Added openvpn server role

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>
2025-06-21 22:27:47 +02:00 · 2025-06-21 22:27:47 +02:00 · 6e8d01203a
commit 6e8d01203a
parent 3a99c37a82
13 changed files with 249 additions and 0 deletions
--- a/roles/server/tasks/main.yml
+++ b/roles/server/tasks/main.yml
@ -0,0 +1,99 @@
+---
+- name: 'Install the official package repository for OpenVPN'
+  block:
+    - name: 'Add the signing key'
+      become: true
+      ansible.builtin.get_url:
+        url: 'https://swupdate.openvpn.net/repos/repo-public.gpg'
+        dest: '/etc/apt/keyrings/openvpn-repo-public.asc'
+
+    - name: 'Add the actual repo'
+      become: true
+      ansible.builtin.apt_repository:
+        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/openvpn-repo-public.asc] https://build.openvpn.net/debian/openvpn/stable {{ ansible_distribution_release }} main"
+        state: present
+
+- name: 'Install server software and kernel module'
+  become: true
+  ansible.builtin.apt:
+    name: '{{ item }}'
+    update_cache: true
+    state: 'present'
+  loop:
+    - 'openvpn'
+    - 'openvpn-dco-dkms'
+
+- name: 'Prepare the folder for vpn server files'
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rwx,g=rx,o=rx'
+  loop:
+    - '/etc/openvpn/{{ openvpn_server_directory }}'
+    - '/etc/openvpn/{{ openvpn_server_directory }}/ccd'
+
+- name: 'Deploy config files'
+  become: true
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: 'root'
+    group: 'root'
+    mode: '{{ item.mode }}'
+  loop:
+    - src: 'ca.crt.j2'
+      dest: '/etc/openvpn/{{ openvpn_server_ca }}'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'cert.crt.j2'
+      dest: '/etc/openvpn/{{ openvpn_server_cert }}'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'cert.key.j2'
+      dest: '/etc/openvpn/{{ openvpn_server_key }}'
+      mode: 'u=rw,g=,o='
+    - src: 'cert.pwd.j2'
+      dest: '/etc/openvpn/{{ openvpn_server_passfile }}'
+      mode: 'u=rw,g=,o='
+    - src: 'crl.pem.j2'
+      dest: '/etc/openvpn/{{ openvpn_server_crl }}'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'tls-auth.key.j2'
+      dest: '/etc/openvpn/{{ openvpn_server_tlsauth }}'
+      mode: 'u=rw,g=,o='
+    - src: 'dh2048.pem.j2'
+      dest: '/etc/openvpn/{{ openvpn_server_dhfile }}'
+      mode: 'u=rw,g=r,o=r'
+  notify: 'Restart openvpn server'
+
+- name: 'Deploy client specific config'
+  become: true
+  ansible.builtin.template:
+    src: 'ccd.j2'
+    dest: '/etc/openvpn/{{ openvpn_server_directory }}/ccd/{{ item.key }}'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rw,g=r,o=r'
+  loop: '{{ openvpn_server_client_configs | dict2items }}'
+  notify: 'Restart openvpn server'
+
+- name: 'Deploy server config'
+  become: true
+  ansible.builtin.template:
+    src: 'openvpn_server.conf.j2'
+    dest: '/etc/openvpn/{{ openvpn_server_config_name }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rw,g=r,o=r'
+  notify: 
+    - 'Reload openvpn services'
+    - 'Restart openvpn server'
+
+- name: 'Configure ip forwarding to allow external communication throught the vpn'
+  become: true
+  ansible.posix.sysctl:
+    name: '{{ item.key }}'
+    value: '{{ item.value }}'
+  loop: '{{ openvpn_sysctl_settings | dict2items }}'
+  notify: 'Restart openvpn server'