fix openvpn things
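---
# Validate every variable the role depends on before touching the host.
# vpc_region is used in the key file names and the config file name
# further down, so it is checked here with the other required vars.
- assert:
    that:
      - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
      - vpc_region|default() != ''
      - vpn_subnet != ''
      - ca_name != ''
      - ca_cert != ''
      - crl_pem != ''
      - cert != ''
      - key != ''
      - ta_secret != ''
  tags: ['check_vars']

# A vpc-client additionally needs the address of the server it dials.
- assert:
    that:
      - vpn_server_ip|default() != ''
  when: vpn_mode|default() == 'vpc-client'
  tags: ['check_vars']

- name: Install packages
  with_items:
    - openssl
    - openvpn
  yum:
    name: "{{ item }}"
    state: latest  # upgrades on every run; switch to present if versions should be pinned

- name: Install pip things
  with_items:
    - passlib
  pip:
    name: "{{ item }}"
    state: present

- name: openvpn config directories
  with_items:
    - conf
    - scripts
  file:
    state: directory
    path: "/etc/openvpn/{{ item }}"
    owner: openvpn
    group: openvpn
    mode: "0755"

- name: openvpn cert directory
  file:
    state: directory
    path: /etc/openvpn/keys
    owner: openvpn
    group: openvpn
    mode: "0700"  # holds the private key; not readable by other users

- name: openvpn log directory
  file:
    state: directory
    path: /var/log/openvpn
    owner: openvpn
    group: openvpn
    mode: "0755"

# state: touch updates the mtime on every run, so these report "changed" each time.
- name: openvpn log files
  with_items:
    - status.log
    - openvpn.log
    - connect.log
    - disconnect.log
  file:
    state: touch
    path: "/var/log/openvpn/{{ item }}"
    owner: openvpn
    group: openvpn
    mode: "0644"

# Helper scripts are only used by the user-server config.
- name: install scripts
  when: vpn_mode == 'user-server'
  with_items:
    - auth.py
    - event-log.sh
  copy:
    src: "{{ item }}"
    dest: "/etc/openvpn/scripts/{{ item }}"
    owner: openvpn
    group: openvpn
    mode: "0755"

# 4096-bit DH parameter generation is slow; `creates` makes it a one-time cost.
- name: generate dh parameters
  command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
  args:
    creates: /etc/openvpn/keys/dh.pem

# Certificate and key material is passed as `content`; no_log keeps it out of
# task output, diffs and log files. Failures of this task are hidden as well.
- name: install keys
  no_log: true
  with_items:
    - file: "ca.{{ ca_name|lower }}.crt"
      content: "{{ ca_cert }}"
      mode: "0400"
    - file: "crl.{{ ca_name|lower }}.pem"
      content: "{{ crl_pem }}"
      mode: "0400"
    - file: "{{ vpc_region }}.{{ ca_name|lower }}.crt"
      content: "{{ cert }}"
      mode: "0400"
    - file: "{{ vpc_region }}.{{ ca_name|lower }}.key"
      content: "{{ key }}"
      mode: "0400"
  copy:
    dest: "/etc/openvpn/keys/{{ item.file }}"
    content: "{{ item.content }}"
    mode: "{{ item.mode }}"
    owner: openvpn
    group: openvpn
  notify:
    - restart openvpn

# One template per vpn_mode (user-server / vpc-server / vpc-client).
- name: configure openvpn
  template:
    src: "{{ vpn_mode }}.conf.j2"
    dest: "/etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf"
    owner: openvpn
    group: openvpn
    mode: "0644"
  notify:
    - restart openvpn

- name: enable openvpn
  service:
    name: openvpn
    enabled: true  # canonical boolean; `yes` depends on YAML 1.1 truthy parsing
  notify:
    - restart openvpn

- name: configure log shipping
  copy:
    src: awslogs.openvpn.conf
    dest: /etc/awslogs/config/openvpn.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart awslogs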