add openvpn role

2022-08-30 07:49:30 -05:00
parent 5b55cc1a16
commit d55f62893d
8 changed files with 180 additions and 0 deletions
--- a/roles/openvpn/defaults/main.yaml
+++ b/roles/openvpn/defaults/main.yaml
@@ -0,0 +1,17 @@
+---
+openvpn_package_name: openvpn
+openvpn_package_state: present
+
+openvpn_service_name: openvpn
+openvpn_service_state: started
+openvpn_service_enabled: true
+
+openvpn_etc_path: /etc/openvpn
+
+openvpn_config: {}
+openvpn_dh_params: {}
+openvpn_static_keys: {}
+openvpn_private_keys: {}
+openvpn_certificates: {}
+
+openvpn_ip_forward: 0
--- a/roles/openvpn/handlers/main.yaml
+++ b/roles/openvpn/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: restart openvpn instance
+  service:
+    name: "{{ openvpn_service_name }}@{{ openvpn_instance }}"
+    state: restarted
--- a/roles/openvpn/tasks/default.yaml
+++ b/roles/openvpn/tasks/default.yaml
--- a/roles/openvpn/tasks/instances.yaml
+++ b/roles/openvpn/tasks/instances.yaml
@@ -0,0 +1,76 @@
+---
+- set_fact:
+    instance_path: "{{ openvpn_etc_path }}/{{ instance }}"
+    openvpn_instance: "{{ instance }}"
+
+- name: openvpn static keys
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop: "{{ openvpn_static_keys[instance] | dict2items }}"
+  no_log: true
+  notify: restart openvpn instance
+
+- name: openvpn dh params
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ openvpn_dh_params[instance] | default({}) | dict2items }}"
+  notify: restart openvpn instance
+
+- name: openvpn private_keys
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop: "{{ openvpn_private_keys[instance] | dict2items }}"
+  no_log: true
+  notify: restart openvpn instance
+
+- name: openvpn certificates
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ openvpn_certificates[instance] | dict2items }}"
+  notify: restart openvpn instance
+
+- name: configure openvpn
+  template:
+    src: openvpn.conf.j2
+    dest: "{{ instance_path }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart openvpn instance
+
+- name: mkdir ccd
+  file:
+    path: "{{ instance_path }}/ccd"
+    state: directory
+
+- name: configure ccd
+  template:
+    src: ccd.j2
+    dest: "{{ instance_path }}/ccd/{{ item.key }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ openvpn_ccd[instance] | default({}) | dict2items }}"
+  notify: restart openvpn instance
+
+- name: "manage openvpn@{{ instance }} service"
+  service:
+    name: "{{ openvpn_service_name }}@{{ instance }}"
+    state: "{{ openvpn_service_state }}"
+    enabled: "{{ openvpn_service_enabled }}"
--- a/roles/openvpn/tasks/main.yaml
+++ b/roles/openvpn/tasks/main.yaml
@@ -0,0 +1,52 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- name: "install {{ openvpn_package_name }}"
+  package:
+    name: "{{ openvpn_package_name }}"
+    state: "{{ openvpn_package_state }}"
+
+
+- name: "manage instances {{ item }}"
+  include: instances.yaml
+  loop: "{{ openvpn_config.keys() | list }}"
+  loop_control:
+    loop_var: instance
+
+- name: configure IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "{{ openvpn_ip_forward | default(0) }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: configure IPv6 forwarding
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: "{{ openvpn_ip_forward | default(0) }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
--- a/roles/openvpn/templates/ccd.j2
+++ b/roles/openvpn/templates/ccd.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+{% for k, v in item.value.items() %}
+{% if v is string %}
+{{ k }} {{ v }}
+{% elif v is sequence %}
+{% for vv in v %}
+{{ k }} {{ vv | quote if k == "push" else vv }}
+{% endfor %}
+{% elif v is not defined %}
+{{ k }}
+{% else %}
+{{ k }} {{ v }}
+{% endif %}
+{% endfor %}
--- a/roles/openvpn/templates/openvpn.conf.j2
+++ b/roles/openvpn/templates/openvpn.conf.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+{% for k, v in openvpn_config[instance].items() %}
+{% if v is string %}
+{{ k }} {{ v }}
+{% elif v is sequence %}
+{% for vv in v %}
+{{ k }} {{ vv | quote if k == "push" else vv }}
+{% endfor %}
+{% elif v is not defined %}
+{{ k }}
+{% else %}
+{{ k }} {{ v }}
+{% endif %}
+{% endfor %}
--- a/roles/openvpn/vars/default.yaml
+++ b/roles/openvpn/vars/default.yaml