From 2d126137afa9398699cd2883765f5125c128e03c Mon Sep 17 00:00:00 2001 
From: den Date: Sun, 4 Oct 2020 19:35:35 +0300 Subject: [PATCH] move 3rdparty ansible galaxy roles to roles/galaxy --- .gitignore | 2 - ansible.cfg | 2 +- roles/galaxy/Stouts.openvpn/.bumpversion.cfg | 6 + roles/galaxy/Stouts.openvpn/.travis.yml | 18 ++ roles/galaxy/Stouts.openvpn/CONTRIBUTORS | 20 ++ roles/galaxy/Stouts.openvpn/LICENSE | 22 ++ roles/galaxy/Stouts.openvpn/Makefile | 20 ++ roles/galaxy/Stouts.openvpn/README.md | 83 +++++++ roles/galaxy/Stouts.openvpn/defaults/main.yml | 229 ++++++++++++++++++ roles/galaxy/Stouts.openvpn/handlers/main.yml | 40 +++ .../Stouts.openvpn/meta/.galaxy_install_info | 2 + roles/galaxy/Stouts.openvpn/meta/main.yml | 25 ++ .../molecule/default/Dockerfile.j2 | 14 ++ .../molecule/default/INSTALL.rst | 16 ++ .../molecule/default/converge.yml | 46 ++++ .../molecule/default/molecule.yml | 31 +++ .../molecule/default/prepare.yml | 8 + .../molecule/default/requirements.yml | 4 + .../molecule/default/tests/test_default.py | 0 .../molecule/default/yamllint.yml | 56 +++++ .../Stouts.openvpn/tasks/assertions.yml | 7 + .../tasks/authentication/ldap.yml | 7 + .../tasks/authentication/pam.yml | 15 ++ .../tasks/authentication/simple.yml | 11 + .../tasks/authentication/tls.yml | 8 + .../Stouts.openvpn/tasks/core/clients.yml | 69 ++++++ .../Stouts.openvpn/tasks/core/configure.yml | 27 +++ .../tasks/core/install/Debian.yml | 46 ++++ .../tasks/core/install/RedHat.yml | 26 ++ .../Stouts.openvpn/tasks/core/management.yml | 28 +++ .../tasks/core/read-client-files.yml | 52 ++++ roles/galaxy/Stouts.openvpn/tasks/main.yml | 5 + roles/galaxy/Stouts.openvpn/tasks/openvpn.yml | 47 ++++ roles/galaxy/Stouts.openvpn/tasks/scripts.yml | 32 +++ roles/galaxy/Stouts.openvpn/tasks/service.yml | 7 + .../tasks/system/bridge/Debian.yml | 16 ++ .../tasks/system/bridge/RedHat.yml | 29 +++ .../tasks/system/firewall-deps.yml | 31 +++ .../tasks/system/firewall-open.yml | 13 + .../tasks/system/forwarding.yml | 10 + .../Stouts.openvpn/tasks/system/routing.yml | 40 +++ 
.../galaxy/Stouts.openvpn/tasks/variables.yml | 15 ++ .../authentication/auth-client.sh.j2 | 9 + .../authentication/auth-ldap.conf.j2 | 54 +++++ .../templates/authentication/openvpn.pam.j2 | 12 + ...elasticsearch.openvpn.ingest.pipelines.yml | 55 +++++ .../beats/filebeat.openvpn.fields.yml | 12 + .../beats/filebeat.openvpn.inputs.yml | 15 ++ .../beats/heartbeat.openvpn.monitors.yml | 33 +++ .../templates/bridge/bridge-interface.deb.j2 | 19 ++ .../templates/bridge/bridge-interface.rh.j2 | 13 + .../templates/bridge/down.sh.j2 | 6 + .../Stouts.openvpn/templates/bridge/up.sh.j2 | 9 + .../Stouts.openvpn/templates/client.conf.j2 | 94 +++++++ .../templates/scripts/client-disconnect.sh.j2 | 16 ++ .../Stouts.openvpn/templates/server.conf.j2 | 192 +++++++++++++++ .../Stouts.openvpn/vars/os/Common-default.yml | 3 + .../Stouts.openvpn/vars/os/Debian.jessie.yml | 10 + .../Stouts.openvpn/vars/os/Debian.stretch.yml | 10 + .../galaxy/Stouts.openvpn/vars/os/Debian.yml | 8 + .../galaxy/Stouts.openvpn/vars/os/RedHat.yml | 13 + .../Stouts.openvpn/vars/os/Ubuntu.bionic.yml | 8 + .../Stouts.openvpn/vars/os/Ubuntu.vivid.yml | 7 + .../Stouts.openvpn/vars/os/Ubuntu.xenial.yml | 10 + .../galaxy/Stouts.openvpn/vars/os/Ubuntu.yml | 7 + .../nkakouros.easyrsa/.travis.yml | 0 .../{ => galaxy}/nkakouros.easyrsa/.yamllint | 0 .../{ => galaxy}/nkakouros.easyrsa/README.md | 0 .../nkakouros.easyrsa/defaults/main.yml | 0 .../nkakouros.easyrsa/handlers/main.yml | 0 .../nkakouros.easyrsa/key-formats.md | 0 .../meta/.galaxy_install_info | 2 + .../nkakouros.easyrsa/meta/main.yml | 0 .../molecule/default/Dockerfile.j2 | 0 .../molecule/default/INSTALL.rst | 0 .../molecule/default/molecule.yml | 0 .../molecule/default/playbook.yml | 0 .../molecule/default/prepare.yml | 0 .../molecule/default/tests/test_default.py | 14 ++ .../molecule/default/yamllint.yml | 0 .../nkakouros.easyrsa/tasks/configure.yml | 0 .../nkakouros.easyrsa/tasks/convert.yml | 0 .../nkakouros.easyrsa/tasks/csr.yml | 0 
.../nkakouros.easyrsa/tasks/dh.yml | 0 .../nkakouros.easyrsa/tasks/download.yml | 0 .../nkakouros.easyrsa/tasks/easyrsa.yml | 0 .../nkakouros.easyrsa/tasks/install.yml | 0 .../nkakouros.easyrsa/tasks/main.yml | 0 .../nkakouros.easyrsa/tasks/renew.yml | 0 .../nkakouros.easyrsa/tasks/revoke.yml | 0 .../nkakouros.easyrsa/tasks/sign.yml | 0 .../nkakouros.easyrsa/templates/vars.j2 | 0 .../nkakouros.easyrsa/vars/main.yml | 0 .../meta/.galaxy_install_info | 2 - 94 files changed, 1813 insertions(+), 5 deletions(-) create mode 100644 roles/galaxy/Stouts.openvpn/.bumpversion.cfg create mode 100644 roles/galaxy/Stouts.openvpn/.travis.yml create mode 100644 roles/galaxy/Stouts.openvpn/CONTRIBUTORS create mode 100644 roles/galaxy/Stouts.openvpn/LICENSE create mode 100644 roles/galaxy/Stouts.openvpn/Makefile create mode 100644 roles/galaxy/Stouts.openvpn/README.md create mode 100644 roles/galaxy/Stouts.openvpn/defaults/main.yml create mode 100644 roles/galaxy/Stouts.openvpn/handlers/main.yml create mode 100644 roles/galaxy/Stouts.openvpn/meta/.galaxy_install_info create mode 100644 roles/galaxy/Stouts.openvpn/meta/main.yml create mode 100644 roles/galaxy/Stouts.openvpn/molecule/default/Dockerfile.j2 create mode 100644 roles/galaxy/Stouts.openvpn/molecule/default/INSTALL.rst create mode 100644 roles/galaxy/Stouts.openvpn/molecule/default/converge.yml create mode 100644 roles/galaxy/Stouts.openvpn/molecule/default/molecule.yml create mode 100644 roles/galaxy/Stouts.openvpn/molecule/default/prepare.yml create mode 100644 roles/galaxy/Stouts.openvpn/molecule/default/requirements.yml rename roles/{nkakouros.easyrsa => galaxy/Stouts.openvpn}/molecule/default/tests/test_default.py (100%) create mode 100644 roles/galaxy/Stouts.openvpn/molecule/default/yamllint.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/assertions.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/authentication/ldap.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/authentication/pam.yml 
create mode 100644 roles/galaxy/Stouts.openvpn/tasks/authentication/simple.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/authentication/tls.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/core/clients.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/core/configure.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/core/install/Debian.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/core/install/RedHat.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/core/management.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/core/read-client-files.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/main.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/openvpn.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/scripts.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/service.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/system/bridge/Debian.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/system/bridge/RedHat.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/system/firewall-deps.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/system/firewall-open.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/system/forwarding.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/system/routing.yml create mode 100644 roles/galaxy/Stouts.openvpn/tasks/variables.yml create mode 100644 roles/galaxy/Stouts.openvpn/templates/authentication/auth-client.sh.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/authentication/auth-ldap.conf.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/authentication/openvpn.pam.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/beats/elasticsearch.openvpn.ingest.pipelines.yml create mode 100644 roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.fields.yml create mode 100644 roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.inputs.yml create mode 100644 
roles/galaxy/Stouts.openvpn/templates/beats/heartbeat.openvpn.monitors.yml create mode 100644 roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.deb.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.rh.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/bridge/down.sh.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/bridge/up.sh.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/client.conf.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/scripts/client-disconnect.sh.j2 create mode 100644 roles/galaxy/Stouts.openvpn/templates/server.conf.j2 create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Common-default.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Debian.jessie.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Debian.stretch.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Debian.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/RedHat.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.bionic.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.vivid.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.xenial.yml create mode 100644 roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.yml rename roles/{ => galaxy}/nkakouros.easyrsa/.travis.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/.yamllint (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/README.md (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/defaults/main.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/handlers/main.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/key-formats.md (100%) create mode 100644 roles/galaxy/nkakouros.easyrsa/meta/.galaxy_install_info rename roles/{ => galaxy}/nkakouros.easyrsa/meta/main.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/molecule/default/Dockerfile.j2 (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/molecule/default/INSTALL.rst (100%) rename roles/{ => 
galaxy}/nkakouros.easyrsa/molecule/default/molecule.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/molecule/default/playbook.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/molecule/default/prepare.yml (100%) create mode 100644 roles/galaxy/nkakouros.easyrsa/molecule/default/tests/test_default.py rename roles/{ => galaxy}/nkakouros.easyrsa/molecule/default/yamllint.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/configure.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/convert.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/csr.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/dh.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/download.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/easyrsa.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/install.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/main.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/renew.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/revoke.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/tasks/sign.yml (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/templates/vars.j2 (100%) rename roles/{ => galaxy}/nkakouros.easyrsa/vars/main.yml (100%) delete mode 100644 roles/nkakouros.easyrsa/meta/.galaxy_install_info
diff --git a/.gitignore b/.gitignore
index 679c96b..4fad98a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,5 +6,3 @@
 # vagrant logs
 /ubuntu-xenial-16.04-cloudimg-console.log
-# installed via requirements.yml
-/roles/Stouts.openvpn/
diff --git a/ansible.cfg b/ansible.cfg
index 3042f4e..73943cd 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,7 +1,7 @@
 [defaults]
 # inventory = ./environments/test
 retry_files_enabled = False
-roles_path = ./roles
+roles_path = ./roles/galaxy:./roles
 gathering = smart
 fact_caching = jsonfile
 fact_caching_connection = ./.facts
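Review bot: `roles_path = ./roles/galaxy:./roles` makes the now-committed copies under roles/galaxy the ones that resolve, but nothing in the repo records which upstream versions they are except the `.galaxy_install_info` files (this commit adds one saying Stouts.openvpn 3.1.1), and `ansible-galaxy install` writes to the first roles_path entry, so it would presumably overwrite the tracked copy in place. A one-line comment next to the new setting would make the intent explicit, e.g. `# roles/galaxy holds vendored Galaxy roles (version in each meta/.galaxy_install_info); re-vendor deliberately instead of galaxy-installing over them`. Since the previous hunk also drops the .gitignore entry for /roles/Stouts.openvpn/, reviewing the vendored content now falls to this repo: the vendored defaults/main.yml in this commit ships `openvpn_cipher: BF-CBC`, `openvpn_comp_lzo: true` and `openvpn_management_pass: ~`, so confirm that the playbooks resolved through this path override those defaults rather than inheriting them.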
diff --git a/roles/galaxy/Stouts.openvpn/.bumpversion.cfg b/roles/galaxy/Stouts.openvpn/.bumpversion.cfg
new file mode 100644
index 0000000..294bb51
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/.bumpversion.cfg
@@ -0,0 +1,6 @@
+[bumpversion]
+commit = True
+current_version = 2.4.1
+tag = True
+tag_name = {new_version}
+
diff --git a/roles/galaxy/Stouts.openvpn/.travis.yml b/roles/galaxy/Stouts.openvpn/.travis.yml
new file mode 100644
index 0000000..a434bef
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/.travis.yml
@@ -0,0 +1,18 @@
+---
+
+language: python
+
+env:
+ - MOLECULE_DISTRO=ubuntu1604
+ - MOLECULE_DISTRO=ubuntu1804
+ - MOLECULE_DISTRO=debian8 MOLECULE_INIT_CMD=/lib/systemd/systemd
+ - MOLECULE_DISTRO=debian9 MOLECULE_INIT_CMD=/lib/systemd/systemd
+ - MOLECULE_DISTRO=debian10 MOLECULE_INIT_CMD=/lib/systemd/systemd
+install:
+ - pip install docker molecule ansible-lint
+
+script:
+ - molecule test
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/roles/galaxy/Stouts.openvpn/CONTRIBUTORS b/roles/galaxy/Stouts.openvpn/CONTRIBUTORS
new file mode 100644
index 0000000..5cfd33b
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/CONTRIBUTORS
@@ -0,0 +1,20 @@
+Contributors:
+
+* Adam Kunicki (https://github.com/kunickiaj)
+* Adham Helal (https://github.com/ahelal)
+* Daniel Miranda (https://github.com/danielkza)
+* Elias (https://github.com/viderizer)
+* Federico Capoano (https://github.com/nemesisdesign)
+* JP Viljoen (https://github.com/froztbyte)
+* Jason Bond Pratt (https://github.com/juniorplenty)
+* Kirill Klenov (http://klen.github.io/)
+* Kurt Sussman (https://github.com/neophiliac)
+* Mahmoud Abdelkader (https://github.com/mahmoudimus)
+* Marcelo Anton (https://github.com/mbanton)
+* Maxim Kravets (https://github.com/zeelax)
+* Michael Frister (https://github.com/meeee)
+* Mohammed Naser (https://github.com/mnaser)
+* Roland von Ohlen (https://github.com/RockingRolli)
+* Sebastien Badia (https://github.com/sbadia)
+* Thomas Krille (https://github.com/tkrille)
+* https://github.com/teadur
diff --git a/roles/galaxy/Stouts.openvpn/LICENSE b/roles/galaxy/Stouts.openvpn/LICENSE
new file mode 100644
index 0000000..a89b814
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/LICENSE
@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Stouts
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
diff --git a/roles/galaxy/Stouts.openvpn/Makefile b/roles/galaxy/Stouts.openvpn/Makefile
new file mode 100644
index 0000000..658035a
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/Makefile
@@ -0,0 +1,20 @@
+.PHONY: release major minor patch
+
+VERSION?=minor
+release:
+ @bumpversion $(VERSION)
+ @git checkout master
+ @git merge develop
+ @git checkout develop
+ @git push --all
+ @git push --tags
+ @git checkout develop
+
+major:
+ make release VERSION=major
+
+minor:
+ make release VERSION=minor
+
+patch:
+ make release VERSION=patch
diff --git a/roles/galaxy/Stouts.openvpn/README.md b/roles/galaxy/Stouts.openvpn/README.md
new file mode 100644
index 0000000..78d9a63
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/README.md
@@ -0,0 +1,83 @@ +# Stouts.openvpn + +[![Build Status](http://img.shields.io/travis/Stouts/Stouts.openvpn.svg?style=flat-square)](https://travis-ci.org/Stouts/Stouts.openvpn) +[![Galaxy](http://img.shields.io/badge/galaxy-Stouts.openvpn-blue.svg?style=flat-square)](https://galaxy.ansible.com/Stouts/openvpn/) + +Ansible role that installs an openvpn server + +* Install and setup OpenVPN server +* Setup authentication + +## Requirements + +Previous versions of the role supported generating certificates and keys for the +OpenVPN server to use. Since version 3.0.0, such support has been removed and +the users of the role are expected to use some other way of generating +certificates/keys (eg using another Ansible role). See the example playbook for +an example. + +An EasyRSA role that was created specifically to compliment this role can be +found [here](https://github.com/nkakouros-original/ansible-role-easyrsa). + +## Supported platforms + +- Ubuntu 14.04 +- Ubuntu 16.04 +- Ubuntu 18.04 +- Debian 8 +- Debian 9 +- Centos 7 + +## Variables + +See [defaults/main.yml](defaults/main.yml) for a full list of variables together +with documentation on how to use them to configure this role. + +## Elastic Beats from monitoring +### Heartbeat monitor + +The role comes bundled with a [meta/monitors.yml](meta/monitors.yml) template +that can be used by [Heartbeat](https://www.elastic.co/products/beats/heartbeat) +to check if the OpenVPN server is up and running. The template can be +configured via variables (they should be self-explanatory). To use it, you can +use some Ansible tasks to upload it to your Heartbeat instance. 
For example: + +```yaml +- name: Add earth-kibana host + add_host: + name: heartbeat_instance + hostname: "{{ heartbeat.hostname }}" + ansible_host: "{{ heartbeat.ansible_host }}" + ansible_password: "{{ heartbeat.ansible_password }}" + ansible_user: "{{ heartbeat.ansible_user }}" + +- name: Upload role monitors + template: + src: "{{ item.1 + '/' + item.0 }}/meta/monitors.yml" + dest: "/etc/heartbeat/monitors.d/{{ inventory_hostname }}.{{ item.0.split('.')[-1] }}.yml" + when: (item.1 + '/' + item.0 + '/meta/monitors.yml') is file + loop: "{{ roles | product(lookup('config', 'DEFAULT_ROLES_PATH')) | list }}" + delegate_to: heartbeat_instance +``` + +### Filebeat input + +The role also includes a filebeat input file that can be uploaded to a filebeat +server. The input reads the OpenVPN log and reads the lines that correspond to +successful connections. The role includes an Elasticsearch ingest pipeline that +can be imported to Elasticsearch to parse and break the log lines into fields. +The files can be found under the `meta/` folder. + +## Example playbook + +See [molecule/default/playbook.yml](molecule/default/playbook.yml) for a working +example of how to use this role. + + +## License + +Licensed under the MIT License. See the LICENSE file for details. + +## Feedback, bug-reports, requests, ... + +...are [welcome](https://github.com/Stouts/Stouts.openvpn/issues)! diff --git a/roles/galaxy/Stouts.openvpn/defaults/main.yml b/roles/galaxy/Stouts.openvpn/defaults/main.yml new file mode 100644 index 0000000..72aed80 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/defaults/main.yml 
@@ -0,0 +1,229 @@
+---
+
+# This file contains fold markers (`{{{` and `}}}`). If you use an editor that
+# supports fold markers, you can use them to view this file in a pretty format.
+
+# Set to 'false' to completely disable the role
+openvpn_enabled: true
+
+# Installation {{{
+openvpn_use_external_repo: false
+# Set to 'true' to install openvpn from the upstream repo
+
+openvpn_etcdir: /etc/openvpn
+# The OpenVPN configuration directory
+
+openvpn_keydir: "{{ openvpn_etcdir }}/keys"
+# The directory where the keys will be found. This should be a pki folder from
+# easyrsa. Under this folder, the role will expect to find the pem keys and
+# certificates for:
+#
+# - the server (private/server.key and issued/server.crt)
+# - the clients (private/client-1.key, issued/client-2.crt, etc)
+# - the ca (issued/ca.crt)
+#
+# Also:
+# - the Diffie-Hellman parameters should be also located there (dh.pem)
+# - the CA certificate (ca.pem)
+#
+# You can generate these keys and certificates using another role. See the
+# README. Then you can simply point this variable to the pki folder of the
+# easyrsa installation and all keys/certificates will be located fine.
+# }}}
+# Server configuration {{{
+# Default settings (See OpenVPN documentation)
+openvpn_host: "{{ inventory_hostname }}"
+
+openvpn_port: '1194'
+openvpn_proto: udp
+openvpn_dev: tun
+openvpn_server: 10.8.0.0 255.255.255.0
+openvpn_bridge: {}
+openvpn_max_clients: 100
+openvpn_log: /var/log/openvpn.log
+openvpn_keepalive: "10 120"
+openvpn_ifconfig_pool_persist: ipp.txt
+openvpn_comp_lzo: true
+openvpn_cipher: BF-CBC
+openvpn_status: openvpn-status.log
+openvpn_verb: 3
+openvpn_user: nobody
+openvpn_group: nogroup
+openvpn_resolv_retry: infinite
+
+openvpn_server_options: []
+# Additional server options that are not covered by the above variables. 
For
+# instace:
+# openvpn_server_options:
+# - dev-node MyTap
+# - client-to-client
+# }}}
+# Management {{{
+openvpn_management_enable: false
+# Whether to enable the OpenVPN management server. For more information about
+# the management server, see
+# https://github.com/OpenVPN/openvpn/blob/master/doc/management-notes.txt
+
+openvpn_management_host: localhost
+openvpn_management_port: 7505
+# Set where the management server will listen on.
+
+openvpn_management_pass: ~
+# Set a password that will be required when connecting to the management server.
+# It is important to set a password if you expose the server to the public
+# internet via `openvpn_management_host`.
+# }}}
+# Networking {{{
+# Set to true to make the vpn server NAT incoming traffic
+openvpn_route_traffic: false
+
+# Whether to create an iptables rule to allow connections to the openvpn server.
+openvpn_open_firewall: true
+
+# The interface that traffic will come in from. This is used when creating
+# firewall rules to allow the vpn server to successfully forward traffic (see
+# `openvpn_route_traffic`). The interface you specify here will limit these
+# firewall rules only to that interface. Leave this None to have the rules apply
+# to any interface.
+openvpn_out_interface: ~
+
+# A list of ranges that you want the OpenVPN server to be able to forward
+# traffic for you. Traffic from your machine to these ranges will be NATed so
+# that your IP address is hidden.
+openvpn_nat_ranges:
+ - 0.0.0.0/0
+
+# The address that will become the source address of outgoing traffic from the
+# OpenVPN server. You would want this to be the address of
+# `openvpn_out_interface`, if you have also set that variable.
+openvpn_nat_address: "{{ ansible_facts.default_ipv4.address }}"
+
+# Network ranges that the connecting clients should try to reach using the VPN
+# connection. 
When connecting to the OpenVPN server, it will create routes on
+# your local machine, so that any traffic from your machine to these ranges,
+# will go through the OpenVPN server. This makes sense to be the same as
+# `openvpn_nat_ranges`, but you may want to use different values. Example:
+# openvpn_route_ranges:
+# - 192.168.0.0 255.255.255.0
+# - 192.168.10.0 255.255.255.0
+openvpn_route_ranges: []
+
+# DNS servers to push to the connecting client to avoid leaks via DNS queries.
+openvpn_dns_servers: []
+# }}}
+# Clients {{{
+openvpn_clients:
+ - client
+# Make clients certificate
+
+openvpn_clients_revoke: []
+# Revoke clients certificates
+
+openvpn_client_options: []
+# Additional client options. These will be placed in the ovpn files of all the
+# clients.
+# openvpn_client_options:
+# - dev-node MyTap
+# - client-to-client
+
+openvpn_unified_client_profiles: false
+# Whether to embed CA, cert, and key info inside client OVPN config file.
+
+openvpn_download_clients: false
+openvpn_download_dir: "client_credentials/"
+openvpn_download_extract: "{{ openvpn_download_clients }}"
+# Download the created client credentials as a zip to the specified directory on
+# the Ansible controller and, optionally, extract them.
+
+# Whether to allow communication among clients via the openvpn server.
+# Communication is still possible via the IP layer.
+openvpn_client_to_client: true
+
+# Whether to allow communication among clients via the IP layer. Communication
+# is still possible via the OpenVPN server itself (see
+# `openvpn_client_to_client`).
+openvpn_client_to_client_via_ip: false
+
+openvpn_ccd: /etc/openvpn/ccd/
+# The ccd (clients configuration directory). This will contain files with
+# configuration directives that the server will apply per connecting client.
+
+openvpn_ccd_configs: []
+# A list of configuration directives to be placed under the ccd for the
+# specified clients. 
For instance:
+#
+# - name: client
+# content: |
+# ifconfig-push 192.168.0.2 255.255.255.0
+#
+# The above will create a file named `client` under the ccd folder containing
+# the `ifconfig-push` directive. This will be applied to the `client` when it
+# connects to the openvpn server.
+# }}}
+# Authentication {{{
+# Use PAM authentication
+openvpn_use_pam: true
+openvpn_use_pam_users: []
+# Only for Debian-based, CentOS requires 'pam_pwdfile' from third party repos.
+# If empty use system users
+# otherwise use users from the option
+# openvpn_use_pam_users:
+# - { name: user, password: password }
+
+# LDAP authentication and configuration (optional)
+openvpn_use_ldap: false
+openvpn_ldap_tlsenable: 'false'
+openvpn_ldap_follow_referrals: 'false'
+
+# Use simple authentication (default is disabled)
+openvpn_simple_auth: false
+openvpn_simple_auth_password: ""
+
+# Enable HMAC signature to TLS handshakes
+openvpn_tls_auth: false
+openvpn_tls_key: "ta.key"
+# }}}
+# Scripting {{{
+# A list of directories that the role should create and that should be
+# accessible by the OpenVPN server to write into after it has dropped
+# privileges. The OpenVPN server should run with limited privileges, e.g. with
+# `openvpn_user` set to `nobody`. Such a user will not be able to access many
+# files and directories in the file system. This means that if you want one of
+# your scripts to write to some file (e.g. under `/var/log`), that file will
+# need to be writable by the OpenVPN server. The directories included in this
+# variable will be created by the role with permissions that will allow the
+# OpenVPN server to write into them, thus your scripts will be able to create
+# and write to files inside them. Example: [`/var/log/openvpn-script-out/`].
+openvpn_script_output_directories: []
+
+# A path on the OpenVPN server where OpenVPN scripts should be uploaded to. 
+openvpn_scripts_dir: "{{ openvpn_etcdir }}/scripts/"
+
+# A list of files located on the Ansible controller that the role should upload.
+# The scripts will be uploaded under `openvpn_scripts_dir`. You can reference
+# them in `openvpn_server_options` for the OpenVPN configuration option you
+# want. The files can be templates. The role comes with an example script (under
+# `templates/scripts/client-disconnect.sh.j2`) that will log client
+# disconnections. Eg:
+# ```
+# openvpn_script_files:
+# - "scripts/client-disconnect.sh.j2"
+# - "/home/me/ansible-stuff/script.sh"
+# ```
+openvpn_script_files: []
+
+# Similar to `openvpn_script_files` but contains a list of inline script to
+# upload. Example:
+# ```
+# openvpn_inline_scripts:
+# - name: my-up-script.sh
+# content: |
+# #!/usr/bin/env
+# echo 'Up!' >> "{{ openvpn_script_output_directories[0] }}/up.log"
+# ```
+openvpn_inline_scripts: []
+
+# NOTE The role also comes with `up` and `down` scripts that are used if you
+# enable bridge configuration (see `openvpn_bridge`). These are handled by the
+# bridge-specific tasks.
+# }}}
diff --git a/roles/galaxy/Stouts.openvpn/handlers/main.yml b/roles/galaxy/Stouts.openvpn/handlers/main.yml
new file mode 100644
index 0000000..7eec5fe
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/handlers/main.yml
@@ -0,0 +1,40 @@
+---
+
+- name: Restart networking (Debian)
+ service:
+ name: networking
+ state: restarted
+ listen: restart networking debian
+
+- name: Restart networking (RedHat)
+ service:
+ name: network
+ state: restarted
+ listen: restart networking redhat
+
+- name: Save iptables rules
+ block:
+ - name: Save iptable rules (RedHat)
+ command: iptables-save
+ when: ansible_os_family == "RedHat"
+ listen: openvpn save iptables
+
+ - name: Save iptable rules (Ubuntu Trusty)
+ command: /etc/init.d/iptables-persistent save
+ when:
+ - ansible_os_family == "Debian"
+ - ansible_lsb.codename == "trusty"
+ listen: openvpn save iptables
+
+ - name: Save the rules (Ubuntu)
+ command: netfilter-persistent save
+ when:
+ - ansible_os_family == "Debian"
+ - ansible_lsb.codename != "trusty"
+ listen: openvpn save iptables
+
+- name: Restart OpenVPN service
+ service:
+ name: "{{ openvpn_service }}"
+ state: restarted
+ listen: openvpn restart
diff --git a/roles/galaxy/Stouts.openvpn/meta/.galaxy_install_info b/roles/galaxy/Stouts.openvpn/meta/.galaxy_install_info
new file mode 100644
index 0000000..1d34fef
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/meta/.galaxy_install_info
@@ -0,0 +1,2 @@
+install_date: Sun Oct 4 16:33:19 2020
+version: 3.1.1
diff --git a/roles/galaxy/Stouts.openvpn/meta/main.yml b/roles/galaxy/Stouts.openvpn/meta/main.yml
new file mode 100644
index 0000000..e77d837
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/meta/main.yml
@@ -0,0 +1,25 @@
+---
+
+galaxy_info:
+ author: klen
+ company: Stouts
+ description: Manage OpenVPN server
+ min_ansible_version: 2.4
+ license: MIT
+ platforms:
+ - name: Ubuntu
+ versions:
+ - trusty
+ - xenial
+ - bionic
+ - name: EL
+ versions:
+ - 7
+ - name: Debian
+ versions:
+ - jessie
+ - stretch
+ galaxy_tags:
+ - system
+ - networking
+dependencies: []
diff --git a/roles/galaxy/Stouts.openvpn/molecule/default/Dockerfile.j2 b/roles/galaxy/Stouts.openvpn/molecule/default/Dockerfile.j2
new file mode 100644
index 0000000..0a60553
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/molecule/default/Dockerfile.j2
@@ -0,0 +1,14 @@
+# Molecule managed
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python2-dnf bash && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates && xbps-remove -O; fi
diff --git a/roles/galaxy/Stouts.openvpn/molecule/default/INSTALL.rst b/roles/galaxy/Stouts.openvpn/molecule/default/INSTALL.rst
new file mode 100644
index 0000000..b42edf5
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/molecule/default/INSTALL.rst
@@ -0,0 +1,16 @@
+*******
+Docker driver installation guide
+*******
+
+Requirements
+============
+
+* General molecule dependencies (see https://molecule.readthedocs.io/en/latest/installation.html)
+* Docker Engine
+* docker-py
+* docker
+
+Install
+=======
+
+ $ sudo pip install docker-py
diff --git a/roles/galaxy/Stouts.openvpn/molecule/default/converge.yml b/roles/galaxy/Stouts.openvpn/molecule/default/converge.yml
new file mode 100644
index 0000000..a7c008b
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/molecule/default/converge.yml
@@ -0,0 +1,46 @@
+---
+- name: Converge
+ hosts: all
+ vars:
+ # EasyRSA
+ easyrsa_generate_dh: true
+ easyrsa_servers:
+ - name: server
+ easyrsa_clients:
+ - name: client1
+ - name: client2
+ easyrsa_pki_dir: /etc/easyrsa/pki
+
+ # OpenVPN
+ openvpn_keydir: "{{ easyrsa_pki_dir }}"
+ openvpn_clients: "{{ easyrsa_clients | map(attribute='name') | list }}"
+ openvpn_download_dir: /tmp/
+ openvpn_ccd_configs:
+ - name: client1
+ content: '# pass'
+ - name: client2
+ content: '# pass'
+
+ ## scripting
+ openvpn_script_output_directories:
+ - /var/log/openvpn-script-out/
+
+ openvpn_script_files:
+ - scripts/client-disconnect.sh.j2
+
+ openvpn_inline_scripts:
+ - name: my-up-script.sh
+ content: |
+ #!/usr/bin/env
+ echo 'Up!' >> "/var/up.log"
+
+ # Enabled them
+ openvpn_download_clients: false
+ openvpn_open_firewall: false
+ openvpn_route_traffic: false
+ openvpn_unified_client_profiles: false
+ openvpn_management_enable: false
+ openvpn_client_to_client_via_ip: false
+ roles:
+ - role: nkakouros.easyrsa
+ - role: Stouts.openvpn
diff --git a/roles/galaxy/Stouts.openvpn/molecule/default/molecule.yml b/roles/galaxy/Stouts.openvpn/molecule/default/molecule.yml
new file mode 100644
index 0000000..919d1d3
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/molecule/default/molecule.yml
@@ -0,0 +1,31 @@ +--- + +dependency: + name: galaxy +driver: + name: docker +lint: | + set -e + yamllint --config-file molecule/default/yamllint.yml . + ansible-lint --exclude=meta/beats +platforms: + - name: "instance-${MOLECULE_DISTRO:-ubuntu1604}" + image: "geerlingguy/docker-${MOLECULE_DISTRO:-ubuntu1604}-ansible:latest" + command: ${MOLECULE_INIT_CMD-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:ro + sysctls: + net.ipv4.ip_forward: 1 + privileged: true + pre_build_image: true +provisioner: + name: ansible + options: + vvv: true + env: + IN_MOLECULE: 'true' +scenario: + name: default +verifier: + name: testinfra + enabled: false diff --git a/roles/galaxy/Stouts.openvpn/molecule/default/prepare.yml b/roles/galaxy/Stouts.openvpn/molecule/default/prepare.yml new file mode 100644 index 0000000..ee18a42 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/molecule/default/prepare.yml @@ -0,0 +1,8 @@ +--- + +- name: Prepare + hosts: all + become: true + tasks: + - include_role: + name: geerlingguy.git diff --git a/roles/galaxy/Stouts.openvpn/molecule/default/requirements.yml b/roles/galaxy/Stouts.openvpn/molecule/default/requirements.yml new file mode 100644 index 0000000..6b5bdbd --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/molecule/default/requirements.yml @@ -0,0 +1,4 @@ +--- + +- src: geerlingguy.git +- src: nkakouros.easyrsa diff --git a/roles/nkakouros.easyrsa/molecule/default/tests/test_default.py b/roles/galaxy/Stouts.openvpn/molecule/default/tests/test_default.py similarity index 100% rename from roles/nkakouros.easyrsa/molecule/default/tests/test_default.py rename to roles/galaxy/Stouts.openvpn/molecule/default/tests/test_default.py diff --git a/roles/galaxy/Stouts.openvpn/molecule/default/yamllint.yml b/roles/galaxy/Stouts.openvpn/molecule/default/yamllint.yml new file mode 100644 index 0000000..5d0abbb --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/molecule/default/yamllint.yml 
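Review bot: Both role dependencies in requirements.yml are unpinned, so every `molecule dependency` run pulls whatever `geerlingguy.git` and `nkakouros.easyrsa` currently publish on Galaxy, and the test baseline for a role that issues VPN credentials can change (or be tampered with) without any diff in this repo. Pin each entry with a `version:` tag matching what the role was developed against, e.g. `- src: nkakouros.easyrsa` followed by `  version: "X.Y.Z"`. The same applies to the `geerlingguy/docker-*-ansible:latest` image tag in molecule.yml above, which is otherwise a moving target for the privileged test container.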
@@ -0,0 +1,56 @@ +--- + +rules: + braces: + min-spaces-inside: 1 + max-spaces-inside: 1 + min-spaces-inside-empty: 0 + max-spaces-inside-empty: 0 + brackets: + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: 0 + max-spaces-inside-empty: 0 + colons: + max-spaces-before: 0 + max-spaces-after: 1 + commas: + max-spaces-before: 0 + min-spaces-after: 1 + max-spaces-after: 1 + comments: + require-starting-space: true + min-spaces-from-content: 2 + comments-indentation: enable + document-end: disable + document-start: + present: true + empty-lines: + max: 2 + max-start: 0 + max-end: 1 + empty-values: + forbid-in-block-mappings: true + forbid-in-flow-mappings: true + hyphens: + max-spaces-after: 1 + indentation: + spaces: 2 + indent-sequences: true + check-multi-line-strings: false + key-duplicates: enable + key-ordering: disable + line-length: + max: 100 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: false + new-line-at-end-of-file: enable + new-lines: + type: unix + octal-values: + forbid-implicit-octal: true + forbid-explicit-octal: false + trailing-spaces: enable + truthy: + level: warning + diff --git a/roles/galaxy/Stouts.openvpn/tasks/assertions.yml b/roles/galaxy/Stouts.openvpn/tasks/assertions.yml new file mode 100644 index 0000000..08d431a --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/assertions.yml @@ -0,0 +1,7 @@ +--- + +- name: Check OS is supported + assert: + that: + - "ansible_os_family in ['Debian', 'RedHat']" + msg: "{{ ansible_os_family }} is not supported" diff --git a/roles/galaxy/Stouts.openvpn/tasks/authentication/ldap.yml b/roles/galaxy/Stouts.openvpn/tasks/authentication/ldap.yml new file mode 100644 index 0000000..430fa7a --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/authentication/ldap.yml @@ -0,0 +1,7 @@ +--- + +- name: Setup LDAP + template: + src: authentication/auth-ldap.conf.j2 + dest: /etc/openvpn/auth-ldap.conf + when: openvpn_use_ldap | bool 
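Review bot: `Setup LDAP` renders `auth-ldap.conf` with no `owner`/`group`/`mode`, and the template it renders (templates/authentication/auth-ldap.conf.j2) embeds `Password {{ openvpn_ldap_bind_password }}` in cleartext, so under the default umask the LDAP bind credential ends up world-readable. Add `owner: root` and `mode: 0o600` if the plugin reads its config before OpenVPN drops privileges; if it turns out to read it afterwards, `group: "{{ openvpn_group }}"` with `mode: 0o640` is the widest you should go. The task also hard-codes `/etc/openvpn/` while every sibling task uses `{{ openvpn_etcdir }}`; `dest: "{{ openvpn_etcdir }}/auth-ldap.conf"` keeps the paths consistent, provided server.conf.j2 points the plugin at the same location.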
diff --git a/roles/galaxy/Stouts.openvpn/tasks/authentication/pam.yml b/roles/galaxy/Stouts.openvpn/tasks/authentication/pam.yml new file mode 100644 index 0000000..6b40457 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/authentication/pam.yml @@ -0,0 +1,15 @@ +--- + +- name: Setup PAM + template: + src: authentication/openvpn.pam.j2 + dest: /etc/pam.d/openvpn + when: openvpn_use_pam | bool + +- name: Configure users + htpasswd: + path: "{{ openvpn_etcdir }}/users" + name: "{{ item.name }}" + password: "{{ item.password }}" + crypt_scheme: des_crypt + loop: "{{ openvpn_use_pam_users }}" diff --git a/roles/galaxy/Stouts.openvpn/tasks/authentication/simple.yml b/roles/galaxy/Stouts.openvpn/tasks/authentication/simple.yml new file mode 100644 index 0000000..654694f --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/authentication/simple.yml @@ -0,0 +1,11 @@ +--- + +- name: Setup simple authentication + template: + src: authentication/auth-client.sh.j2 + dest: "{{ openvpn_etcdir }}/auth-client.sh" + mode: 0o755 + when: + - openvpn_simple_auth | bool + - openvpn_simple_auth_password | bool + notify: openvpn restart diff --git a/roles/galaxy/Stouts.openvpn/tasks/authentication/tls.yml b/roles/galaxy/Stouts.openvpn/tasks/authentication/tls.yml new file mode 100644 index 0000000..1439a58 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/authentication/tls.yml @@ -0,0 +1,8 @@ +--- + +- name: Generate tls-auth key + command: + openvpn --genkey --secret "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}" + args: + creates: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}" + when: openvpn_tls_auth diff --git a/roles/galaxy/Stouts.openvpn/tasks/core/clients.yml b/roles/galaxy/Stouts.openvpn/tasks/core/clients.yml new file mode 100644 index 0000000..30b6bc4 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/core/clients.yml 
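Review bot: `Configure users` hashes every `openvpn_use_pam_users` password with `crypt_scheme: des_crypt`, which silently truncates passwords to 8 characters and uses a 12-bit salt, so the resulting `{{ openvpn_etcdir }}/users` file is trivially brute-forceable if it leaks. Use `crypt_scheme: md5_crypt` at minimum (supported by every pam_pwdfile release) or `sha512_crypt` if the packaged pam_pwdfile defers to the system crypt(3), and give the file `mode: 0o640` with `group: "{{ openvpn_group }}"` instead of the umask default, since pam_pwdfile reads it inside the OpenVPN process. The task is also unguarded — it runs whenever pam.yml is included, unlike `Setup PAM` which checks `openvpn_use_pam | bool` — and the loop echoes each item, including `item.password`, in verbose output and on failure, so add `no_log: true`.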
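Review bot: The second condition in `Setup simple authentication`, `openvpn_simple_auth_password | bool`, casts the password string to a boolean, and Ansible's `bool` filter only treats yes/no/true/false-style strings as true, so any real password evaluates to false (newer ansible-core rejects the conversion outright) and the auth script is never deployed. The intent is presumably a non-empty check; `openvpn_simple_auth_password | default('') | length > 0` expresses that. Separately, `mode: 0o755` makes a script that embeds the shared password readable by every local account; `mode: 0o750` with `owner: root` and `group: "{{ openvpn_group }}"` is enough for OpenVPN to execute it after dropping privileges.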
@@ -0,0 +1,69 @@ +--- + +- name: Generate client configurations + template: + src: client.conf.j2 + dest: "{{ openvpn_etcdir }}/ovpns/{{ item }}.ovpn" + loop: "{{ openvpn_clients }}" + register: openvpn_clients_changed + +- name: Pack clients + command: >- + zip -j + {{ item }}.zip + {{ openvpn_keydir }}/issued/{{ item }}.crt + {{ openvpn_keydir }}/private/{{ item }}.key + {{ item }}.ovpn + {{ openvpn_keydir }}/ca.crt + {{ openvpn_tls_key if openvpn_tls_auth else '' }} + loop: "{{ openvpn_clients }}" + loop_control: + index_var: index + args: + chdir: "{{ openvpn_etcdir }}/ovpns/" + when: openvpn_clients_changed.results[index] is changed + +- name: Download client credentials + fetch: + src: "{{ openvpn_etcdir }}/ovpns/{{ item }}.zip" + dest: "{{ openvpn_download_dir }}" + flat: true + validate_checksum: true + loop: "{{ openvpn_clients }}" + loop_control: + index_var: index + when: openvpn_download_clients | bool + tags: openvpn-download + +- name: Extract client credentials + unarchive: + src: "{{ openvpn_download_dir }}/{{ item }}.zip" + dest: "{{ openvpn_download_dir }}" + loop: "{{ openvpn_clients }}" + become: false + when: + - openvpn_download_clients | bool + - openvpn_download_extract | bool + delegate_to: localhost + tags: openvpn-download + +- name: Create ccd directory + file: + path: "{{ openvpn_ccd }}" + state: directory + +- name: Upload ccd configs + copy: + content: "{{ item.content }}" + dest: "{{ openvpn_ccd }}/{{ item.name }}" + loop: "{{ openvpn_ccd_configs }}" + +- name: Disable client-to-client at the IP layer + iptables: + chain: FORWARD + in_interface: "{{ openvpn_dev }}+" + out_interface: "{{ openvpn_dev }}+" + jump: "{{ openvpn_client_to_client_via_ip | ternary('ALLOW', 'DROP') }}" + comment: drop-client-to-client + notify: openvpn save iptables + when: openvpn_client_to_client_via_ip | bool 
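Review bot: `Disable client-to-client at the IP layer` never installs the DROP rule its name promises: `jump` yields `ALLOW` when `openvpn_client_to_client_via_ip` is true, which is not a valid iptables target and makes the task fail, and the task's `when:` skips it entirely when the flag is false, the only case in which `DROP` would be chosen. Remove the `when:` and use `jump: "{{ openvpn_client_to_client_via_ip | ternary('ACCEPT', 'DROP') }}"` so the rule is managed in both states. Note also that routing.yml runs earlier in openvpn.yml and appends `forward_tun_tap` (in_interface `tun+`, out_interface omitted when `openvpn_out_interface` is unset), which would match tun-to-tun traffic before an appended DROP; `action: insert` on this rule avoids that ordering problem. The zips built by `Pack clients` bundle each client's private key and the shared tls-auth key into `{{ openvpn_etcdir }}/ovpns/`, a directory configure.yml creates without a `mode`, so consider tightening it to `0o700` or giving the zip step an explicit `umask`.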
diff --git a/roles/galaxy/Stouts.openvpn/tasks/core/configure.yml b/roles/galaxy/Stouts.openvpn/tasks/core/configure.yml new file mode 100644 index 0000000..6916598 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/core/configure.yml @@ -0,0 +1,27 @@ +--- + +- name: Ensure openvpn key dir has the right permission + file: + path: "{{ openvpn_keydir }}" + state: directory + mode: 0o700 + owner: "{{ openvpn_user }}" + +- name: Check if crl.pem exists + stat: + path: "{{ openvpn_keydir }}/crl.pem" + register: crl_pem_file + +- name: Configure server + template: + src: server.conf.j2 + dest: "{{ openvpn_etcdir }}/server.conf" + notify: openvpn restart + +# Needed by both tls-authentication tasks and client-configuration tasks. Placed +# here to avoid repeating it twice in both places where the tls and +# client-config tasks are located. +- name: Create client configuration directory + file: + path: "{{ openvpn_etcdir }}/ovpns" + state: directory diff --git a/roles/galaxy/Stouts.openvpn/tasks/core/install/Debian.yml b/roles/galaxy/Stouts.openvpn/tasks/core/install/Debian.yml new file mode 100644 index 0000000..80f5810 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/core/install/Debian.yml 
@@ -0,0 +1,46 @@ +--- + +- name: Add OpenVPN repo GPG key + apt_key: + id: E158C569 + url: https://swupdate.openvpn.net/repos/repo-public.gpg + when: openvpn_use_external_repo | bool + +- name: Add OpenVPN repo sources + apt_repository: + filename: openvpn + repo: deb http://swupdate.openvpn.net/apt "{{ ansible_lsb.codename }}" main + when: openvpn_use_external_repo | bool + +- name: Install requirements + apt: + name: "{{ requirements }}" + update_cache: true + force: true + vars: + requirements: + - openvpn + - udev + - openssl + - zip + +- name: Install PAM dependencies + apt: + name: "{{ dependencies }}" + force: true + when: openvpn_use_pam_users | length > 0 + vars: + dependencies: + - libpam-pwdfile + - python-passlib + +- name: Install LDAP dependencies + apt: + name: openvpn-auth-ldap + force: true + when: openvpn_use_ldap | bool + +- name: Install bridge dependencies + apt: + name: bridge-utils + when: openvpn_bridge | bool diff --git a/roles/galaxy/Stouts.openvpn/tasks/core/install/RedHat.yml b/roles/galaxy/Stouts.openvpn/tasks/core/install/RedHat.yml new file mode 100644 index 0000000..c56f20d --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/core/install/RedHat.yml @@ -0,0 +1,26 @@ +--- + +- name: Install requirements + yum: + name: "{{ requirements }}" + update_cache: true + vars: + requirements: + - openvpn + - openssl + - zip + +- name: Install PAM dependencies + yum: + name: python-passlib + when: openvpn_use_pam_users | length > 0 + +- name: Install LDAP dependencies + yum: + name: openvpn-auth-ldap + when: openvpn_use_ldap | bool + +- name: Install bridge dependencies + yum: + name: bridge-utils + when: openvpn_bridge| bool diff --git a/roles/galaxy/Stouts.openvpn/tasks/core/management.yml b/roles/galaxy/Stouts.openvpn/tasks/core/management.yml new file mode 100644 index 0000000..3f0396b --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/core/management.yml 
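Review bot: `Install requirements`, `Install PAM dependencies` and `Install LDAP dependencies` all pass `force: true` to the apt module, which maps to `apt-get --force-yes` and implies `allow_unauthenticated`, i.e. it disables package signature verification for exactly the packages pulled from the third-party `swupdate.openvpn.net` repo added just above. That makes the GPG key import largely pointless; remove `force: true` and, if a specific downgrade or conflict case needed it, use the narrower `dpkg_options`/`allow_downgrade` knobs instead. The repo key is pinned by the 8-hex short id `E158C569`; prefer the full fingerprint in `id:` so the downloaded key is checked against something collision-resistant, and use `https://` in the `repo:` line since the same host is already reached over TLS for the key.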
@@ -0,0 +1,28 @@ +--- + +- name: Create management password file + copy: + content: "{{ openvpn_management_pass }}" + dest: "{{ openvpn_etcdir }}/mgmt.pw" + owner: "{{ openvpn_user }}" + group: "{{ openvpn_group }}" + mode: 0o400 + when: openvpn_management_pass != None + no_log: >- + {{ + lookup('env', 'IN_MOLECULE') + | default(false, true) + | ternary(false, true) + }} + +- name: Add management directive to OpenVPN config + set_fact: + openvpn_server_options: + "{{ openvpn_server_options + _mgmt_option }}" + vars: + _mgmt_option: + - "management {{ + openvpn_management_host }} {{ + openvpn_management_port }} {{ + openvpn_etcdir + '/mgmt.pw' if openvpn_management_pass != None else '' + }}" diff --git a/roles/galaxy/Stouts.openvpn/tasks/core/read-client-files.yml b/roles/galaxy/Stouts.openvpn/tasks/core/read-client-files.yml new file mode 100644 index 0000000..362b9e6 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/core/read-client-files.yml 
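Review bot: When `openvpn_management_pass` is `None`, `Add management directive to OpenVPN config` emits `management HOST PORT` with no password file, so the management interface — which can kill sessions, change logging and, with `client-auth`, influence authentication decisions — listens unauthenticated on `openvpn_management_host`. The defaults are not visible in this diff, but the heartbeat monitors in this role connect to the management port over TCP from another host, so a non-loopback bind is clearly anticipated. Add an assertion next to the existing OS check, e.g. `that: openvpn_management_pass != None or openvpn_management_host in ['127.0.0.1', '::1', 'localhost']`, or default to a unix socket path so the password-less case is only ever local.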
@@ -0,0 +1,52 @@ +--- +- name: Read CA file + command: cat "{{ openvpn_keydir }}/ca.crt" + no_log: true + register: openvpn_read_ca_file_results + changed_when: false + +- name: Read TLS-auth key + slurp: + src: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}" + no_log: true + register: openvpn_read_tlsauth_file_results + changed_when: false + when: openvpn_tls_auth + +- name: Read client cert files + command: >- + sed -n + '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' + {{ openvpn_keydir }}/issued/{{ item }}.crt + args: + warn: false + no_log: true + changed_when: false + register: openvpn_read_client_cert_files_results + loop: "{{ openvpn_clients }}" + +- name: Read client key files + command: cat {{ openvpn_keydir }}/private/{{ item }}.key + no_log: true + changed_when: false + register: openvpn_read_client_key_files_results + loop: "{{ openvpn_clients }}" + +- name: Set client cert and CA info as fact + set_fact: + openvpn_ca_file_contents: + "{{ openvpn_read_ca_file_results.stdout }}" + openvpn_client_cert_output: + "{{ openvpn_read_client_cert_files_results.results }}" + openvpn_client_keys_output: + "{{ openvpn_read_client_key_files_results.results }}" + +- name: Set tls auth file contents as fact + set_fact: + openvpn_tls_auth_file_contents: >- + {{ + openvpn_read_tlsauth_file_results['content'] + | b64decode + | default('') + }} + when: openvpn_tls_auth diff --git a/roles/galaxy/Stouts.openvpn/tasks/main.yml b/roles/galaxy/Stouts.openvpn/tasks/main.yml new file mode 100644 index 0000000..f2a1f42 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/main.yml @@ -0,0 +1,5 @@ +--- + +- import_tasks: openvpn.yml + when: openvpn_enabled | bool + tags: openvpn diff --git a/roles/galaxy/Stouts.openvpn/tasks/openvpn.yml b/roles/galaxy/Stouts.openvpn/tasks/openvpn.yml new file mode 100644 index 0000000..28a1965 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/openvpn.yml 
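Review bot: `Set client cert and CA info as fact` and `Set tls auth file contents as fact` have no `no_log`, so the private keys that the preceding tasks carefully read with `no_log: true` are printed in full by `set_fact` at `-v` (molecule.yml runs with `vvv: true`), and they persist on the controller if fact caching is enabled. Add `no_log: true` to both `set_fact` tasks. `openvpn_client_keys_output` also stores the whole command result (cmd, stdout, stderr) rather than just the key text; mapping to `stdout` here, as client.conf.j2 does later, limits where key material lives. Reading the keys with `slurp`, as the TLS-auth task does, instead of `command: cat {{ ... }}` would be consistent and avoids argument splitting on an unquoted `{{ item }}`.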
@@ -0,0 +1,47 @@ +--- + +- include_tasks: variables.yml + +- include_tasks: assertions.yml + +- include_tasks: "core/install/{{ ansible_os_family }}.yml" + +- include_tasks: core/management.yml + when: openvpn_management_enable | bool + +- include_tasks: core/configure.yml + +- include_tasks: system/forwarding.yml + +- include_tasks: system/firewall-deps.yml + when: + openvpn_open_firewall | bool + or openvpn_route_traffic | bool + or openvpn_client_to_client_via_ip | bool + +- include_tasks: system/firewall-open.yml + when: openvpn_open_firewall | bool + +- include_tasks: system/routing.yml + when: openvpn_route_traffic | bool + +- include_tasks: core/read-client-files.yml + when: openvpn_unified_client_profiles + +- include_tasks: authentication/ldap.yml + +- include_tasks: authentication/pam.yml + +- include_tasks: authentication/simple.yml + +- include_tasks: authentication/tls.yml + +- import_tasks: core/clients.yml + +- include_tasks: scripts.yml + +- include_tasks: "system/bridge/{{ ansible_os_family }}.yml" + +- include_tasks: "system/bridge/{{ ansible_os_family }}.yml" + +- include_tasks: service.yml diff --git a/roles/galaxy/Stouts.openvpn/tasks/scripts.yml b/roles/galaxy/Stouts.openvpn/tasks/scripts.yml new file mode 100644 index 0000000..9244054 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/scripts.yml 
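Review bot: `include_tasks: "system/bridge/{{ ansible_os_family }}.yml"` appears twice in a row near the end of openvpn.yml, so the bridge tasks run and notify the networking restart handler twice per play; remove the duplicate line. The authentication includes (`ldap.yml`, `pam.yml`, `simple.yml`) are unconditional here and rely on per-task `when:` guards inside each file, which pam.yml's `Configure users` task lacks; guarding them here with `when: openvpn_use_pam | bool` (and the ldap/simple equivalents) is a cheaper and more uniform gate. `when: openvpn_unified_client_profiles` also skips the `| bool` cast that the rest of this file applies.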
@@ -0,0 +1,32 @@ +--- + +- name: Create directories for the scripts to write into + file: + path: "{{ item }}" + state: directory + # The openvpn user (the 'other') needs to write and execute the script dirs. + mode: 0o753 + loop: "{{ openvpn_script_output_directories }}" + +- name: Create scripts directory + file: + path: "{{ openvpn_scripts_dir }}" + state: directory + +- name: Upload script files + template: + src: "{{ item }}" + dest: "{{ openvpn_scripts_dir }}/{{ item | basename | replace('.j2', '') }}" + owner: "{{ openvpn_user }}" + group: "{{ openvpn_group }}" + mode: 0o744 + loop: "{{ openvpn_script_files }}" + +- name: Upload inline scripts + copy: + content: "{{ item.content }}" + dest: "{{ openvpn_scripts_dir }}/{{ item.name }}" + owner: "{{ openvpn_user }}" + group: "{{ openvpn_group }}" + mode: 0o744 + loop: "{{ openvpn_inline_scripts }}" diff --git a/roles/galaxy/Stouts.openvpn/tasks/service.yml b/roles/galaxy/Stouts.openvpn/tasks/service.yml new file mode 100644 index 0000000..a4507bb --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/service.yml @@ -0,0 +1,7 @@ +--- + +- name: Ensure OpenVPN is started + service: + name: "{{ openvpn_service }}" + state: started + enabled: true diff --git a/roles/galaxy/Stouts.openvpn/tasks/system/bridge/Debian.yml b/roles/galaxy/Stouts.openvpn/tasks/system/bridge/Debian.yml new file mode 100644 index 0000000..cca7ee3 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/system/bridge/Debian.yml @@ -0,0 +1,16 @@ +--- + +- name: Setup bridge + template: + src: bridge/bridge-interface.deb.j2 + dest: "/etc/network/interfaces.d/{{ openvpn_dev }}" + when: + - openvpn_bridge is defined + - openvpn_bridge | length > 0 + notify: restart networking debian + +- name: Remove interface configuration for "{{ openvpn_dev }}" + file: + path: "/etc/network/interfaces.d/{{ openvpn_dev }}" + state: absent + when: openvpn_bridge is not defined or openvpn_bridge | length == 0 
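Review bot: `Create directories for the scripts to write into` sets `mode: 0o753`, which makes every script output directory world-writable (without the sticky bit) so that the OpenVPN runtime user can create files there. Any local account can then pre-create `disconnect.log` as a symlink, and `client-disconnect.sh`, which does `echo ... >>` into that path, will follow it with whatever privileges OpenVPN runs scripts under (root if `user`/`group` are not set in server.conf, which is not visible here). Give the directory to the service account instead — `owner: "{{ openvpn_user }}"`, `group: "{{ openvpn_group }}"`, `mode: 0o750` — matching the ownership the script upload tasks below already apply, and update the comment accordingly.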
diff --git a/roles/galaxy/Stouts.openvpn/tasks/system/bridge/RedHat.yml b/roles/galaxy/Stouts.openvpn/tasks/system/bridge/RedHat.yml new file mode 100644 index 0000000..8444889 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/system/bridge/RedHat.yml @@ -0,0 +1,29 @@ +--- + +- block: + - name: Setup up script + template: + src: bridge/up.sh.j2 + dest: "{{ openvpn_scripts_dir }}/up.sh" + mode: o+x + + - name: Setup down script + template: + src: bridge/down.sh.j2 + dest: "{{ openvpn_scripts_dir }}/down.sh" + mode: o+x + + - name: Setup bridge + template: + src: bridge/bridge-interface.rh.j2 + dest: "/etc/sysconfig/network-scripts/ifcfg-br-{{ openvpn_dev }}" + when: + - openvpn_bridge is defined + - openvpn_bridge | length > 0 + notify: restart networking redhat + +- name: Remove interface configuration for "{{ openvpn_dev }}" + file: + path: "/etc/sysconfig/network-scripts/ifcfg-br-{{ openvpn_dev }}" + state: absent + when: openvpn_bridge is not defined or openvpn_bridge | length == 0 diff --git a/roles/galaxy/Stouts.openvpn/tasks/system/firewall-deps.yml b/roles/galaxy/Stouts.openvpn/tasks/system/firewall-deps.yml new file mode 100644 index 0000000..27aa198 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/system/firewall-deps.yml 
@@ -0,0 +1,31 @@ +--- + +- name: Install firewall dependencies (Debian) + apt: + name: "{{ packages }}" + when: ansible_os_family == "Debian" + vars: + packages: + - iptables + - iptables-persistent + +- name: Install more firewall deps + apt: + name: module-init-tools + when: ansible_distribution_release == 'jessie' + +- name: Read existing iptable rules + shell: iptables -L + tags: + # Ansible Lint complains about using shell instead of the iptables_module + - skip_ansible_lint + register: iptables_rules + changed_when: false + +- name: Read existing iptable rules (nat table) + shell: iptables -L -t nat + tags: + # Ansible Lint complains about using shell instead of the iptables_module + - skip_ansible_lint + register: iptables_nat_rules + changed_when: false diff --git a/roles/galaxy/Stouts.openvpn/tasks/system/firewall-open.yml b/roles/galaxy/Stouts.openvpn/tasks/system/firewall-open.yml new file mode 100644 index 0000000..e08e813 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/system/firewall-open.yml @@ -0,0 +1,13 @@ +--- + +- name: Allow connections to the OpenVPN server + iptables: + chain: INPUT + in_interface: "{{ openvpn_out_interface | default(omit, true) }}" + ctstate: NEW + protocol: "{{ openvpn_proto }}" + destination_port: "{{ openvpn_port }}" + jump: ACCEPT + comment: incoming_openvpn + notify: openvpn save iptables + when: iptables_rules.stdout.find("incoming_openvpn") == -1 diff --git a/roles/galaxy/Stouts.openvpn/tasks/system/forwarding.yml b/roles/galaxy/Stouts.openvpn/tasks/system/forwarding.yml new file mode 100644 index 0000000..5690068 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/system/forwarding.yml @@ -0,0 +1,10 @@ +--- + +- name: Set ip forwarding in the sysctl file and reload if necessary + sysctl: + name: net.ipv4.ip_forward + value: '1' + sysctl_set: true + state: present + reload: true + when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool 
diff --git a/roles/galaxy/Stouts.openvpn/tasks/system/routing.yml b/roles/galaxy/Stouts.openvpn/tasks/system/routing.yml new file mode 100644 index 0000000..7bdd6e5 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/system/routing.yml @@ -0,0 +1,40 @@ +--- + +- name: Allow forwarding from tun/tap to interface + iptables: + chain: FORWARD + in_interface: "{{ openvpn_dev }}+" + out_interface: "{{ openvpn_out_interface | default(omit, true) }}" + jump: ACCEPT + comment: forward_tun_tap + notify: openvpn save iptables + when: iptables_rules.stdout.find("forward_tun_tap") == -1 + +- name: Allow forwarding from interface to tun/tap + iptables: + chain: FORWARD + in_interface: "{{ openvpn_out_interface | default(omit, true) }}" + out_interface: "{{ openvpn_dev }}+" + jump: ACCEPT + comment: forward_reverse + notify: openvpn save iptables + when: iptables_rules.stdout.find("forward_reverse") == -1 + +- name: Allow NATing outgoing vpn traffic + iptables: + table: nat + chain: POSTROUTING + source: >- + {{ + openvpn_server + | regex_replace('^(?P.+)\s+(?P.+)$', '\g/\g') + | ipaddr('net') + }} + destination: "{{ item }}" + out_interface: "{{ openvpn_out_interface | default(omit, true) }}" + jump: SNAT + to_source: "{{ openvpn_nat_address }}" + comment: vpn_masquerade + loop: "{{ openvpn_nat_ranges }}" + when: iptables_nat_rules.stdout.find("vpn_masquerade") == -1 + notify: openvpn save iptables diff --git a/roles/galaxy/Stouts.openvpn/tasks/variables.yml b/roles/galaxy/Stouts.openvpn/tasks/variables.yml new file mode 100644 index 0000000..b08e713 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/tasks/variables.yml @@ -0,0 +1,15 @@ +--- + +- name: Include OS-specific variables. + include_vars: + file: "{{ lookup('first_found', params) }}" + vars: + params: + files: + - "{{ ansible_distribution }}.{{ + ansible_lsb.codename | default(omit) }}.yml" + - "{{ ansible_distribution }}.yml" + - "{{ ansible_os_family }}.yml" + - "Common-default.yml" + paths: + - 'vars/os' 
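Review bot: `Allow forwarding from interface to tun/tap` accepts every packet from `openvpn_out_interface` into `{{ openvpn_dev }}+` with no connection-state match, so anything the outside network can route toward the VPN subnet reaches clients directly, not just replies to their own traffic. Behind SNAT that subnet is usually unreachable from the internet, but hosts on the same LAN segment or any network with a route to it are not filtered at all; add `ctstate: ESTABLISHED,RELATED` to the `forward_reverse` rule. The `when: iptables_rules.stdout.find(...) == -1` guards are redundant with the iptables module's own idempotence and hide parameter changes — a new `openvpn_out_interface` or `openvpn_nat_address` is never applied while any rule with the same comment exists — so consider dropping them.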
diff --git a/roles/galaxy/Stouts.openvpn/templates/authentication/auth-client.sh.j2 b/roles/galaxy/Stouts.openvpn/templates/authentication/auth-client.sh.j2 new file mode 100644 index 0000000..fbfab3e --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/authentication/auth-client.sh.j2 @@ -0,0 +1,9 @@ +#!/bin/bash + +if [[ "$password" == "{{ openvpn_simple_auth_password }}" ]]; then + R="0" +else + R="1" +fi + +exit $R diff --git a/roles/galaxy/Stouts.openvpn/templates/authentication/auth-ldap.conf.j2 b/roles/galaxy/Stouts.openvpn/templates/authentication/auth-ldap.conf.j2 new file mode 100644 index 0000000..5d49641 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/authentication/auth-ldap.conf.j2 
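Review bot: The script authenticates on `$password` alone — `$username` is never examined — so `openvpn_simple_auth_password` is a single shared secret for all users, and it is rendered in cleartext into a file that simple.yml installs with `mode: 0o755`, readable by every local account. If a shared password is really the intent, install the script `0o750` owned by root with `group: "{{ openvpn_group }}"`, and at least reject empty input so an empty configured password cannot match an empty login: `[[ -n "$password" && "$password" == "{{ openvpn_simple_auth_password }}" ]]`. Whether the credentials arrive via environment (which exposes them to anything that can read the process environment) or via file is decided by the `auth-user-pass-verify` line in server.conf.j2, outside this diff; `via-file` is the safer choice and should be what this script expects.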
@@ -0,0 +1,54 @@ + + # LDAP server URL + # possible values are: + # - ldapserver.example.org + # - ldap://ldapserver.example.org + # - ldaps://ldapserver.example.org + URL {% if openvpn_ldap_server | regex_search('(^\w+:\/\/.+$)') %}{{ openvpn_ldap_server }}{% else %}ldap://{{ openvpn_ldap_server }}{% endif %} + + + # Bind DN (If your LDAP server doesn't support anonymous binds) + # e.g. cn=administrator,cn=users,dc=ctc,dc=local + BindDN {{ openvpn_ldap_bind_dn }} + + # Bind Password + Password {{ openvpn_ldap_bind_password }} + + # Network timeout (in seconds) + Timeout 15 + + # Enable Start TLS + TLSEnable {{ openvpn_ldap_tlsenable }} + + # Follow LDAP Referrals (anonymously) + FollowReferrals {{ openvpn_ldap_follow_referrals }} + + # TLS CA Certificate File + TLSCACertFile /etc/ssl/ca-cert.pem + + # TLS CA Certificate Directory + TLSCACertDir /etc/ssl/certs + + # Client Certificate and key + # If TLS client authentication is required + TLSCertFile /etc/ssl/client-cert.pem + TLSKeyFile /etc/ssl/client-key.pem + + # Cipher Suite + # The defaults are usually fine here + # TLSCipherSuite ALL:!ADH:@STRENGTH + + + + # e.g. "dc=ctc,dc=local" + BaseDN {{ openvpn_ldap_base_dn }} + # e.g. "sAMAccountName=%u" + SearchFilter {{ openvpn_ldap_search_filter }} + RequireGroup true + + BaseDN {{ openvpn_ldap_base_dn }} + # e.g. "cn=OpenVPNUsers" + SearchFilter {{ openvpn_ldap_group_search_filter }} + MemberAttribute Member + + diff --git a/roles/galaxy/Stouts.openvpn/templates/authentication/openvpn.pam.j2 b/roles/galaxy/Stouts.openvpn/templates/authentication/openvpn.pam.j2 new file mode 100644 index 0000000..2aa43ba --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/authentication/openvpn.pam.j2 
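Review bot: When `openvpn_ldap_server` is a bare hostname the template prefixes `ldap://`, so the bind DN and `Password` on the lines below travel in cleartext unless `TLSEnable` (driven by `openvpn_ldap_tlsenable`, whose default is not visible here) switches on StartTLS. Add an assertion in tasks/assertions.yml, or a `when:` on `Setup LDAP`, requiring that either `openvpn_ldap_server` starts with `ldaps://` or `openvpn_ldap_tlsenable` is true, so a forgotten variable fails the play instead of leaking the bind credential. The `TLSCACertFile`, `TLSCertFile` and `TLSKeyFile` paths under `/etc/ssl/` are hard-coded rather than templated; if those files do not exist, server-certificate verification depends on the libldap build's behaviour, so turning them into variables with documented defaults is a worthwhile follow-up.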
@@ -0,0 +1,12 @@ +# {{ ansible_managed }} + +{% if openvpn_use_pam_users and ansible_os_family == 'Debian' %} +auth required pam_pwdfile.so pwdfile={{openvpn_etcdir}}/users +account required pam_permit.so +{% elif ansible_os_family == 'Debian' %} +@include common-auth +@include common-account +{% elif ansible_os_family == 'RedHat' %} +auth include system-auth +account include system-auth +{% endif %} diff --git a/roles/galaxy/Stouts.openvpn/templates/beats/elasticsearch.openvpn.ingest.pipelines.yml b/roles/galaxy/Stouts.openvpn/templates/beats/elasticsearch.openvpn.ingest.pipelines.yml new file mode 100644 index 0000000..479ca04 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/beats/elasticsearch.openvpn.ingest.pipelines.yml 
@@ -0,0 +1,55 @@ +--- + +pipelines: + - description: "openvpn-connection-log-line" + processors: + - set: + field: openvpn + value: {} + - grok: + field: message + ignore_failure: true + patterns: + # yamllint disable-line rule:line-length + - "%{TIMESTAMP:openvpn.date} %{DATA} \\[%{DATA:openvpn.common_name}\\] Peer Connection Initiated with \\[AF_INET\\]%{IP:openvpn.client_ip}:%{POSINT:openvpn.port}" + pattern_definitions: + TIMESTAMP: "%{DAY} %{MONTH} ?%{MONTHDAY} %{TIME} %{YEAR}" + - gsub: + # the month day is ' 3' or '24'. The space before '3' will break the + # date filter that follows, so removing it. + field: "openvpn.date" + pattern: " " + replacement: ' ' + - date: + field: "openvpn.date" + formats: + - EEE MMM d HH:mm:ss yyyy + - set: + field: 'openvpn.event' + value: 'client-connected' + + # Parses log lines created with the + # `templates/etc/openvpn/scripts/client-disconnect.sh` script. + - description: "openvpn-disconnection-log-line" + processors: + - set: + field: openvpn + value: {} + - grok: + field: message + ignore_failure: true + patterns: + - "%{TIMESTAMP:openvpn.date},%{DATA:openvpn.common_name},%{IP:openvpn.client_ip}" + pattern_definitions: + TIMESTAMP: "%{DAY} %{MONTH} ?%{MONTHDAY} %{TIME} %{TZ} %{YEAR}" + - gsub: + field: "openvpn.date" + pattern: " " + replacement: ' ' + - date: + field: "openvpn.date" + formats: + - EEE MMM d HH:mm:ss z yyyy + - set: + field: 'openvpn.event' + value: 'client-disconnected' diff --git a/roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.fields.yml b/roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.fields.yml new file mode 100644 index 0000000..2e4b334 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.fields.yml @@ -0,0 +1,12 @@ +--- + +- name: openvpn.date + type: date +- name: openvpn.client_ip + type: ip +- name: openvpn.common_name + type: keyword +- name: openvpn.event + type: keyword +- name: openvpn.port + type: long 
diff --git a/roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.inputs.yml b/roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.inputs.yml new file mode 100644 index 0000000..68752ab --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/beats/filebeat.openvpn.inputs.yml @@ -0,0 +1,15 @@ +--- + +- type: log + enabled: "{{ openvpn_filebeat_connection_log_enabled | default(True) }}" + paths: + - "{{ openvpn_log }}" + include_lines: + - 'Peer Connection Initiated' + pipeline: openvpn_connection_log_line + +- type: log + enabled: "{{ openvpn_filebeat_disconnection_log_enabled | default(True) }}" + paths: + - "{{ openvpn_client_disconnect_log }}" + pipeline: openvpn_disconnection_log_line diff --git a/roles/galaxy/Stouts.openvpn/templates/beats/heartbeat.openvpn.monitors.yml b/roles/galaxy/Stouts.openvpn/templates/beats/heartbeat.openvpn.monitors.yml new file mode 100644 index 0000000..504e857 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/beats/heartbeat.openvpn.monitors.yml 
@@ -0,0 +1,33 @@ +# vi: ft=yaml.ansible.jinja2 +# yamllint disable rule:braces +--- + +- name: OpenVPN host up + id: "{{ openvpn_monitor_icmp_id | d('openvpn_icmp') }}" + type: icmp + enabled: {{ openvpn_monitor_icmp_enabled | d(false) }} + schedule: '@every 5s' + hosts: + - "{{ openvpn_host | d(inventory_hostname) }}" + +# The next two monitors require the management server to be enabled in OpenVPN +# config. +- name: OpenVPN service running + id: "{{ openvpn_monitor_mgmt_with_pass_id | d('openvpn_mgmt_with_pass') }}" + type: tcp + enabled: {{ openvpn_monitor_tcp_with_pass_enabled | d(false) }} + schedule: '@every 5s' + hosts: + - "tcp://{{ openvpn_monitor_mgmt_host }}:{{ openvpn_monitor_mgmt_port }}" + check: + receive: 'ENTER PASSWORD:' + +- name: OpenVPN service running + id: "{{ openvpn_monitor_mgmt_id | d('openvpn_mgmt') }}" + type: tcp + enabled: {{ openvpn_monitor_mgmt_enabled | d(false) }} + schedule: '@every 5s' + hosts: + - "tcp://{{ openvpn_monitor_mgmt_host }}:{{ openvpn_monitor_mgmt_port }}" + check: + receive: '>INFO:OpenVPN Management Interface' diff --git a/roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.deb.j2 b/roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.deb.j2 new file mode 100644 index 0000000..bca1033 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.deb.j2 
@@ -0,0 +1,19 @@ +# DO NOT EDIT THIS FILE BECAUSE IT IS AUTOMATICALLY GENERATED FROM ANSIBLE + +# OpenVPN interface +auto {{ openvpn_dev }} +iface {{ openvpn_dev }} inet manual + pre-up openvpn --mktun --dev {{ openvpn_dev }} --dev-type tap + post-down openvpn --rmtun --dev {{ openvpn_dev }} --dev-type tap + up ifconfig $IFACE 0.0.0.0 up + down ifconfig $IFACE down + +# Bridge +auto br-{{ openvpn_dev }} +iface br-{{ openvpn_dev }} inet static + bridge_ports {{ openvpn_dev }} + bridge_stp off + address {{openvpn_bridge.address}} + netmask {{openvpn_bridge.netmask}} + network {{openvpn_bridge.network}} + broadcast {{openvpn_bridge.broadcast}} diff --git a/roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.rh.j2 b/roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.rh.j2 new file mode 100644 index 0000000..8cb7339 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/bridge/bridge-interface.rh.j2 @@ -0,0 +1,13 @@ +# DO NOT EDIT THIS FILE BECAUSE IT IS AUTOMATICALLY GENERATED FROM ANSIBLE + +DEVICE=br-{{ openvpn_dev }} +TYPE=Bridge +IPADDR={{openvpn_bridge.address}} +NETMASK={{openvpn_bridge.netmask}} +#NETWORK={{openvpn_bridge.network}} +#BROADCAST={{openvpn_bridge.broadcast}} +ONBOOT=yes +BOOTPROTO=none +NM_CONTROLLED=no +DELAY=0 +STP=off \ No newline at end of file diff --git a/roles/galaxy/Stouts.openvpn/templates/bridge/down.sh.j2 b/roles/galaxy/Stouts.openvpn/templates/bridge/down.sh.j2 new file mode 100644 index 0000000..d8ebf9a --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/bridge/down.sh.j2 @@ -0,0 +1,6 @@ +#!/bin/sh +PATH=/sbin:/usr/sbin:/bin:/usr/bin +BR=$1 +DEV=$2 +brctl delif $BR $DEV +ip link set "$DEV" down \ No newline at end of file diff --git a/roles/galaxy/Stouts.openvpn/templates/bridge/up.sh.j2 b/roles/galaxy/Stouts.openvpn/templates/bridge/up.sh.j2 new file mode 100644 index 0000000..9cc1bd5 --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/bridge/up.sh.j2 
@@ -0,0 +1,9 @@ +#!/bin/sh +PATH=/sbin:/usr/sbin:/bin:/usr/bin +BR=$1 +DEV=$2 +MTU=$3 +ip link set "$DEV" up promisc on mtu "$MTU" +if ! brctl show $BR | egrep -q "\W+$DEV$"; then + brctl addif $BR $DEV +fi \ No newline at end of file diff --git a/roles/galaxy/Stouts.openvpn/templates/client.conf.j2 b/roles/galaxy/Stouts.openvpn/templates/client.conf.j2 new file mode 100644 index 0000000..2881f6c --- /dev/null +++ b/roles/galaxy/Stouts.openvpn/templates/client.conf.j2 
@@ -0,0 +1,94 @@
+# {{ ansible_managed }}
+
+{%- set client=item -%}
+
+# Specify that we are a client and that we will be pulling certain config file
+# directives from the server.
+client
+
+# Use the same setting as you are using on the server. On most systems, the VPN
+# will not function unless you partially or fully disable the firewall for the
+# TUN/TAP interface.
+dev {{ openvpn_dev }}
+
+# Are we connecting to a TCP or UDP server? Use the same setting as on the
+# server.
+proto {{ openvpn_proto }}
+
+# Encrypt packets with cipher algorithm
+cipher {{ openvpn_cipher }}
+
+# The hostname/IP and port of the server. You can have multiple remote entries
+# to load balance between the servers.
+remote {{openvpn_host}} {{openvpn_port}}
+
+# Keep trying indefinitely to resolve the host name of the OpenVPN server.
+# Very useful on machines which are not permanently connected to the internet
+# such as laptops.
+resolv-retry {{ openvpn_resolv_retry }}
+
+# Most clients don't need to bind to a specific local port number.
+nobind
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# SSL/TLS parms. See the server config file for more description. It's best to
+# use a separate .crt/.key file pair for each client. A single ca file can be
+# used for all clients.
+{% if openvpn_unified_client_profiles %}
+
+{{ openvpn_ca_file_contents }}
+
+
+{{ openvpn_client_cert_output |default([{'item':client,'stdout':''}])|selectattr('item', 'match', client)|map(attribute='stdout')|list|first }}
+
+
+{{ openvpn_client_keys_output |default([{'item':client,'stdout':''}])|selectattr('item', 'match', client)|map(attribute='stdout')|list|first }}
+
+{% if openvpn_tls_auth %}
+key-direction 1
+
+{{ openvpn_tls_auth_file_contents | default('') }}
+
+{% endif %}
+
+{% else %}
+ca ca.crt
+cert {{client}}.crt
+key {{client}}.key
+{% endif %}
+
+# Verify server certificate by checking that the certicate has the nsCertType
+# field set to "server". This is an important precaution to protect against a
+# potential attack discussed here: http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate your server certificates with
+# the nsCertType field set to "server". The build-key-server script in the
+# easy-rsa folder will do this.
+ns-cert-type server
+
+{% if openvpn_tls_auth and not openvpn_unified_client_profiles -%}
+# Use a static pre-shared key (PSK)
+tls-auth {{openvpn_tls_key}} 1
+{% endif %}
+
+# Enable compression on the VPN link. Don't enable this unless it is also
+# enabled in the server config file.
+{% if openvpn_comp_lzo -%}
+comp-lzo
+{% else -%}
+;comp-lzo
+{% endif %}
+
+# Set log file verbosity.
+verb {{openvpn_verb}}
+
+{% if openvpn_use_pam or openvpn_use_ldap %}
+auth-user-pass
+{% endif %}
+
+{% for option in openvpn_client_options %}
+{{option}}
+{% endfor %}
diff --git a/roles/galaxy/Stouts.openvpn/templates/scripts/client-disconnect.sh.j2 b/roles/galaxy/Stouts.openvpn/templates/scripts/client-disconnect.sh.j2
new file mode 100644
index 0000000..99199b1
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/templates/scripts/client-disconnect.sh.j2
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+{# openvpn_client_disconnect_log is a variable specific to this file and is not
+mentioned in $(defaults/main.yml) #}
+
+{%- if openvpn_client_disconnect_log is not defined -%}
+ {% set openvpn_client_disconnect_log = "{{
+ openvpn_script_output_directories[0] }}/disconnect.log" %}
+{%- endif -%}
+
+if [[ ! -e "{{ openvpn_client_disconnect_log }}" ]]; then
+ echo 'time,common_name,external_ip' >"{{ openvpn_client_disconnect_log }}"
+fi
+
+d="$(date -d "$time_ascii+$time_duration"sec)"
+echo "$d,$common_name,$trusted_ip" >>"{{ openvpn_client_disconnect_log }}"
diff --git a/roles/galaxy/Stouts.openvpn/templates/server.conf.j2 b/roles/galaxy/Stouts.openvpn/templates/server.conf.j2
new file mode 100644
index 0000000..21668e7
--- /dev/null
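Review bot: `ns-cert-type server` is the deprecated server-identity check: OpenVPN 2.4 warns on it and 2.5 removed it, so clients on current distributions reject this config, and the supported form is `remote-cert-tls server`, which verifies the serverAuth extended key usage that easy-rsa 3 sets on server certificates; the comment block above it describing nsCertType and build-key-server should be rewritten to match. In the `openvpn_unified_client_profiles` branch the hunk shows only bare `+` lines around `{{ openvpn_ca_file_contents }}`, the cert and key outputs and `{{ openvpn_tls_auth_file_contents }}`; presumably these are the `<ca>`/`<cert>`/`<key>`/`<tls-auth>` wrapper tags lost in rendering, but that is worth confirming in the committed file, since without them the inline profile is unusable. As the role is vendored from Galaxy, the fix belongs in a role version bump or a local template override rather than an in-place edit.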
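Review bot: The fallback `{% set openvpn_client_disconnect_log = "{{ openvpn_script_output_directories[0] }}/disconnect.log" %}` places a `{{ … }}` expression inside a Jinja string literal, which Jinja does not evaluate, so unless Ansible re-templates the rendered output the script writes to a path containing the literal text `{{ openvpn_script_output_directories[0] }}`. A plain expression does what was intended: `{% set openvpn_client_disconnect_log = openvpn_script_output_directories[0] ~ '/disconnect.log' %}`. The final `echo` also writes `$common_name` and `$trusted_ip` into the CSV unquoted, so a comma in a certificate common name shifts the columns that the header row promises.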
+++ b/roles/galaxy/Stouts.openvpn/templates/server.conf.j2 
@@ -0,0 +1,192 @@
+# {{ ansible_managed }}
+
+# Which local IP address should OpenVPN listen on? (optional)
+{% if openvpn_local is defined -%}
+local {{ openvpn_local }}
+{% else -%}
+;local a.b.c.d {% endif %}
+
+# Which TCP/UDP port should OpenVPN listen on? If you want to run multiple
+# OpenVPN instances on the same machine, use a different port number for each
+# one. You will need to open up this port on your firewall.
+port {{ openvpn_port }}
+
+# TCP or UDP server?
+proto {{ openvpn_proto }}
+
+{% if openvpn_portshare is defined %}
+# Port sharing
+port-share 127.0.0.1 {{ openvpn_portshare }}
+{% endif %}
+
+# Encrypt packets with cipher algorithm
+cipher {{ openvpn_cipher }}
+
+# "dev tun" will create a routed IP tunnel, "dev tap" will create an ethernet
+# tunnel. Use "dev tap0" if you are ethernet bridging and have precreated a
+# tap0 virtual interface and bridged it with your ethernet interface. If you
+# want to control access policies over the VPN, you must create firewall rules
+# for the the TUN/TAP interface. On non-Windows systems, you can give an
+# explicit unit number, such as tun0. On Windows, use "dev-node" for this. On
+# most systems, the VPN will not function unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+dev {{ openvpn_dev }}
+
+# SSL/TLS root certificate (ca), certificate (cert), and private key (key).
+# Each client and the server must have their own cert and key file. The server
+# and all clients will use the same ca file.
+#
+# See the "easy-rsa" directory for a series of scripts for generating RSA
+# certificates and private keys. Remember to use a unique Common Name for the
+# server and each of the client certificates.
+#
+# Any X509 key management system can be used. OpenVPN can also use a PKCS #12
+# formatted key file (see "pkcs12" directive in man page).
+ca {{ openvpn_keydir }}/ca.crt
+cert {{ openvpn_keydir }}/issued/server.crt
+key {{ openvpn_keydir }}/private/server.key # This file should be kept secret
+
+# Diffie hellman parameters. Generate your own with: openssl dhparam -out
+# dh1024.pem 1024 Substitute 2048 for 1024 if you are using 2048 bit keys.
+dh {{ openvpn_keydir }}/dh.pem
+
+{% if openvpn_tls_auth -%}
+# Use a static pre-shared key (PSK)
+tls-auth {{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }} 0
+tls-server
+{% endif %}
+
+# Client configuration directory.
+{% if openvpn_ccd is defined -%}
+client-config-dir {{ openvpn_ccd }}
+{% endif %}
+
+# Which VPN topology to use? (net30, subnet, p2p)
+{% if openvpn_topology is defined -%}
+topology {{ openvpn_topology }}
+{% endif %}
+
+{% if openvpn_server and not openvpn_bridge %}
+# Configure server mode and supply a VPN subnet for OpenVPN to draw client
+# addresses from. The server will take 10.8.0.1 for itself, the rest will be
+# made available to clients. Each client will be able to reach the server on
+# 10.8.0.1. Comment this line out if you are ethernet bridging. See the man
+# page for more info.
+server {{ openvpn_server }}
+{% endif %}
+{% if openvpn_bridge %}
+# Configure server mode for ethernet bridging.
+# You must first use your OS's bridging capability
+# to bridge the TAP interface with the ethernet
+# NIC interface. Then you must manually set the
+# IP/netmask on the bridge interface, here we
+# assume 10.8.0.4/255.255.255.0. Finally we
+# must set aside an IP range in this subnet
+# (start=10.8.0.50 end=10.8.0.100) to allocate
+# to connecting clients. Leave this line commented
+# out unless you are ethernet bridging.
+server-bridge {{ openvpn_bridge.address }} {{ openvpn_bridge.netmask }} {{ openvpn_bridge.dhcp_start }} {{ openvpn_bridge.dhcp_end }}
+
+{% if ansible_os_family == 'RedHat' %}
+# Tap management through script
+up "/etc/openvpn/up.sh br-{{ openvpn_dev }}"
+down "/etc/openvpn/down.sh br-{{ openvpn_dev }}"
+script-security 2
+{% endif %}
+{% endif %}
+
+# Maintain a record of client <-> virtual IP address associations in this file.
+# If OpenVPN goes down or is restarted, reconnecting clients can be assigned
+# the same virtual IP address from the pool that was previously assigned.
+ifconfig-pool-persist {{ openvpn_ifconfig_pool_persist }}
+
+# The keepalive directive causes ping-like messages to be sent back and forth
+# over the link so that each side knows when the other side has gone down. Ping
+# every 10 seconds, assume that remote peer is down if no ping received during
+# a 120 second time period.
+{%- if openvpn_keepalive != '' %}
+keepalive {{ openvpn_keepalive }}
+{% endif %}
+
+# Enable compression on the VPN link. If you enable it here, you must also
+# enable it in the client config file.
+{% if openvpn_comp_lzo -%}
+comp-lzo
+{% else -%}
+;comp-lzo
+{% endif %}
+
+# The persist options will try to avoid accessing certain resources on restart
+# that may no longer be accessible because of the privilege downgrade.
+persist-key
+persist-tun
+
+# Output a short status file showing current connections, truncated and
+# rewritten every minute.
+status {{openvpn_status}}
+
+# By default, log messages will go to the syslog (or on Windows, if running as
+# a service, they will go to the "\Program Files\OpenVPN\log" directory). Use
+# log or log-append to override this default. "log" will truncate the log file
+# on OpenVPN startup, while "log-append" will append to it. Use one or the
+# other (but not both).
+;log openvpn.log
+log-append {{openvpn_log}}
+
+# Set the appropriate level of log file verbosity.
+#
+# 0 is silent, except for fatal errors 4 is reasonable for general usage 5 and
+# 6 can help to debug connection problems 9 is extremely verbose
+verb {{openvpn_verb}}
+
+# The maximum number of concurrently connected clients we want to allow.
+max-clients {{openvpn_max_clients}}
+
+# It's a good idea to reduce the OpenVPN daemon's privileges after
+# initialization.
+#
+# You can uncomment this out on non-Windows systems.
+{% if openvpn_user -%}
+user {{openvpn_user}}
+{% else -%}
+;user nobody
+{% endif %}
+{% if openvpn_group -%}
+group {{openvpn_group}}
+{% else -%}
+group nogroup
+{% endif %}
+
+{% if openvpn_client_to_client %}
+client-to-client
+{% endif %}
+
+{% if openvpn_use_pam %}
+client-cert-not-required
+plugin {{openvpn_use_pam_plugin|default(openvpn_use_pam_plugin_distribution)}} openvpn
+{% endif %}
+
+{% if openvpn_use_ldap %}
+plugin {{ openvpn_use_ldap_plugin | default(openvpn_use_ldap_plugin_distribution) }} "/etc/openvpn/auth-ldap.conf"
+{% endif %}
+
+{% if openvpn_simple_auth and openvpn_simple_auth_password %}
+auth-user-pass-verify auth-client.sh via-env
+script-security 3 execve
+{% endif %}
+
+{% for option in openvpn_server_options %}
+{{option}}
+{% endfor %}
+
+{% if crl_pem_file.stat.exists %}
+crl-verify {{ openvpn_keydir }}/crl.pem
+{% endif %}
+
+{% for dns in openvpn_dns_servers %}
+push "dhcp-option DNS {{ dns }}"
+{% endfor %}
+
+{% for push_route in openvpn_route_ranges %}
+push "route {{ push_route }}"
+{% endfor %}
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Common-default.yml b/roles/galaxy/Stouts.openvpn/vars/os/Common-default.yml
new file mode 100644
index 0000000..c99be61
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Common-default.yml
@@ -0,0 +1,3 @@
+---
+
+openvpn_service: openvpn
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Debian.jessie.yml b/roles/galaxy/Stouts.openvpn/vars/os/Debian.jessie.yml
new file mode 100644
index 0000000..267e8bc
--- /dev/null
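Review bot: `client-cert-not-required` in the `openvpn_use_pam` branch is the deprecated spelling: OpenVPN 2.4 warns on it and 2.5 removed it in favour of `verify-client-cert none`, so a server on a current distribution fails to start with PAM auth enabled. In the `openvpn_simple_auth` branch, `auth-user-pass-verify auth-client.sh via-env` hands the client password to the script through its environment, which is why the template has to raise `script-security 3`; `auth-user-pass-verify auth-client.sh via-file` works at `script-security 2` and keeps the credential out of the process environment, and the trailing `execve` method argument is a legacy form that is presumably ignored by current releases. Note that `;local a.b.c.d {% endif %}` near the top renders the `else` branch and the `endif` on one line; this still templates correctly but reads as an accidental join. The same vendored-role caveat applies as for client.conf.j2: the fix belongs in a role version bump or a local override.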
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Debian.jessie.yml
@@ -0,0 +1,10 @@
+---
+
+openvpn_use_pam_plugin_distribution:
+ /usr/lib/openvpn/openvpn-plugin-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution:
+ /usr/lib/openvpn/openvpn-auth-ldap.so
+
+openvpn_service:
+ "{{ 'openvpn@server' if ansible_service_mgr == 'systemd' else 'openvpn' }}"
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Debian.stretch.yml b/roles/galaxy/Stouts.openvpn/vars/os/Debian.stretch.yml
new file mode 100644
index 0000000..267e8bc
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Debian.stretch.yml
@@ -0,0 +1,10 @@
+---
+
+openvpn_use_pam_plugin_distribution:
+ /usr/lib/openvpn/openvpn-plugin-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution:
+ /usr/lib/openvpn/openvpn-auth-ldap.so
+
+openvpn_service:
+ "{{ 'openvpn@server' if ansible_service_mgr == 'systemd' else 'openvpn' }}"
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Debian.yml b/roles/galaxy/Stouts.openvpn/vars/os/Debian.yml
new file mode 100644
index 0000000..0254469
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Debian.yml
@@ -0,0 +1,8 @@
+---
+
+openvpn_service: openvpn
+
+openvpn_use_pam_plugin_distribution: /usr/lib/openvpn/openvpn-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution: /usr/lib/openvpn/openvpn-auth-ldap.so
+
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/RedHat.yml b/roles/galaxy/Stouts.openvpn/vars/os/RedHat.yml
new file mode 100644
index 0000000..3359d3b
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/RedHat.yml
@@ -0,0 +1,13 @@
+---
+
+openvpn_service: openvpn@server
+
+openvpn_group: nobody
+
+openvpn_use_pam_plugin_distribution:
+ /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution:
+ /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so
+
+openvpn_use_external_repo: true
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.bionic.yml b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.bionic.yml
new file mode 100644
index 0000000..76dfd15
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.bionic.yml
@@ -0,0 +1,8 @@
+---
+
+openvpn_use_pam_plugin_distribution:
+ /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution: /usr/lib/openvpn/openvpn-auth-ldap.so
+
+openvpn_service: openvpn
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.vivid.yml b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.vivid.yml
new file mode 100644
index 0000000..2da5bf5
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.vivid.yml
@@ -0,0 +1,7 @@
+---
+
+openvpn_use_pam_plugin_distribution: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution: /usr/lib/openvpn/openvpn-auth-ldap.so
+
+openvpn_service: openvpn
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.xenial.yml b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.xenial.yml
new file mode 100644
index 0000000..751d5a5
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.xenial.yml
@@ -0,0 +1,10 @@
+---
+
+openvpn_use_pam_plugin_distribution:
+ /usr/lib/openvpn/openvpn-plugin-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution:
+ /usr/lib/openvpn/openvpn-auth-ldap.so
+
+openvpn_service: openvpn
+
diff --git a/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.yml b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.yml
new file mode 100644
index 0000000..b2052ff
--- /dev/null
+++ b/roles/galaxy/Stouts.openvpn/vars/os/Ubuntu.yml
@@ -0,0 +1,7 @@
+---
+
+openvpn_use_pam_plugin_distribution: /usr/lib/openvpn/openvpn-auth-pam.so
+
+openvpn_use_ldap_plugin_distribution: /usr/lib/openvpn/openvpn-auth-ldap.so
+
+openvpn_service: openvpn
diff --git a/roles/nkakouros.easyrsa/.travis.yml b/roles/galaxy/nkakouros.easyrsa/.travis.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/.travis.yml
rename to roles/galaxy/nkakouros.easyrsa/.travis.yml
diff --git a/roles/nkakouros.easyrsa/.yamllint b/roles/galaxy/nkakouros.easyrsa/.yamllint
similarity index 100%
rename from roles/nkakouros.easyrsa/.yamllint
rename to roles/galaxy/nkakouros.easyrsa/.yamllint
diff --git a/roles/nkakouros.easyrsa/README.md b/roles/galaxy/nkakouros.easyrsa/README.md
similarity index 100%
rename from roles/nkakouros.easyrsa/README.md
rename to roles/galaxy/nkakouros.easyrsa/README.md
diff --git a/roles/nkakouros.easyrsa/defaults/main.yml b/roles/galaxy/nkakouros.easyrsa/defaults/main.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/defaults/main.yml
rename to roles/galaxy/nkakouros.easyrsa/defaults/main.yml
diff --git a/roles/nkakouros.easyrsa/handlers/main.yml b/roles/galaxy/nkakouros.easyrsa/handlers/main.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/handlers/main.yml
rename to roles/galaxy/nkakouros.easyrsa/handlers/main.yml
diff --git a/roles/nkakouros.easyrsa/key-formats.md b/roles/galaxy/nkakouros.easyrsa/key-formats.md
similarity index 100%
rename from roles/nkakouros.easyrsa/key-formats.md
rename to roles/galaxy/nkakouros.easyrsa/key-formats.md
diff --git a/roles/galaxy/nkakouros.easyrsa/meta/.galaxy_install_info b/roles/galaxy/nkakouros.easyrsa/meta/.galaxy_install_info
new file mode 100644
index 0000000..b2fe533
--- /dev/null
+++ b/roles/galaxy/nkakouros.easyrsa/meta/.galaxy_install_info
@@ -0,0 +1,2 @@
+install_date: Sun Oct 4 16:33:22 2020
+version: master
diff --git a/roles/nkakouros.easyrsa/meta/main.yml b/roles/galaxy/nkakouros.easyrsa/meta/main.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/meta/main.yml
rename to roles/galaxy/nkakouros.easyrsa/meta/main.yml
diff --git a/roles/nkakouros.easyrsa/molecule/default/Dockerfile.j2 b/roles/galaxy/nkakouros.easyrsa/molecule/default/Dockerfile.j2
similarity index 100%
rename from roles/nkakouros.easyrsa/molecule/default/Dockerfile.j2
rename to roles/galaxy/nkakouros.easyrsa/molecule/default/Dockerfile.j2
diff --git a/roles/nkakouros.easyrsa/molecule/default/INSTALL.rst b/roles/galaxy/nkakouros.easyrsa/molecule/default/INSTALL.rst
similarity index 100%
rename from roles/nkakouros.easyrsa/molecule/default/INSTALL.rst
rename to roles/galaxy/nkakouros.easyrsa/molecule/default/INSTALL.rst
diff --git a/roles/nkakouros.easyrsa/molecule/default/molecule.yml b/roles/galaxy/nkakouros.easyrsa/molecule/default/molecule.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/molecule/default/molecule.yml
rename to roles/galaxy/nkakouros.easyrsa/molecule/default/molecule.yml
diff --git a/roles/nkakouros.easyrsa/molecule/default/playbook.yml b/roles/galaxy/nkakouros.easyrsa/molecule/default/playbook.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/molecule/default/playbook.yml
rename to roles/galaxy/nkakouros.easyrsa/molecule/default/playbook.yml
diff --git a/roles/nkakouros.easyrsa/molecule/default/prepare.yml b/roles/galaxy/nkakouros.easyrsa/molecule/default/prepare.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/molecule/default/prepare.yml
rename to roles/galaxy/nkakouros.easyrsa/molecule/default/prepare.yml
diff --git a/roles/galaxy/nkakouros.easyrsa/molecule/default/tests/test_default.py b/roles/galaxy/nkakouros.easyrsa/molecule/default/tests/test_default.py
new file mode 100644
index 0000000..eedd64a
--- /dev/null
+++ b/roles/galaxy/nkakouros.easyrsa/molecule/default/tests/test_default.py
@@ -0,0 +1,14 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_hosts_file(host):
+ f = host.file('/etc/hosts')
+
+ assert f.exists
+ assert f.user == 'root'
+ assert f.group == 'root'
diff --git a/roles/nkakouros.easyrsa/molecule/default/yamllint.yml b/roles/galaxy/nkakouros.easyrsa/molecule/default/yamllint.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/molecule/default/yamllint.yml
rename to roles/galaxy/nkakouros.easyrsa/molecule/default/yamllint.yml
diff --git a/roles/nkakouros.easyrsa/tasks/configure.yml b/roles/galaxy/nkakouros.easyrsa/tasks/configure.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/configure.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/configure.yml
diff --git a/roles/nkakouros.easyrsa/tasks/convert.yml b/roles/galaxy/nkakouros.easyrsa/tasks/convert.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/convert.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/convert.yml
diff --git a/roles/nkakouros.easyrsa/tasks/csr.yml b/roles/galaxy/nkakouros.easyrsa/tasks/csr.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/csr.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/csr.yml
diff --git a/roles/nkakouros.easyrsa/tasks/dh.yml b/roles/galaxy/nkakouros.easyrsa/tasks/dh.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/dh.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/dh.yml
diff --git a/roles/nkakouros.easyrsa/tasks/download.yml b/roles/galaxy/nkakouros.easyrsa/tasks/download.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/download.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/download.yml
diff --git a/roles/nkakouros.easyrsa/tasks/easyrsa.yml b/roles/galaxy/nkakouros.easyrsa/tasks/easyrsa.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/easyrsa.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/easyrsa.yml
diff --git a/roles/nkakouros.easyrsa/tasks/install.yml b/roles/galaxy/nkakouros.easyrsa/tasks/install.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/install.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/install.yml
diff --git a/roles/nkakouros.easyrsa/tasks/main.yml b/roles/galaxy/nkakouros.easyrsa/tasks/main.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/main.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/main.yml
diff --git a/roles/nkakouros.easyrsa/tasks/renew.yml b/roles/galaxy/nkakouros.easyrsa/tasks/renew.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/renew.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/renew.yml
diff --git a/roles/nkakouros.easyrsa/tasks/revoke.yml b/roles/galaxy/nkakouros.easyrsa/tasks/revoke.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/revoke.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/revoke.yml
diff --git a/roles/nkakouros.easyrsa/tasks/sign.yml b/roles/galaxy/nkakouros.easyrsa/tasks/sign.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/tasks/sign.yml
rename to roles/galaxy/nkakouros.easyrsa/tasks/sign.yml
diff --git a/roles/nkakouros.easyrsa/templates/vars.j2 b/roles/galaxy/nkakouros.easyrsa/templates/vars.j2
similarity index 100%
rename from roles/nkakouros.easyrsa/templates/vars.j2
rename to roles/galaxy/nkakouros.easyrsa/templates/vars.j2
diff --git a/roles/nkakouros.easyrsa/vars/main.yml b/roles/galaxy/nkakouros.easyrsa/vars/main.yml
similarity index 100%
rename from roles/nkakouros.easyrsa/vars/main.yml
rename to roles/galaxy/nkakouros.easyrsa/vars/main.yml
diff --git a/roles/nkakouros.easyrsa/meta/.galaxy_install_info b/roles/nkakouros.easyrsa/meta/.galaxy_install_info
deleted file mode 100644
index 374150e..0000000
--- a/roles/nkakouros.easyrsa/meta/.galaxy_install_info
+++ /dev/null
@@ -1,2 +0,0 @@
-install_date: Thu Oct 1 15:59:12 2020
-version: master