- vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
- vpn_subnet != ''
- ca_name != ''
+ - ca_cert != ''
+ - crl_pem != ''
+ - cert != ''
+ - key != ''
+ - ta_secret != ''
+ - dhparam != ''
tags: ['check_vars']
- assert:
- openvpn.log
- connect.log
- disconnect.log
- file:
- state: touch
- path: /var/log/openvpn/{{ item }}
+ copy:
+ content: ""
+ force: no
+ dest: /var/log/openvpn/{{ item }}
owner: openvpn
group: openvpn
mode: "0644"
+- name: rotate user logs
+ when: vpn_mode == 'user-server'
+ copy:
+ src: openvpn-user.logrotate
+ dest: /etc/logrotate.d/openvpn-user
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: rotate vpc logs
+ when: vpn_mode == 'vpc-server'
+ copy:
+ src: openvpn-vpc.logrotate
+ dest: /etc/logrotate.d/openvpn-vpc
+ owner: root
+ group: root
+ mode: "0644"
+
- name: install scripts
when: vpn_mode == 'user-server'
with_items:
group: openvpn
mode: "0755"
-- name: generate dh parameters
- command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
- args:
- creates: /etc/openvpn/keys/dh.pem
+- name: install keys
+ with_items:
+ - file: dh.pem
+ content: "{{ dhparam }}"
+ mode: "0444"
+ - file: ca.{{ ca_name|lower }}.crt
+ content: "{{ ca_cert }}"
+ mode: "0400"
+ - file: crl.{{ ca_name|lower }}.pem
+ content: "{{ crl_pem }}"
+ mode: "0400"
+ - file: "{{ vpc_region }}.{{ ca_name|lower }}.crt"
+ content: "{{ cert }}"
+ mode: "0400"
+ - file: "{{ vpc_region }}.{{ ca_name|lower }}.key"
+ content: "{{ key }}"
+ mode: "0400"
+ copy:
+ dest: /etc/openvpn/keys/{{ item.file }}
+ content: "{{ item.content }}"
+ mode: "{{ item.mode }}"
+ owner: openvpn
+ group: openvpn
+ notify:
+ - restart openvpn
- name: configure openvpn
template:
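Review bot: The `install keys` task loops over items whose `content` carries the private key (`"{{ key }}"`) and the CA/cert material, and Ansible echoes each loop item and the copy result in the task output, so the key text will land in console output and any configured log; add `no_log: true` alongside `with_items:` in that task. The `dest`/`mode`/`owner` combination itself looks right (`0400` for key material, `0444` only for the public `dh.pem`), so this is purely an output-exposure issue. The `configure openvpn` task that follows continues outside the visible lines.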