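---
# Tasks for an ocserv (OpenConnect) VPN server: packages, nftables rules,
# a local CA for client certificates, the service configuration with
# per-group routes, and the systemd / sysctl adjustments the service needs.
# The handlers notified here (reload nftables, restart ocserv, reload systemd)
# are defined elsewhere in the role.

- name: Install packages
  package:
    name:
      - netmask  # for ocserv-script
      - ocserv
    # passed through to the underlying apt module on Debian-family hosts:
    # don’t install dnsmasq for whatever reason
    install_recommends: false

- name: Configure firewall
  copy:
    dest: /etc/nftables.d/
    src: ocserv.nft
  notify: reload nftables

- name: Generate CA key
  command:
    cmd: openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ca.key
    chdir: /etc/ocserv
    creates: ca.key
  notify: restart ocserv

# openssl writes the key file with the process umask, which commonly leaves it
# group/world readable. This key signs client certificates, so keep it
# owner-only; the task has no `creates` guard so a drifted mode is corrected
# on every run.
# NOTE(review): assumes only root-run signing tooling reads ca.key — confirm
# nothing in ocserv.conf.j2 points the service at it.
- name: Restrict CA key permissions
  file:
    path: /etc/ocserv/ca.key
    mode: "0600"

- name: Create CA certificate
  command:
    # `>-` folds the lines into one command string without a trailing newline
    cmd: >-
      openssl req -key ca.key -out ca.crt -new -x509 -days 3650
      -subj "/O=FRI/CN=vrata"
      -addext keyUsage=critical,keyCertSign,cRLSign
    chdir: /etc/ocserv
    creates: ca.crt
  notify: restart ocserv

- name: Create directory for client certificates
  file:
    path: /var/lib/ocserv/certs
    state: directory
    owner: ocserv
    group: ocserv

# this script allows routing from the client to their networks on connection
- name: Install ocserv firewall script
  copy:
    dest: /usr/local/bin/
    src: ocserv-script
    # quoted on purpose: an unquoted 755 is the decimal integer 755, which
    # Ansible applies as octal 1363 (--wx-wx-wt with the sticky bit)
    mode: "0755"

- name: Configure ocserv
  template:
    dest: /etc/ocserv/ocserv.conf
    src: ocserv.conf.j2
  notify: restart ocserv

- name: Create config-per-group directory
  file:
    path: /etc/ocserv/config-per-group/
    state: directory

# one config file per group; the group name (the key of vpn.routes) becomes
# the file name, so keys must be plain names without path separators
- name: Configure ocserv routes for each group
  template:
    dest: '/etc/ocserv/config-per-group/{{ item.key }}'
    src: ocserv-group.j2
  loop: '{{ vpn.routes | dict2items }}'
  notify: restart ocserv

- name: Install certificate renewal deployment hook
  copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/
    src: reload-ocserv.sh
    mode: "0755"

- name: Create ocserv service override directory
  file:
    path: /etc/systemd/system/ocserv.service.d
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Set ocserv to start after network is online
  copy:
    dest: /etc/systemd/system/ocserv.service.d/override.conf
    content: |
      [Unit]
      After=network-online.target
      Wants=network-online.target
  notify: reload systemd

- name: Enable IP forwarding
  sysctl:
    name: net.ipv4.ip_forward
    # sysctl values are strings; quoting keeps the YAML parser out of it
    value: "1"
    sysctl_file: /etc/sysctl.d/99-local.conf
    sysctl_set: true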