Idempotent in headless mode #592
Conversation
I only have a question. I don't understand the change to In the list of provisioners you can add Ansible too. Thanks for contributing!
This line mentions deleting a pre-existing 'easy-rsa' folder that came with older OpenVPN installations. On systems where this folder may pre-exist, it's safer to use a different folder name for the new incoming easy-rsa. Otherwise, it'd be hard to tell on repeated runs of openvpn-install.sh whether the contents of the folder are what we want them to be.
Done! e350220
But you didn't delete the line
But on the next run of the script, easy-rsa-auto will be present. If I kept the original naming convention, easy-rsa would be present and would be deleted and recreated each time. The goal is for the desired version of easy-rsa (currently 3.0.6) to be installed once by this script. If an older version that was packaged with OpenVPN in the distro's repos is present (in easy-rsa), it should be deleted. Then, subsequent runs of this script shouldn't re-download and recreate it.
Another question is, what about an update of the distro, for example if the distro updates easy-rsa?
"subsequent runs of this script shouldn't re-download and recreate it."
Now I get it. It would happen when you try to run the command to install it again but it's already installed.
I think we can avoid changing the name of the easy-rsa directory to easy-rsa-auto if we move rm -rf /etc/openvpn/easy-rsa/ to be inside if [[ ! -e /etc/openvpn/server.conf ]]; then. Can you let me know if you agree please?
If the distro updates easy-rsa, it'll go in a separate directory and won't bother us. If the distro overwrites the OpenVPN config referencing easy-rsa, we have a bigger problem, but re-running openvpn-install.sh will fix it. :)
Agree, that's much cleaner!
Thanks!
Seems great guys, thanks 👍
I did my habitual pull rebase and dirtied up this PR, sorry. Will reset and clean it up.
This set of changes adjusts the script so that you can run it multiple times with the same input and not have any unexpected changes. This makes it appropriate for "enforcing state", as required by automated provisioners like Puppet, Salt, Chef, or Ansible.
- Unbound, OpenVPN, easy-rsa, and other dependencies are only installed from upstream if they are not already present. This prevents multiple runs of the script from causing unexpected version upgrades.
- The easy-rsa system is put in a folder called "easy-rsa-auto" so it can't conflict with the "easy-rsa" folder from some older OpenVPN packages
- The easy-rsa CA is only initialized once
- SERVER_CN and SERVER_NAME are randomly generated once and saved for future reference
- File append ('>>') is only done strictly after a file is created with '>' (e.g. /etc/sysctl.d/20-openvpn.conf)
- Clients are only added to easy-rsa once
- If AUTO_INSTALL == y, then the script operates in install mode and doesn't enter manageMenu
Co-Authored-By: randomshell <43271778+randomshell@users.noreply.github.com>
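The check agreed on in the thread (remove a distro-packaged easy-rsa only when /etc/openvpn/server.conf does not exist yet) together with the other idempotence rules listed in the commit message, written as an added shell example that is not the project's script. OVPN_ROOT stands in for /etc/openvpn so it runs as an unprivileged user, and the easy-rsa contents are a constructed marker file rather than a real release.

```shell
#!/usr/bin/env sh
# Added example, not openvpn-install.sh itself. OVPN_ROOT stands in for
# /etc/openvpn; every file under it is constructed by this script.
set -eu

OVPN_ROOT="${OVPN_ROOT:-$(mktemp -d)}"

# First-install detection: server.conf is the marker the thread settles on.
first_install() { [ ! -e "$OVPN_ROOT/server.conf" ]; }

install_server() {
    mkdir -p "$OVPN_ROOT"
    if first_install; then
        # An old distro-packaged easy-rsa is removed on the first run only;
        # later runs keep the version this script installed.
        rm -rf "$OVPN_ROOT/easy-rsa"
        mkdir -p "$OVPN_ROOT/easy-rsa"
        # Constructed stand-in for the unpacked easy-rsa release.
        echo "easy-rsa-installed-by-script" > "$OVPN_ROOT/easy-rsa/VERSION"
        # SERVER_CN is generated once and persisted, so re-runs reuse it.
        cn="cn_$(head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n')"
        echo "$cn" > "$OVPN_ROOT/SERVER_CN"
        # Create with '>' before any '>>', so re-runs never duplicate lines.
        echo "port 1194" > "$OVPN_ROOT/server.conf"
        echo "proto udp" >> "$OVPN_ROOT/server.conf"
    fi
}

# Clients are added at most once: consult the index before appending.
add_client() {
    name="$1"
    index="$OVPN_ROOT/easy-rsa/index.txt"
    touch "$index"
    grep -qx "$name" "$index" || echo "$name" >> "$index"
}

# Helpers exposing the state that a second run must leave unchanged.
server_cn() { cat "$OVPN_ROOT/SERVER_CN"; }
server_conf_lines() { wc -l < "$OVPN_ROOT/server.conf" | tr -d ' '; }
client_count() { wc -l < "$OVPN_ROOT/easy-rsa/index.txt" | tr -d ' '; }
```

Run install_server twice with the same OVPN_ROOT, adding the same client in between, and compare server_cn, server_conf_lines and client_count before and after the second run.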
Okay, it's clean again, let me know if you need me to squash any of the commits. :)
Don't worry I'll squash them. Thanks again, I just have to find some time to test it and merge it!
Thanks @angristan
The removal of an old version of easy-rsa should only happen if OpenVPN is being installed for the first time.
Thanks a lot everyone!
This changeset adjusts the script so that you can run it multiple times with the same input and not have any unexpected changes. This makes it appropriate for "enforcing state", as required by automated provisioners like Puppet, Salt, Chef, or Ansible.
Also, IPv4-only mode has been fixed with a call to curl -4 ifconfig.co.
Fixes: #545