state=latest upgrades both packages on every run instead of pinning a
# version.
# NOTE(review): this task does not notify "restart openvpn", so an upgraded
# binary is only loaded when something else restarts the service.
- name: Install packages
  yum:
    name: "{{ item }}"
    state: latest
  with_items:
    - openssl
    - openvpn

# Installs the passlib Python package with pip if it is not already present.
# NOTE(review): no version is pinned, so whichever release the configured
# package index serves gets installed; consider pinning a known version.
# Presumably passlib is needed by auth.py - verify.
- name: Install pip things
  pip:
    name: "{{ item }}"
    state: present
  with_items:
    - passlib

# Creates /etc/openvpn/conf and /etc/openvpn/scripts, owned by the openvpn
# account and traversable by everyone (0755).
# NOTE(review): the scripts directory is writable by the openvpn account;
# if the daemon runs as that account it can add or replace the scripts it
# executes - confirm this is intended.
- name: openvpn config directories
  file:
    path: "/etc/openvpn/{{ item }}"
    state: directory
    owner: openvpn
    group: openvpn
    mode: "0755"
  with_items:
    - conf
    - scripts

# Creates the key directory; 0700 limits access to the openvpn account
# (and root).
- name: openvpn cert directory
  file:
    path: /etc/openvpn/keys
    state: directory
    owner: openvpn
    group: openvpn
    mode: "0700"

# Creates the log directory that the log-file task below populates.
- name: openvpn log directory
  file:
    path: /var/log/openvpn
    state: directory
    owner: openvpn
    group: openvpn
    mode: "0755"

# Pre-creates the four log files as empty files owned by openvpn.
# force=false means an existing log is left alone, so re-running the role
# does not truncate it.
# NOTE(review): 0644 leaves these logs readable by every local account;
# connect/disconnect logs may carry client identifiers - confirm that is
# acceptable on this host.
- name: openvpn log files
  copy:
    dest: "/var/log/openvpn/{{ item }}"
    content: ""
    force: false
    owner: openvpn
    group: openvpn
    mode: "0644"
  with_items:
    - status.log
    - openvpn.log
    - connect.log
    - disconnect.log

# Installs the logrotate rules for the user-facing server; only applied
# when vpn_mode is 'user-server'.
- name: rotate user logs
  copy:
    src: openvpn-user.logrotate
    dest: /etc/logrotate.d/openvpn-user
    owner: root
    group: root
    mode: "0644"
  when: "vpn_mode == 'user-server'"

# Installs the logrotate rules for the VPC server; only applied when
# vpn_mode is 'vpc-server'.
# NOTE(review): the tasks shown here install no logrotate rules for
# 'vpc-client' mode - confirm its logs are rotated some other way.
- name: rotate vpc logs
  copy:
    src: openvpn-vpc.logrotate
    dest: /etc/logrotate.d/openvpn-vpc
    owner: root
    group: root
    mode: "0644"
  when: "vpn_mode == 'vpc-server'"

# Copies the auth and event-log helper scripts into place, executable by
# everyone; only applied when vpn_mode is 'user-server'.
# NOTE(review): both scripts are owned by, and therefore writable by, the
# openvpn account. If the daemon runs as that account it could rewrite its
# own authentication script; root ownership with the same 0755 mode would
# keep them executable but not modifiable - verify against the config
# template before changing.
- name: install scripts
  copy:
    src: "{{ item }}"
    dest: "/etc/openvpn/scripts/{{ item }}"
    owner: openvpn
    group: openvpn
    mode: "0755"
  when: "vpn_mode == 'user-server'"
  with_items:
    - auth.py
    - event-log.sh

# Generates 4096-bit Diffie-Hellman parameters with openssl.
# "creates" turns the task into a no-op once dh.pem exists, so the
# generation runs only on the first pass.
# No owner or mode is set here, so the file gets whatever the invoking
# account and its umask produce.
- name: generate dh parameters
  args:
    creates: /etc/openvpn/keys/dh.pem
  command: >-
    /usr/bin/openssl dhparam
    -out /etc/openvpn/keys/dh.pem 4096

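# Writes the CA certificate, CRL, server/client certificate and private key
# into /etc/openvpn/keys, each read-only (0400) for the openvpn account, and
# notifies the restart handler when any of them changes.
#
# Every loop item carries the file body in "content", and Ansible prints the
# loop item in its per-item task output. Without no_log the private key
# ("{{ key }}") would therefore end up in console output and in any
# configured log or callback. no_log also hides the per-item result on
# failure; when debugging, check the destination files on the host instead
# of disabling it.
- name: install keys
  no_log: true
  with_items:
    - file: "ca.{{ ca_name|lower }}.crt"
      content: "{{ ca_cert }}"
      mode: "0400"
    - file: "crl.{{ ca_name|lower }}.pem"
      content: "{{ crl_pem }}"
      mode: "0400"
    - file: "{{ vpc_region }}.{{ ca_name|lower }}.crt"
      content: "{{ cert }}"
      mode: "0400"
    - file: "{{ vpc_region }}.{{ ca_name|lower }}.key"
      content: "{{ key }}"
      mode: "0400"
  copy:
    dest: "/etc/openvpn/keys/{{ item.file }}"
    content: "{{ item.content }}"
    mode: "{{ item.mode }}"
    owner: openvpn
    group: openvpn
  notify:
    - restart openvpn
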
# Renders the mode-specific template (<vpn_mode>.conf.j2) to
# /etc/openvpn/<vpc_region>-<vpn_mode>.conf and notifies the restart
# handler when the result changes.
# NOTE(review): 0644 makes the rendered config world-readable. If the
# template inlines ta_secret or other key material the mode should be
# tighter - verify against the .j2 templates.
- name: configure openvpn
  template:
    src: "{{ vpn_mode }}.conf.j2"
    dest: "/etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf"
    owner: openvpn
    group: openvpn
    mode: "0644"
  notify:
    - restart openvpn

# Enables the openvpn service and notifies the restart handler when the
# enabled flag changes. No "state" is set, so this task does not start
# the service itself.
- name: enable openvpn
  service:
    name: openvpn
    enabled: true
  notify:
    - restart openvpn

# Installs the awslogs configuration for the openvpn logs and notifies the
# "restart awslogs" handler when the file changes.
- name: configure log shipping
  copy:
    src: awslogs.openvpn.conf
    dest: /etc/awslogs/config/openvpn.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart awslogs