Merge branch 'master' into master

.github/workflows/ci.yml

@@ -1,22 +1,20 @@
 ---
 name: CI
 
-on:  # yamllint disable-line rule:truthy
+on: # yamllint disable-line rule:truthy
   push:
     branches:
       - master
   pull_request:
     branches:
       - master
 
-  workflow_dispatch:
-
 jobs:
   check-syntax:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     name: check-syntax
     container:
-      image: diodonfrost/ansible-fedora:35
+      image: diodonfrost/ansible-fedora:40
       env:
         container: docker
       volumes:
@@ -33,21 +31,23 @@ jobs:
       - name: Check syntax of ansible playbook
         run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml --syntax-check
 
-  build-fedora:
-    runs-on: ubuntu-20.04
-    name: fedora-${{ matrix.version }}
+  build-rhel-like:
+    runs-on: ubuntu-latest
+    name: rhel-like-${{ matrix.version }}
     needs:
       - check-syntax
     strategy:
       fail-fast: false
       matrix:
         version:
-          - "33"
-          - "34"
-          - "35"
+          - "centos:stream9"
+          - "fedora:38"
+          - "fedora:39"
+          - "almalinux:9"
+          - "rockylinux:9"
 
     container:
-      image: diodonfrost/ansible-fedora:${{ matrix.version }}
+      image: diodonfrost/ansible-${{ matrix.version }}
       env:
         container: docker
       volumes:
@@ -71,25 +71,25 @@ jobs:
         continue-on-error: true
         run: |
           ls -lR /etc/openvpn
-          echo "cat /etc/openvpn/**/openvpn_udp_1194.conf"
-          cat /etc/openvpn/**/openvpn_udp_1194.conf
-          echo "cat /etc/openvpn/**/alpha-*.ovpn"
-          cat /etc/openvpn/**/alpha-*.ovpn
+          echo "cat openvpn_udp_1194.conf"
+          find /etc/openvpn/ -maxdepth 3 -name openvpn_udp_1194.conf -type f -exec cat {} \;
+          echo "cat alpha-*.ovpn"
+          find /etc/openvpn/ -maxdepth 3 -name "alpha-*.ovpn" -type f -exec cat {} \;
 
-  build-centos:
-    runs-on: ubuntu-20.04
-    name: centos-${{ matrix.version }}
+  build-rhel-legacy:
+    runs-on: ubuntu-latest
+    name: rhel-legacy-${{ matrix.version }}
     needs:
       - check-syntax
     strategy:
       fail-fast: false
       matrix:
         version:
-          - "7"
-          - "8"
+          - "almalinux:8"
+          - "rockylinux:8"
 
     container:
-      image: diodonfrost/ansible-centos:${{ matrix.version }}
+      image: diodonfrost/ansible-${{ matrix.version }}
       env:
         container: docker
       volumes:
@@ -99,6 +99,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+      - name: Update ansible
+        run: dnf install -y python39 && pip3.9 install -U ansible
       - name: Setup ansible.posix collection for firewalld
         run: ansible-galaxy collection install ansible.posix
       - name: Setup community.general collection for ufw
@@ -118,19 +120,19 @@ jobs:
           echo "cat alpha-*.ovpn"
           find /etc/openvpn/ -maxdepth 3 -name "alpha-*.ovpn" -type f -exec cat {} \;
 
-  build-rocky:
-    runs-on: ubuntu-20.04
-    name: rocky-${{ matrix.version }}
+  # diodonfrost's images are broken for fedora 40 (thinks it's rawhide) and fedora 41 doesn't exist, so I built my own
+  build-broken-fedora:
+    runs-on: ubuntu-latest
+    name: fedora-${{ matrix.version }}
     needs:
       - check-syntax
     strategy:
       fail-fast: false
       matrix:
         version:
-          - "8"
-
+          - "fedora:40"
     container:
-      image: diodonfrost/ansible-rockylinux:${{ matrix.version }}
+      image: ghcr.io/kyl191/ansible-${{ matrix.version }}
       env:
         container: docker
       volumes:

README.md

@@ -136,13 +136,13 @@ These options change how OpenVPN itself works.
 | openvpn_client_config_dir | string  |         | ccd     | Path of `client-config-dir`                          |
 | openvpn_client_configs    | dict    |         | {}      | Dict of settings custom client configs               |
 
-## Logrotate
+## Logrotate/Syslog
 Set your own custom logrotate options
-| Variable                 | Type   | Choices | Default                                                                                                     | Comment                                                                                          |
-|--------------------------|--------|---------|-------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
-| openvpn_log_dir          | string |         | /var/log                                                                                                    | Set location of openvpn log files. This parameter is a part of `log-append` configuration value. |
-| openvpn_log_file         | string |         | openvpn.log                                                                                                 | Set log filename. This parameter is a part of `log-append` configuration value.                  |
-| openvpn_logrotate_config | string |         | rotate 4<br />weekly<br />missingok<br />notifempty<br />sharedscripts<br />copytruncate<br />delaycompress | Configure logrotate script.                                                                      |
+| Variable                 | Type   | Choices | Default                                                                                                     | Comment                                                                                                   |
+|--------------------------|--------|---------|-------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------|
+| openvpn_log_dir          | string |         | /var/log                                                                                                    | Set location of openvpn log files. This parameter is a part of `log-append` configuration value.          |
+| openvpn_log_file         | string |         | openvpn.log                                                                                                 | Set log filename. This parameter is a part of `log-append` configuration value. If empty, syslog is used. |
+| openvpn_logrotate_config | string |         | rotate 4<br />weekly<br />missingok<br />notifempty<br />sharedscripts<br />copytruncate<br />delaycompress | Configure logrotate script.                                                                               |
 
 ## Packaging
 This role pulls in a bunch of different packages. Override the names as necessary.

defaults/main/ldap.yml

@@ -1,3 +1,4 @@
+---
 ldap:
   url: ldap://host.example.com
   anonymous_bind: false

defaults/main/logrotate.yml

@@ -1,3 +1,4 @@
+---
 # Logrotate configuration
 openvpn_log_dir: /var/log
 openvpn_log_file: openvpn.log

defaults/main/openvpn.yml

@@ -1,10 +1,10 @@
+---
 # Defaults for openvpn
 
 # Networking
 openvpn_client_register_dns: true
 openvpn_client_to_client: false
 openvpn_custom_dns: []
-openvpn_dns_servers: []
 openvpn_dualstack: true
 openvpn_keepalive_ping: 5
 openvpn_keepalive_timeout: 30
@@ -17,6 +17,7 @@ openvpn_server_netmask: 255.255.255.0
 openvpn_server_network: 10.9.0.0
 openvpn_set_dns: true
 openvpn_tun_mtu:
+openvpn_lan_source_ip: "{{ ansible_default_ipv4.address }}"
 
 # Security
 openvpn_auth_alg: SHA256
@@ -44,7 +45,6 @@ openvpn_service_group: nogroup
 openvpn_service_user: nobody
 openvpn_status_version: 1
 
-
 # Client config - settings the server will push
 openvpn_client_config: false
 openvpn_client_config_dir: ccd
@@ -65,4 +65,3 @@ openvpn_client_configs: {}
 #     - push "route 192.168.1.0 255.255.255.0"
 #     - iroute 192.168.2.0 255.255.255.0
 #     - iroute 192.168.4.0 255.255.255.0
-

defaults/main/packaging.yml

@@ -1,3 +1,4 @@
+---
 # Packaging defaults for kyl191.openvpn
 epel_package_name: epel-release
 iptables_persistent_package_name: iptables-persistent

defaults/main/role.yml

@@ -1,3 +1,4 @@
+---
 # Defaults for the role operation
 
 clients: []
@@ -18,6 +19,7 @@ iptables_service: iptables
 manage_firewall_rules: true
 openvpn_firewall: auto
 openvpn_masquerade_not_snat: false
+openvpn_no_nat: false
 
 # Misc
 ci_build: false

handlers/main.yml

@@ -1,36 +1,39 @@
 ---
-- name: restart openvpn
-  service:
+- name: Restart openvpn
+  ansible.builtin.service:
     name: "{{ openvpn_service_name }}"
     state: restarted
   # Github Actions doesn't allow entrypoints, so PID 1 isn't an init system
   when: ansible_service_mgr != "tail"
 
-- name: restart iptables
-  service:
+- name: Restart iptables
+  ansible.builtin.service:
     name: iptables
     state: restarted
 
-- name: restart firewalld
-  service:
+- name: Restart firewalld
+  ansible.builtin.service:
     name: firewalld
     state: restarted
 
-- name: restart ufw
-  service:
+- name: Restart ufw
+  ansible.builtin.service:
     name: ufw
     state: restarted
 
-- name: save iptables rules (Debian/Ubuntu and CentOS/RHEL/Fedora)
-  shell: "{{ iptables_save_command }}"  # noqa command-instead-of-shell
+- name: Save iptables rules (Debian/Ubuntu and CentOS/RHEL/Fedora)
+  ansible.builtin.shell: "{{ iptables_save_command }}" # noqa command-instead-of-shell could have shell redirection
   when: ansible_os_family == 'Debian' or ansible_os_family == 'RedHat'
   listen: "save iptables"
+  changed_when: true # always save iptables rules
 
-- name: build and install policy
-  command: "{{ item }}"
+- name: Build and install policy
+  ansible.builtin.command: "{{ item }}"
   args:
     chdir: /var/lib/selinux
   with_items:
     - "checkmodule -M -m -o {{ openvpn_selinux_module }}.mod {{ openvpn_selinux_module }}.te"
     - "semodule_package -o {{ openvpn_selinux_module }}.pp -m {{ openvpn_selinux_module }}.mod"
     - "semodule -i {{ openvpn_selinux_module }}.pp"
+  changed_when: true
+  when: ansible_selinux.status == 'enabled'

meta/main.yml

@@ -6,21 +6,18 @@ galaxy_info:
   description: OpenVPN playbook for CentOS/Fedora/RHEL/RHEL clones & Ubuntu/Debian
 
   license: MIT
-  min_ansible_version: 2.9
+  min_ansible_version: "2.9"
 
   platforms:
     - name: EL
       versions:
-        - 7
-        - 8
+        - "8"
+        - "9"
     - name: Fedora
       versions:
-        - 32
-        - 33
-        - 34
-    - name: Ubuntu
-      versions:
-        - trusty
+        - "38"
+        - "39"
+        - "40"
   galaxy_tags:
     - networking
 

tasks/cert_sync_detection.yml

@@ -1,6 +1,6 @@
 ---
 - name: "[cert sync] Get existing certs"
-  find:
+  ansible.builtin.find:
     paths: "{{ openvpn_key_dir }}"
     patterns: "*.csr"
     excludes: "server.csr"
@@ -11,16 +11,16 @@
 # 3. Keep only basename
 # 4. Remove extension
 - name: "[cert sync] Create list of existing client with  existing certs"
-  set_fact:
+  ansible.builtin.set_fact:
     openvpn_existing_client: "{{ openvpn_existing_cert.files | map(attribute='path') | map('basename') | map('replace', '.csr', '') | sort }}"
   when: (openvpn_existing_cert.files | length) > 0
 
 # Make difference between 2 list to have only cert to revoke
 - name: "[cert sync] Create list of cert to revoke"
-  set_fact:
-    openvpn_cert_sync_revoke: "{{ (openvpn_existing_client | default([])) | difference(clients | sort ) }}"
+  ansible.builtin.set_fact:
+    openvpn_cert_sync_revoke: "{{ (openvpn_existing_client | default([])) | difference(clients | sort) }}"
 
 - name: "[cert sync] Debug: Certs to revoke (skipped if none)"
-  debug:
+  ansible.builtin.debug:
     msg: "Will revoke additional certs: {{ openvpn_cert_sync_revoke | join(', ') }}"
   when: openvpn_cert_sync_revoke | length > 0