Add ocserv role

Create a self-signed CA, set up group configs, add script to allow new
connections through the firewall.

In the base debian role, drop the default nftables forward chain with
drop policy because it clashes with this. If you enable forwarding on
a debian host, make sure to configure the firewall.

roles/ocserv/templates/ocserv-group.j2

@@ -0,0 +1,3 @@
+{% for route in item.value %}
+route = {{ route }}
+{% endfor %}

roles/ocserv/templates/ocserv.conf.j2

@@ -0,0 +1,26 @@
+listen-host = {{ dns_name }}
+tcp-port = 443
+server-cert = /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem
+server-key = /etc/letsencrypt/live/{{ dns_name }}/privkey.pem
+
+run-as-user = ocserv
+run-as-group = ocserv
+socket-file = /run/ocserv-socket
+chroot-dir = /var/lib/ocserv
+connect-script = /usr/local/bin/ocserv-script
+disconnect-script = /usr/local/bin/ocserv-script
+
+device = vpns
+cisco-client-compat = true
+dtls-legacy = true
+compression = true
+isolate-workers = true
+
+auth = certificate
+ca-cert = /etc/ocserv/ca.crt
+cert-user-oid = 2.5.4.3
+cert-group-oid = 2.5.4.11
+config-per-group = /etc/ocserv/config-per-group/
+default-domain = {{ domain }}
+ipv4-network = {{ vpn.network }}
+route = {{ vpn.network }}