diff --git a/roles/openvpn/defaults/main.yaml b/roles/openvpn/defaults/main.yaml
new file mode 100644
index 0000000..4ea76c7
--- /dev/null
+++ b/roles/openvpn/defaults/main.yaml
@@ -0,0 +1,17 @@
+---
+openvpn_package_name: openvpn
+openvpn_package_state: present
+
+openvpn_service_name: openvpn
+openvpn_service_state: started
+openvpn_service_enabled: true
+
+openvpn_etc_path: /etc/openvpn
+
+openvpn_config: {}
+openvpn_dh_params: {}
+openvpn_static_keys: {}
+openvpn_private_keys: {}
+openvpn_certificates: {}
+
+openvpn_ip_forward: 0
diff --git a/roles/openvpn/handlers/main.yaml b/roles/openvpn/handlers/main.yaml
new file mode 100644
index 0000000..17eb188
--- /dev/null
+++ b/roles/openvpn/handlers/main.yaml
@@ -0,0 +1,5 @@
+---
+- name: restart openvpn instance
+  service:
+    name: "{{ openvpn_service_name }}@{{ openvpn_instance }}"
+    state: restarted
diff --git a/roles/openvpn/tasks/default.yaml b/roles/openvpn/tasks/default.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/openvpn/tasks/instances.yaml b/roles/openvpn/tasks/instances.yaml
new file mode 100644
index 0000000..3ccf61f
--- /dev/null
+++ b/roles/openvpn/tasks/instances.yaml
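Review bot: `openvpn_ccd` is read in tasks/instances.yaml (`openvpn_ccd[instance] | default({})`) but is not declared in this defaults file, so the role's variable inventory is incomplete for anyone reading defaults to learn what can be set; add `openvpn_ccd: {}` next to `openvpn_certificates: {}`. A one-line comment on the two secret-bearing maps would also help consumers, e.g. `# openvpn_static_keys / openvpn_private_keys hold key material; supply them from an encrypted source such as ansible-vault` — the tasks already set no_log on both, which is the other half of that contract.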
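Review bot: the handler restarts only `openvpn_instance`, a fact that the instances loop overwrites on every iteration, so with more than one instance configured a change to an earlier instance's keys or config restarts only the last instance processed (handlers are de-duplicated by name and run after the loop has finished). Iterate over all configured instances instead: `name: "{{ openvpn_service_name }}@{{ item }}"` with `loop: "{{ openvpn_config.keys() | list }}"` on the task, which also removes the dependency on the set_fact in tasks/instances.yaml. This restarts unchanged instances too; per-instance handlers with `listen` would avoid that at the cost of more tasks.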
@@ -0,0 +1,76 @@
+---
+- set_fact:
+    instance_path: "{{ openvpn_etc_path }}/{{ instance }}"
+    openvpn_instance: "{{ instance }}"
+
+- name: openvpn static keys
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop: "{{ openvpn_static_keys[instance] | dict2items }}"
+  no_log: true
+  notify: restart openvpn instance
+
+- name: openvpn dh params
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ openvpn_dh_params[instance] | default({}) | dict2items }}"
+  notify: restart openvpn instance
+
+- name: openvpn private_keys
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0600"
+  loop: "{{ openvpn_private_keys[instance] | dict2items }}"
+  no_log: true
+  notify: restart openvpn instance
+
+- name: openvpn certificates
+  copy:
+    dest: "{{ instance_path }}/{{ item.key }}"
+    content: "{{ item.value }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ openvpn_certificates[instance] | dict2items }}"
+  notify: restart openvpn instance
+
+- name: configure openvpn
+  template:
+    src: openvpn.conf.j2
+    dest: "{{ instance_path }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: restart openvpn instance
+
+- name: mkdir ccd
+  file:
+    path: "{{ instance_path }}/ccd"
+    state: directory
+
+- name: configure ccd
+  template:
+    src: ccd.j2
+    dest: "{{ instance_path }}/ccd/{{ item.key }}"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ openvpn_ccd[instance] | default({}) | dict2items }}"
+  notify: restart openvpn instance
+
+- name: "manage openvpn@{{ instance }} service"
+  service:
+    name: "{{ openvpn_service_name }}@{{ instance }}"
+    state: "{{ openvpn_service_state }}"
+    enabled: "{{ openvpn_service_enabled }}"
diff --git a/roles/openvpn/tasks/main.yaml b/roles/openvpn/tasks/main.yaml
new file mode 100644
index 0000000..6e8cf29
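Review bot: nothing in this file creates `{{ instance_path }}` itself, and the `copy` tasks do not create a missing destination directory, so on a fresh host the `openvpn static keys` task fails unless something outside this role has already created the directory; add a `file` task directly after the set_fact that creates it with explicit root ownership (per-file modes of 0600 already restrict the key material, so the directory can stay traversable). The `mkdir ccd` task has a related gap: it is the only task in the file that sets no `owner`/`group`/`mode`; adding `owner: root`, `group: root` and `mode: "0755"` under its `file:` makes it consistent with the 0644 files written into it. Separately, only `openvpn_dh_params[instance]` is guarded with `| default({})`, while `openvpn_static_keys`, `openvpn_private_keys` and `openvpn_certificates` are indexed directly, so an instance that defines none of them (a TLS-only or a static-key-only setup) fails with an undefined key — apply the same `| default({}) | dict2items` to all four loops.
```yaml
# … unchanged: set_fact for instance_path / openvpn_instance …

- name: create openvpn instance directory
  file:
    path: "{{ instance_path }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

# … unchanged: static keys, dh params, private keys, certificates, configure openvpn, ccd, service …
```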
--- /dev/null
+++ b/roles/openvpn/tasks/main.yaml
@@ -0,0 +1,52 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- name: "install {{ openvpn_package_name }}"
+  package:
+    name: "{{ openvpn_package_name }}"
+    state: "{{ openvpn_package_state }}"
+
+
+- name: "manage instances {{ item }}"
+  include: instances.yaml
+  loop: "{{ openvpn_config.keys() | list }}"
+  loop_control:
+    loop_var: instance
+
+- name: configure IPv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "{{ openvpn_ip_forward | default(0) }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- name: configure IPv6 forwarding
+  sysctl:
+    name: net.ipv6.conf.all.forwarding
+    value: "{{ openvpn_ip_forward | default(0) }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
diff --git a/roles/openvpn/templates/ccd.j2 b/roles/openvpn/templates/ccd.j2
new file mode 100644
index 0000000..c8060a8
--- /dev/null
+++ b/roles/openvpn/templates/ccd.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+{% for k, v in item.value.items() %}
+{% if v is string %}
+{{ k }} {{ v }}
+{% elif v is sequence %}
+{% for vv in v %}
+{{ k }} {{ vv | quote if k == "push" else vv }}
+{% endfor %}
+{% elif v is not defined %}
+{{ k }}
+{% else %}
+{{ k }} {{ v }}
+{% endif %}
+{% endfor %}
diff --git a/roles/openvpn/templates/openvpn.conf.j2 b/roles/openvpn/templates/openvpn.conf.j2
new file mode 100644
index 0000000..d0297d3
--- /dev/null
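Review bot: the `manage instances` task name interpolates `{{ item }}`, but `loop_control.loop_var: instance` means `item` is not set in that loop, so the task name never shows which instance is being processed; use `- name: "manage instances {{ instance }}"`. The same task uses `include:`, which is deprecated in favour of `include_tasks:` (already used above for the OS-specific tasks) — `include_tasks: instances.yaml`. The two sysctl tasks write `sysctl_set: yes` and `reload: yes`, while the rest of the role spells booleans as `true`; using `true` keeps the file consistent and avoids the YAML 1.1 truthy forms. Since both the IPv4 and IPv6 tasks take their value from the single `openvpn_ip_forward`, a comment on the first of them saying so, e.g. `# openvpn_ip_forward enables forwarding for both IPv4 and IPv6`, would save a reader from looking for a separate v6 switch.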
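Review bot: the `{% elif v is not defined %}` branch can never be taken, because `item.value.items()` only yields defined values (a YAML null becomes `None`, and `None is defined` is true in Jinja); a key written with a null value, the natural way to express a bare directive such as `push-reset`, falls through to the `else` branch and renders as `push-reset None`, which OpenVPN will not accept. Test for null instead, and do it before the other branches: `{% if v is none %}` / `{{ k }}` / `{% elif v is string %}` and so on. The same template body, including this branch, is repeated in templates/openvpn.conf.j2 and needs the same fix; a boolean value (`true`) also renders as `True` in both, so it is worth a comment at the top stating that bare directives are written as `key: null` and that the value otherwise is emitted verbatim.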
+++ b/roles/openvpn/templates/openvpn.conf.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+{% for k, v in openvpn_config[instance].items() %}
+{% if v is string %}
+{{ k }} {{ v }}
+{% elif v is sequence %}
+{% for vv in v %}
+{{ k }} {{ vv | quote if k == "push" else vv }}
+{% endfor %}
+{% elif v is not defined %}
+{{ k }}
+{% else %}
+{{ k }} {{ v }}
+{% endif %}
+{% endfor %}
diff --git a/roles/openvpn/vars/default.yaml b/roles/openvpn/vars/default.yaml
new file mode 100644
index 0000000..e69de29