From c87e7c44c1f466a32694eba427dd02b5d899acce Mon Sep 17 00:00:00 2001
From: Tomasz Durda
Date: Mon, 14 Mar 2022 04:13:23 +0100
Subject: [PATCH 01/18] Added AlmaLinux
---
tasks/install.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/install.yml b/tasks/install.yml
index 2665147d..ed1872ef 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -3,7 +3,7 @@
package:
name: "{{ epel_package_name }}"
state: present
- when: ansible_distribution == "CentOS" or ansible_distribution=="Rocky"
+ when: ansible_distribution == "CentOS" or ansible_distribution=="Rocky" or ansible_distribution=="AlmaLinux"
- name: Install EPEL for RHEL
yum:
From 0b80f5bf86d46c9ad6722aa0ad81a505f9dc9cf4 Mon Sep 17 00:00:00 2001
From: Kyle Lexmond
Date: Sun, 22 Dec 2024 02:07:35 +0000
Subject: [PATCH 02/18] Run ansible-lint --fix
---
defaults/main/ldap.yml | 1 +
defaults/main/logrotate.yml | 1 +
defaults/main/openvpn.yml | 4 +-
defaults/main/packaging.yml | 1 +
defaults/main/role.yml | 1 +
handlers/main.yml | 24 ++++++------
tasks/cert_sync_detection.yml | 10 ++---
tasks/client_keys.yml | 30 +++++++--------
tasks/compile_ldap_plugin.yml | 43 +++++++++++----------
tasks/config.yml | 42 ++++++++++-----------
tasks/firewall.yml | 22 +++++------
tasks/firewalld.yml | 8 ++--
tasks/install.yml | 22 +++++------
tasks/iptables.yml | 24 ++++++------
tasks/main.yml | 27 +++++++-------
tasks/revocation.yml | 24 ++++++------
tasks/selinux.yml | 8 ++--
tasks/server_keys.yml | 70 +++++++++++++++++------------------
tasks/set_facts.yml | 8 ++--
tasks/ufw.yml | 8 ++--
tasks/uninstall.yml | 12 +++---
21 files changed, 195 insertions(+), 195 deletions(-)
diff --git a/defaults/main/ldap.yml b/defaults/main/ldap.yml
index d5e380c8..649cc5a0 100644
--- a/defaults/main/ldap.yml
+++ b/defaults/main/ldap.yml
@@ -1,3 +1,4 @@
+---
ldap:
url: ldap://host.example.com
anonymous_bind: false
diff --git a/defaults/main/logrotate.yml b/defaults/main/logrotate.yml
index 1b351688..50712705 100644
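Review bot: The added `or ansible_distribution=="AlmaLinux"` term turns the EPEL task's `when:` into a three-way chained comparison; a membership test is shorter and easier to extend the next time a rebuild is added: `when: ansible_distribution in ["CentOS", "Rocky", "AlmaLinux"]`. The LDAP-plugin tasks further down the same file (seen as context in the `@@ -54,7 +54,7 @@` hunk of install.yml in the following patch) still branch on `ansible_distribution == "CentOS"` alone, so an AlmaLinux 8 host presumably takes the package-install path that CentOS 8 is routed away from. Worth confirming that is intended, or extending those conditions in the same way.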
--- a/defaults/main/logrotate.yml +++ b/defaults/main/logrotate.yml @@ -1,3 +1,4 @@ +--- # Logrotate configuration openvpn_log_dir: /var/log openvpn_log_file: openvpn.log diff --git a/defaults/main/openvpn.yml b/defaults/main/openvpn.yml index 673380bd..8e62bc9f 100644 --- a/defaults/main/openvpn.yml +++ b/defaults/main/openvpn.yml @@ -1,3 +1,4 @@ +--- # Defaults for openvpn # Networking @@ -17,7 +18,6 @@ openvpn_server_netmask: 255.255.255.0 openvpn_server_network: 10.9.0.0 openvpn_set_dns: true openvpn_tun_mtu: - # Security openvpn_auth_alg: SHA256 openvpn_cipher: AES-256-CBC @@ -44,7 +44,6 @@ openvpn_service_group: nogroup openvpn_service_user: nobody openvpn_status_version: 1 - # Client config - settings the server will push openvpn_client_config: false openvpn_client_config_dir: ccd @@ -65,4 +64,3 @@ openvpn_client_configs: {} # - push "route 192.168.1.0 255.255.255.0" # - iroute 192.168.2.0 255.255.255.0 # - iroute 192.168.4.0 255.255.255.0 - diff --git a/defaults/main/packaging.yml b/defaults/main/packaging.yml index 15ff676a..4115add9 100644 --- a/defaults/main/packaging.yml +++ b/defaults/main/packaging.yml @@ -1,3 +1,4 @@ +--- # Packaging defaults for kyl191.openvpn epel_package_name: epel-release iptables_persistent_package_name: iptables-persistent diff --git a/defaults/main/role.yml b/defaults/main/role.yml index bd00e1e9..dafcfcc3 100644 --- a/defaults/main/role.yml +++ b/defaults/main/role.yml @@ -1,3 +1,4 @@ +--- # Defaults for the role operation clients: [] diff --git a/handlers/main.yml b/handlers/main.yml index 4bfa27d8..f2b2be1c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -1,33 +1,33 @@ --- -- name: restart openvpn - service: +- name: Restart openvpn + ansible.builtin.service: name: "{{ openvpn_service_name }}" state: restarted # Github Actions doesn't allow entrypoints, so PID 1 isn't an init system when: ansible_service_mgr != "tail" -- name: restart iptables - service: +- name: Restart iptables + ansible.builtin.service: name: iptables state: restarted -- name: restart firewalld - service: +- name: Restart firewalld + ansible.builtin.service: name: firewalld state: restarted -- name: restart ufw - service: +- name: Restart ufw + ansible.builtin.service: name: ufw state: restarted -- name: save iptables rules (Debian/Ubuntu and CentOS/RHEL/Fedora) - shell: "{{ iptables_save_command }}" # noqa command-instead-of-shell +- name: Save iptables rules (Debian/Ubuntu and CentOS/RHEL/Fedora) + ansible.builtin.shell: "{{ iptables_save_command }}" when: ansible_os_family == 'Debian' or ansible_os_family == 'RedHat' listen: "save iptables" -- name: build and install policy - command: "{{ item }}" +- name: Build and install policy + ansible.builtin.command: "{{ item }}" args: chdir: /var/lib/selinux with_items: diff --git a/tasks/cert_sync_detection.yml b/tasks/cert_sync_detection.yml index 6432463c..14a457fb 100644 --- a/tasks/cert_sync_detection.yml +++ b/tasks/cert_sync_detection.yml @@ -1,6 +1,6 @@ --- - name: "[cert sync] Get existing certs" - find: + ansible.builtin.find: paths: "{{ openvpn_key_dir }}" patterns: "*.csr" excludes: "server.csr" 
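Review bot: The handler names are capitalized here (`Restart openvpn`, `Build and install policy`) but the `notify:` entries that reference them elsewhere in this series are unchanged — `- restart openvpn` is still a context line at the top of the config.yml `@@ -10,48 +10,48 @@` hunk and `- build and install policy` appears twice as context in the selinux.yml hunk. Ansible resolves `notify` against handler names by exact string match, so as far as I can tell those notifications would no longer find their handler after this change, while `save iptables` is unaffected because it keeps its `listen:`. Either update the `notify:` lines to the new names or add `listen: "restart openvpn"` and `listen: "build and install policy"` to the renamed handlers so both spellings resolve.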
@@ -11,16 +11,16 @@ # 3. Keep only basename # 4. Remove extension - name: "[cert sync] Create list of existing client with existing certs" - set_fact: + ansible.builtin.set_fact: openvpn_existing_client: "{{ openvpn_existing_cert.files | map(attribute='path') | map('basename') | map('replace', '.csr', '') | sort }}" when: (openvpn_existing_cert.files | length) > 0 # Make difference between 2 list to have only cert to revoke - name: "[cert sync] Create list of cert to revoke" - set_fact: - openvpn_cert_sync_revoke: "{{ (openvpn_existing_client | default([])) | difference(clients | sort ) }}" + ansible.builtin.set_fact: + openvpn_cert_sync_revoke: "{{ (openvpn_existing_client | default([])) | difference(clients | sort) }}" - name: "[cert sync] Debug: Certs to revoke (skipped if none)" - debug: + ansible.builtin.debug: msg: "Will revoke additional certs: {{ openvpn_cert_sync_revoke | join(', ') }}" when: openvpn_cert_sync_revoke | length > 0 diff --git a/tasks/client_keys.yml b/tasks/client_keys.yml index 19d52841..7aa6129c 100644 --- a/tasks/client_keys.yml +++ b/tasks/client_keys.yml @@ -1,20 +1,20 @@ --- - name: Create openvpn ovpn file directory - file: + ansible.builtin.file: path: "{{ openvpn_ovpn_dir }}" state: directory - mode: 0755 + mode: "0755" - name: Copy openssl client extensions - copy: + ansible.builtin.copy: src: openssl-client.ext dest: "{{ openvpn_key_dir }}" owner: root group: root - mode: 0400 + mode: "0400" - name: Generate client key - command: >- + ansible.builtin.command: >- openssl req -nodes -newkey rsa:{{ openvpn_rsa_bits }} -keyout {{ item }}.key -out {{ item }}.csr -days 3650 -subj /CN=OpenVPN-Client-{{ inventory_hostname[:24] }}-{{ item[:24] }}/ args: 
@@ -24,14 +24,14 @@ - "{{ clients }}" - name: Protect client keys - file: + ansible.builtin.file: path: "{{ openvpn_key_dir }}/{{ item }}.key" - mode: 0400 + mode: "0400" with_items: - "{{ clients }}" - name: Sign client key - command: openssl x509 -req -in {{ item }}.csr -out {{ item }}.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -extfile openssl-client.ext + ansible.builtin.command: openssl x509 -req -in {{ item }}.csr -out {{ item }}.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -extfile openssl-client.ext args: chdir: "{{ openvpn_key_dir }}" creates: "{{ item }}.crt" @@ -39,24 +39,24 @@ - "{{ clients }}" - name: Register server ca key - slurp: + ansible.builtin.slurp: src: "{{ openvpn_key_dir }}/ca.crt" register: ca_cert - name: Register tls-auth key - slurp: + ansible.builtin.slurp: src: "{{ openvpn_key_dir }}/ta.key" register: tls_auth - name: Register client certs - slurp: + ansible.builtin.slurp: src: "{{ openvpn_key_dir }}/{{ item }}.crt" with_items: - "{{ clients }}" register: client_certs - name: Register client keys - slurp: + ansible.builtin.slurp: src: "{{ openvpn_key_dir }}/{{ item }}.key" with_items: - "{{ clients }}" @@ -64,18 +64,18 @@ - name: Generate client config no_log: "{{ openvpn_client_config_no_log }}" - template: + ansible.builtin.template: src: client.ovpn.j2 dest: "{{ openvpn_ovpn_dir }}/{{ item.0.item }}-{{ inventory_hostname }}.ovpn" owner: root group: root - mode: 0400 + mode: "0400" with_together: - "{{ client_certs.results }}" - "{{ client_keys.results }}" - name: Fetch client config - fetch: + ansible.builtin.fetch: src: "{{ openvpn_ovpn_dir }}/{{ item }}-{{ inventory_hostname }}.ovpn" dest: "{{ openvpn_fetch_client_configs_dir }}/{{ item }}/{{ inventory_hostname }}{{ openvpn_fetch_client_configs_suffix }}.ovpn" flat: true diff --git a/tasks/compile_ldap_plugin.yml b/tasks/compile_ldap_plugin.yml index 251a19d4..f9315702 100644 --- a/tasks/compile_ldap_plugin.yml +++ b/tasks/compile_ldap_plugin.yml 
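Review bot: `Register client keys` slurps `{{ item }}.key` into a registered variable without `no_log`, while the `Generate client config` task that consumes it a few lines below carries `no_log: "{{ openvpn_client_config_no_log }}"`; at `-v` and above the registered slurp result (the base64 private key) is printed once per client. The same guard belongs on the slurp tasks, e.g. `no_log: "{{ openvpn_client_config_no_log }}"` on `Register client keys` and `Register tls-auth key`. The `Copy CA key` and `Copy tls-auth key` tasks in the first server_keys.yml hunk pass key material through `content:` and have the same gap, since the module invocation arguments, `content` included, are echoed at higher verbosity.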
@@ -1,23 +1,24 @@ --- - name: Gather specific variables - include_vars: "../vars/compile_ldap_plugin.yml" - + ansible.builtin.include_vars: "../vars/compile_ldap_plugin.yml" - name: Check package re2c already exists become: true - stat: + ansible.builtin.stat: path: "{{ re2c_bin_path }}" register: re2c_bin - name: Check package openvpn-auth-ldap already exists become: true - stat: + ansible.builtin.stat: path: "{{ openvpn_auth_ldap_bin_path }}" register: openvpn_auth_ldap_bin -- block: +- when: + - not openvpn_auth_ldap_bin.stat.exists or not re2c_bin.stat.exists + block: - name: Install gcc objc repo become: true - yum_repository: + ansible.builtin.yum_repository: name: csi-gcc description: gcc compiler suite, with Objective-C which is removed from official Red Hat EL8 releases. baseurl: "{{ gcc_objc_repo.base_url }}" @@ -27,15 +28,18 @@ - name: Install dev packages become: true - package: + ansible.builtin.package: name: "{{ compile_develop_packages }}" state: present - name: Install re2c + when: + - not re2c_bin.stat.exists + block: - name: Download and unpack re2c become: true - unarchive: + ansible.builtin.unarchive: src: "https://github.com/skvadrik/re2c/archive/{{ re2c_version }}.tar.gz" dest: "{{ compile_source_dir }}" creates: "{{ compile_source_dir }}/re2c-{{ re2c_version }}" @@ -43,7 +47,7 @@ - name: Compile re2c become: true - shell: | + ansible.builtin.shell: | autoreconf -i -W all ./configure make 
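Review bot: `Download and unpack re2c` unpacks a tarball fetched from github.com straight into `compile_source_dir` with no integrity check, and the result is compiled and installed as root (`become: true`); the openvpn-auth-ldap download in the `@@ -51,14 +55,14 @@` hunk does the same. `creates:` only prevents a second download, it says nothing about what was downloaded. Fetching with `ansible.builtin.get_url` and a pinned `checksum:` before unpacking the local file makes the build reproducible and fails loudly on a replaced or tampered archive; the expected digests would live next to `re2c_version` / `openvpn_auth_ldap_version` in vars/compile_ldap_plugin.yml, which is not in this diff. The `remote_src` line of the unarchive task sits outside the hunk, so the excerpt below restates it.
```yaml
- name: Download re2c
  become: true
  ansible.builtin.get_url:
    url: "https://github.com/skvadrik/re2c/archive/{{ re2c_version }}.tar.gz"
    dest: "{{ compile_source_dir }}/re2c-{{ re2c_version }}.tar.gz"
    checksum: "sha256:{{ re2c_sha256 }}"  # re2c_sha256 is a placeholder; define it beside re2c_version
    mode: "0644"

- name: Download and unpack re2c
  become: true
  ansible.builtin.unarchive:
    src: "{{ compile_source_dir }}/re2c-{{ re2c_version }}.tar.gz"
    remote_src: true
    dest: "{{ compile_source_dir }}"
    creates: "{{ compile_source_dir }}/re2c-{{ re2c_version }}"
# … unchanged: Compile re2c; apply the same get_url + checksum pattern to the openvpn-auth-ldap block …
```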
@@ -51,14 +55,14 @@ args: chdir: "{{ compile_source_dir }}/re2c-{{ re2c_version }}" creates: "{{ re2c_bin_path }}" + - name: Install openvpn-auth-ldap when: - - not re2c_bin.stat.exists + - not openvpn_auth_ldap_bin.stat.exists - - name: Install openvpn-auth-ldap block: - name: Download and unpack openvpn-auth-ldap become: true - unarchive: + ansible.builtin.unarchive: src: "https://github.com/threerings/openvpn-auth-ldap/archive/auth-ldap-{{ openvpn_auth_ldap_version }}.tar.gz" dest: "{{ compile_source_dir }}" creates: "{{ compile_source_dir }}/openvpn-auth-ldap-auth-ldap-{{ openvpn_auth_ldap_version }}" @@ -66,18 +70,18 @@ - name: Create module directory become: true - file: + ansible.builtin.file: path: "{{ openvpn_auth_ldap_bin_path | dirname }}" owner: root group: root - mode: 0750 + mode: "0750" state: directory - name: Compile become: true environment: PATH: "{{ re2c_bin_path | dirname }}:{{ lookup('env', 'PATH') }}" - shell: | + ansible.builtin.shell: | autoconf autoheader ./configure --prefix={{ openvpn_auth_ldap_plugin_dir_path }} --with-openvpn=/sbin/openvpn CFLAGS="-fPIC" OBJCFLAGS="-std=gnu11" @@ -86,12 +90,9 @@ args: chdir: "{{ compile_source_dir }}/openvpn-auth-ldap-auth-ldap-{{ openvpn_auth_ldap_version }}" creates: "{{ openvpn_auth_ldap_bin_path }}" - when: - - not openvpn_auth_ldap_bin.stat.exists - - name: Cleanup dev packages become: true - package: + ansible.builtin.package: name: "{{ compile_develop_packages }}" state: absent when: @@ -99,10 +100,8 @@ - name: Remove gcc objc repo become: true - yum_repository: + ansible.builtin.yum_repository: name: csi-gcc state: absent when: - compile_cleanup_dev_packages - when: - - not openvpn_auth_ldap_bin.stat.exists or not re2c_bin.stat.exists diff --git a/tasks/config.yml b/tasks/config.yml index 095e2f64..98ea11f0 100644 --- a/tasks/config.yml +++ b/tasks/config.yml 
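Review bot: `Compile` builds its `PATH` from `lookup('env', 'PATH')`, but lookups evaluate on the controller, so the build on the target runs with the controller's PATH plus the re2c directory rather than the target's own. That only works while both machines keep the usual `/usr/bin`-style layout; `ansible_env.PATH` is the target's value, and facts are evidently gathered since `ansible_distribution` and friends are used throughout the role. Proposed line: `PATH: "{{ re2c_bin_path | dirname }}:{{ ansible_env.PATH }}"`.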
@@ -1,6 +1,6 @@ --- - name: Create openvpn config file - template: + ansible.builtin.template: src: server.conf.j2 dest: "{{ openvpn_base_dir }}/{{ openvpn_config_file }}.conf" owner: root @@ -10,48 +10,48 @@ - restart openvpn - name: Copy up script if defined - copy: + ansible.builtin.copy: src: "{{ openvpn_script_up }}" dest: "{{ openvpn_base_dir }}/up.sh" mode: a+x when: openvpn_script_up is defined - name: Copy down script if defined - copy: + ansible.builtin.copy: src: "{{ openvpn_script_down }}" dest: "{{ openvpn_base_dir }}/down.sh" mode: a+x when: openvpn_script_down is defined - name: Copy client-connect script if defined - copy: + ansible.builtin.copy: src: "{{ openvpn_script_client_connect }}" dest: "{{ openvpn_base_dir }}/client_connect.sh" mode: a+x when: openvpn_script_client_connect is defined - name: Copy client-disconnect script if defined - copy: + ansible.builtin.copy: src: "{{ openvpn_script_client_disconnect }}" dest: "{{ openvpn_base_dir }}/client_disconnect.sh" mode: a+x when: openvpn_script_client_disconnect is defined - name: Ensure auth folder exist in openvpn dir - file: + ansible.builtin.file: path: "{{ openvpn_base_dir }}/auth" state: directory - mode: 0755 + mode: "0755" when: openvpn_use_ldap - name: Delete auth folder in openvpn dir - file: + ansible.builtin.file: path: "{{ openvpn_base_dir }}/auth" state: absent when: not openvpn_use_ldap - name: Install LDAP config - template: + ansible.builtin.template: src: ldap.conf.j2 dest: "{{ openvpn_base_dir }}/auth/ldap.conf" owner: root 
@@ -60,48 +60,48 @@ when: openvpn_use_ldap - name: Create log directory - file: + ansible.builtin.file: dest: "{{ openvpn_log_dir }}" owner: root group: root - mode: 0755 + mode: "0755" - name: Copy openvpn logrotate config file - template: + ansible.builtin.template: src: openvpn_logrotate.conf.j2 dest: /etc/logrotate.d/openvpn-{{ openvpn_config_file }}.conf owner: root group: root - mode: 0400 + mode: "0400" when: ansible_os_family != 'Solaris' - name: Create client config directory - file: + ansible.builtin.file: state: directory path: "{{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}" owner: root group: root - mode: 0755 + mode: "0755" when: openvpn_client_config - name: Create client configs - template: + ansible.builtin.template: src: client_ccd.j2 dest: "{{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}/{{ item.key }}" owner: root group: root - mode: 0644 + mode: "0644" when: openvpn_client_config with_dict: "{{ openvpn_client_configs }}" - name: List client config directory - shell: "ls -1 {{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}" + ansible.builtin.command: "ls -1 {{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}" register: __ccd_contents changed_when: false when: openvpn_client_config - name: Delete undeclared configs in client config directory - file: + ansible.builtin.file: path: "{{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}/{{ item }}" state: absent when: @@ -110,13 +110,13 @@ with_items: "{{ __ccd_contents.stdout_lines | default([]) }}" - name: Delete client config directory - file: + ansible.builtin.file: path: "{{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}" state: absent when: not openvpn_client_config - name: Setup openvpn auto-start & start - service: + ansible.builtin.service: name: "{{ openvpn_service_name }}" enabled: true state: started diff --git a/tasks/firewall.yml b/tasks/firewall.yml index 7a998ec7..b41a8f31 100644 --- a/tasks/firewall.yml +++ b/tasks/firewall.yml 
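Review bot: `List client config directory` still decides which files `Delete undeclared configs in client config directory` removes by parsing the text output of `ls -1`; swapping `shell` for `command` does not change that, and a filename with a newline would split into two bogus entries. `ansible.builtin.find` with `paths: "{{ openvpn_base_dir }}/{{ openvpn_client_config_dir }}"` and `file_type: file` returns a structured result, so the delete loop can use `__ccd_contents.files | map(attribute='path') | list` in place of `stdout_lines`. That loop is in the next hunk and the delete task's `when:` conditions sit outside this one, so both would need touching together.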
@@ -1,51 +1,51 @@ --- - name: Check for firewalld - command: which firewall-cmd + ansible.builtin.command: which firewall-cmd register: firewalld check_mode: false - changed_when: false # Never report as changed + changed_when: false # Never report as changed failed_when: false - name: Check for ufw - command: which ufw + ansible.builtin.command: which ufw register: ufw check_mode: false - changed_when: false # Never report as changed + changed_when: false # Never report as changed failed_when: false - name: Check for iptables - command: which iptables + ansible.builtin.command: which iptables register: iptables check_mode: false - changed_when: false # Never report as changed + changed_when: false # Never report as changed failed_when: false - name: Fail on both firewalld & ufw - fail: + ansible.builtin.fail: msg: "Both FirewallD and UFW are detected, firewall situation is unknown" when: openvpn_firewall == 'auto' and firewalld.rc == 0 and ufw.rc == 0 - name: Fail on no firewall detected - fail: + ansible.builtin.fail: msg: "No firewall detected, install one before proceeding (firewalld||ufw||iptables)" when: firewalld.rc != 0 and ufw.rc != 0 and iptables.rc != 0 - name: Add port rules (iptables) - include_tasks: iptables.yml + ansible.builtin.include_tasks: iptables.yml when: >- (openvpn_firewall == 'iptables') or (openvpn_firewall == 'auto' and firewalld.rc != 0 and ufw.rc != 0 and iptables.rc == 0) - name: Add port rules (firewalld) - include_tasks: firewalld.yml + ansible.builtin.include_tasks: firewalld.yml when: >- (openvpn_firewall == 'firewalld') or (openvpn_firewall == 'auto' and firewalld.rc == 0 and ufw.rc != 0) - name: Add port rules (ufw) - include_tasks: ufw.yml + ansible.builtin.include_tasks: ufw.yml when: >- (openvpn_firewall == 'ufw') or diff --git a/tasks/firewalld.yml b/tasks/firewalld.yml index e19a257f..01221eca 100644 --- a/tasks/firewalld.yml +++ b/tasks/firewalld.yml 
@@ -1,13 +1,13 @@ --- - name: Enable firewalld - service: + ansible.builtin.service: name: firewalld enabled: true masked: false state: started - name: Install python2-firewall (Fedora) - package: + ansible.builtin.package: name: "{{ python_firewall_package_name }}" state: present when: @@ -52,12 +52,12 @@ # workaround for --permanent not working on non-NetworkManager managed ifaces # https://bugzilla.redhat.com/show_bug.cgi?id=1112742 - name: Check if ifcfg-{{ ansible_default_ipv4.interface }} exists - stat: + ansible.builtin.stat: path: "/etc/sysconfig/network-scripts/ifcfg-{{ ansible_default_ipv4.interface }}" register: ifcfg - name: Persist default interface in ifcfg file - lineinfile: + ansible.builtin.lineinfile: dest: /etc/sysconfig/network-scripts/ifcfg-{{ ansible_default_ipv4.interface }} regexp: "^ZONE=" line: "ZONE={{ firewalld_default_interface_zone }}" diff --git a/tasks/install.yml b/tasks/install.yml index ed1872ef..ca3e13db 100644 --- a/tasks/install.yml +++ b/tasks/install.yml 
@@ -1,25 +1,25 @@ --- - name: Install EPEL for CentOS - package: + ansible.builtin.package: name: "{{ epel_package_name }}" state: present when: ansible_distribution == "CentOS" or ansible_distribution=="Rocky" or ansible_distribution=="AlmaLinux" - name: Install EPEL for RHEL - yum: - name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ansible_distribution_major_version}}.noarch.rpm + ansible.builtin.dnf: + name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm state: present - disable_gpg_check: yes + disable_gpg_check: true when: ansible_distribution=="RedHat" and ansible_distribution_major_version == "8" - name: Enable extra repos for RHEL 8 - rhsm_repository: + community.general.rhsm_repository: name: "codeready-builder-for-rhel-8-{{ ansible_architecture }}-rpms" state: enabled when: ansible_distribution=="RedHat" and ansible_distribution_major_version == "8" - name: Enable extra repos for RHEL 7 - rhsm_repository: + community.general.rhsm_repository: name: "{{ item }}" state: enabled with_items: @@ -29,7 +29,7 @@ when: ansible_distribution=="RedHat" and ansible_distribution_major_version == "7" - name: Install python2-dnf for Fedora dnf support - raw: dnf install -y python2-dnf + ansible.builtin.raw: dnf install -y python2-dnf when: - ansible_distribution == "Fedora" - ansible_python.version.major == 2 @@ -37,7 +37,7 @@ changed_when: '"Nothing to do." not in fedora_dnf.stdout' - name: Install openvpn - package: + ansible.builtin.package: name: "{{ item }}" state: present with_items: @@ -46,7 +46,7 @@ - name: Install LDAP plugin become: true - package: + ansible.builtin.package: name: "{{ openvpn_ldap_plugin_package_name }}" state: present when: 
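Review bot: `Install EPEL for RHEL` now uses `ansible.builtin.dnf` but keeps `disable_gpg_check: true` while installing an RPM fetched from dl.fedoraproject.org, so the package is accepted on the strength of the TLS connection alone. The GPG check cannot pass before the EPEL key is imported, which is presumably why it was disabled; importing the key first with `ansible.builtin.rpm_key` and dropping `disable_gpg_check` keeps signature verification on. If the check must stay off, a comment such as `# EPEL key not yet imported; HTTPS is the only integrity check here` would at least record why. The switch to `community.general.rhsm_repository` also makes that collection a dependency, which should be declared in the role's requirements (not visible in this diff).
```yaml
- name: Import EPEL signing key for RHEL
  ansible.builtin.rpm_key:
    key: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
    state: present
  when: ansible_distribution=="RedHat" and ansible_distribution_major_version == "8"

- name: Install EPEL for RHEL
  ansible.builtin.dnf:
    name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm
    state: present
  when: ansible_distribution=="RedHat" and ansible_distribution_major_version == "8"
# … unchanged: rhsm_repository tasks …
```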
@@ -54,7 +54,7 @@ - ansible_distribution == "CentOS" and ansible_distribution_major_version != "8" or ansible_distribution != "CentOS" - name: Compile LDAP plugin - include_tasks: compile_ldap_plugin.yml + ansible.builtin.include_tasks: compile_ldap_plugin.yml when: - openvpn_use_ldap - ansible_distribution == "CentOS" and ansible_distribution_major_version == "8" @@ -62,7 +62,7 @@ # RHEL has the group 'nobody', 'Debian/Ubuntu' have 'nogroup' # standardize on 'nogroup' - name: Ensure group 'nogroup' is present - group: + ansible.builtin.group: name: nogroup state: present system: true diff --git a/tasks/iptables.yml b/tasks/iptables.yml index 16c730e2..cd8e7499 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -1,6 +1,6 @@ --- - name: Change facts to use netfilter-persistent on Debian >= 9 or Ubuntu >= 16 - set_fact: + ansible.builtin.set_fact: iptables_save_command: "/usr/sbin/netfilter-persistent save" iptables_service: netfilter-persistent when: >- @@ -9,21 +9,21 @@ (ansible_distribution == 'Ubuntu' and ansible_lsb.major_release|int >= 16) - name: Install iptables-persistent (Debian/Ubuntu) - package: + ansible.builtin.package: name: "{{ iptables_persistent_package_name }}" state: present register: __iptables_installed when: ansible_os_family == "Debian" - name: Install iptables-services (RedHat/CentOS) - package: + ansible.builtin.package: name: "{{ iptables_services_package_name }}" state: present register: __iptables_installed when: ansible_os_family == "RedHat" - name: Allow VPN forwarding - iptables - iptables: + ansible.builtin.iptables: chain: FORWARD source: "{{ openvpn_server_network }}/24" jump: ACCEPT @@ -32,7 +32,7 @@ notify: "save iptables" - name: Allow incoming SSH connections - iptables - iptables: + ansible.builtin.iptables: chain: INPUT protocol: tcp destination_port: "{{ ansible_port | default(22) }}" 
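Review bot: `Allow VPN forwarding - iptables` matches `source: "{{ openvpn_server_network }}/24"`, hard-coding the prefix length even though the role exposes `openvpn_server_netmask` (default `255.255.255.0` in defaults/main/openvpn.yml, shown in an earlier hunk); the two NAT rules in the following iptables.yml hunks carry the same literal. A deployment that changes the netmask ends up with forwarding and masquerade rules that no longer match the tunnel network. iptables accepts a dotted mask after the slash, so `source: "{{ openvpn_server_network }}/{{ openvpn_server_netmask }}"` in all three rules keeps them in step with the server config.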
@@ -42,7 +42,7 @@ notify: "save iptables" - name: Allow incoming VPN connections - iptables - iptables: + ansible.builtin.iptables: chain: INPUT protocol: "{{ openvpn_proto }}" destination_port: "{{ openvpn_port }}" @@ -52,7 +52,7 @@ notify: "save iptables" - name: Accept packets from VPN tunnel adaptor - iptables - iptables: + ansible.builtin.iptables: chain: INPUT in_interface: tun0 jump: ACCEPT @@ -61,7 +61,7 @@ notify: "save iptables" - name: Perform NAT readdressing - iptables - iptables: + ansible.builtin.iptables: table: nat chain: POSTROUTING source: "{{ openvpn_server_network }}/24" @@ -73,7 +73,7 @@ notify: "save iptables" - name: Perform NAT readdressing with MASQUERADE - iptables - iptables: + ansible.builtin.iptables: table: nat chain: POSTROUTING source: "{{ openvpn_server_network }}/24" @@ -84,11 +84,11 @@ notify: "save iptables" - name: Save existing iptables rule before start iptables service - shell: "{{ iptables_save_command }}" # noqa command-instead-of-shell - when: __iptables_installed.changed | bool # noqa no-handler + ansible.builtin.shell: "{{ iptables_save_command }}" + when: __iptables_installed.changed | bool # noqa no-handler - name: Enable iptables - service: + ansible.builtin.service: name: "{{ iptables_service }}" enabled: true state: started diff --git a/tasks/main.yml b/tasks/main.yml index d1dd28d2..996abb6e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Include vars for OpenVPN installation - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "../vars/{{ ansible_distribution }}{{ ansible_distribution_major_version }}.yml" - "../vars/{{ ansible_distribution }}.yml" 
@@ -8,26 +8,25 @@ - "../vars/empty.yml" - name: Set facts - import_tasks: set_facts.yml - + ansible.builtin.import_tasks: set_facts.yml - name: Uninstall OpenVPN - import_tasks: uninstall.yml + ansible.builtin.import_tasks: uninstall.yml when: openvpn_uninstall - name: Install OpenVPN - import_tasks: install.yml + ansible.builtin.import_tasks: install.yml tags: - install - name: Copy or Generate server keys - import_tasks: server_keys.yml + ansible.builtin.import_tasks: server_keys.yml # ignoreerrors is required for CentOS/RHEL 6 # http://serverfault.com/questions/477718/sysctl-p-etc-sysctl-conf-returns-error - name: Enable ipv4 forwarding ansible.posix.sysctl: name: net.ipv4.ip_forward - value: '1' + value: "1" ignoreerrors: true failed_when: false when: not ci_build @@ -35,12 +34,12 @@ - name: Enable ipv6 forwarding ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding - value: '1' + value: "1" ignoreerrors: true when: openvpn_server_ipv6_network is defined and not ci_build - name: Detect firewall type - import_tasks: firewall.yml + ansible.builtin.import_tasks: firewall.yml when: - not ci_build - manage_firewall_rules 
@@ -48,26 +47,26 @@ - firewall - name: Configure SELinux - import_tasks: selinux.yml + ansible.builtin.import_tasks: selinux.yml when: - ansible_selinux.status == "enabled" - name: Compare existing certs against 'clients' variable - import_tasks: cert_sync_detection.yml + ansible.builtin.import_tasks: cert_sync_detection.yml when: openvpn_sync_certs tags: - sync_certs - name: Generate client configs - import_tasks: client_keys.yml + ansible.builtin.import_tasks: client_keys.yml when: clients is defined - name: Generate revocation list and clean up - import_tasks: revocation.yml + ansible.builtin.import_tasks: revocation.yml when: >- (openvpn_revoke_these_certs is defined) or (openvpn_sync_certs and cert_sync_certs_to_revoke.stdout_lines | length > 0) - name: Configure OpenVPN server - import_tasks: config.yml + ansible.builtin.import_tasks: config.yml diff --git a/tasks/revocation.yml b/tasks/revocation.yml index 61195562..658fd4be 100644 --- a/tasks/revocation.yml +++ b/tasks/revocation.yml 
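Review bot: `Generate revocation list and clean up` is gated on `cert_sync_certs_to_revoke.stdout_lines | length > 0`, but the cert-sync tasks in this series produce `openvpn_cert_sync_revoke` (a list built with `set_fact` in cert_sync_detection.yml) and nothing on this page registers `cert_sync_certs_to_revoke`. Unless it is defined elsewhere, a run with `openvpn_sync_certs: true` and no `openvpn_revoke_these_certs` would stop on an undefined variable instead of revoking anything. `(openvpn_sync_certs and openvpn_cert_sync_revoke | default([]) | length > 0)` matches what cert_sync_detection.yml produces and what revocation.yml consumes.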
@@ -1,36 +1,36 @@ --- - name: Remove client config - file: + ansible.builtin.file: path: "{{ openvpn_ovpn_dir }}/{{ item }}-{{ inventory_hostname }}.ovpn" state: absent force: true with_items: - - '{{ openvpn_revoke_these_certs }}' - - '{{ openvpn_cert_sync_revoke | default([]) }}' + - "{{ openvpn_revoke_these_certs }}" + - "{{ openvpn_cert_sync_revoke | default([]) }}" - name: Revoke certificates - command: sh revoke.sh {{ item }}.crt + ansible.builtin.command: sh revoke.sh {{ item }}.crt changed_when: true args: chdir: "{{ openvpn_key_dir }}" with_items: - - '{{ openvpn_revoke_these_certs }}' - - '{{ openvpn_cert_sync_revoke | default([]) }}' + - "{{ openvpn_revoke_these_certs }}" + - "{{ openvpn_cert_sync_revoke | default([]) }}" - name: Remove client key - file: + ansible.builtin.file: path: "{{ openvpn_key_dir }}/{{ item }}.key" state: absent force: true with_items: - - '{{ openvpn_revoke_these_certs }}' - - '{{ openvpn_cert_sync_revoke | default([]) }}' + - "{{ openvpn_revoke_these_certs }}" + - "{{ openvpn_cert_sync_revoke | default([]) }}" - name: Remove client csr - file: + ansible.builtin.file: path: "{{ openvpn_key_dir }}/{{ item }}.csr" state: absent force: true with_items: - - '{{ openvpn_revoke_these_certs }}' - - '{{ openvpn_cert_sync_revoke | default([]) }}' + - "{{ openvpn_revoke_these_certs }}" + - "{{ openvpn_cert_sync_revoke | default([]) }}" diff --git a/tasks/selinux.yml b/tasks/selinux.yml index 511ed806..b573a4b3 100644 --- a/tasks/selinux.yml +++ b/tasks/selinux.yml 
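Review bot: All four loops default only `openvpn_cert_sync_revoke` (`| default([])`) while `"{{ openvpn_revoke_these_certs }}"` has no default, yet main.yml imports this file whenever the sync path has certs to revoke, a case in which `openvpn_revoke_these_certs` may be undefined. Unless a default is set in defaults/main/role.yml (not fully shown here), that run fails with an undefined-variable error before any certificate is revoked; `- "{{ openvpn_revoke_these_certs | default([]) }}"` in each of the four loops closes the gap.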
@@ -1,15 +1,15 @@ --- - name: SELinux - check if module was loaded - command: semodule --list-modules + ansible.builtin.command: semodule --list-modules register: semodule_loaded - changed_when: 'openvpn_selinux_module not in semodule_loaded.stdout' + changed_when: "openvpn_selinux_module not in semodule_loaded.stdout" notify: - build and install policy - name: SELinux - copy type enforcement file - template: + ansible.builtin.template: src: "selinux_module.te.j2" dest: /var/lib/selinux/{{ openvpn_selinux_module }}.te - mode: 0644 + mode: "0644" notify: - build and install policy diff --git a/tasks/server_keys.yml b/tasks/server_keys.yml index bccc81f1..a466f0f2 100644 --- a/tasks/server_keys.yml +++ b/tasks/server_keys.yml @@ -1,37 +1,37 @@ --- - name: Create openvpn key directory - file: + ansible.builtin.file: path: "{{ openvpn_key_dir }}" state: directory - mode: 0755 + mode: "0755" - name: Copy openssl server/ca extensions - copy: + ansible.builtin.copy: src: "{{ item }}" dest: "{{ openvpn_key_dir }}" owner: root group: root - mode: 0400 + mode: "0400" with_items: - openssl-server.ext - openssl-ca.ext - name: Copy CA key - copy: + ansible.builtin.copy: content: "{{ openvpn_ca_key.key }}" dest: "{{ openvpn_key_dir }}/ca-key.pem" - mode: 0400 + mode: "0400" when: openvpn_ca_key is defined - name: Copy CA cert - copy: + ansible.builtin.copy: content: "{{ openvpn_ca_key.crt }}" dest: "{{ openvpn_key_dir }}/ca.crt" - mode: 0444 + mode: "0444" when: openvpn_ca_key is defined - name: Generate CA key - command: >- + ansible.builtin.command: >- openssl req -nodes -newkey rsa:{{ openvpn_rsa_bits }} -keyout ca-key.pem -out ca-csr.pem -days 3650 -subj /CN=OpenVPN-CA-{{ inventory_hostname[:53] }}/ args: 
@@ -40,20 +40,20 @@ when: openvpn_ca_key is not defined - name: Protect CA key - file: + ansible.builtin.file: path: "{{ openvpn_key_dir }}/ca-key.pem" - mode: 0400 + mode: "0400" when: openvpn_ca_key is not defined - name: Sign CA key - command: openssl x509 -req -in ca-csr.pem -out ca.crt -CAcreateserial -signkey ca-key.pem -sha256 -days 3650 -extfile openssl-ca.ext + ansible.builtin.command: openssl x509 -req -in ca-csr.pem -out ca.crt -CAcreateserial -signkey ca-key.pem -sha256 -days 3650 -extfile openssl-ca.ext args: chdir: "{{ openvpn_key_dir }}" creates: ca.crt when: openvpn_ca_key is not defined - name: Generate server key - command: >- + ansible.builtin.command: >- openssl req -nodes -newkey rsa:{{ openvpn_rsa_bits }} -keyout server.key -out server.csr -days 3650 -subj /CN=OpenVPN-Server-{{ inventory_hostname[:49] }}/ args: @@ -61,25 +61,25 @@ creates: server.key - name: Protect server key - file: + ansible.builtin.file: path: "{{ openvpn_key_dir }}/server.key" - mode: 0400 + mode: "0400" - name: Sign server key - command: openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -CAcreateserial -extfile openssl-server.ext + ansible.builtin.command: openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -CAcreateserial -extfile openssl-server.ext args: chdir: "{{ openvpn_key_dir }}" creates: server.crt - name: Copy tls-auth key - copy: + ansible.builtin.copy: content: "{{ openvpn_tls_auth_key }}" dest: "{{ openvpn_key_dir }}/ta.key" - mode: 0400 + mode: "0400" when: openvpn_tls_auth_key is defined - name: Generate tls-auth key - command: openvpn --genkey --secret ta.key + ansible.builtin.command: openvpn --genkey --secret ta.key args: chdir: "{{ openvpn_key_dir }}" creates: ta.key 
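Review bot: `Generate tls-auth key` at the end of this hunk is repeated, name and arguments identical, in the `@@ -88,81 +88,81 @@` hunk below, where the second copy carries `when: openvpn_tls_auth_key is not defined`; with `creates: ta.key` whichever runs second is a no-op on every run. Dropping one of them removes the ambiguity about which task is meant to guard the user-supplied key; any `when:` attached to this first copy sits outside the hunk, so I cannot tell whether it is guarded at all.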
@@ -88,81 +88,81 @@ # not a security issue, params aren't secret, just not generated by an attacker # per http://security.stackexchange.com/questions/42415/openvpn-dhparam/42418#42418 - name: Copy pre-generated DH params - copy: + ansible.builtin.copy: src: dh.pem dest: "{{ openvpn_key_dir }}" owner: root group: root - mode: 0400 + mode: "0400" when: openvpn_use_pregenerated_dh_params|bool # Alternatively, if you're concerned about logjam attacks - name: Generate dh params - command: openssl dhparam -out {{ openvpn_key_dir }}/dh.pem {{ openvpn_rsa_bits }} + ansible.builtin.command: openssl dhparam -out {{ openvpn_key_dir }}/dh.pem {{ openvpn_rsa_bits }} args: chdir: "{{ openvpn_key_dir }}" creates: dh.pem when: not (openvpn_use_pregenerated_dh_params|bool) - name: Install ca.conf config file - template: + ansible.builtin.template: src: ca.conf.j2 dest: "{{ openvpn_key_dir }}/ca.conf" owner: root group: root - mode: 0744 + mode: "0744" - name: Create initial certificate revocation list squence number - shell: "echo 00 > crl_number" + ansible.builtin.shell: "echo 00 > crl_number" args: chdir: "{{ openvpn_key_dir }}" creates: crl_number - name: Generate tls-auth key - command: openvpn --genkey --secret ta.key + ansible.builtin.command: openvpn --genkey --secret ta.key args: chdir: "{{ openvpn_key_dir }}" creates: ta.key when: openvpn_tls_auth_key is not defined - name: Install revocation script - template: + ansible.builtin.template: src: revoke.sh.j2 dest: "{{ openvpn_key_dir }}/revoke.sh" owner: root group: root - mode: 0744 + mode: "0744" - name: Check if certificate revocation list database exists - stat: + ansible.builtin.stat: path: "{{ openvpn_key_dir }}/index.txt" register: file_result - name: Create certificate revocation list database if required - file: + ansible.builtin.file: path: "{{ openvpn_key_dir }}/index.txt" state: touch - mode: 0644 + mode: "0644" when: not file_result.stat.exists - name: Set up certificate revocation list - command: sh revoke.sh + 
ansible.builtin.command: sh revoke.sh args: chdir: "{{ openvpn_key_dir }}" creates: "{{ openvpn_key_dir }}/ca-crl.pem" - name: Install crl-cron script - template: + ansible.builtin.template: src: crl-cron.sh.j2 dest: "{{ openvpn_base_dir }}/crl-cron.sh" owner: root group: root - mode: 0744 + mode: "0744" # This should eventually be switched to use a systemd timer # eg /usr/local/lib/systemd/system/openvpn-crl.timer - name: Check for crontab - command: which crontab + ansible.builtin.command: which crontab register: crontab check_mode: false changed_when: false diff --git a/tasks/set_facts.yml b/tasks/set_facts.yml index 879cb3b7..c8cf6d79 100644 --- a/tasks/set_facts.yml +++ b/tasks/set_facts.yml @@ -1,18 +1,18 @@ --- - name: Check systemd existence as Docker Guest - stat: + ansible.builtin.stat: path: /bin/systemctl when: ansible_virtualization_role is defined and ansible_virtualization_type == "docker" and ansible_virtualization_role == "guest" register: docker_stat_result - name: Set systemd openvpn service name - set_fact: + ansible.builtin.set_fact: openvpn_service_name: "openvpn@{{ openvpn_config_file }}.service" when: ansible_service_mgr == "systemd" or (docker_stat_result.stat is defined and docker_stat_result.stat.exists) # Fedora and CentOS 8 separate OpenVPN into client and server - name: Set Fedora 27+ and CentOS 8 service name - set_fact: + ansible.builtin.set_fact: openvpn_service_name: "openvpn-server@{{ openvpn_config_file }}.service" when: >- (ansible_distribution == "Fedora" and ansible_distribution_version|int >= 27) @@ -24,7 +24,7 @@ ) - name: Set Fedora 27+ and CentOS 8 OpenVPN base path - set_fact: + ansible.builtin.set_fact: openvpn_base_dir: "/etc/openvpn/server" when: >- (ansible_distribution == "Fedora" and ansible_distribution_version|int >= 27) diff --git a/tasks/ufw.yml b/tasks/ufw.yml index cb18d47d..2fed099b 100644 --- a/tasks/ufw.yml +++ b/tasks/ufw.yml 
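Review bot: `Install ca.conf config file` installs an openssl configuration with `mode: "0744"`, i.e. executable and world-readable, which a file that is only ever read by `openssl` has no use for; `mode: "0644"`, or `"0600"` given that it sits beside `ca-key.pem`, is the least-privilege choice, and `index.txt` and `crl_number` next to it deserve the same look. `Create initial certificate revocation list squence number` (typo: `sequence`) spawns a shell purely for an output redirect; `ansible.builtin.copy` with `content: "00\n"`, `dest: "{{ openvpn_key_dir }}/crl_number"` and `force: false` writes the same file without a shell and without the `creates:` guard.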
@@ -1,6 +1,6 @@ --- - name: Start ufw service - service: + ansible.builtin.service: name: ufw enabled: true state: started @@ -12,7 +12,7 @@ policy: allow - name: Enable forwarding - ufw - lineinfile: + ansible.builtin.lineinfile: dest: /etc/default/ufw regexp: "^DEFAULT_FORWARD_POLICY=" line: DEFAULT_FORWARD_POLICY="ACCEPT" @@ -31,7 +31,7 @@ rule: allow - name: Setup nat table rules - ufw - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ufw/before.rules state: present insertbefore: \*filter @@ -46,7 +46,7 @@ - restart ufw - name: Setup nat table rules with MASQUERADE - ufw - blockinfile: + ansible.builtin.blockinfile: dest: /etc/ufw/before.rules state: present insertbefore: \*filter diff --git a/tasks/uninstall.yml b/tasks/uninstall.yml index deb5747e..c45e330d 100644 --- a/tasks/uninstall.yml +++ b/tasks/uninstall.yml @@ -1,31 +1,31 @@ --- - name: Disable openvpn auto-start & start - service: + ansible.builtin.service: name: "{{ openvpn_service_name }}" enabled: false state: stopped - name: Wipe out config directory - file: + ansible.builtin.file: path: "{{ openvpn_base_dir }}" state: absent - name: Remove openvpn logrotate config file - file: + ansible.builtin.file: path: /etc/logrotate.d/openvpn.conf state: absent - name: Uninstall OpenVPN - package: + ansible.builtin.package: name: "{{ openvpn_package_name }}" state: absent - name: Uninstall LDAP plugin - package: + ansible.builtin.package: name: "{{ openvpn_ldap_plugin_package_name }}" state: absent when: openvpn_use_ldap - name: Terminate playbook - fail: + ansible.builtin.fail: msg: "OpenVPN uninstalled, playbook stopped" From b30e71aebdb7b79286dd41a8fd80569a33a20657 Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 02:21:10 +0000 Subject: [PATCH 03/18] Rework ci matrix --- .github/workflows/ci.yml | 111 ++++++--------------------------------- 1 file changed, 16 insertions(+), 95 deletions(-) 
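Review bot: `Wipe out config directory` deletes only `openvpn_base_dir`, so if `openvpn_key_dir` is configured outside it the CA key, server key, `ta.key` and the revocation database survive the uninstall on disk (the default for `openvpn_key_dir` is not visible in this series, so this may or may not be the default layout). Add a second `ansible.builtin.file` task with `path: "{{ openvpn_key_dir }}"` and `state: absent`, or document that key material is intentionally retained. `Terminate playbook` ending the run with `ansible.builtin.fail` also reports a successful uninstall as a failure; `ansible.builtin.meta: end_host` stops the host cleanly if that is the intent.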
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e58466f..2bd5a187 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,7 +1,7 @@ --- name: CI -on: # yamllint disable-line rule:truthy +on: # yamllint disable-line rule:truthy push: branches: - master @@ -9,14 +9,12 @@ on: # yamllint disable-line rule:truthy branches: - master - workflow_dispatch: - jobs: check-syntax: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest name: check-syntax container: - image: diodonfrost/ansible-fedora:35 + image: diodonfrost/ansible-fedora:40 env: container: docker volumes: 
@@ -33,104 +31,27 @@ jobs: - name: Check syntax of ansible playbook run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml --syntax-check - build-fedora: - runs-on: ubuntu-20.04 - name: fedora-${{ matrix.version }} - needs: - - check-syntax - strategy: - fail-fast: false - matrix: - version: - - "33" - - "34" - - "35" - - container: - image: diodonfrost/ansible-fedora:${{ matrix.version }} - env: - container: docker - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - - ${{ github.workspace }}:/etc/ansible/roles/ansible-role-openvpn - options: "--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/net/tun" - steps: - - name: Checkout repository - uses: actions/checkout@v2 - - name: Setup ansible.posix collection for firewalld - run: ansible-galaxy collection install ansible.posix - - name: Setup community.general collection for ufw - run: ansible-galaxy collection install community.general - - name: Make sure ansible connection is sane - run: ansible -m setup -c local -i 127.0.0.1, all - - name: Run ansible playbook - run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv - - name: Check idempotency - run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv - - name: Container state debug output - continue-on-error: true - run: | - ls -lR /etc/openvpn - echo "cat /etc/openvpn/**/openvpn_udp_1194.conf" - cat /etc/openvpn/**/openvpn_udp_1194.conf - echo "cat /etc/openvpn/**/alpha-*.ovpn" - cat /etc/openvpn/**/alpha-*.ovpn - - build-centos: - runs-on: ubuntu-20.04 - name: centos-${{ matrix.version }} - needs: - - check-syntax - strategy: - fail-fast: false - matrix: - version: - - "7" - - "8" - - container: - image: diodonfrost/ansible-centos:${{ matrix.version }} - env: - container: docker - volumes: - - /sys/fs/cgroup:/sys/fs/cgroup - - ${{ github.workspace }}:/etc/ansible/roles/ansible-role-openvpn - options: "--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/net/tun" - steps: - - name: Checkout 
repository - uses: actions/checkout@v2 - - name: Setup ansible.posix collection for firewalld - run: ansible-galaxy collection install ansible.posix - - name: Setup community.general collection for ufw - run: ansible-galaxy collection install community.general - - name: Make sure ansible connection is sane - run: ansible -m setup -c local -i 127.0.0.1, all - - name: Run ansible playbook - run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv - - name: Check idempotency - run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv - - name: Container state debug output - continue-on-error: true - run: | - ls -lR /etc/openvpn - echo "cat openvpn_udp_1194.conf" - find /etc/openvpn/ -maxdepth 3 -name openvpn_udp_1194.conf -type f -exec cat {} \; - echo "cat alpha-*.ovpn" - find /etc/openvpn/ -maxdepth 3 -name "alpha-*.ovpn" -type f -exec cat {} \; - - build-rocky: - runs-on: ubuntu-20.04 - name: rocky-${{ matrix.version }} + build-rhel-like: + runs-on: ubuntu-latest + name: rhel-like-${{ matrix.version }} needs: - check-syntax strategy: fail-fast: false matrix: version: - - "8" + - "centos:stream8" + - "centos:stream9" + - "fedora:38" + - "fedora:39" + - "fedora:40" + - "almalinux:8" + - "almalinux:9" + - "rockylinux:8" + - "rockylinux:9" container: - image: diodonfrost/ansible-rockylinux:${{ matrix.version }} + image: diodonfrost/ansible-${{ matrix.version }} env: container: docker volumes: From 0e24db525af4c330241a77b92c059827b39651ce Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 02:29:50 +0000 Subject: [PATCH 04/18] Remove no longer free Travis CI integration --- .travis.yml | 54 ----------------------------------------------------- 1 file changed, 54 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 6f1734af..00000000 --- a/.travis.yml +++ /dev/null 
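Review bot: `image: diodonfrost/ansible-${{ matrix.version }}` pulls a third party's CI images from Docker Hub by mutable tag, so what the role is tested against can change with no commit to this repository, and a retagged or compromised image would run with the `NET_ADMIN`/`SYS_ADMIN` options the removed jobs used and the new one presumably keeps; a matrix `include:` list carrying the full `image` string per entry lets each be pinned with `@sha256:<digest>` and bumped deliberately. The same applies to the `ghcr.io/kyl191/...` images introduced in PATCH 10. `fedora:38` and `fedora:39` were, as far as I can tell, already end-of-life by December 2024, which sits oddly with PATCH 06 dropping `centos:stream8` for exactly that reason. The job's `steps:` and `options:` lie past the end of this hunk.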
@@ -1,54 +0,0 @@ ---- -language: python -sudo: required - -services: - - docker - -env: - global: COMMAND=/usr/lib/systemd/systemd --system - INSTALL=default - matrix: - - DOCKER_TAG=centos:7 - OS=centos - - DOCKER_TAG=fedora:latest-systemd - OS=fedora - INSTALL=fedora-latest - - DOCKER_TAG=fedora:30 - OS=fedora - - DOCKER_TAG=fedora:29 - OS=fedora - - DOCKER_TAG=fedora:28 - OS=fedora - - DOCKER_TAG=travisci/ubuntu-systemd:18.04 - OS=ubuntu - COMMAND=/lib/systemd/systemd --system - -before_install: - - ./tests/install-${INSTALL} - -install: - - >- - sudo docker run --detach ${DOCKER_ARGS} -e "container=docker" -v /sys/fs/cgroup:/sys/fs/cgroup:ro - --cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/net/tun --volume="${PWD}":/etc/ansible/roles/ansible-role-openvpn:ro - --name ${OS} ${DOCKER_TAG} ${COMMAND} - - ./tests/setup-${OS} - - sudo docker exec ${OS} ansible -m setup -c local -i 127.0.0.1, all - -script: - # Check syntax of ansible playbook - - sudo docker exec ${OS} ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml --syntax-check - # Run ansible playbook - - sudo docker exec ${OS} ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv - # Check idempotency - - sudo docker exec ${OS} ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv - -after_script: - - sudo docker exec ${OS} cat /var/log/openvpn.log - - sudo docker exec ${OS} ls /etc/openvpn - - sudo docker exec ${OS} cat /etc/openvpn/openvpn_udp_1194.conf - - sudo docker exec ${OS} cat /etc/openvpn/alpha-127.0.0.1.ovpn - - sudo docker stop ${OS} - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ From dcb27cafc440054cfdfd8f993106d2de356eec04 Mon Sep 17 00:00:00 2001 
From: Kyle Lexmond Date: Sun, 22 Dec 2024 02:47:23 +0000 Subject: [PATCH 05/18] Handle ansible-lint errors that required manual touches --- handlers/main.yml | 5 ++++- meta/main.yml | 15 ++++++--------- tasks/compile_ldap_plugin.yml | 3 ++- tasks/firewalld.yml | 2 +- tasks/iptables.yml | 3 ++- tasks/server_keys.yml | 5 ++++- tests/ansible-role-openvpn | 1 + tests/test.yml | 3 ++- 8 files changed, 22 insertions(+), 15 deletions(-) create mode 120000 tests/ansible-role-openvpn diff --git a/handlers/main.yml b/handlers/main.yml index f2b2be1c..fb773d1c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -22,9 +22,10 @@ state: restarted - name: Save iptables rules (Debian/Ubuntu and CentOS/RHEL/Fedora) - ansible.builtin.shell: "{{ iptables_save_command }}" + ansible.builtin.shell: "{{ iptables_save_command }}" # noqa command-instead-of-shell could have shell redirection when: ansible_os_family == 'Debian' or ansible_os_family == 'RedHat' listen: "save iptables" + changed_when: true # always save iptables rules - name: Build and install policy ansible.builtin.command: "{{ item }}" @@ -34,3 +35,5 @@ - "checkmodule -M -m -o {{ openvpn_selinux_module }}.mod {{ openvpn_selinux_module }}.te" - "semodule_package -o {{ openvpn_selinux_module }}.pp -m {{ openvpn_selinux_module }}.mod" - "semodule -i {{ openvpn_selinux_module }}.pp" + changed_when: true + when: ansible_selinux.status == 'enabled' diff --git a/meta/main.yml b/meta/main.yml index 76203064..e19b894f 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -6,21 +6,18 @@ galaxy_info: description: OpenVPN playbook for CentOS/Fedora/RHEL/RHEL clones & Ubuntu/Debian license: MIT - min_ansible_version: 2.9 + min_ansible_version: "2.9" platforms: - name: EL versions: - - 7 - - 8 + - "8" + - "9" - name: Fedora versions: - - 32 - - 33 - - 34 - - name: Ubuntu - versions: - - trusty + - "38" + - "39" + - "40" galaxy_tags: - networking 
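Review bot: The `platforms:` list in meta/main.yml now declares only EL 8/9 and Fedora 38-40, while the `description:` two lines above still advertises `Ubuntu/Debian`, so the Galaxy metadata contradicts itself after this hunk; either keep a `- name: Ubuntu` entry with currently supported versions (and a `- name: Debian` one, since the handlers in this same commit test `ansible_os_family == 'Debian'`) or reword the description. Fedora 38 and 39 also appear to have been end-of-life by the commit date, so the new list may already be stale.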
diff --git a/tasks/compile_ldap_plugin.yml b/tasks/compile_ldap_plugin.yml index f9315702..0d7c4a06 100644 --- a/tasks/compile_ldap_plugin.yml +++ b/tasks/compile_ldap_plugin.yml @@ -13,7 +13,8 @@ path: "{{ openvpn_auth_ldap_bin_path }}" register: openvpn_auth_ldap_bin -- when: +- name: Compile openvpn-auth-ldap plugin + when: - not openvpn_auth_ldap_bin.stat.exists or not re2c_bin.stat.exists block: - name: Install gcc objc repo diff --git a/tasks/firewalld.yml b/tasks/firewalld.yml index 01221eca..f4a370f2 100644 --- a/tasks/firewalld.yml +++ b/tasks/firewalld.yml @@ -51,7 +51,7 @@ # workaround for --permanent not working on non-NetworkManager managed ifaces # https://bugzilla.redhat.com/show_bug.cgi?id=1112742 -- name: Check if ifcfg-{{ ansible_default_ipv4.interface }} exists +- name: Check if ifcfg file exists for {{ ansible_default_ipv4.interface }} ansible.builtin.stat: path: "/etc/sysconfig/network-scripts/ifcfg-{{ ansible_default_ipv4.interface }}" register: ifcfg diff --git a/tasks/iptables.yml b/tasks/iptables.yml index cd8e7499..4494d576 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -84,8 +84,9 @@ notify: "save iptables" - name: Save existing iptables rule before start iptables service - ansible.builtin.shell: "{{ iptables_save_command }}" + ansible.builtin.shell: "{{ iptables_save_command }}" # noqa command-instead-of-shell when: __iptables_installed.changed | bool # noqa no-handler + changed_when: true - name: Enable iptables ansible.builtin.service: diff --git a/tasks/server_keys.yml b/tasks/server_keys.yml index a466f0f2..767a88ba 100644 --- a/tasks/server_keys.yml +++ b/tasks/server_keys.yml 
@@ -66,7 +66,10 @@ mode: "0400" - name: Sign server key - ansible.builtin.command: openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 -CAcreateserial -extfile openssl-server.ext + ansible.builtin.command: > + openssl x509 -req -in server.csr -out server.crt + -CA ca.crt -CAkey ca-key.pem -sha256 -days 3650 + -CAcreateserial -extfile openssl-server.ext args: chdir: "{{ openvpn_key_dir }}" creates: server.crt diff --git a/tests/ansible-role-openvpn b/tests/ansible-role-openvpn new file mode 120000 index 00000000..a96aa0ea --- /dev/null +++ b/tests/ansible-role-openvpn @@ -0,0 +1 @@ +.. \ No newline at end of file diff --git a/tests/test.yml b/tests/test.yml index a13f3506..de436ade 100644 --- a/tests/test.yml +++ b/tests/test.yml @@ -1,5 +1,6 @@ --- -- hosts: 127.0.0.1 +- name: Run CI tests + hosts: 127.0.0.1 connection: local vars: ci_build: true From 706161bbe5436669176bee7b2cd26d16064eb4d4 Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 02:50:55 +0000 Subject: [PATCH 06/18] Drop EOLed centos stream 8 --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2bd5a187..fecff744 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,6 @@ jobs: fail-fast: false matrix: version: - - "centos:stream8" - "centos:stream9" - "fedora:38" - "fedora:39" From ff254ab16c7eb4eb7c34fdc0cb4d71a272da08b3 Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 02:54:08 +0000 Subject: [PATCH 07/18] Fix notify to use the uppercase handler names --- tasks/config.yml | 2 +- tasks/firewalld.yml | 2 +- tasks/iptables.yml | 3 ++- tasks/selinux.yml | 4 ++-- tasks/ufw.yml | 4 ++-- 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/tasks/config.yml b/tasks/config.yml index 98ea11f0..8f3bcacc 100644 --- a/tasks/config.yml +++ b/tasks/config.yml 
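Review bot: The reflowed `Sign server key` command uses a folded `>` scalar, which keeps a trailing newline, whereas the other multi-line commands in this file (`Generate CA key`, `Generate server key`) use `>-`; `ansible.builtin.command` tokenises the string so the newline should be harmless, but the mixed style is what the next lint pass will flag. `ansible.builtin.command: >-` matches the rest of the file.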
@@ -7,7 +7,7 @@ group: root mode: "0644" notify: - - restart openvpn + - Restart openvpn - name: Copy up script if defined ansible.builtin.copy: diff --git a/tasks/firewalld.yml b/tasks/firewalld.yml index f4a370f2..ecd90cfe 100644 --- a/tasks/firewalld.yml +++ b/tasks/firewalld.yml @@ -47,7 +47,7 @@ # Workaround ansible issue: https://github.com/ansible/ansible/pull/21693 # immediate: true notify: - - restart firewalld + - Restart firewalld # workaround for --permanent not working on non-NetworkManager managed ifaces # https://bugzilla.redhat.com/show_bug.cgi?id=1112742 diff --git a/tasks/iptables.yml b/tasks/iptables.yml index 4494d576..d619a40e 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -81,7 +81,8 @@ action: insert comment: "Perform NAT readdressing" when: openvpn_masquerade_not_snat - notify: "save iptables" + notify: + - Save iptables - name: Save existing iptables rule before start iptables service ansible.builtin.shell: "{{ iptables_save_command }}" # noqa command-instead-of-shell diff --git a/tasks/selinux.yml b/tasks/selinux.yml index b573a4b3..94b7e0bf 100644 --- a/tasks/selinux.yml +++ b/tasks/selinux.yml @@ -4,7 +4,7 @@ register: semodule_loaded changed_when: "openvpn_selinux_module not in semodule_loaded.stdout" notify: - - build and install policy + - Build and install policy - name: SELinux - copy type enforcement file ansible.builtin.template: @@ -12,4 +12,4 @@ dest: /var/lib/selinux/{{ openvpn_selinux_module }}.te mode: "0644" notify: - - build and install policy + - Build and install policy diff --git a/tasks/ufw.yml b/tasks/ufw.yml index 2fed099b..350400c1 100644 --- a/tasks/ufw.yml +++ b/tasks/ufw.yml @@ -43,7 +43,7 @@ COMMIT when: not openvpn_masquerade_not_snat notify: - - restart ufw + - Restart ufw - name: Setup nat table rules with MASQUERADE - ufw ansible.builtin.blockinfile: @@ -58,4 +58,4 @@ COMMIT when: openvpn_masquerade_not_snat notify: - - restart ufw + - Restart ufw 
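Review bot: `notify: - Save iptables` in tasks/iptables.yml no longer matches the handler, which is named `Save iptables rules (Debian/Ubuntu and CentOS/RHEL/Fedora)` and was reached only through `listen: "save iptables"` (unchanged context in the handlers/main.yml hunk of PATCH 05); handler name and `listen` lookups are plain string comparisons as far as I know, so this notification would silently stop saving rules. The other renames in this commit (`Restart openvpn`, `Restart firewalld`, `Build and install policy`, `Restart ufw`) target handler `name:` values and look fine, provided those names were capitalised by the earlier lint commit. Either keep `- save iptables` here or change the handler's `listen:` to `"Save iptables"` in the same commit.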
From 5a5dc63a52f03bce552c094eb004edfa84a62257 Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 04:36:35 +0000 Subject: [PATCH 08/18] Upgrade ansible on EL-like 8 variants to make sure ansible-galaxy operates --- .github/workflows/ci.yml | 46 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 44 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fecff744..6b924c76 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,9 +44,7 @@ jobs: - "fedora:38" - "fedora:39" - "fedora:40" - - "almalinux:8" - "almalinux:9" - - "rockylinux:8" - "rockylinux:9" container: 
@@ -78,3 +76,47 @@ jobs: find /etc/openvpn/ -maxdepth 3 -name openvpn_udp_1194.conf -type f -exec cat {} \; echo "cat alpha-*.ovpn" find /etc/openvpn/ -maxdepth 3 -name "alpha-*.ovpn" -type f -exec cat {} \; + + build-rhel-legacy: + runs-on: ubuntu-latest + name: rhel-legacy-${{ matrix.version }} + needs: + - check-syntax + strategy: + fail-fast: false + matrix: + version: + - "almalinux:8" + - "rockylinux:8" + + container: + image: diodonfrost/ansible-${{ matrix.version }} + env: + container: docker + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup + - ${{ github.workspace }}:/etc/ansible/roles/ansible-role-openvpn + options: "--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/net/tun" + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Update ansible + run: dnf install python39 && pip3.9 install -U ansible + - name: Setup ansible.posix collection for firewalld + run: ansible-galaxy collection install ansible.posix + - name: Setup community.general collection for ufw + run: ansible-galaxy collection install community.general + - name: Make sure ansible connection is sane + run: ansible -m setup -c local -i 127.0.0.1, all + - name: Run ansible playbook + run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv + - name: Check idempotency + run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv + - name: Container state debug output + continue-on-error: true + run: | + ls -lR /etc/openvpn + echo "cat openvpn_udp_1194.conf" + find /etc/openvpn/ -maxdepth 3 -name openvpn_udp_1194.conf -type f -exec cat {} \; + echo "cat alpha-*.ovpn" + find /etc/openvpn/ -maxdepth 3 -name "alpha-*.ovpn" -type f -exec cat {} \; From 6b70276e432be455a6512ac4d4f60b8acbf8c8f7 Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 04:40:43 +0000 Subject: [PATCH 09/18] Use dnf -y to avoid dnf blocking on input --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
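Review bot: `pip3.9 install -U ansible` in `Update ansible` installs whatever version PyPI serves at run time, with no pin and no hash check, so these EL8 jobs test a moving target and trust an unpinned download for the toolchain that then runs the playbook; pin it (`pip3.9 install 'ansible==<pinned version>'`) and bump `actions/checkout@v2`, a long-deprecated major, to `actions/checkout@v4`, ideally by commit SHA. The job is otherwise a copy of `build-rhel-like`, and PATCH 10 adds a third copy as `build-broken-fedora`; a single job with a matrix `include:` list carrying a per-entry `image` and a boolean for the upgrade step (`if: ${{ matrix.update_ansible }}`) would keep them from drifting apart.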
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6b924c76..9b9ac4ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -101,7 +101,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 - name: Update ansible - run: dnf install python39 && pip3.9 install -U ansible + run: dnf install -y python39 && pip3.9 install -U ansible - name: Setup ansible.posix collection for firewalld run: ansible-galaxy collection install ansible.posix - name: Setup community.general collection for ufw From 642c397e77dc17719b53280ee231045058a451aa Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 06:26:40 +0000 Subject: [PATCH 10/18] Add my own docker images of fedora 40 & 41 --- .github/workflows/ci.yml | 43 +++++++++++++++++++++++++++++++++++++- tests/fedora-40.Dockerfile | 39 ++++++++++++++++++++++++++++++++++ tests/fedora-41.Dockerfile | 39 ++++++++++++++++++++++++++++++++++ 3 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 tests/fedora-40.Dockerfile create mode 100644 tests/fedora-41.Dockerfile diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9b9ac4ac..d71a1b81 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,7 +43,6 @@ jobs: - "centos:stream9" - "fedora:38" - "fedora:39" - - "fedora:40" - "almalinux:9" - "rockylinux:9" 
@@ -120,3 +119,45 @@ jobs: find /etc/openvpn/ -maxdepth 3 -name openvpn_udp_1194.conf -type f -exec cat {} \; echo "cat alpha-*.ovpn" find /etc/openvpn/ -maxdepth 3 -name "alpha-*.ovpn" -type f -exec cat {} \; + + # diodonfrost's images are broken for fedora 40 (thinks it's rawhide) and fedora 41 doesn't exist, so I built my own + build-broken-fedora: + runs-on: ubuntu-latest + name: fedora-${{ matrix.version }} + needs: + - check-syntax + strategy: + fail-fast: false + matrix: + version: + - "fedora:40" + - "fedora:41" + container: + image: ghcr.io/kyl191/ansible-${{ matrix.version }} + env: + container: docker + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup + - ${{ github.workspace }}:/etc/ansible/roles/ansible-role-openvpn + options: "--cap-add NET_ADMIN --cap-add SYS_ADMIN --device /dev/net/tun" + steps: + - name: Checkout repository + uses: actions/checkout@v2 + - name: Setup ansible.posix collection for firewalld + run: ansible-galaxy collection install ansible.posix + - name: Setup community.general collection for ufw + run: ansible-galaxy collection install community.general + - name: Make sure ansible connection is sane + run: ansible -m setup -c local -i 127.0.0.1, all + - name: Run ansible playbook + run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv + - name: Check idempotency + run: ansible-playbook /etc/ansible/roles/ansible-role-openvpn/tests/test.yml -vv + - name: Container state debug output + continue-on-error: true + run: | + ls -lR /etc/openvpn + echo "cat openvpn_udp_1194.conf" + find /etc/openvpn/ -maxdepth 3 -name openvpn_udp_1194.conf -type f -exec cat {} \; + echo "cat alpha-*.ovpn" + find /etc/openvpn/ -maxdepth 3 -name "alpha-*.ovpn" -type f -exec cat {} \; diff --git a/tests/fedora-40.Dockerfile b/tests/fedora-40.Dockerfile new file mode 100644 index 00000000..5cde8a30 --- /dev/null +++ b/tests/fedora-40.Dockerfile 
@@ -0,0 +1,39 @@
+FROM fedora:40
+LABEL org.opencontainers.image.source=https://github.com/kyl191/ansible-role-openvpn
+LABEL org.opencontainers.image.title="Fedora 40 with Ansible"
+LABEL org.opencontainers.image.description="Fedora 40 with Ansible, duplicate of https://github.com/diodonfrost/docker-ansible/blob/master/fedora-ansible/Dockerfile.fedora-40, just rebuilt so it's not using the rawhide release"
+
+# Update Fedora
+RUN dnf -y update && dnf clean all
+
+# Install systemd
+RUN dnf -y install systemd && dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*; \
+rm -f /etc/systemd/system/*.wants/*; \
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*; \
+rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+RUN dnf -y install \
+ git \
+ ansible \
+ sudo \
+ which \
+ openssh-server openssh-clients \
+ findutils \
+ unzip \
+ rsync \
+ libxcrypt-compat \
+ fuse-libs \
+ && dnf clean all
+
+RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
+
+RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]
diff --git a/tests/fedora-41.Dockerfile b/tests/fedora-41.Dockerfile
new file mode 100644
index 00000000..0d6d2f37
--- /dev/null
+++ b/tests/fedora-41.Dockerfile
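Review bot: The `sed -i` on `/etc/sudoers` edits the file without the syntax check that `visudo` applies, so a future tweak to the expression could leave sudo unusable in the image and only surface inside CI; append `&& visudo -c` to that `RUN`, or drop the step if Fedora's stock sudoers no longer sets `Defaults requiretty` (I believe it does not, but have not checked the fedora:40 image). `tests/fedora-41.Dockerfile` in this same commit is identical apart from `FROM` and the labels, so one file with `ARG FEDORA_VERSION=40` before `FROM fedora:${FEDORA_VERSION}` and a parameterised label would stop the two drifting apart. `FROM fedora:40` is a mutable tag and `dnf -y update` pulls whatever is current, so the image is not reproducible; if that matters, pin the base by digest and record the build date in a label.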
@@ -0,0 +1,39 @@
+FROM fedora:41
+LABEL org.opencontainers.image.source=https://github.com/kyl191/ansible-role-openvpn
+LABEL org.opencontainers.image.title="Fedora 41 with Ansible"
+LABEL org.opencontainers.image.description="Fedora 41 with Ansible, based off https://github.com/diodonfrost/docker-ansible/blob/master/fedora-ansible/Dockerfile.fedora-40"
+
+# Update Fedora
+RUN dnf -y update && dnf clean all
+
+# Install systemd
+RUN dnf -y install systemd && dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*; \
+rm -f /etc/systemd/system/*.wants/*; \
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*; \
+rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+RUN dnf -y install \
+ git \
+ ansible \
+ sudo \
+ which \
+ openssh-server openssh-clients \
+ findutils \
+ unzip \
+ rsync \
+ libxcrypt-compat \
+ fuse-libs \
+ && dnf clean all
+
+RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
+
+RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]
From ed58f2467469458fa886c9cd8583f58023c1dd7a Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 06:37:40 +0000 Subject: [PATCH 11/18] Try adding specific credentials to CI --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d71a1b81..7eb2a2d6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -134,6 +134,9 @@ jobs: - "fedora:41" container: image: ghcr.io/kyl191/ansible-${{ matrix.version }} + credentials: + username: ${{ github.actor }} + password: ${{ secrets.github_token }} env: container: docker volumes: From 9170ece1a9785fae21c5b1ec400dc3bbd4afc145 Mon Sep 17 00:00:00 2001 From: Kyle Lexmond Date: Sun, 22 Dec 2024 06:46:28 +0000 Subject: [PATCH 12/18] Defer fedora 41 builds for now --- .github/workflows/ci.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7eb2a2d6..5cd5fee9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -131,12 +131,8 @@ jobs: matrix: version: - "fedora:40" - - "fedora:41" container: image: ghcr.io/kyl191/ansible-${{ matrix.version }} - credentials: - username: ${{ github.actor }} - password: ${{ secrets.github_token }} env: container: docker volumes: From 27c6046ad79c79f53b79438d1e581083330e9447 Mon Sep 17 00:00:00 2001 From: Georgi Koykov Date: Mon, 17 Oct 2022 15:22:54 +0300 Subject: [PATCH 13/18] Added client generation tag. --- tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 996abb6e..642adde2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -60,6 +60,8 @@ - name: Generate client configs ansible.builtin.import_tasks: client_keys.yml when: clients is defined + tags: + - openvpn_generate_clients - name: Generate revocation list and clean up ansible.builtin.import_tasks: revocation.yml From 10bf0463ff41dc2592dc4161b6bfe8220985c129 Mon Sep 17 00:00:00 2001 
From: Ralph Bolton Date: Sun, 22 Dec 2024 07:06:10 +0000 Subject: [PATCH 14/18] Added ability to optionally configure NAT source address (#168) * Added ability to optionally configure NAT source address * Set the default and use it rather than coding the default in the task * Fixed typo in ipv4 address --------- Co-authored-by: Kyle Lexmond --- defaults/main/openvpn.yml | 2 ++ tasks/ufw.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/defaults/main/openvpn.yml b/defaults/main/openvpn.yml index 8e62bc9f..986e9f23 100644 --- a/defaults/main/openvpn.yml +++ b/defaults/main/openvpn.yml @@ -18,6 +18,8 @@ openvpn_server_netmask: 255.255.255.0 openvpn_server_network: 10.9.0.0 openvpn_set_dns: true openvpn_tun_mtu: +openvpn_lan_source_ip: "{{ ansible_default_ipv4.address }}" + # Security openvpn_auth_alg: SHA256 openvpn_cipher: AES-256-CBC diff --git a/tasks/ufw.yml b/tasks/ufw.yml index 350400c1..b2a92ca9 100644 --- a/tasks/ufw.yml +++ b/tasks/ufw.yml @@ -39,7 +39,7 @@ # OpenVPN config *nat :POSTROUTING ACCEPT [0:0] - -A POSTROUTING -s {{ openvpn_server_network }}/24 -j SNAT --to-source {{ ansible_default_ipv4.address }} + -A POSTROUTING -s {{ openvpn_server_network }}/24 -j SNAT --to-source {{ openvpn_lan_source_ip }} COMMIT when: not openvpn_masquerade_not_snat notify: From 162cce706cc9e67b165314d369802d37e874ac81 Mon Sep 17 00:00:00 2001 From: danielsimkus Date: Tue, 25 Jan 2022 09:55:05 +0000 Subject: [PATCH 15/18] it should always be defined as in config --- templates/server.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 086a14a4..09b2c547 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 
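Review bot: The SNAT rule in tasks/ufw.yml still hard-codes `/24` for the source network while `openvpn_server_netmask` is a role variable (the defaults hunk above shows `255.255.255.0`), so a server configured with a different netmask gets a NAT rule covering the wrong range; either derive the prefix length from `openvpn_server_netmask` or state in the defaults that the ufw SNAT path assumes a /24. The new default `openvpn_lan_source_ip: "{{ ansible_default_ipv4.address }}"` is templated lazily and is undefined on hosts without a default IPv4 route or with fact gathering disabled, so a comment on that line saying it must be set explicitly in those cases would turn a confusing template error into a documented requirement.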
@@ -60,8 +60,8 @@ client-config-dir {{ openvpn_client_config_dir }} push "redirect-gateway def1 bypass-dhcp" {% endif %} {% if openvpn_set_dns %} -{% if openvpn_custom_dns %} -{% for srv in openvpn_dns_servers %} +{% if openvpn_custom_dns|length > 0 %} +{% for srv in openvpn_custom_dns %} push "dhcp-option DNS {{ srv }}" {% endfor %} {% else %} From 41478d4f9d08f141a8286cd651a4c84688180040 Mon Sep 17 00:00:00 2001 From: danielsimkus Date: Tue, 25 Jan 2022 10:06:53 +0000 Subject: [PATCH 16/18] Remove openvpn_dns_servers variable --- defaults/main/openvpn.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main/openvpn.yml b/defaults/main/openvpn.yml index 986e9f23..3a636923 100644 --- a/defaults/main/openvpn.yml +++ b/defaults/main/openvpn.yml @@ -5,7 +5,6 @@ openvpn_client_register_dns: true openvpn_client_to_client: false openvpn_custom_dns: [] -openvpn_dns_servers: [] openvpn_dualstack: true openvpn_keepalive_ping: 5 openvpn_keepalive_timeout: 30 From 1579e3967e262da274bd9615412c5a9bf4d8ee8d Mon Sep 17 00:00:00 2001 From: Wolfgang Jung Date: Tue, 29 Mar 2022 22:10:01 +0200 Subject: [PATCH 17/18] Enables logging to syslog if openvpn_log_file is not set --- README.md | 12 ++++++------ templates/server.conf.j2 | 5 +++++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index b0d2e01a..27d1cc96 100644 --- a/README.md +++ b/README.md 
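Review bot: The loop-variable correction (`openvpn_dns_servers` → `openvpn_custom_dns`) is the real fix, but the condition rewrite is a step backwards: `{% if openvpn_custom_dns %}` already treats `[]`, `''` and `null` as false, whereas `openvpn_custom_dns|length > 0` raises a template error if a user overrides the variable with `null`/`~` (length of None). Keep the original truthiness test and change only the `for` line, i.e. `{% if openvpn_custom_dns %}` followed by `{% for srv in openvpn_custom_dns %}`. If guarding against a scalar being supplied by mistake is wanted, that belongs in an `ansible.builtin.assert` on the variable type in the tasks, not in the template.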
@@ -136,13 +136,13 @@ These options change how OpenVPN itself works. | openvpn_client_config_dir | string | | ccd | Path of `client-config-dir` | | openvpn_client_configs | dict | | {} | Dict of settings custom client configs | -## Logrotate +## Logrotate/Syslog Set your own custom logrotate options -| Variable | Type | Choices | Default | Comment | -|--------------------------|--------|---------|-------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------| -| openvpn_log_dir | string | | /var/log | Set location of openvpn log files. This parameter is a part of `log-append` configuration value. | -| openvpn_log_file | string | | openvpn.log | Set log filename. This parameter is a part of `log-append` configuration value. | -| openvpn_logrotate_config | string | | rotate 4
weekly
missingok
notifempty
sharedscripts
copytruncate
delaycompress | Configure logrotate script. | +| Variable | Type | Choices | Default | Comment | +|--------------------------|--------|---------|-------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------| +| openvpn_log_dir | string | | /var/log | Set location of openvpn log files. This parameter is a part of `log-append` configuration value. | +| openvpn_log_file | string | | openvpn.log | Set log filename. This parameter is a part of `log-append` configuration value. If empty, syslog is used. | +| openvpn_logrotate_config | string | | rotate 4
weekly
missingok
notifempty
sharedscripts
copytruncate
delaycompress | Configure logrotate script. | ## Packaging This role pulls in a bunch of different packages. Override the names as necessary. diff --git a/templates/server.conf.j2 b/templates/server.conf.j2 index 09b2c547..b430164e 100644 --- a/templates/server.conf.j2 +++ b/templates/server.conf.j2 @@ -91,7 +91,12 @@ group {{ openvpn_service_group }} status status-{{ openvpn_config_file }}.log status-version {{ openvpn_status_version }} + +{% if openvpn_log_file is defined %} log-append {{ openvpn_log_dir }}/{{ openvpn_log_file }} +{% else %} +syslog openvpn +{% endif %} verb 3 {% if openvpn_verify_cn|bool %} From 09aeb80992766df75c7428fc98cfebad1c2af199 Mon Sep 17 00:00:00 2001 From: Manuel Schneider Date: Sun, 22 Dec 2024 16:58:44 +0100 Subject: [PATCH 18/18] add option to not configure nat (#187) Co-authored-by: Kyle Lexmond --- defaults/main/role.yml | 1 + tasks/iptables.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main/role.yml b/defaults/main/role.yml index dafcfcc3..93ce419c 100644 --- a/defaults/main/role.yml +++ b/defaults/main/role.yml @@ -19,6 +19,7 @@ iptables_service: iptables manage_firewall_rules: true openvpn_firewall: auto openvpn_masquerade_not_snat: false +openvpn_no_nat: false # Misc ci_build: false diff --git a/tasks/iptables.yml b/tasks/iptables.yml index d619a40e..b2ec9630 100644 --- a/tasks/iptables.yml +++ b/tasks/iptables.yml @@ -69,7 +69,7 @@ jump: SNAT action: insert comment: "Perform NAT readdressing" - when: not openvpn_masquerade_not_snat + when: not openvpn_masquerade_not_snat and not openvpn_no_nat notify: "save iptables" - name: Perform NAT readdressing with MASQUERADE - iptables @@ -80,7 +80,7 @@ jump: MASQUERADE action: insert comment: "Perform NAT readdressing" - when: openvpn_masquerade_not_snat + when: openvpn_masquerade_not_snat and not openvpn_no_nat notify: - Save iptables
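Review bot: `{% if openvpn_log_file is defined %}` can never take the syslog branch in normal use, because the role ships a default for `openvpn_log_file` (the README row in this same commit lists `openvpn.log`) and a caller cannot undefine a role default; the README text "If empty, syslog is used" describes a different test than the template performs. Setting the variable to `''` to reach syslog instead renders `log-append /var/log/`, a directory OpenVPN cannot open. Make the template match the documentation: `{% if openvpn_log_file is defined and openvpn_log_file | length > 0 %}` (or simply `{% if openvpn_log_file %}`). The logrotate tasks that presumably write a rotation entry for `{{ openvpn_log_dir }}/{{ openvpn_log_file }}` are outside this diff and should be skipped under the same condition so a syslog-only install does not get a dangling logrotate config.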
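Review bot: `openvpn_no_nat` is honoured only by the two iptables tasks; the ufw backend's SNAT rule in tasks/ufw.yml (seen earlier in this series with `when: not openvpn_masquerade_not_snat`) and, presumably, the firewalld backend still add NAT regardless, so a host with `openvpn_firewall: ufw` and `openvpn_no_nat: true` silently keeps rewriting client traffic — extend the same `and not openvpn_no_nat` guard to those tasks. The new default also needs a README row, e.g. `| openvpn_no_nat | boolean | | false | Skip all NAT rules for the VPN subnet (routed setups) |`. Separately, the two tasks notify handlers spelled `"save iptables"` and `Save iptables`; handler lookup matches the notify string against the handler's name or `listen` entries, so confirm both spellings resolve to a handler — pre-existing, but worth aligning while these `when` lines are being touched.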