simplify OpenVPN setup

reefactor · Oct 4, 2020 · c83b72b · c83b72b
1 parent a15222f
commit c83b72b
Show file tree

Hide file tree

Showing 10 changed files with 54 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -60,21 +60,24 @@ See example test [test_deploy_openvpn.sh](tests/test_deploy_openvpn.sh)
 1. Add `username` entry into list of **openvpn_clients_active** in [environments/test/group_vars/openvpn](environments/test/group_vars/openvpn).
 Client may reserve static VPN IP or dynamic otherwise.
 
+
 2. Generate OpenVPN server keys for client:
 ```bash
 ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml
 ```
 
 VPN keys are downloaded to local dir `./.vpnkeys/test`.
+```bash
+ls -l ./.vpnkeys/test/
+```
+Send keys file to the user.
 
-Send keys file to the user or deploy to a host VM with `playbooks/openvpn-client.yml`:
 
-3. (Optional) deploy VPN client keys to a particular host VM
+3. Deploy client keys (add host to VPN network)
 
-Add target host VM to **openvpn_clients_group** and mark with `openvpn_client_name=username` variable and run playbook:
+Add target host VM to **openvpn_clients_group**, tag it with `openvpn_client_name=username` variable and run playbook:
 ```bash
-ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml --limit openvpn-server,vpnhost
-ls -l ./.vpnkeys/test/newhost.zip
+ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml
 ```
 
 ##### Revoke VPN access

diff --git a/environments/test/group_vars/all.yml b/environments/test/group_vars/all.yml
@@ -1,2 +1,5 @@
 monitoring_graphite_host: 192.168.10.101
 monitoring_grafana_public_root_url: http://192.168.10.101/
+
+# extract subdir name from environment name (e.g. environments/test -> vpnkeys/test)
+vpnkeys_dir: "../.vpnkeys/{{ inventory_dir.split('/')[-1] }}/"
diff --git a/environments/test/group_vars/openvpn.yml b/environments/test/group_vars/openvpn.yml
@@ -14,4 +14,4 @@ openvpn_clients_active:
 openvpn_clients_revoke: []
 
 openvpn_use_pam: false
-openvpn_download_dir: "../.vpnkeys/test/"
+openvpn_download_dir: "{{ vpnkeys_dir }}"
diff --git a/playbooks/openvpn-client.yml b/playbooks/openvpn-client.yml
@@ -1,14 +1,3 @@
-- hosts: openvpn-server
-  become: yes
-  tasks:
-    - name: Download client credentials from VPN server to local {{openvpn_download_dir}}
-      fetch:
-        src: "/etc/openvpn/ovpns/{{ item.name }}.zip"
-        dest: "{{ openvpn_download_dir }}"
-        flat: true
-        validate_checksum: true
-      loop: "{{ openvpn_clients_active }}"
-
 - hosts: openvpn_clients_group
   become: yes
   roles:

diff --git a/playbooks/openvpn-server.yml b/playbooks/openvpn-server.yml
@@ -35,6 +35,20 @@
     openvpn_clients: "{{ openvpn_clients_active | map(attribute='name') | list }}"
     openvpn_ccd_configs: "{{ openvpn_clients_active }}"
     openvpn_client_options: ["float", "log /etc/openvpn/client.log"]
+
+  pre_tasks:
+    - name: "Validate server configuration"
+      assert:
+        that:
+          - "openvpn_download_clients is true"
+          - "openvpn_clients | length > 0"
+        msg: "Invalid server configuration"
+
+  post_tasks:
+    - name: "INFO: VPN clients keys are downloaded to {{openvpn_download_dir}}"
+      debug:
+        var: openvpn_clients
+        verbosity: 0
   roles:
     - role: nkakouros.easyrsa
     - role: Stouts.openvpn

diff --git a/requirements.yml b/requirements.yml
@@ -1,4 +1,6 @@
-- name: Stouts.openvpn
-  src: https://github.com/Stouts/Stouts.openvpn.git
-  version: 3.1.1
-- name: nkakouros.easyrsa
+---
+roles:
+  - name: Stouts.openvpn
+    src: https://github.com/Stouts/Stouts.openvpn.git
+    version: 3.1.1
+  - name: nkakouros.easyrsa
diff --git a/roles/openvpn-client/tasks/Debian.yml b/roles/openvpn-client/tasks/Debian.yml
@@ -0,0 +1,8 @@
+- name: Install requirements
+  apt:
+    name: "{{ requirements }}"
+    update_cache: true
+  vars:
+    requirements:
+      - openvpn
+      - zip
diff --git a/roles/openvpn-client/tasks/RedHat.yml b/roles/openvpn-client/tasks/RedHat.yml
@@ -0,0 +1,8 @@
+- name: Install requirements
+  yum:
+    name: "{{ requirements }}"
+    update_cache: true
+  vars:
+    requirements:
+      - openvpn
+      - zip
diff --git a/roles/openvpn-client/tasks/main.yml b/roles/openvpn-client/tasks/main.yml
@@ -1,10 +1,9 @@
 ---
-- name: install openvpn
-  apt: name='openvpn'
+- include_tasks: "{{ ansible_os_family }}.yml"
 
-- name: Extract ovpn client zip into /etc/openvpn
+- name: "Deploy VPN keys from {{vpnkeys_dir}}/{{openvpn_client_name}}.zip"
   unarchive:
-    src: ../{{ openvpn_download_dir }}/{{openvpn_client_name}}.zip
+    src: "{{ vpnkeys_dir }}/{{openvpn_client_name}}.zip"
     dest: /etc/openvpn/
 
 - name: Rename /etc/openvpn/client.ovpn to client.conf

diff --git a/tests/test_deploy_openvpn.sh b/tests/test_deploy_openvpn.sh
@@ -5,7 +5,7 @@ source $DIR/base.sh
 # create sandbox
 vagrant up
 
- cleanup
+# cleanup
 if [[ -e $DIR/.vpnkeys/test ]]; then
 rm -rf $DIR/.vpnkeys/test
 fi
@@ -27,8 +27,8 @@ do
   fi
 done
 
-# deploy vpn keys to hostname
-ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml -l openvpn-server,vpnhost
+# deploy vpn keys
+ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml
 
 
 # check