You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
113 lines
2.6 KiB
113 lines
2.6 KiB
---
|
|
- name: install openvpn-openssl package
|
|
opkg:
|
|
name: openvpn-openssl
|
|
state: present
|
|
|
|
- name: create openvpn KEY
|
|
shell: 'openssl genrsa -out {{ openvpn_key }} 2047'
|
|
args:
|
|
creates: "{{ openvpn_key }}"
|
|
notify: reload openvpn
|
|
|
|
|
|
- name: create openvpn dh2048
|
|
shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
|
|
args:
|
|
creates: /etc/openvpn/dh2048.pem
|
|
notify: reload openvpn
|
|
|
|
|
|
- name: create CSR
|
|
shell: 'openssl req -new -sha256 -subj "/C=IT/ST=ITALY/L=TUSCANY/O=IT/CN={{ ansible_hostname }}.lilik.it" -key /etc/openvpn/openvpn.key -out /etc/openvpn/openvpn.csr'
|
|
args:
|
|
creates: "{{ openvpn_csr }}"
|
|
notify: reload openvpn
|
|
|
|
- name: check if openvpn cert key exist
|
|
stat:
|
|
path: "{{ openvpn_crt }}"
|
|
register: openvpn_cert_key
|
|
|
|
- block:
|
|
- name: get pub key
|
|
shell: "cat /etc/openvpn/openvpn.csr"
|
|
register: pub_key
|
|
|
|
- debug:
|
|
var: pub_key
|
|
verbosity: 2
|
|
|
|
- name: generate host request
|
|
set_fact:
|
|
ca_request:
|
|
type: 'sign_request'
|
|
request:
|
|
keyType: 'ssl_host'
|
|
hostName: '{{ inventory_hostname }}.lilik.it'
|
|
keyData: '{{ pub_key.stdout }}'
|
|
|
|
- debug:
|
|
var: cert_request
|
|
verbosity: 2
|
|
|
|
- name: start sign request
|
|
include: ca-dialog.yaml
|
|
|
|
- set_fact:
|
|
request_output: "{{ request_result.stdout | string | from_json }}"
|
|
|
|
- debug:
|
|
var: request_output
|
|
|
|
- name: generate get request
|
|
set_fact:
|
|
ca_request:
|
|
type: 'get_certificate'
|
|
requestID: '{{ request_output.requestID }}'
|
|
|
|
- debug:
|
|
msg: "Please manualy confirm sign request with id {{ request_output.requestID }}"
|
|
|
|
- name: wait for cert
|
|
include: ca-dialog.yaml
|
|
|
|
- set_fact:
|
|
cert_key: "{{ request_result.stdout | string | from_json }}"
|
|
|
|
- debug:
|
|
var: request_result
|
|
verbosity: 2
|
|
|
|
- name: set pub key
|
|
copy:
|
|
content: "{{ cert_key.result }}"
|
|
dest: "{{ openvpn_crt }}"
|
|
register: set_pub_key
|
|
when: not openvpn_cert_key.stat.exists
|
|
|
|
- set_fact:
|
|
certificates:
|
|
- files/lilik_ca_x1.pub
|
|
- files/lilik_ca_v1.pub
|
|
|
|
- name: create vpn fullchain
|
|
template:
|
|
src: fullchain.j2
|
|
dest: /etc/openvpn/fullchain.crt
|
|
notify: reload openvpn
|
|
|
|
- name: write openvpn configuration
|
|
template:
|
|
dest: /etc/config/openvpn
|
|
src: openvpn.j2
|
|
owner: root
|
|
group: root
|
|
mode: 0400
|
|
register: new_vpn_config
|
|
notify: reload openvpn
|
|
|
|
- name: commit openvpn configuration to uci
|
|
shell: 'uci commit openvpn'
|
|
notify: reload openvpn
|
|
when: new_vpn_config.changed
|