From: Justin Wind
Date: Thu, 16 Mar 2017 17:52:20 +0000 (-0700)
Subject: add msca-openvpn role
X-Git-Url: http://git.squeep.com/?p=awsible;a=commitdiff_plain;h=112e5102854af34c8efb88f2bd5a4f326752e378

add msca-openvpn role
---
diff --git a/roles/msca-openvpn/files/auth.py b/roles/msca-openvpn/files/auth.py
new file mode 100644
index 0000000..649661e
--- /dev/null
+++ b/roles/msca-openvpn/files/auth.py
@@ -0,0 +1,12 @@
+#!/usr/bin/env python
+
+import os, sys
+from boto.dynamodb2.table import Table
+from passlib.hash import sha512_crypt
+
+try:
+ if sha512_crypt.verify(os.environ['password'], Table('userManager').get_item(userName=os.environ['username'])['passwordHash']):
+ sys.exit(0)
+except:
+ pass
+sys.exit(1)
diff --git a/roles/msca-openvpn/files/awslogs.openvpn.conf b/roles/msca-openvpn/files/awslogs.openvpn.conf
new file mode 100644
index 0000000..c015a1e
--- /dev/null
+++ b/roles/msca-openvpn/files/awslogs.openvpn.conf
@@ -0,0 +1,15 @@
+[VPNConnect]
+file = /var/log/openvpn/connect.log
+datetime_format = %Y-%m-%dT%H:%M:%S%z
+buffer_duration = 5000
+log_stream_name = {instance_id}
+initial_position = start_of_file
+log_group_name = VPNConnect
+
+[VPNDisconnect]
+file = /var/log/openvpn/disconnect.log
+datetime_format = %Y-%m-%dT%H:%M:%S%z
+buffer_duration = 5000
+log_stream_name = {instance_id}
+initial_position = start_of_file
+log_group_name = VPNDisconnect
\ No newline at end of file
diff --git a/roles/msca-openvpn/files/event-log.sh b/roles/msca-openvpn/files/event-log.sh
new file mode 100644
index 0000000..d959710
--- /dev/null
+++ b/roles/msca-openvpn/files/event-log.sh
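Review bot: The success-path `sys.exit(0)` sits inside the `try`, and the bare `except:` below it catches `SystemExit`, so the success exit is swallowed, control falls through to `sys.exit(1)`, and every login is rejected once `auth-user-pass-verify` is enabled in prod. Narrow the handler to `except Exception:` and exit after the try based on a boolean, as below. The bare handler also turns a DynamoDB outage, missing credentials or an item with no `passwordHash` attribute into a silent auth failure; writing the exception to stderr (which OpenVPN captures in its log) keeps an outage distinguishable from a bad password. An unknown `userName` returns before any sha512_crypt work is done, so valid usernames are enumerable by timing; verifying against a dummy hash when no item is found closes that. The password also arrives through the process environment (`via-env` in user-server.conf.j2), which OpenVPN's own documentation discourages in favour of `via-file`.
```python
try:
    item = Table('userManager').get_item(userName=os.environ['username'])
    ok = sha512_crypt.verify(os.environ['password'], item['passwordHash'])
except Exception as exc:
    # Fail closed, but leave a trace so an outage is not mistaken for a bad password.
    sys.stderr.write('auth.py: %s: %s\n' % (type(exc).__name__, exc))
    ok = False
sys.exit(0 if ok else 1)
```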
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+LOGPATH=/var/log/openvpn
+NOW=$(date --iso-8601=sec)
+#NOW=$(date '+%Y-%m-%dT%T%z')
+
+case "${script_type}" in
+ client-connect)
+ extra=""
+ dst="connect.log"
+ ;;
+ client-disconnect)
+ extra=" bytes sent/recv: ${bytes_sent}/${bytes_received} seconds: ${time_duration}"
+ dst="disconnect.log"
+ ;;
+ up|down|ipchange|route-up|tls-verify|auth-user-pass-verify|learn-address|*)
+ exit 1
+ ;;
+esac
+
+echo "${NOW} [${script_type}] ${common_name} from ${trusted_ip} assigned ${ifconfig_pool_remote_ip}${extra}" > "${LOGPATH}/${dst}"
diff --git a/roles/msca-openvpn/handlers/main.yml b/roles/msca-openvpn/handlers/main.yml
new file mode 100644
index 0000000..b22f340
--- /dev/null
+++ b/roles/msca-openvpn/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart openvpn
+ service:
+ name: openvpn
+ state: restarted
diff --git a/roles/msca-openvpn/meta/main.yml b/roles/msca-openvpn/meta/main.yml
new file mode 100644
index 0000000..8fe5097
--- /dev/null
+++ b/roles/msca-openvpn/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - { role: aws-vpc }
+ - { role: awslogs }
diff --git a/roles/msca-openvpn/tasks/main.yml b/roles/msca-openvpn/tasks/main.yml
new file mode 100644
index 0000000..e0420fd
--- /dev/null
+++ b/roles/msca-openvpn/tasks/main.yml
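Review bot: The final `echo ... > "${LOGPATH}/${dst}"` truncates the log on every event, so connect.log and disconnect.log only ever hold the most recent line and the awslogs agent tailing them will lose or misreport events; the redirection should be `>> "${LOGPATH}/${dst}"`. Because this script is wired as `client-connect` in the server templates, a non-zero exit disconnects the client, so an unwritable log file becomes a VPN outage; decide whether that fail-closed behaviour is wanted, and if not append `|| true` or fall back to `logger`. The trailing `*)` arm makes the list of named script types before it redundant; `*) exit 1 ;;` alone says the same thing. `${common_name}` and `${trusted_ip}` originate from the peer's certificate and socket and are written unquoted into a line-oriented log; as far as I recall OpenVPN restricts these env values to printable characters, but the CloudWatch consumer should still treat them as untrusted input.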
@@ -0,0 +1,112 @@
+---
+- assert:
+ that:
+ - vpn_mode|default() in ('user-server', 'vpc-server', 'vpc-client')
+ - vpn_subnet != ''
+ - ca_name != ''
+ tags: ['check_vars']
+
+- assert:
+ that:
+ - vpn_server_ip|default() != ''
+ when: vpn_mode|default() == 'vpc-client'
+ tags: ['check_vars']
+
+- name: Install packages
+ with_items:
+ - openssl
+ - openvpn
+ yum:
+ name: "{{ item }}"
+ state: latest
+
+- name: Install pip things
+ with_items:
+ - passlib
+ pip:
+ name: "{{ item }}"
+ state: present
+
+- name: openvpn config directories
+ with_items:
+ - conf
+ - scripts
+ file:
+ state: directory
+ path: /etc/openvpn/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: openvpn cert directory
+ file:
+ state: directory
+ path: /etc/openvpn/keys
+ owner: openvpn
+ group: openvpn
+ mode: "0700"
+
+- name: openvpn log directory
+ file:
+ state: directory
+ path: /var/log/openvpn
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: openvpn log files
+ with_items:
+ - status.log
+ - openvpn.log
+ - connect.log
+ - disconnect.log
+ file:
+ state: touch
+ path: /var/log/openvpn/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0644"
+
+- name: install scripts
+ when: vpn_mode == 'user-server'
+ with_items:
+ - auth.py
+ - event-log.sh
+ copy:
+ src: "{{ item }}"
+ dest: /etc/openvpn/scripts/{{ item }}
+ owner: openvpn
+ group: openvpn
+ mode: "0755"
+
+- name: generate dh parameters
+ command: /usr/bin/openssl dhparam -out /etc/openvpn/keys/dh.pem 4096
+ args:
+ creates: /etc/openvpn/keys/dh.pem
+
+- name: configure openvpn
+ template:
+ src: "{{ vpn_mode }}.conf.j2"
+ dest: /etc/openvpn/{{ vpc_region }}-{{ vpn_mode }}.conf
+ owner: openvpn
+ group: openvpn
+ mode: "0644"
+ notify:
+ - restart openvpn
+
+- name: enable openvpn
+ service:
+ name: openvpn
+ enabled: yes
+ notify:
+ - restart openvpn
+
+- name: configure log shipping
+ copy:
+ src: awslogs.openvpn.conf
+ dest: /etc/awslogs/config/openvpn.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify:
+ - restart awslogs
diff --git a/roles/msca-openvpn/templates/user-server.conf.j2 b/roles/msca-openvpn/templates/user-server.conf.j2
new file mode 100644
index 0000000..35d5861
--- /dev/null
+++ b/roles/msca-openvpn/templates/user-server.conf.j2
@@ -0,0 +1,66 @@
+{{ ansible_managed|comment }}
+# Mode: {{ vpn_mode }}
+# Subnet: {{ vpn_subnet }}
+# L3
+daemon
+port 1195
+dev tun
+proto tcp-server
+user openvpn
+group openvpn
+tcp-nodelay
+persist-tun
+persist-key
+cipher AES-256-CBC
+keepalive 30 90
+management 127.0.0.1 31339
+
+server {{ vpn_subnet }} 255.255.255.0
+topology subnet
+
+max-clients 64
+
+verb 3
+log /var/log/openvpn/openvpn.log
+status-version 3
+status /var/log/openvpn/status.log
+client-connect /etc/openvpn/scripts/event-log.sh
+
+tmp-dir /dev/shm
+{% if phase|default() == 'prod' %}
+auth-user-pass-verify /etc/openvpn/scripts/auth.py via-env
+{% endif %}
+
+tls-server
+tls-version-min 1.2
+key-direction 0
+dh /etc/openvpn/keys/dh.pem
+ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
+crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
+cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
+key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
+
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+07b7f906a252a8b304d2b9e055b05299
+f199db480ce9da121fdbed99b2b18747
+f24fd2b4b95f1dbbe2a480b9eb761413
+03bc6848ec6181bb78078043306e2fcd
+ad992ee1a5c02ded40c289209eb77587
+36ac2a15fba4eb0cfc721c2c70a3fb83
+7af9e5423e8cf81c5904a989d114fae8
+b0c9ffd27bac60718d7231ab7cf4871f
+79d0cc9e37935afea8b67f1a2c396707
+8a586e78a1ba340e9c5bcce41de9ade7
+5ca23c436c65c30bcb7e2854ed576b93
+a955fe3b4d408444d5afaa8cc23dc9a5
+f613242847be6cd33cb939b94658dd89
+e02c3629fa9d8ff99d415b7041bd9df6
+15d3744bd648f2ab1ba2db0c64737308
+aca2fbab7c9b7114e4d8b646ca430c19
+-----END OpenVPN Static key V1-----
+
+
+script-security 2
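Review bot: The "openvpn cert directory" and "install scripts" tasks hand ownership of the private key directory and of the hook scripts to the same unprivileged `openvpn` account the daemon drops to (`user openvpn` in the templates), so a compromise of the running daemon can read the TLS key and rewrite `auth.py`/`event-log.sh`, which OpenVPN then executes on every connection. Since the templates set `persist-key`, the key is read before privileges are dropped and can be `root:root` mode `0600`; the scripts should be `root:root` `0755`; only the CRL must stay readable by `openvpn` because it is re-read per connection (I believe this holds for the OpenVPN versions of that era — confirm). The package tasks use `state: latest` for yum and an unpinned `passlib` from PyPI, so every run can silently pull a different authenticator library; pin versions (and for pip, hashes) so the auth path is reproducible. Note also that the script-install task is gated on `vpn_mode == 'user-server'` while vpc-server.conf.j2 references `event-log.sh` as well, which the vpc-server hunk covers.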
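Review bot: The `-----BEGIN OpenVPN Static key V1-----` block is pasted into the config without enclosing `<tls-auth>` tags, so no directive consumes it (`key-direction 0` alone binds nothing); I believe OpenVPN will parse `-----BEGIN` as an unrecognised option and refuse to start, and even if the parser tolerated it the key would be dead configuration. More importantly the key material is now in version control and is the same value in vpc-server.conf.j2: treat it as compromised, generate a fresh one with `openvpn --genkey --secret`, deliver it to `/etc/openvpn/keys/ta.key` the same way the CA/cert/key files get there, and reference it with `tls-auth /etc/openvpn/keys/ta.key 0` (the client side then needs the matching `tls-auth ... 1`, which vpc-client.conf.j2 lacks). `auth-user-pass-verify` is only rendered when `phase == 'prod'`, so non-prod user servers authenticate by certificate alone; if that is intentional a `# non-prod: certificate-only auth` comment would spare the next reader the question. Consider adding `auth SHA256` next to `cipher AES-256-CBC`, since the data-channel HMAC otherwise defaults to SHA1.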
diff --git a/roles/msca-openvpn/templates/vpc-client.conf.j2 b/roles/msca-openvpn/templates/vpc-client.conf.j2
new file mode 100644
index 0000000..e881e96
--- /dev/null
+++ b/roles/msca-openvpn/templates/vpc-client.conf.j2
@@ -0,0 +1,20 @@
+{{ ansible_managed|comment }}
+# Mode: {{ vpn_mode }}
+# Subnet: {{ vpn_subnet }}
+client
+dev tap
+
+ remote {{ vpn_server_ip }} 1194 udp
+
+resolv-retry infinite
+persist-key
+persist-tun
+nobind
+float
+mssfix
+keepalive 30 90
+daemon
+
+ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
+cert /etc/openvpn/keys/{{ vpc_region }}-client.{{ ca_name|lower }}.crt
+key /etc/openvpn/keys/{{ vpc_region }}-client.{{ ca_name|lower }}.key
diff --git a/roles/msca-openvpn/templates/vpc-server.conf.j2 b/roles/msca-openvpn/templates/vpc-server.conf.j2
new file mode 100644
index 0000000..e07289f
--- /dev/null
+++ b/roles/msca-openvpn/templates/vpc-server.conf.j2
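Review bot: The client only checks that the server's certificate chains to `ca.{{ ca_name|lower }}.crt`; with no `remote-cert-tls server` (or `verify-x509-name`), any certificate issued by that CA, including another VPN client's, can impersonate the server to this peer. Add `remote-cert-tls server` and make sure the server certificates are issued with the serverAuth EKU it checks for. The server templates pin `cipher AES-256-CBC` and `tls-version-min 1.2` but this file sets neither, so the client runs on OpenVPN's defaults (BF-CBC and any TLS version); on 2.3-era builds that is a data-channel cipher mismatch that will not connect at all, and either way the client should carry the same `cipher AES-256-CBC` and `tls-version-min 1.2` lines. `float` allows the server endpoint to change mid-session, which is reasonable with a fixed `remote` but widens the impersonation window while the server-certificate check is missing.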
@@ -0,0 +1,63 @@
+{{ ansible_managed|comment }}
+# Mode: {{ vpn_mode }}
+# Subnet: {{ vpn_subnet }}
+# L3
+daemon
+port 1194
+dev tap
+proto udp
+user openvpn
+group openvpn
+tcp-nodelay
+persist-tun
+persist-key
+cipher AES-256-CBC
+keepalive 30 90
+management 127.0.0.1 31337
+
+server {{ vpn_subnet }} 255.255.255.0
+topology subnet
+
+max-clients 64
+
+verb 3
+log /var/log/openvpn/openvpn.log
+status-version 3
+status /var/log/openvpn/status.log
+client-connect /etc/openvpn/scripts/event-log.sh
+
+tmp-dir /dev/shm
+
+tls-server
+tls-version-min 1.2
+key-direction 0
+dh /etc/openvpn/keys/dh.pem
+ca /etc/openvpn/keys/ca.{{ ca_name|lower }}.crt
+crl-verify /etc/openvpn/keys/crl.{{ ca_name|lower }}.pem
+cert /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.crt
+key /etc/openvpn/keys/{{ vpc_region }}.{{ ca_name|lower }}.key
+
+#
+# 2048 bit OpenVPN static key
+#
+-----BEGIN OpenVPN Static key V1-----
+07b7f906a252a8b304d2b9e055b05299
+f199db480ce9da121fdbed99b2b18747
+f24fd2b4b95f1dbbe2a480b9eb761413
+03bc6848ec6181bb78078043306e2fcd
+ad992ee1a5c02ded40c289209eb77587
+36ac2a15fba4eb0cfc721c2c70a3fb83
+7af9e5423e8cf81c5904a989d114fae8
+b0c9ffd27bac60718d7231ab7cf4871f
+79d0cc9e37935afea8b67f1a2c396707
+8a586e78a1ba340e9c5bcce41de9ade7
+5ca23c436c65c30bcb7e2854ed576b93
+a955fe3b4d408444d5afaa8cc23dc9a5
+f613242847be6cd33cb939b94658dd89
+e02c3629fa9d8ff99d415b7041bd9df6
+15d3744bd648f2ab1ba2db0c64737308
+aca2fbab7c9b7114e4d8b646ca430c19
+-----END OpenVPN Static key V1-----
+
+
+script-security 2
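Review bot: This template sets `client-connect /etc/openvpn/scripts/event-log.sh`, but tasks/main.yml copies the scripts only `when: vpn_mode == 'user-server'`, so on a vpc-server the hook points at a file that is never installed; OpenVPN disconnects a client whose client-connect command exits non-zero, so I would expect every vpc-client connection to be rejected until the install task is widened to `when: vpn_mode in ('user-server', 'vpc-server')` or the hook is dropped from this file. The inline static-key block with `key-direction 0` has the same problem as in user-server.conf.j2: it is not wrapped in `<tls-auth>` tags so nothing uses it, and the key value is now committed to the repository and should be regenerated and delivered as a file. `tcp-nodelay` has no effect under `proto udp` and can go. The management socket on 127.0.0.1:31337 is loopback-only, which is right, but it has no `pw-file`, so any local process on the instance can read status and disconnect peers; add a password file if other workloads share the host.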