roles/dch-openvpn-server: Deploy OpenVPN server

The *dch-openvpn-server* role installs and configures OpenVPN and stunnel to provide both native OpenVPN service as well as OpenVPN-over-TLS. The latter uses stunnel, listening on TCP port 9876, to allow better firewall traversal and TCP port sharing via reverse proxy.
2018-07-01 15:14:23 -05:00
parent b13f28f505
commit 780c8783db
7 changed files with 120 additions and 0 deletions
--- a/roles/dch-openvpn-server/tasks/main.yml
+++ b/roles/dch-openvpn-server/tasks/main.yml
@@ -0,0 +1,74 @@
+- name: ensure required packages are installed
+  package:
+    name=openvpn,stunnel
+    state=present
+  tags:
+  - install
+
+- name: ensure stunnel configuration is set
+  template:
+    src=openvpn.stunnel.conf.j2
+    dest=/etc/stunnel/openvpn.conf
+    mode=0644
+  notify: restart stunnel openvpn proxy
+
+- name: ensure openvpn server configuration is set
+  template:
+    src=pyrocufflink.openvpn.conf.j2
+    dest=/etc/openvpn/server/pyrocufflink.conf
+    mode=0644
+  notify: restart pyrocufflink openvpn server
+- name: ensure openvpn client config dir exists
+  file:
+    path=/etc/openvpn/server/clients
+    mode=0755
+    state=directory
+- name: ensure openvpn client config files are set
+  copy:
+    src={{ item }}
+    dest=/etc/openvpn/server/clients/{{ item|basename }}
+    mode=0640
+  notify: restart pyrocufflink openvpn server
+  with_fileglob: 'clients/*'
+
+- name: ensure openvpn ca certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/openvpn/server/ca.crt
+    mode=0644
+  with_fileglob: '{{ inventory_hostname }}_ca.crt'
+- name: ensure openvpn server certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/pki/tls/certs/openvpn.cer
+    mode=0644
+  with_fileglob: '{{ inventory_hostname }}.cer'
+- name: ensure openvpn server private key is installed
+  copy:
+    src={{ item }}
+    dest=/etc/pki/tls/private/openvpn.key
+    mode=0600
+  with_fileglob: '{{ inventory_hostname }}.key'
+- name: ensure openvpn diffie-hellman parameters file is installed
+  copy:
+    src={{ item }}
+    dest=/etc/openvpn/server/dh2048.pem
+    mode=0600
+  with_fileglob: '{{ inventory_hostname }}.dh'
+
+- name: ensure stunnel openvpn proxy starts at boot
+  service:
+    name=stunnel@openvpn
+    enabled=yes
+- name: ensure stunnel openvpn proxy is running
+  service:
+    name=stunnel@openvpn
+    state=started
+- name: ensure pyrocufflink openvpn server service starts at boot
+  service: 
+    name=openvpn-server@pyrocufflink
+    enabled=yes
+- name: ensure pyrocufflink openvpn server service is running
+  service: 
+    name=openvpn-server@pyrocufflink
+    state=started