git.squeep.com Git - awsible/blob - roles/msca-openvpn/tasks/main.yml

   1 ---
   2 - assert:
   3     that:
   4     - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
   5     - vpn_subnet != ''
   6     - ca_name != ''
   7     - ca_cert != ''
   8     - crl_pem != ''
   9     - cert != ''
  10     - key != ''
  11     - ta_secret != ''
  12
  13   tags: ['check_vars']
  14
  15 - assert:
  16     that:
  17     - vpn_server_ip|default() != ''
  18   when: vpn_mode|default() == 'vpc-client'
  19   tags: ['check_vars']
  20
  21 - name: Install packages
  22   with_items:
  23   - openssl
  24   - openvpn
  25   yum:
  26     name: "{{ item }}"
  27     state: latest
  28
  29 - name: Install pip things
  30   with_items:
  31   - passlib
  32   pip:
  33     name: "{{ item }}"
  34     state: present
  35
  36 - name: openvpn config directories
  37   with_items:
  38   - conf
  39   - scripts
  40   file:
  41     state: directory
  42     path: /etc/openvpn/{{ item }}
  43     owner: openvpn
  44     group: openvpn
  45     mode: "0755"
  46
  47 - name: openvpn cert directory
  48   file:
  49     state: directory
  50     path: /etc/openvpn/keys
  51     owner: openvpn
  52     group: openvpn
  53     mode: "0700"
  54
  55 - name: openvpn log directory
  56   file:
  57     state: directory
  58     path: /var/log/openvpn
  59     owner: openvpn
  60     group: openvpn
  61     mode: "0755"
  62
  63 - name: openvpn log files
  64   with_items:
  65   - status.log
  66   - openvpn.log
  67   - connect.log
  68   - disconnect.log
  69   copy:
  70     content: ""
  71     force: no
  72     dest: /var/log/openvpn/{{ item }}
  73     owner: openvpn
  74     group: openvpn
  75     mode: "0644"
  76
  77 - name: rotate user logs
  78   when: vpn_mode == 'user-server'
  79   copy:
  80     src: openvpn-user.logrotate
  81     dest: /etc/logrotate.d/openvpn-user
  82     owner: root
  83     group: root
  84     mode: "0644"
  85
  86 - name: rotate vpc logs
  87   when: vpn_mode == 'vpc-server'
  88   copy:
  89     src: openvpn-vpc.logrotate
  90     dest: /etc/logrotate.d/openvpn-vpc
  91     owner: root
  92     group: root
  93     mode: "0644"
  94
  95 - name: install scripts
  96   when: vpn_mode == 'user-server'
  97   with_items:
  98   - auth.py
  99   - event-log.sh
 100   copy:
 101     src: "{{ item }}"
 102     dest: /etc/openvpn/scripts/{{ item }}
 103     owner: openvpn
 104     group: openvpn
 105     mode: "0755"
 106
 107 - name: generate dh parameters
 108   command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
 109   args:
 110     creates: /etc/openvpn/keys/dh.pem
 111
 112 - name: install keys
 113   with_items:
 114   - file: ca.{{ ca_name|lower }}.crt
 115     content: "{{ ca_cert }}"
 116     mode: "0400"
 117   - file: crl.{{ ca_name|lower }}.pem
 118     content: "{{ crl_pem }}"
 119     mode: "0400"
 120   - file: "{{ vpc_region }}.{{ ca_name|lower }}.crt"
 121     content: "{{ cert }}"
 122     mode: "0400"
 123   - file: "{{ vpc_region }}.{{ ca_name|lower }}.key"
 124     content: "{{ key }}"
 125     mode: "0400"
 126   copy:
 127     dest: /etc/openvpn/keys/{{ item.file }}
 128     content: "{{ item.content }}"
 129     mode: "{{ item.mode }}"
 130     owner: openvpn
 131     group: openvpn
 132   notify:
 133   - restart openvpn
 134
 135 - name: configure openvpn
 136   template:
 137     src: "{{ vpn_mode }}.conf.j2"
 138     dest: /etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf
 139     owner: openvpn
 140     group: openvpn
 141     mode: "0644"
 142   notify:
 143   - restart openvpn
 144
 145 - name: enable openvpn
 146   service:
 147     name: openvpn
 148     enabled: yes
 149   notify:
 150   - restart openvpn
 151
 152 - name: configure log shipping
 153   copy:
 154     src: awslogs.openvpn.conf
 155     dest: /etc/awslogs/config/openvpn.conf
 156     owner: root
 157     group: root
 158     mode: "0644"
 159   notify:
 160   - restart awslogs