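---
# Deploy one OpenVPN server instance onto an Ubuntu host.
#
# This file is itself a template: `hosts: {{ instance_name }}` and the
# `vars:` block are presumably filled in by an outer rendering step before
# Ansible parses the play (a bare `{{ ... }}` at the start of a value is
# not valid YAML on its own) -- TODO confirm against the caller.
#
# Inputs:
#   instance_name              - inventory host/group to target
#   server_network, vpn_subnet - arguments to OpenVPN's `server` directive
#   is_persistent              - truthy: add keepalive/persist-tun/persist-key
#   clients_can_see_each_other - truthy: add `client-to-client`
#   port_number, protocol      - listening port and udp/tcp
#   pki_dir                    - per-server directory, used both as the
#                                source tree on the controller and as the
#                                install directory on the host
#
# Changes from the shell-based version:
#   * Every file is written through copy/file instead of `shell` + printf,
#     so variable values are never interpolated into a command line, and
#     the private key gets an explicit root-only mode (the original set no
#     mode, so the key could land with the umask default).
#   * `script-security 3 system` was removed: the generated config uses no
#     script hooks (no up/down/client-connect/auth-user-pass-verify), and
#     level 3 plus the deprecated `system` method only widen what a
#     compromised daemon may execute.
#   * The old instance is stopped with SIGTERM rather than `kill -9`, and
#     the new one is started with --daemon (the config has no `daemon`
#     directive, so the original `shell: openvpn ...` blocks the play
#     until the server exits, unless the caller wrapped it in async).
#
# NOTE(review): the daemon still runs as root (no `user`/`group`) and the
# control channel has no tls-auth/tls-crypt key, cipher or auth directive.
# Dropping privileges needs persist-key/persist-tun unconditionally and a
# CRL readable by the unprivileged user, so it is flagged here rather than
# changed silently.
- hosts: "{{ instance_name }}"
  gather_facts: false
  connection: ssh
  remote_user: ubuntu
  become: true
  vars:
    server_network: "{{ server_network }}"
    is_persistent: "{{ is_persistent }}"
    vpn_subnet: "{{ vpn_subnet }}"
    clients_can_see_each_other: "{{ clients_can_see_each_other }}"
    port_number: "{{ port_number }}"
    protocol: "{{ protocol }}"
    pki_dir: "{{ pki_dir }}"

  tasks:
    - name: install openvpn
      apt:
        name: openvpn
        state: present
        update_cache: true

    - name: stop any openvpn instance started from this directory
      # SIGTERM lets openvpn shut down cleanly instead of being killed
      # mid-write; the `openvpn` pattern stops a stale pid file from killing
      # an unrelated process that reused the pid. A missing pid file
      # (`removes`) or an already-exited daemon (`failed_when`) is not an
      # error, matching the original `|| true`.
      command: pkill -TERM -F "{{ pki_dir }}/pid" openvpn
      args:
        removes: "{{ pki_dir }}/pid"
      failed_when: false

    - name: make sure /opt/openvpn exists
      file:
        path: /opt/openvpn
        state: directory
        mode: "0755"

    - name: make sure directory for this server exists
      file:
        path: "{{ pki_dir }}"
        state: directory
        mode: "0755"

    - name: install server private key
      # Root-only: this is the one secret shipped by the play.
      copy:
        src: "{{ pki_dir }}/private/server.key"
        dest: "{{ pki_dir }}/server.key"
        owner: root
        group: root
        mode: "0600"

    - name: install server certificate
      copy:
        src: "{{ pki_dir }}/issued/server.crt"
        dest: "{{ pki_dir }}/server.crt"
        mode: "0644"

    - name: install CA certificate
      copy:
        src: "{{ pki_dir }}/ca.crt"
        dest: "{{ pki_dir }}/ca.crt"
        mode: "0644"

    - name: install CRL
      # Kept world-readable: openvpn re-reads the CRL on client connects.
      copy:
        src: "{{ pki_dir }}/crl.pem"
        dest: "{{ pki_dir }}/crl.pem"
        mode: "0644"

    - name: install DH parameters
      copy:
        src: /opt/openvpn/init_pki/dh.pem
        dest: "{{ pki_dir }}/dh.pem"
        mode: "0644"

    - name: write base server config
      # copy replaces the file atomically, so the separate `rm -f` task is
      # no longer needed. No secrets are inlined: the config only points at
      # the key/cert files installed above.
      copy:
        dest: "{{ pki_dir }}/server.conf"
        mode: "0644"
        content: |
          port {{ port_number }}
          proto {{ protocol }}
          dev tun
          writepid {{ pki_dir }}/pid
          ca {{ pki_dir }}/ca.crt
          cert {{ pki_dir }}/server.crt
          key {{ pki_dir }}/server.key
          dh {{ pki_dir }}/dh.pem
          crl-verify {{ pki_dir }}/crl.pem
          server {{ server_network }} {{ vpn_subnet }}
          ifconfig-pool-persist {{ pki_dir }}/ipp.txt
          status {{ pki_dir }}/openvpn-status.log
          verb 3

    - name: add persistence options
      # `| bool` accepts both a real boolean and the string form an outer
      # rendering step may have produced.
      blockinfile:
        path: "{{ pki_dir }}/server.conf"
        marker: "# {mark} persistence options (managed by ansible)"
        block: |
          keepalive 10 60
          persist-tun
          persist-key
      when: is_persistent | bool

    - name: add client-to-client option
      lineinfile:
        path: "{{ pki_dir }}/server.conf"
        line: client-to-client
      when: clients_can_see_each_other | bool

    - name: start openvpn
      # --daemon so the task returns once openvpn has initialised. --daemon
      # changes the working directory, which is harmless as long as pki_dir
      # is an absolute path -- TODO confirm against the caller.
      command: openvpn --daemon --config "{{ pki_dir }}/server.conf"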