add msca-openvpn role
diff --git a/roles/msca-openvpn/tasks/main.yml b/roles/msca-openvpn/tasks/main.yml
new file mode 100644 (file)
index 0000000..e0420fd
--- /dev/null
@@ -0,0 +1,112 @@
+---
+- assert:
+    that:
+    - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
+    - vpn_subnet != ''
+    - ca_name != ''
+  tags: ['check_vars']
+
+- assert:
+    that:
+    - vpn_server_ip|default() != ''
+  when: vpn_mode|default() == 'vpc-client'
+  tags: ['check_vars']
+
+- name: Install packages
+  with_items:
+  - openssl
+  - openvpn
+  yum:
+    name: "{{ item }}"
+    state: latest
+
+- name: Install pip things
+  with_items:
+  - passlib
+  pip:
+    name: "{{ item }}"
+    state: present
+
+- name: openvpn config directories
+  with_items:
+  - conf
+  - scripts
+  file:
+    state: directory
+    path: /etc/openvpn/{{ item }}
+    owner: openvpn
+    group: openvpn
+    mode: "0755"
+
+- name: openvpn cert directory
+  file:
+    state: directory
+    path: /etc/openvpn/keys
+    owner: openvpn
+    group: openvpn
+    mode: "0700"
+
+- name: openvpn log directory
+  file:
+    state: directory
+    path: /var/log/openvpn
+    owner: openvpn
+    group: openvpn
+    mode: "0755"
+
+- name: openvpn log files
+  with_items:
+  - status.log
+  - openvpn.log
+  - connect.log
+  - disconnect.log
+  file:
+    state: touch
+    path: /var/log/openvpn/{{ item }}
+    owner: openvpn
+    group: openvpn
+    mode: "0644"
+
+- name: install scripts
+  when: vpn_mode == 'user-server'
+  with_items:
+  - auth.py
+  - event-log.sh
+  copy:
+    src: "{{ item }}"
+    dest: /etc/openvpn/scripts/{{ item }}
+    owner: openvpn
+    group: openvpn
+    mode: "0755"
+
+- name: generate dh parameters
+  command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
+  args:
+    creates: /etc/openvpn/keys/dh.pem
+
+- name: configure openvpn
+  template:
+    src: "{{ vpn_mode }}.conf.j2"
+    dest: /etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf
+    owner: openvpn
+    group: openvpn
+    mode: "0644"
+  notify:
+  - restart openvpn
+
+- name: enable openvpn
+  service:
+    name: openvpn
+    enabled: yes
+  notify:
+  - restart openvpn
+
+- name: configure log shipping
+  copy:
+    src: awslogs.openvpn.conf
+    dest: /etc/awslogs/config/openvpn.conf
+    owner: root
+    group: root
+    mode: "0644"
+  notify:
+  - restart awslogs
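Review bot: The "openvpn config directories", "install scripts" and "configure openvpn" tasks make the `openvpn` account the owner of the scripts directory, auth.py, event-log.sh and the server config, so if the daemon is configured to drop privileges to that account (the .conf template is outside this file, so this is inferred) a compromised process can rewrite its own auth hook and config and keep the change across restarts; those paths should be root-owned, e.g. `owner: root` / `group: root` on the directory, copy and template tasks, with the existing 0755/0644 modes keeping them readable, leaving only the 0700 keys directory to the service account. "Install packages" uses `state: latest`, which upgrades openvpn and openssl on every run to whatever the repository currently serves, so runs are not reproducible and a restart can land at an unplanned time; `state: present` (or a pinned version) is the usual choice for a role. `enabled: yes` in "enable openvpn" is a YAML 1.1 truthy spelling; `enabled: true` is the canonical form and what yamllint's truthy rule expects. The first assert defaults `vpn_mode` but not `vpn_subnet` or `ca_name`, so an unset variable there fails with an undefined-variable error instead of the assertion's message; `vpn_subnet|default() != ''` and `ca_name|default() != ''` match the other checks.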