LILiK
/
lilik_playbook


								---

								- name: 'install openvpn-openssl package'

								  opkg:

								    name: 'openvpn-openssl'

								    state: 'present'

								  tags:

								    - 'packages'


								- name: 'create openvpn private key'

								  shell:

								    cmd: >

								      openssl genpkey

								      -algorithm ed25519

								      -out /etc/openvpn/openvpn.key

								  args:

								    creates: '/etc/openvpn/openvpn.key'

								  notify: 'reload openvpn'

								  tags:

								    - 'tls_int'


								# Shouldn't be required for TLSv1.3

								#

								#- name: create openvpn dh2048

								#  shell: 'openssl dhparam -out /etc/openvpn/dh2048.pem 2048'

								#  args:

								#    creates: /etc/openvpn/dh2048.pem

								#  notify: reload openvpn


								- name: 'upload server ca'

								  copy:

								    content: '{{ tls_vpn_server_ca }}{{ tls_root_ca }}'

								    dest: '/etc/openvpn/server_ca.crt'

								  tags:

								    - 'tls_int'


								- name: 'upload user ca'

								  copy:

								    content: '{{ tls_vpn_user_ca }}{{ tls_root_ca }}'

								    dest: '/etc/openvpn/user_ca.crt'

								  notify: 'reload openvpn'

								  tags:

								    - 'tls_int'


								- name: 'check openvpn cert status'

								  command: >-

								    openssl verify

								    -CAfile /etc/openvpn/server_ca.crt

								    /etc/openvpn/openvpn.crt

								  register: openvpn_cert_is_valid

								  changed_when: false

								  failed_when: false

								  tags:

								    - 'tls_int'


								- name: 'create openvpn cert request'

								  shell: >

								    openssl req

								    -new

								    -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}"

								    -key /etc/openvpn/openvpn.key

								    -out /etc/openvpn/openvpn.csr

								  when: openvpn_cert_is_valid.rc != 0

								  tags:

								    - 'tls_int'


								- import_tasks: 'ca-signing-request.yaml'

								  vars:

								    host: '{{ server_fqdn }}'

								    request_path: '/etc/openvpn/openvpn.csr'

								    output_path: '/etc/openvpn/openvpn.crt'

								  when: openvpn_cert_is_valid.rc != 0

								  notify: 'reload openvpn'

								  tags:

								    - 'tls_int'


								- name: 'write openvpn configuration'

								  template:

								    dest: '/etc/config/openvpn'

								    src: 'openvpn.j2'

								    owner: 'root'

								    group: 'root'

								    mode: '0400'

								  register: config_updated

								  notify: 'reload openvpn'


								- name: 'commit openvpn configuration to uci'

								  shell: 'uci commit openvpn'

								  notify: 'reload openvpn'

								  when: config_updated.changed