- ---
- - name: 'install openvpn-openssl package'
- opkg:
- name: 'openvpn-openssl'
- state: 'present'
- tags:
- - 'packages'
-
- - name: 'create openvpn private key'
- shell:
- cmd: >
- openssl genpkey
- -algorithm ed25519
- -out /etc/openvpn/openvpn.key
- args:
- creates: '/etc/openvpn/openvpn.key'
- notify: 'reload openvpn'
- tags:
- - 'tls_int'
-
- # Shouldn't be required for TLSv1.3
- #
- #- name: create openvpn dh2048
- # shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
- # args:
- # creates: /etc/openvpn/dh2048.pem
- # notify: reload openvpn
-
- - name: 'upload server ca'
- copy:
- content: '{{ openvpn_tls_server_ca }}{{ tls_root_ca }}'
- dest: '/etc/openvpn/server_ca.crt'
- tags:
- - 'tls_int'
-
- - name: 'upload user ca'
- copy:
- content: '{{ openvpn_tls_user_ca }}{{ tls_root_ca }}'
- dest: '/etc/openvpn/user_ca.crt'
- notify: 'reload openvpn'
- tags:
- - 'tls_int'
-
- - name: 'check openvpn cert status'
- command: >-
- openssl verify
- -CAfile /etc/openvpn/server_ca.crt
- /etc/openvpn/openvpn.crt
- register: openvpn_cert_is_valid
- changed_when: false
- failed_when: false
- tags:
- - 'tls_int'
-
- - name: 'create openvpn cert request'
- shell: >
- openssl req
- -new
- -subj "{{ openssl_x509_prefix }}/OU=Server/CN={{ host_fqdn }}"
- -key /etc/openvpn/openvpn.key
- -out /etc/openvpn/openvpn.csr
- when: openvpn_cert_is_valid.rc != 0
- tags:
- - 'tls_int'
-
- - import_tasks: 'ca-signing-request.yaml'
- vars:
- host: '{{ host_fqdn }}'
- request_path: '/etc/openvpn/openvpn.csr'
- output_path: '/etc/openvpn/openvpn.crt'
- when: openvpn_cert_is_valid.rc != 0
- notify: 'reload openvpn'
- tags:
- - 'tls_int'
-
- - name: 'write openvpn configuration'
- template:
- dest: '/etc/config/openvpn'
- src: 'openvpn.j2'
- owner: 'root'
- group: 'root'
- mode: '0400'
- register: config_updated
- notify: 'reload openvpn'
-
- - name: 'commit openvpn configuration to uci'
- shell: 'uci commit openvpn'
- notify: 'reload openvpn'
- when: config_updated.changed
|
