From 21ebcb8a23282d8435fa0ff614bfb958eaeaf1e1 Mon Sep 17 00:00:00 2001
From: Mikhail Doronin
Date: Sun, 22 Dec 2024 18:33:55 +0100
Subject: [PATCH] Support freebsd (#176)
* Support FreeBSD: no logrotate, no `wheel` group
* Add FreeBSD to supported OS list
---------
Co-authored-by: Kyle Lexmond
---
 defaults/main/role.yml | 5 +++++
 meta/main.yml | 7 +++++++
 tasks/client_keys.yml | 8 ++++----
 tasks/config.yml | 26 +++++++++++++------------
 tasks/server_keys.yml | 20 ++++++++++----------
 vars/FreeBSD.yml | 9 +++++++++
 vars/Solaris.yml | 1 +
 7 files changed, 49 insertions(+), 27 deletions(-)
 create mode 100644 vars/FreeBSD.yml
diff --git a/defaults/main/role.yml b/defaults/main/role.yml
index 93ce419c..69605bf1 100644
--- a/defaults/main/role.yml
+++ b/defaults/main/role.yml
@@ -23,6 +23,10 @@ openvpn_no_nat: false
 
 # Misc
 ci_build: false
+openvpn_conf_user: root
+openvpn_conf_group: root
+openvpn_script_user: root
+openvpn_script_group: root
 openvpn_client_config_no_log: true
 openvpn_revoke_these_certs: []
 openvpn_selinux_module: my-openvpn-server
@@ -30,3 +34,4 @@ openvpn_service_name: openvpn
 openvpn_sync_certs: false
 openvpn_uninstall: false
 openvpn_use_ldap: false
+openvpn_use_logrotate: true
diff --git a/meta/main.yml b/meta/main.yml
index e19b894f..923b5f50 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -18,6 +18,13 @@ galaxy_info:
 - "38"
 - "39"
 - "40"
+ - name: FreeBSD
+ versions:
+ - "12"
+ - "13"
+ - name: Ubuntu
+ versions:
+ - trusty
 
 galaxy_tags:
 - networking
diff --git a/tasks/client_keys.yml b/tasks/client_keys.yml
index 7aa6129c..1f47c462 100644
--- a/tasks/client_keys.yml
+++ b/tasks/client_keys.yml
@@ -9,8 +9,8 @@
 ansible.builtin.copy:
 src: openssl-client.ext
 dest: "{{ openvpn_key_dir }}"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0400"
 
 - name: Generate client key
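Review bot: The four ownership variables added after `ci_build: false` carry no comment, although `openvpn_conf_user`/`openvpn_conf_group` become the owner of the `0400` files under `openvpn_key_dir` (tasks/client_keys.yml, tasks/server_keys.yml) and `openvpn_script_user`/`openvpn_script_group` the owner of `revoke.sh` and `crl-cron.sh`, so any non-root value hands that account read access to private key material or write access to scripts that root presumably runs. I would put above them `# Owner/group of rendered configs and key material, and of the revoke/CRL scripts.` and `# Override only with root-equivalent accounts; FreeBSD needs group "wheel".` The `openvpn_use_logrotate: true` default in the second hunk deserves a similar one-liner noting that vars/Solaris.yml and vars/FreeBSD.yml switch it off because those systems do not ship logrotate.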
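Review bot: The meta/main.yml hunk adds Ubuntu `trusty` to the platform list next to FreeBSD, which neither the subject nor the description mentions; if it is intended the commit message should say so, otherwise it looks like a stray change. FreeBSD `"12"` and Ubuntu `trusty` also appear to be past end-of-life, so advertising them in `galaxy_info.platforms` may mislead users unless the role is actually exercised on them. Restricting the list to the versions the role is tested on would match what the description claims.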
@@ -67,8 +67,8 @@
 ansible.builtin.template:
 src: client.ovpn.j2
 dest: "{{ openvpn_ovpn_dir }}/{{ item.0.item }}-{{ inventory_hostname }}.ovpn"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0400"
 with_together:
 - "{{ client_certs.results }}"
diff --git a/tasks/config.yml b/tasks/config.yml
index 8f3bcacc..fba0aeb8 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -3,8 +3,8 @@
 ansible.builtin.template:
 src: server.conf.j2
 dest: "{{ openvpn_base_dir }}/{{ openvpn_config_file }}.conf"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0644"
 notify:
 - Restart openvpn
@@ -54,33 +54,33 @@
 ansible.builtin.template:
 src: ldap.conf.j2
 dest: "{{ openvpn_base_dir }}/auth/ldap.conf"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0644"
 when: openvpn_use_ldap
 
 - name: Create log directory
 ansible.builtin.file:
 dest: "{{ openvpn_log_dir }}"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0755"
 
 - name: Copy openvpn logrotate config file
 ansible.builtin.template:
 src: openvpn_logrotate.conf.j2
 dest: /etc/logrotate.d/openvpn-{{ openvpn_config_file }}.conf
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0400"
- when: ansible_os_family != 'Solaris'
+ when: openvpn_use_logrotate
 
 - name: Create client config directory
 ansible.builtin.file:
 state: directory
 path: "{{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0755"
 when: openvpn_client_config
 
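Review bot: `Create log directory` in the `@@ -54,33 +54,33 @@` hunk passes `dest: "{{ openvpn_log_dir }}"` to `ansible.builtin.file` without `state: directory`, so with the module's default state the task only adjusts an existing path and fails when the directory is absent, whereas the neighbouring `Create client config directory` task does create it. The commit only swaps owner/group here, but since the task is being reworked it is worth adding `state: directory` and using `path:` for consistency with that sibling. The ownership now depends on `openvpn_conf_user`, which is fine only while that stays a root-equivalent account, since the daemon writes into this directory at runtime.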
@@ -88,8 +88,8 @@
 ansible.builtin.template:
 src: client_ccd.j2
 dest: "{{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}/{{ item.key }}"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0644"
 when: openvpn_client_config
 with_dict: "{{ openvpn_client_configs }}"
diff --git a/tasks/server_keys.yml b/tasks/server_keys.yml
index 767a88ba..8b69ed38 100644
--- a/tasks/server_keys.yml
+++ b/tasks/server_keys.yml
@@ -9,8 +9,8 @@
 ansible.builtin.copy:
 src: "{{ item }}"
 dest: "{{ openvpn_key_dir }}"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0400"
 with_items:
 - openssl-server.ext
@@ -94,8 +94,8 @@
 ansible.builtin.copy:
 src: dh.pem
 dest: "{{ openvpn_key_dir }}"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0400"
 when: openvpn_use_pregenerated_dh_params|bool
 
@@ -111,8 +111,8 @@
 ansible.builtin.template:
 src: ca.conf.j2
 dest: "{{ openvpn_key_dir }}/ca.conf"
- owner: root
- group: root
+ owner: "{{ openvpn_conf_user }}"
+ group: "{{ openvpn_conf_group }}"
 mode: "0744"
 
 - name: Create initial certificate revocation list squence number
@@ -132,8 +132,8 @@
 ansible.builtin.template:
 src: revoke.sh.j2
 dest: "{{ openvpn_key_dir }}/revoke.sh"
- owner: root
- group: root
+ owner: "{{ openvpn_script_user }}"
+ group: "{{ openvpn_script_group }}"
 mode: "0744"
 
 - name: Check if certificate revocation list database exists
@@ -158,8 +158,8 @@
 ansible.builtin.template:
 src: crl-cron.sh.j2
 dest: "{{ openvpn_base_dir }}/crl-cron.sh"
- owner: root
- group: root
+ owner: "{{ openvpn_script_user }}"
+ group: "{{ openvpn_script_group }}"
 mode: "0744"
 
 # This should eventually be switched to use a systemd timer
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
new file mode 100644
index 00000000..be9aa284
--- /dev/null
+++ b/vars/FreeBSD.yml
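Review bot: In the `@@ -132,8 +132,8 @@` and `@@ -158,8 +158,8 @@` hunks `revoke.sh` and `crl-cron.sh` are installed `0744` and, judging by the trailing `# This should eventually be switched to use a systemd timer` comment, presumably executed by root from cron, so making their owner configurable means any non-root `openvpn_script_user` can edit a script that root will run. Since vars/FreeBSD.yml only needs the group changed to `wheel`, consider dropping `openvpn_script_user` and keeping `owner: root` in both tasks, or at least documenting in defaults/main/role.yml that the value must be a root-equivalent account. Independently, `ca.conf` in the `@@ -111,8 +111,8 @@` hunk keeps `mode: "0744"`, which gives a configuration file an executable bit; `"0644"` would express the intent better, though that is pre-existing.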
@@ -0,0 +1,9 @@
+---
+manage_firewall_rules: false
+openvpn_config_file: "openvpn"
+openvpn_base_dir: /usr/local/etc/openvpn
+openvpn_key_dir: /usr/local/etc/openvpn/keys
+openvpn_conf_user: root
+openvpn_conf_group: wheel
+openvpn_script_group: wheel
+openvpn_use_logrotate: false
diff --git a/vars/Solaris.yml b/vars/Solaris.yml
index 2f7cca0d..4f9395d3 100644
--- a/vars/Solaris.yml
+++ b/vars/Solaris.yml
@@ -3,3 +3,4 @@ openvpn_config_file: "openvpn"
 openvpn_base_dir: /opt/local/etc/openvpn
 openvpn_key_dir: /opt/local/etc/openvpn/keys
 openvpn_use_ldap: false
+openvpn_use_logrotate: false
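Review bot: `openvpn_conf_user: root` in the new vars/FreeBSD.yml restates the role default from defaults/main/role.yml while `openvpn_script_user` is left implicit, so the file is only half explicit about ownership; either drop the redundant line or set both users for symmetry with the two `wheel` group overrides. A short header comment such as `# FreeBSD ships no logrotate and has no "root" group; config lives under /usr/local/etc` would explain why these overrides exist. The file only takes effect if the role loads a per-OS vars file keyed on `ansible_os_family` (not visible in this diff), so it is worth confirming the loader picks up `FreeBSD.yml`.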