git.squeep.com Git - awsible/blob - roles/msca-openvpn/tasks/main.yml

   1 ---
   2 - assert:
   3     that:
   4     - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
   5     - vpn_subnet != ''
   6     - ca_name != ''
   7   tags: ['check_vars']
   8
   9 - assert:
  10     that:
  11     - vpn_server_ip|default() != ''
  12   when: vpn_mode|default() == 'vpc-client'
  13   tags: ['check_vars']
  14
  15 - name: Install packages
  16   with_items:
  17   - openssl
  18   - openvpn
  19   yum:
  20     name: "{{ item }}"
  21     state: latest
  22
  23 - name: Install pip things
  24   with_items:
  25   - passlib
  26   pip:
  27     name: "{{ item }}"
  28     state: present
  29
  30 - name: openvpn config directories
  31   with_items:
  32   - conf
  33   - scripts
  34   file:
  35     state: directory
  36     path: /etc/openvpn/{{ item }}
  37     owner: openvpn
  38     group: openvpn
  39     mode: "0755"
  40
  41 - name: openvpn cert directory
  42   file:
  43     state: directory
  44     path: /etc/openvpn/keys
  45     owner: openvpn
  46     group: openvpn
  47     mode: "0700"
  48
  49 - name: openvpn log directory
  50   file:
  51     state: directory
  52     path: /var/log/openvpn
  53     owner: openvpn
  54     group: openvpn
  55     mode: "0755"
  56
  57 - name: openvpn log files
  58   with_items:
  59   - status.log
  60   - openvpn.log
  61   - connect.log
  62   - disconnect.log
  63   file:
  64     state: touch
  65     path: /var/log/openvpn/{{ item }}
  66     owner: openvpn
  67     group: openvpn
  68     mode: "0644"
  69
  70 - name: install scripts
  71   when: vpn_mode == 'user-server'
  72   with_items:
  73   - auth.py
  74   - event-log.sh
  75   copy:
  76     src: "{{ item }}"
  77     dest: /etc/openvpn/scripts/{{ item }}
  78     owner: openvpn
  79     group: openvpn
  80     mode: "0755"
  81
  82 - name: generate dh parameters
  83   command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
  84   args:
  85     creates: /etc/openvpn/keys/dh.pem
  86
  87 - name: configure openvpn
  88   template:
  89     src: "{{ vpn_mode }}.conf.j2"
  90     dest: /etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf
  91     owner: openvpn
  92     group: openvpn
  93     mode: "0644"
  94   notify:
  95   - restart openvpn
  96
  97 - name: enable openvpn
  98   service:
  99     name: openvpn
 100     enabled: yes
 101   notify:
 102   - restart openvpn
 103
 104 - name: configure log shipping
 105   copy:
 106     src: awslogs.openvpn.conf
 107     dest: /etc/awslogs/config/openvpn.conf
 108     owner: root
 109     group: root
 110     mode: "0644"
 111   notify:
 112   - restart awslogs