--- /dev/null
+---
+- assert:
+ that:
+ - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
+ - vpn_subnet != ''
+ - ca_name != ''
+ tags: ['check_vars']
+
+- assert:
+ that:
+ - vpn_server_ip|default() != ''
+ when: vpn_mode|default() == 'vpc-client'
+ tags: ['check_vars']
+
+- name: Install packages
+ with_items:
+ - openssl
+ - openvpn
+ yum:
+ name: "{{ item }}"
+ state: latest
+
+- name: Install pip things
+ with_items:
+ - passlib
+ pip:
+ name: "{{ item }}"
+ state: present
+
+- name: openvpn config directories
+ with_items:
+ - conf
+ - scripts
+ file:
+ state: directory
+ path: /etc/openvpn/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: openvpn cert directory
+ file:
+ state: directory
+ path: /etc/openvpn/keys
+ owner: openvpn
+ group: openvpn
+ mode: "0700"
+
+- name: openvpn log directory
+ file:
+ state: directory
+ path: /var/log/openvpn
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: openvpn log files
+ with_items:
+ - status.log
+ - openvpn.log
+ - connect.log
+ - disconnect.log
+ file:
+ state: touch
+ path: /var/log/openvpn/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0644"
+
+- name: install scripts
+ when: vpn_mode == 'user-server'
+ with_items:
+ - auth.py
+ - event-log.sh
+ copy:
+ src: "{{ item }}"
+ dest: /etc/openvpn/scripts/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: generate dh parameters
+ command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
+ args:
+ creates: /etc/openvpn/keys/dh.pem
+
+- name: configure openvpn
+ template:
+ src: "{{ vpn_mode }}.conf.j2"
+ dest: /etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf
+ owner: openvpn
+ group: openvpn
+ mode: "0644"
+ notify:
+ - restart openvpn
+
+- name: enable openvpn
+ service:
+ name: openvpn
+ enabled: yes
+ notify:
+ - restart openvpn
+
+- name: configure log shipping
+ copy:
+ src: awslogs.openvpn.conf
+ dest: /etc/awslogs/config/openvpn.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify:
+ - restart awslogs
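Review bot: The first assert checks `vpn_subnet` and `ca_name` without the `|default()` filter that the `vpn_mode` and `vpn_server_ip` checks use, so an unset variable aborts with an undefined-variable error instead of a readable assertion failure under the `check_vars` tag, and `vpc_region`, which the `configure openvpn` task interpolates into the `dest` path, is not validated at all. Changing the `that` list to `- vpn_subnet|default() != ''`, `- ca_name|default() != ''` and adding `- vpc_region|default() != ''` keeps the pre-flight check consistent and surfaces a missing region before any package or filesystem changes are made. Separately, `enabled: yes` in the `enable openvpn` task is a YAML 1.1 truthy spelling and reads more portably as `enabled: true`, and `state: latest` in `Install packages` upgrades openssl/openvpn on every run where a newer build is available, which may be an unintended change on a VPN host where `state: present` would be the predictable choice. The `@@` header and `+++` line are not visible, so I am assuming this hunk is the complete new file.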