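---
# OpenVPN server tasks for an OpenWrt host (packages via opkg, config via uci).
#
# Flow: install the package, place the server and user CA bundles under
# /etc/openvpn, issue the server certificate through the 'ca_cert' role,
# render /etc/config/openvpn from openvpn.j2 and commit the UCI change.
# Tasks that alter what the daemon reads notify the 'reload openvpn' handler
# (defined outside this file).

- name: 'install openvpn-openssl package'
  opkg:
    name: 'openvpn-openssl'
    state: 'present'
  tags:
    - 'packages'

# Shouldn't be required for TLSv1.3
#
#- name: create openvpn dh2048
#  shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'
#  args:
#    creates: /etc/openvpn/dh2048.pem
#  notify: reload openvpn

# Server CA bundle: the CA the ca_cert role signs the server certificate
# with (see ca_cert_tls_ca_path below), followed by the root CA so the
# chain is complete in one file.
# NOTE(review): this task does not notify 'reload openvpn' while
# 'upload user ca' does — confirm whether the running daemon reads
# server_ca.crt directly or only the ca_cert role consumes it.
- name: 'upload server ca'
  copy:
    content: '{{ openvpn_tls_server_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/server_ca.crt'
  tags:
    - 'tls_int'

# User CA bundle: openvpn_tls_user_ca followed by the root CA; a change
# here reloads the daemon.
- name: 'upload user ca'
  copy:
    content: '{{ openvpn_tls_user_ca }}{{ tls_root_ca }}'
    dest: '/etc/openvpn/user_ca.crt'
  notify: 'reload openvpn'
  tags:
    - 'tls_int'

# Key, CSR and certificate paths handed to the ca_cert role. File
# permissions on openvpn.key are not set in this file — presumably the
# role keeps it private; verify there.
- name: 'generate and sign server certificate'
  import_role:
    name: 'ca_cert'
  vars:
    ca_cert_common_name: '{{ host_fqdn }}'
    ca_cert_proto: 'tls'
    ca_cert_tls_ca_path: '/etc/openvpn/server_ca.crt'
    ca_cert_tls_key_path: '/etc/openvpn/openvpn.key'
    ca_cert_tls_csr_path: '/etc/openvpn/openvpn.csr'
    ca_cert_tls_cert_path: '/etc/openvpn/openvpn.crt'

# Rendered UCI config is readable by root only (0400). The result is
# registered so the uci commit below runs only when the file changed.
- name: 'write openvpn configuration'
  template:
    dest: '/etc/config/openvpn'
    src: 'openvpn.j2'
    owner: 'root'
    group: 'root'
    mode: '0400'
  register: config_updated
  notify: 'reload openvpn'

# 'command' rather than 'shell': the argument is a fixed string with no
# shell features, so there is no reason to route it through a shell.
- name: 'commit openvpn configuration to uci'
  command: 'uci commit openvpn'
  notify: 'reload openvpn'
  when: config_updated.changed
...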