Added openvpn server role

Signed-off-by: Nis Wechselberg <enbewe@enbewe.de>
2025-06-21 22:39:37 +02:00 · 2025-06-21 22:39:37 +02:00 · b65650d733
commit b65650d733
parent 3a99c37a82
14 changed files with 257 additions and 1 deletions
--- a/roles/server/tasks/main.yml
+++ b/roles/server/tasks/main.yml
@ -0,0 +1,102 @@
+---
+- name: 'Install the official package repository for OpenVPN'
+  block:
+    - name: 'Add the signing key'
+      become: true
+      ansible.builtin.get_url:
+        url: 'https://swupdate.openvpn.net/repos/repo-public.gpg'
+        dest: '{{ server_openvpn_signing_file }}'
+        owner: 'root'
+        group: 'root'
+        mode: 'u=rw,g=r,o=r'
+
+    - name: 'Add the actual repo'
+      become: true
+      ansible.builtin.apt_repository:
+        repo: '{{ server_openvpn_source_line }}'
+        state: 'present'
+
+- name: 'Install server software and kernel module'
+  become: true
+  ansible.builtin.apt:
+    name: '{{ item }}'
+    update_cache: true
+    state: 'present'
+  loop:
+    - 'openvpn'
+    - 'openvpn-dco-dkms'
+
+- name: 'Prepare the folder for vpn server files'
+  become: true
+  ansible.builtin.file:
+    path: '{{ item }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rwx,g=rx,o=rx'
+  loop:
+    - '/etc/openvpn/{{ server_openvpn_directory }}'
+    - '/etc/openvpn/{{ server_openvpn_directory }}/ccd'
+
+- name: 'Deploy config files'
+  become: true
+  ansible.builtin.template:
+    src: '{{ item.src }}'
+    dest: '{{ item.dest }}'
+    owner: 'root'
+    group: 'root'
+    mode: '{{ item.mode }}'
+  loop:
+    - src: 'ca.crt.j2'
+      dest: '/etc/openvpn/{{ server_openvpn_ca }}'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'cert.crt.j2'
+      dest: '/etc/openvpn/{{ server_openvpn_cert }}'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'cert.key.j2'
+      dest: '/etc/openvpn/{{ server_openvpn_key }}'
+      mode: 'u=rw,g=,o='
+    - src: 'cert.pwd.j2'
+      dest: '/etc/openvpn/{{ server_openvpn_passfile }}'
+      mode: 'u=rw,g=,o='
+    - src: 'crl.pem.j2'
+      dest: '/etc/openvpn/{{ server_openvpn_crl }}'
+      mode: 'u=rw,g=r,o=r'
+    - src: 'tls-auth.key.j2'
+      dest: '/etc/openvpn/{{ server_openvpn_tlsauth }}'
+      mode: 'u=rw,g=,o='
+    - src: 'dh2048.pem.j2'
+      dest: '/etc/openvpn/{{ server_openvpn_dhfile }}'
+      mode: 'u=rw,g=r,o=r'
+  notify: 'Restart openvpn server'
+
+- name: 'Deploy client specific config'
+  become: true
+  ansible.builtin.template:
+    src: 'ccd.j2'
+    dest: '/etc/openvpn/{{ server_openvpn_directory }}/ccd/{{ item.key }}'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rw,g=r,o=r'
+  loop: '{{ server_openvpn_client_configs | dict2items }}'
+  notify: 'Restart openvpn server'
+
+- name: 'Deploy server config'
+  become: true
+  ansible.builtin.template:
+    src: 'openvpn_server.conf.j2'
+    dest: '/etc/openvpn/{{ server_openvpn_config_name }}.conf'
+    owner: 'root'
+    group: 'root'
+    mode: 'u=rw,g=r,o=r'
+  notify:
+    - 'Reload openvpn services'
+    - 'Restart openvpn server'
+
+- name: 'Configure ip forwarding to allow external communication throught the vpn'
+  become: true
+  ansible.posix.sysctl:
+    name: '{{ item.key }}'
+    value: '{{ item.value }}'
+  loop: '{{ server_openvpn_sysctl_settings | dict2items }}'
+  notify: 'Restart openvpn server'