git.squeep.com Git - awsible/blob - roles/msca-openvpn/tasks/main.yml

   1 ---
   2 - assert:
   3     that:
   4     - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
   5     - vpn_subnet != ''
   6     - ca_name != ''
   7     - ca_cert != ''
   8     - crl_pem != ''
   9     - cert != ''
  10     - key != ''
  11     - ta_secret != ''
  12     - dhparam != ''
  13   tags: ['check_vars']
  14
  15 - assert:
  16     that:
  17     - vpn_server_ip|default() != ''
  18   when: vpn_mode|default() == 'vpc-client'
  19   tags: ['check_vars']
  20
  21 - name: Install packages
  22   with_items:
  23   - openssl
  24   - openvpn
  25   yum:
  26     name: "{{ item }}"
  27     state: latest
  28
  29 - name: Install pip things
  30   with_items:
  31   - passlib
  32   pip:
  33     name: "{{ item }}"
  34     state: present
  35
  36 - name: openvpn config directories
  37   with_items:
  38   - conf
  39   - scripts
  40   file:
  41     state: directory
  42     path: /etc/openvpn/{{ item }}
  43     owner: openvpn
  44     group: openvpn
  45     mode: "0755"
  46
  47 - name: openvpn cert directory
  48   file:
  49     state: directory
  50     path: /etc/openvpn/keys
  51     owner: openvpn
  52     group: openvpn
  53     mode: "0700"
  54
  55 - name: openvpn log directory
  56   file:
  57     state: directory
  58     path: /var/log/openvpn
  59     owner: openvpn
  60     group: openvpn
  61     mode: "0755"
  62
  63 - name: openvpn log files
  64   with_items:
  65   - status.log
  66   - openvpn.log
  67   - connect.log
  68   - disconnect.log
  69   copy:
  70     content: ""
  71     force: no
  72     dest: /var/log/openvpn/{{ item }}
  73     owner: openvpn
  74     group: openvpn
  75     mode: "0644"
  76
  77 - name: rotate user logs
  78   when: vpn_mode == 'user-server'
  79   copy:
  80     src: openvpn-user.logrotate
  81     dest: /etc/logrotate.d/openvpn-user
  82     owner: root
  83     group: root
  84     mode: "0644"
  85
  86 - name: rotate vpc logs
  87   when: vpn_mode == 'vpc-server'
  88   copy:
  89     src: openvpn-vpc.logrotate
  90     dest: /etc/logrotate.d/openvpn-vpc
  91     owner: root
  92     group: root
  93     mode: "0644"
  94
  95 - name: install scripts
  96   when: vpn_mode == 'user-server'
  97   with_items:
  98   - auth.py
  99   - event-log.sh
 100   copy:
 101     src: "{{ item }}"
 102     dest: /etc/openvpn/scripts/{{ item }}
 103     owner: openvpn
 104     group: openvpn
 105     mode: "0755"
 106
 107 - name: install keys
 108   with_items:
 109   - file: dh.pem
 110     content: "{{ dhparam }}"
 111     mode: "0444"
 112   - file: ca.{{ ca_name|lower }}.crt
 113     content: "{{ ca_cert }}"
 114     mode: "0400"
 115   - file: crl.{{ ca_name|lower }}.pem
 116     content: "{{ crl_pem }}"
 117     mode: "0400"
 118   - file: "{{ vpc_region }}.{{ ca_name|lower }}.crt"
 119     content: "{{ cert }}"
 120     mode: "0400"
 121   - file: "{{ vpc_region }}.{{ ca_name|lower }}.key"
 122     content: "{{ key }}"
 123     mode: "0400"
 124   copy:
 125     dest: /etc/openvpn/keys/{{ item.file }}
 126     content: "{{ item.content }}"
 127     mode: "{{ item.mode }}"
 128     owner: openvpn
 129     group: openvpn
 130   notify:
 131   - restart openvpn
 132
 133 - name: configure openvpn
 134   template:
 135     src: "{{ vpn_mode }}.conf.j2"
 136     dest: /etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf
 137     owner: openvpn
 138     group: openvpn
 139     mode: "0644"
 140   notify:
 141   - restart openvpn
 142
 143 - name: enable openvpn
 144   service:
 145     name: openvpn
 146     enabled: yes
 147   notify:
 148   - restart openvpn
 149
 150 - name: configure log shipping
 151   copy:
 152     src: awslogs.openvpn.conf
 153     dest: /etc/awslogs/config/openvpn.conf
 154     owner: root
 155     group: root
 156     mode: "0644"
 157   notify:
 158   - restart awslogs