diff --git a/group_vars/all.yaml.example b/group_vars/all.yaml.example
index 9359e90..d752485 100644
--- a/group_vars/all.yaml.example
+++ b/group_vars/all.yaml.example
@@ -1,37 +1,48 @@ --- -# Put here the public ip for your organisation public_ip: 0.0.0.0 -# Put here the domain for your organisation domain: "example.com" -# Put here an email address to receive Let's Encrypt communications. +organization: 'ExampleOrg' letsencrypt_email: 'admin@example.com' -# Put the TLS X.509 Subject Prefix (before OU=) -x509_subject_prefix: '/C=IT/L=Firenze/O=Example' -# Here the same in LDAP (and reversed) format -x509_ldap_suffix: 'o=Example,l=Firenze,c=it' +# Put the TLS X.509 Subject Prefix elements (before OU) +x509_subj_prefix: + C: 'IT' + #ST: '' + L: 'Firenze' + O: '{{ organization }}' # Put here the public key of the user CAs. # The first one will be used also to check if host certificate are # updated. -user_ca_keys: - - "ssh-ed25519 AAAA(...) Active Production key" +ssh_user_ca: + - "ssh-ed25519 AAAA(...) SSH User CA - Active Production key" - "ssh-ed25519 AAAA(...) Older not-expired key" # - "ssh-ed25519 AAAA(...) Revoked key" +ssh_server_ca: "ssh-ed25519 AAAA(...) SSH Server CA - Active Production key" + +monitoring_host: 'status' + +# Do not change -> probably will soon be moved elsewhere +openssl_x509_prefix: >- + {% for k, v in x509_subj_prefix.items() %}/{{k}}={{v}}{% endfor %} + # Put TLS Certificate of your Root Certification Authority tls_root_ca: | -----BEGIN CERTIFICATE----- ######################### -----END CERTIFICATE----- # Put TLS Certificate for OpenVPN Server Intermediate CA -tls_vpn_user_ca: | +tls_intermediate_server_ca: | -----BEGIN CERTIFICATE----- ######################### -----END CERTIFICATE----- # Put TLS Certificate for OpenVPN Users Intermediate CA -tls_vpn_server_ca: | +tls_intermediate_user_ca: | -----BEGIN CERTIFICATE----- ########################## -----END CERTIFICATE----- +# Optionals customization +#openvpn_tls_server_ca: '{{ tls_intermediate_server_ca }}' +#openvpn_tls_user_ca: '{{ tls_intermediate_server_ca }}' 
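Review bot: The commented-out example `#openvpn_tls_user_ca: '{{ tls_intermediate_server_ca }}'` at the end of the hunk points the user-CA override at the *server* intermediate CA, while the new role default in roles/openvpn/defaults/main.yaml maps the same variable to `tls_intermediate_user_ca`; an operator who uncomments the line as written would have OpenVPN validate client certificates against the server-issuing CA. It should read `#openvpn_tls_user_ca: '{{ tls_intermediate_user_ca }}'`. Separately, `openssl_x509_prefix` joins the `x509_subj_prefix` values with `/` and `=` without any escaping, so an `organization` (or `L`) value containing `/` or `=` silently splits the subject later passed to `openssl req -subj`; the comment above `x509_subj_prefix` should state that constraint, e.g. `# Values are used unescaped in the openssl -subj string: no '/' or '=' allowed`.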
diff --git a/roles/openvpn/defaults/main.yaml b/roles/openvpn/defaults/main.yaml
index 9c49d19..83aa9b6 100644
--- a/roles/openvpn/defaults/main.yaml
+++ b/roles/openvpn/defaults/main.yaml
@@ -1,3 +1,5 @@
 ---
-server_fqdn: '{{ inventory_hostname }}.{{ domain }}'
+host_fqdn: '{{ inventory_hostname }}.dmz.{{ domain }}'
+openvpn_tls_server_ca: '{{ tls_intermediate_server_ca }}'
+openvpn_tls_user_ca: '{{ tls_intermediate_user_ca }}'
 ...
diff --git a/roles/openvpn/tasks/main.yaml b/roles/openvpn/tasks/main.yaml
index 092175b..3b91740 100644
--- a/roles/openvpn/tasks/main.yaml
+++ b/roles/openvpn/tasks/main.yaml
@@ -28,14 +28,14 @@
- name: 'upload server ca' copy: - content: '{{ tls_vpn_server_ca }}{{ tls_root_ca }}' + content: '{{ openvpn_tls_server_ca }}{{ tls_root_ca }}' dest: '/etc/openvpn/server_ca.crt' tags: - 'tls_int' - name: 'upload user ca' copy: - content: '{{ tls_vpn_user_ca }}{{ tls_root_ca }}' + content: '{{ openvpn_tls_user_ca }}{{ tls_root_ca }}' dest: '/etc/openvpn/user_ca.crt' notify: 'reload openvpn' tags:
@@ -56,7 +56,7 @@
shell: > openssl req -new - -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}" + -subj "{{ openssl_x509_prefix }}/OU=Server/CN={{ host_fqdn }}" -key /etc/openvpn/openvpn.key -out /etc/openvpn/openvpn.csr when: openvpn_cert_is_valid.rc != 0
@@ -65,7 +65,7 @@
- import_tasks: 'ca-signing-request.yaml' vars: - host: '{{ server_fqdn }}' + host: '{{ host_fqdn }}' request_path: '/etc/openvpn/openvpn.csr' output_path: '/etc/openvpn/openvpn.crt' when: openvpn_cert_is_valid.rc != 0
diff --git a/roles/ssh_server/templates/user_ca.pub.j2 b/roles/ssh_server/templates/user_ca.pub.j2
index 01175e7..fe55c72 100644
--- a/roles/ssh_server/templates/user_ca.pub.j2
+++ b/roles/ssh_server/templates/user_ca.pub.j2
@@ -1,4 +1,4 @@
-{% for key in user_ca_keys %} +{% for key in ssh_user_ca %} {{ key }} {% endfor %}
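Review bot: The new defaults cover `openvpn_tls_server_ca` and `openvpn_tls_user_ca`, but the `-subj` line in the `@@ -56,7 +56,7 @@` hunk of roles/openvpn/tasks/main.yaml now also depends on `openssl_x509_prefix`, which this commit defines only in group_vars/all.yaml.example (with a note that it may move); an inventory whose group_vars does not carry that variable fails the CSR task with an undefined-variable error rather than a clear message. Deriving it here from `x509_subj_prefix`, e.g. `openssl_x509_prefix: "{% for k, v in x509_subj_prefix.items() %}/{{ k }}={{ v }}{% endfor %}"`, keeps the role self-contained and leaves the group var as an override. The rename of `server_fqdn` to `host_fqdn` is presumably also consumed by roles not shown in this diff; worth a grep before merging.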
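Review bot: In the `@@ -28,14 +28,14 @@` hunk the `upload server ca` task writes `/etc/openvpn/server_ca.crt` with no `notify:`, whereas the sibling `upload user ca` task notifies `reload openvpn`; as far as this hunk shows, a changed server CA bundle lands on disk but the running daemon keeps validating against the old one until something else restarts it. Adding `notify: 'reload openvpn'` after `dest: '/etc/openvpn/server_ca.crt'` makes the two tasks consistent. If the reload is deliberately deferred for the server CA, a one-line comment on that task saying so would stop the next reader from filing the same remark.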