diff --git a/README.md b/README.md
index e937631..e7d21d0 100644
--- a/README.md
+++ b/README.md
@@ -60,21 +60,24 @@ See example test [test_deploy_openvpn.sh](tests/test_deploy_openvpn.sh)
 1. Add `username` entry into list of **openvpn_clients_active** in [environments/test/group_vars/openvpn](environments/test/group_vars/openvpn). Client may reserve static VPN IP or dynamic otherwise. + 2. Generate OpenVPN server keys for client: ```bash ansible-playbook -i environments/test/inventory playbooks/openvpn-server.yml ``` VPN keys are downloaded to local dir `./.vpnkeys/test`. +```bash +ls -l ./.vpnkeys/test/ +``` +Send keys file to the user. -Send keys file to the user or deploy to a host VM with `playbooks/openvpn-client.yml`: -3. (Optional) deploy VPN client keys to a particular host VM +3. Deploy client keys (add host to VPN network) -Add target host VM to **openvpn_clients_group** and mark with `openvpn_client_name=username` variable and run playbook: +Add target host VM to **openvpn_clients_group**, tag it with `openvpn_client_name=username` variable and run playbook: ```bash -ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml --limit openvpn-server,vpnhost -ls -l ./.vpnkeys/test/newhost.zip +ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml ``` ##### Revoke VPN access
diff --git a/environments/test/group_vars/all.yml b/environments/test/group_vars/all.yml
index 73b1a37..ce18fc0 100644
--- a/environments/test/group_vars/all.yml
+++ b/environments/test/group_vars/all.yml
@@ -1,2 +1,5 @@
 monitoring_graphite_host: 192.168.10.101
 monitoring_grafana_public_root_url: http://192.168.10.101/
+
+# extract subdir name from environment name (e.g. environments/test -> vpnkeys/test)
+vpnkeys_dir: "../.vpnkeys/{{ inventory_dir.split('/')[-1] }}/"
diff --git a/environments/test/group_vars/openvpn.yml b/environments/test/group_vars/openvpn.yml
index 73ada5c..1e9f615 100644
--- a/environments/test/group_vars/openvpn.yml
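Review bot: The new `vpnkeys_dir` derives the environment name with `inventory_dir.split('/')[-1]`, hand-coding the path separator where Ansible's `basename` filter already exists; `vpnkeys_dir: "../.vpnkeys/{{ inventory_dir | basename }}/"` states the intent and does not depend on how the inventory path is normalised. The comment above it describes the mapping as `environments/test -> vpnkeys/test` while the value actually produced is `../.vpnkeys/test/`; I would align it: `# local dir for fetched client keys, derived from the inventory's parent dir (environments/test -> ../.vpnkeys/test/)`. This directory receives client private keys, so it is worth confirming it is excluded from version control; that file is not part of this diff.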
+++ b/environments/test/group_vars/openvpn.yml
@@ -14,4 +14,4 @@ openvpn_clients_active:
 openvpn_clients_revoke: []
 openvpn_use_pam: false
-openvpn_download_dir: "../.vpnkeys/test/"
+openvpn_download_dir: "{{ vpnkeys_dir }}"
diff --git a/playbooks/openvpn-client.yml b/playbooks/openvpn-client.yml
index 0b6e989..670c70f 100644
--- a/playbooks/openvpn-client.yml
+++ b/playbooks/openvpn-client.yml
@@ -1,14 +1,3 @@
-- hosts: openvpn-server
- become: yes
- tasks:
- - name: Download client credentials from VPN server to local {{openvpn_download_dir}}
- fetch:
- src: "/etc/openvpn/ovpns/{{ item.name }}.zip"
- dest: "{{ openvpn_download_dir }}"
- flat: true
- validate_checksum: true
- loop: "{{ openvpn_clients_active }}"
-
 - hosts: openvpn_clients_group
 become: yes
 roles:
diff --git a/playbooks/openvpn-server.yml b/playbooks/openvpn-server.yml
index 4d0fa61..cf12bd7 100644
--- a/playbooks/openvpn-server.yml
+++ b/playbooks/openvpn-server.yml
@@ -35,6 +35,20 @@
 openvpn_clients: "{{ openvpn_clients_active | map(attribute='name') | list }}"
 openvpn_ccd_configs: "{{ openvpn_clients_active }}"
 openvpn_client_options: ["float", "log /etc/openvpn/client.log"]
+
+ pre_tasks:
+ - name: "Validate server configuration"
+ assert:
+ that:
+ - "openvpn_download_clients is true"
+ - "openvpn_clients | length > 0"
+ msg: "Invalid server configuration"
+
+ post_tasks:
+ - name: "INFO: VPN clients keys are downloaded to {{openvpn_download_dir}}"
+ debug:
+ var: openvpn_clients
+ verbosity: 0
 roles:
 - role: nkakouros.easyrsa
 - role: Stouts.openvpn
diff --git a/requirements.yml b/requirements.yml
index f171c7a..8764683 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,4 +1,6 @@
-- name: Stouts.openvpn
- src: https://github.com/Stouts/Stouts.openvpn.git
- version: 3.1.1
-- name: nkakouros.easyrsa
+---
+roles:
+ - name: Stouts.openvpn
+ src: https://github.com/Stouts/Stouts.openvpn.git
+ version: 3.1.1
+ - name: nkakouros.easyrsa
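Review bot: The `assert` in the new `pre_tasks` reports `Invalid server configuration` for both conditions, so a failed run tells the operator neither that `openvpn_download_clients` must be enabled nor that `openvpn_clients_active` is empty; a specific message such as `msg: "openvpn_download_clients must be true and openvpn_clients_active must list at least one client"` (or one assert per condition) makes the failure actionable. `openvpn_download_clients is true` also relies on the Jinja2 `true` test, which older Jinja2 releases on the control node do not provide; `openvpn_download_clients is sameas true` is the portable spelling, and if the variable can be undefined in this environment the assert will raise an undefined-variable error instead of its message. `verbosity: 0` on the `debug` in `post_tasks` is the default and can be dropped. The play this hunk edits starts and ends outside the hunk.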
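Review bot: `nkakouros.easyrsa` is still listed without `version:` (or `src:`), so `ansible-galaxy install -r requirements.yml` fetches whatever is newest on Galaxy at install time, while `Stouts.openvpn` is pinned to `3.1.1`; pin it the same way, `version: "<PINNED_VERSION>"` under that entry, so the role that generates the CA and client keys cannot change underneath a deployment. A git tag such as `3.1.1` is itself mutable, so recording a commit hash in `version:` is the stronger pin for a git-sourced role. Quoting `version: "3.1.1"` is harmless here and keeps version strings from being retyped should a future value look like a float.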
diff --git a/roles/openvpn-client/tasks/Debian.yml b/roles/openvpn-client/tasks/Debian.yml
new file mode 100644
index 0000000..d1274b2
--- /dev/null
+++ b/roles/openvpn-client/tasks/Debian.yml
@@ -0,0 +1,8 @@
+- name: Install requirements
+ apt:
+ name: "{{ requirements }}"
+ update_cache: true
+ vars:
+ requirements:
+ - openvpn
+ - zip
diff --git a/roles/openvpn-client/tasks/RedHat.yml b/roles/openvpn-client/tasks/RedHat.yml
new file mode 100644
index 0000000..a012348
--- /dev/null
+++ b/roles/openvpn-client/tasks/RedHat.yml
@@ -0,0 +1,8 @@
+- name: Install requirements
+ yum:
+ name: "{{ requirements }}"
+ update_cache: true
+ vars:
+ requirements:
+ - openvpn
+ - zip
diff --git a/roles/openvpn-client/tasks/main.yml b/roles/openvpn-client/tasks/main.yml
index e31dd4b..83eda27 100644
--- a/roles/openvpn-client/tasks/main.yml
+++ b/roles/openvpn-client/tasks/main.yml
@@ -1,10 +1,9 @@
 ---
-- name: install openvpn
- apt: name='openvpn'
+- include_tasks: "{{ ansible_os_family }}.yml"
-- name: Extract ovpn client zip into /etc/openvpn
+- name: "Deploy VPN keys from {{vpnkeys_dir}}/{{openvpn_client_name}}.zip"
 unarchive:
- src: ../{{ openvpn_download_dir }}/{{openvpn_client_name}}.zip
+ src: "{{ vpnkeys_dir }}/{{openvpn_client_name}}.zip"
 dest: /etc/openvpn/
 - name: Rename /etc/openvpn/client.ovpn to client.conf
diff --git a/tests/test_deploy_openvpn.sh b/tests/test_deploy_openvpn.sh
index 760e936..1d07e87 100755
--- a/tests/test_deploy_openvpn.sh
+++ b/tests/test_deploy_openvpn.sh
@@ -5,7 +5,7 @@ source $DIR/base.sh
 # create sandbox
 vagrant up
- cleanup
+# cleanup
 if [[ -e $DIR/.vpnkeys/test ]]; then
 rm -rf $DIR/.vpnkeys/test
 fi
@@ -27,8 +27,8 @@ do
 fi
 done
-# deploy vpn keys to hostname
-ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml -l openvpn-server,vpnhost
+# deploy vpn keys
+ansible-playbook -i environments/test/inventory playbooks/openvpn-client.yml
 # check
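Review bot: The `requirements` package list is declared twice, once in this file and again in `RedHat.yml`, so the two OS branches can drift; the list belongs in the role's `defaults/main.yml` or `vars/main.yml` (with an OS-specific override only where the package names differ) and these task files should only reference `{{ requirements }}`. Neither task sets `state:`, so `present` is implied; stating it makes the intent explicit. On RHEL-family hosts the `openvpn` package is generally available only from the EPEL repository, which the `yum` task does not enable, so confirm the target images already provide it before relying on `RedHat.yml`.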
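Review bot: The `unarchive` task writes the client's key material into `/etc/openvpn/` with whatever file modes the zip recorded, and nothing in the part of the task list visible here tightens them afterwards; since the archive carries the client private key, a follow-up `file` task (or `mode:` on `unarchive`, if the archive is flat) setting the key to `0600` is the check I would add, after confirming the zip's layout, which this diff does not show. `include_tasks: "{{ ansible_os_family }}.yml"` fails with a file-not-found error on any family other than Debian and RedHat; a preceding `assert: that: ansible_os_family in ['Debian', 'RedHat']` gives a clearer failure. `vpnkeys_dir` already ends in `/` (see `group_vars/all.yml` in this diff), so `"{{ vpnkeys_dir }}/{{openvpn_client_name}}.zip"` yields a doubled slash; harmless, but worth dropping. The task list continues past the end of this hunk.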