Idempotent in headless mode #592
Conversation
|
I only have a question. I don't understand the change to In the list of provisioning you can add Ansible too. Thanks for contributing! |
This line mentions deleting a pre-existing 'easy-rsa' folder that came with older OpenVPN installations. On systems where this folder may pre-exist, it's safer to use a different folder name for the new incoming easy-rsa. Otherwise, it'd be hard to tell on repeated runs of openvpn-install.sh whether the contents of the folder are what we want them to be.
Done! e350220 |
But you didn't delete the line |
But on the next run of the script, easy-rsa-auto will be present. If I kept the original naming convention, easy-rsa would be present and would be deleted and recreated each time. The goal is for the desired version of easy-rsa (currently 3.0.6) to be installed once by this script. If an older version that was packaged with OpenVPN in the distro's repos is present (in easy-rsa), it should be deleted. Then, subsequent runs of this script shouldn't re-download and recreate it. |
An other question is, what does an update of the distro, for example if the distro will be update easy-rsa? |
There was a problem hiding this comment.
subsequent runs of this script shouldn't re-download and recreate it.
Now I get it. It would happen when you try to run the command to install it again but it's already installed.
I think we can avoid changing the name of the easy-rsa directory to easy-rsa-auto if we move rm -rf /etc/openvpn/easy-rsa/ to be inside if [[ ! -e /etc/openvpn/server.conf ]]; then. Can you let me know if you agree please?
If the distro updates easy-rsa, it'll go in a separate directory and won't bother us. If the distro overwrites the OpenVPN config referencing easy-rsa, we have a bigger problem, but re-running openvpn-install.sh will fix it. :) |
Agree, that's much cleaner! |
|
Seems great guys, thanks 👍 |
|
I did my habitual pull rebase and dirtied up this PR, sorry. Will reset and clean it up. |
This set of changes adjusts the script so that you can run it multiple times with the same input and not have any unexpected changes. This makes it appropriate for "enforcing state", as required by automated provisioners like Puppet, Salt, Chef, or Ansible.
- Unbound, OpenVPN, easy-rsa, and other dependencies are only installed from upstream if they are not already present. This prevents multiple runs of the script from causing unexpected version upgrades.
- The easy-rsa system is put in a folder called "easy-rsa-auto" so it can't conflict with the "easy-rsa" folder from some older OpenVPN packages
- The easy-rsa CA is only initialized once
- SERVER_CN and SERVER_NAME are randomly generated once and saved for future reference
- File append ('>>') is only done strictly after a file is created with '>' (e.g. /etc/sysctl.d/20-openvpn.conf)
- Clients are only added to easy-rsa once
- If AUTO_INSTALL == y, then the script operates in install mode and doesn't enter manageMenu
Co-Authored-By: randomshell <43271778+randomshell@users.noreply.github.com>
Co-Authored-By: randomshell <43271778+randomshell@users.noreply.github.com>
|
Okay, it's clean again, let me know if you need me to squash any of the commits. :) |
|
Don't worry I'll squash them. Thanks again, I just have to find some time to test it and merge it! |
The removal of an old version of easy-rsa should only happen if OpenVPN is being installed for the first time.
|
Thanks a lot everyone! |
This changeset adjusts the script so that you can run it multiple times with the same input and not have any unexpected changes. This makes it appropriate for "enforcing state", as required by automated provisioners like Puppet, Salt, Chef, or Ansible.
Also, IPv4-only mode has been fixed with a call to curl -4 ifconfig.co.
Fixes: #545