From 5518f672c6b9f03a8a7e857c5da36cd066ae96b1 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Tue, 12 Dec 2023 16:59:31 +0100
Subject: [PATCH 1/5] Supporting a fixed PHP version with a fixed port number.
---
 roles/debian/nginx/defaults/main.yml | 7 +++----
 roles/debian/nginx/templates/symfony4.j2 | 1 -
 roles/debian/php-fpm/defaults/main.yml | 5 ++++-
 roles/debian/php-fpm/tasks/main.yml | 10 +++++++++-
 .../debian/php-fpm/templates/www.conf-fixedport.j2 | 13 +++++++++++++
 roles/debian/php-fpm/templates/www.conf.j2 | 4 ++--
 6 files changed, 31 insertions(+), 9 deletions(-)
 create mode 100755 roles/debian/php-fpm/templates/www.conf-fixedport.j2
diff --git a/roles/debian/nginx/defaults/main.yml b/roles/debian/nginx/defaults/main.yml
index 61f2be571..8f86c7321 100644
--- a/roles/debian/nginx/defaults/main.yml
+++ b/roles/debian/nginx/defaults/main.yml
@@ -22,10 +22,9 @@ nginx:
 # Group prefix. Useful for grouping by environments.
 log_group_prefix: ""
 # Main log stream for nginx (Cloudwatch).
- log_stream_name: example
- # We can only have one backend, due to the way we use "common" templates.
- # Moving this per domain means instead having templates per project type.
- php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}"
+ log_stream_name: example # We can only have one backend, due to the way we use "common" templates, moving this per domain means instead having templates per project type.
+ # See php.fpm.unix_socket, if true use a socket here:
+ php_fastcgi_backend: "127.0.0.1:90{{ php.version[-1] | replace('.','') }}" # for unix socket use "unix:/var/run/php{{ php.version[-1] | replace('.','') }}-fpm.sock"
 ratelimitingcrawlers: false
 client_max_body_size: "700M"
 fastcgi_read_timeout: 60
diff --git a/roles/debian/nginx/templates/symfony4.j2 b/roles/debian/nginx/templates/symfony4.j2
index 1bab930bf..b01fb1a8e 100644
--- a/roles/debian/nginx/templates/symfony4.j2
+++ b/roles/debian/nginx/templates/symfony4.j2
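Review bot: The `php.fpm.tcp_port` option this series introduces is not reflected in `php_fastcgi_backend`, which still derives its port from `php.version[-1]`, so a host that sets a fixed port ends up with an nginx upstream pointing at a port nothing listens on unless the operator also overrides this default by hand. If `php.fpm` is in scope wherever this default is evaluated (the existing reference to `php.version` suggests the `php` dict is), the two can be kept in step with `php_fastcgi_backend: "127.0.0.1:{{ php.fpm.tcp_port if php.fpm.tcp_port | length > 0 else '90' ~ (php.version[-1] | replace('.','')) }}"`; otherwise the comment should at least say that `tcp_port` users must override this value. Separately, the former two-line comment about only supporting one backend has become a trailing comment on `log_stream_name`, where it now describes the wrong key; it belongs above `php_fastcgi_backend` as before.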
@@ -7,7 +7,6 @@ location ~ \.php(/|$) {
 fastcgi_pass {{ nginx.php_fastcgi_backend }};
 fastcgi_split_path_info ^(.+\.php)(/.*)$;
 include fastcgi_params;
- fastcgi_param APP_DEBUG 1;
 fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 fastcgi_param DOCUMENT_ROOT $realpath_root;
 }
diff --git a/roles/debian/php-fpm/defaults/main.yml b/roles/debian/php-fpm/defaults/main.yml
index 079312f3c..909b34e3a 100644
--- a/roles/debian/php-fpm/defaults/main.yml
+++ b/roles/debian/php-fpm/defaults/main.yml
@@ -1,6 +1,9 @@
 ---
 php:
+ # see php-common for default version
 fpm:
+ unix_socket: false # set to true to use a unix socket, you must also update nginx and cachetool if you do
+ tcp_port: "" # leave empty to automate port selection - port will be "90{{ version | replace('.','') }}" - e.g. 9081 for PHP 8.1
 expose_php: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
 error_reporting: "{% if _env_type == 'prod' %}E_ALL & ~E_DEPRECATED & ~E_STRICT{% else %}E_ALL{% endif %}"
 display_errors: "{% if _env_type == 'prod' %}Off{% else %}On{% endif %}"
@@ -21,7 +24,7 @@ php:
 max_file_uploads: 20
 date_timezone: "Europe/London"
 pool_user: "{{ user_deploy.username }}"
- pool_group: "{{ user_deploy.username }}"
+ pool_group: "{{ user_deploy.username }}" # if using unix socket this should be the web server user
 default_socket_timeout: 60
 max_children: 5
 start_servers: 2
diff --git a/roles/debian/php-fpm/tasks/main.yml b/roles/debian/php-fpm/tasks/main.yml
index b485040ea..e965e8458 100644
--- a/roles/debian/php-fpm/tasks/main.yml
+++ b/roles/debian/php-fpm/tasks/main.yml
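Review bot: Removing `fastcgi_param APP_DEBUG 1;` is a behaviour change that the subject line (fixed PHP port) does not cover: every Symfony vhost rendered from this template stops forcing debug mode on, and debug is then presumably decided by the application's own environment, which is the safer default for anything reachable from the internet but may surprise non-production hosts that relied on the forced value. It deserves its own commit or at least a mention in the message, plus a short comment in the template so nobody re-adds it, e.g. `# APP_DEBUG is deliberately not set here; control it from the application's environment.`.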
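Review bot: `tcp_port: ""` is only safe as a string: both new tasks in this commit test it with `| length`, so a user who writes `tcp_port: 9000` unquoted hands an int to the filter and the play stops with a templating type error at the `when` instead of a helpful message. The inline comment should say so, e.g. `tcp_port: "" # quoted string, e.g. "9000"; leave empty to automate port selection ...`, or the tasks could use `php.fpm.tcp_port | string | length`. The `unix_socket` comment also does not say what happens when both it and `tcp_port` are set; from the templates in this commit `tcp_port` wins and the socket setting is ignored, which deserves a sentence here since the `pool_group` note in the second hunk only applies in socket mode.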
@@ -16,12 +16,20 @@
 loop_control:
 loop_var: version
-- name: Copy default pool configuration.
+- name: Copy default pool configuration for a single, fixed port PHP version.
+ ansible.builtin.template:
+ dest: "/etc/php/{{ php.version[0] }}/fpm/pool.d/www.conf"
+ src: "www.conf-fixedport.j2"
+ mode: 0555
+ when: php.fpm.tcp_port | length > 0
+
+- name: Copy default pool configuration for dynamic PHP versioning.
 ansible.builtin.template:
 dest: "/etc/php/{{ version }}/fpm/pool.d/www.conf"
 src: "www.conf.j2"
 mode: 0555
 with_items: "{{ php.version }}"
+ when: php.fpm.tcp_port | length == 0
 loop_control:
 loop_var: version
diff --git a/roles/debian/php-fpm/templates/www.conf-fixedport.j2 b/roles/debian/php-fpm/templates/www.conf-fixedport.j2
new file mode 100755
index 000000000..7d986a2b5
--- /dev/null
+++ b/roles/debian/php-fpm/templates/www.conf-fixedport.j2
@@ -0,0 +1,13 @@
+[www]
+user = {{ php.fpm.pool_user }}
+group = {{ php.fpm.pool_group }}
+listen = 127.0.0.1:{{ php.fpm.tcp_port }}
+listen.owner = {{ php.fpm.pool_user }}
+listen.group = {{ php.fpm.pool_group }}
+pm = dynamic
+pm.max_children = {{ php.fpm.max_children }}
+pm.start_servers = {{ php.fpm.start_servers }}
+pm.min_spare_servers = {{ php.fpm.min_spare_servers }}
+pm.max_spare_servers = {{ php.fpm.max_spare_servers }}
+pm.process_idle_timeout = {{ php.fpm.process_idle_timeout }}
+pm.max_requests = {{ php.fpm.max_requests }}
diff --git a/roles/debian/php-fpm/templates/www.conf.j2 b/roles/debian/php-fpm/templates/www.conf.j2
index e960f6c53..551387d5e 100755
--- a/roles/debian/php-fpm/templates/www.conf.j2
+++ b/roles/debian/php-fpm/templates/www.conf.j2
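Review bot: The fixed-port task renders a pool for `php.version[0]` only, while the dynamic task it displaces loops over every entry of `php.version` and the nginx default changed in this same commit keys off `php.version[-1]`; with a multi-entry version list and `tcp_port` set, the remaining versions get no pool file at all and nginx may be pointed at a different version than the one configured. The task name promises "a single, fixed port PHP version" but nothing enforces it, so either pick one index consistently across the roles or fail early with `- ansible.builtin.assert:` / `that: php.version | length == 1` / `when: php.fpm.tcp_port | length > 0` placed before the template task. A non-numeric `tcp_port` is likewise only caught when php-fpm refuses the rendered pool; `php.fpm.tcp_port | int > 0` in the same assert gives a clearer failure.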
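Review bot: `www.conf-fixedport.j2` duplicates `www.conf.j2` line for line except for `listen`, and unlike `www.conf.j2` (changed later in this commit) it ignores `php.fpm.unix_socket`, so `unix_socket: true` together with a `tcp_port` silently produces a TCP listener. Folding the fixed port into the existing template keeps one source of truth, e.g. `listen = {% if php.fpm.unix_socket %}/var/run/php{{ version | replace('.','') }}-fpm.sock{% elif php.fpm.tcp_port | length > 0 %}127.0.0.1:{{ php.fpm.tcp_port }}{% else %}127.0.0.1:90{{ version | replace('.','') }}{% endif %}`, leaving the tasks file to decide only which versions to loop over. If the separate file stays, a header comment stating that it is TCP-only and that `tcp_port` must be a valid port would prevent the silent fallthrough from surprising the next maintainer.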
@@ -1,7 +1,7 @@
 [www]
 user = {{ php.fpm.pool_user }}
 group = {{ php.fpm.pool_group }}
-listen = 127.0.0.1:90{{ version | replace('.','') }}
+listen = {% if php.fpm.unix_socket %}'/var/run/php{{ version | replace('.','') }}-fpm.sock'{% else %}127.0.0.1:90{{ version | replace('.','') }}{% endif %}
 listen.owner = {{ php.fpm.pool_user }}
 listen.group = {{ php.fpm.pool_group }}
 pm = dynamic
@@ -10,4 +10,4 @@ pm.start_servers = {{ php.fpm.start_servers }}
 pm.min_spare_servers = {{ php.fpm.min_spare_servers }}
 pm.max_spare_servers = {{ php.fpm.max_spare_servers }}
 pm.process_idle_timeout = {{ php.fpm.process_idle_timeout }}
-pm.max_requests = {{ php.fpm.max_requests }}
\ No newline at end of file
+pm.max_requests = {{ php.fpm.max_requests }}
From e2defdfa312449b22119051eb76c1f1c14f257da Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Fri, 22 Dec 2023 13:49:36 +0100
Subject: [PATCH 2/5] Accidently re-added the old VPN role - re-deleting!
---
 docs/roles/debian/openvpn_config.md | 69 ------
 roles/debian/openvpn_config/README.md | 69 ------
 roles/debian/openvpn_config/defaults/main.yml | 54 -----
 roles/debian/openvpn_config/tasks/main.yml | 155 ------------
 .../templates/auth-ldap.conf.j2 | 39 ---
 .../openvpn_config/templates/openvpn.j2 | 3 -
 roles/debian/openvpn_config/templates/vars.j2 | 222 ------------------
 7 files changed, 611 deletions(-)
 delete mode 100644 docs/roles/debian/openvpn_config.md
 delete mode 100644 roles/debian/openvpn_config/README.md
 delete mode 100644 roles/debian/openvpn_config/defaults/main.yml
 delete mode 100644 roles/debian/openvpn_config/tasks/main.yml
 delete mode 100644 roles/debian/openvpn_config/templates/auth-ldap.conf.j2
 delete mode 100644 roles/debian/openvpn_config/templates/openvpn.j2
 delete mode 100644 roles/debian/openvpn_config/templates/vars.j2
diff --git a/docs/roles/debian/openvpn_config.md b/docs/roles/debian/openvpn_config.md
deleted file mode 100644
index 02bbd8167..000000000
--- a/docs/roles/debian/openvpn_config.md
+++ /dev/null
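Review bot: The socket branch of the new `listen` line relies on the unchanged `listen.owner`/`listen.group` lines below it but sets no `listen.mode`, so access to `/var/run/php<ver>-fpm.sock` is left to PHP-FPM's built-in default (0660 according to the php-fpm documentation, as far as I recall); adding `{% if php.fpm.unix_socket %}listen.mode = 0660{% endif %}` after `listen.group` makes the intended policy (owner = pool user, group = web server, per the defaults comment in this commit) explicit rather than inherited. The single quotes around the socket path are unusual for a pool file — Debian's stock pool config writes the path bare — and although I believe PHP's ini scanner strips them, dropping them removes any doubt. The trailing-newline fix in the second hunk is fine.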
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/openvpn_config/README.md b/roles/debian/openvpn_config/README.md deleted file mode 100644 index 02bbd8167..000000000 --- a/roles/debian/openvpn_config/README.md +++ /dev/null 
@@ -1,69 +0,0 @@ -# OpenVPN Config -This role is used to install an OpenVPN server with an Ansible Galaxy role and corresponding configuration afterwards. The Galaxy role is here: - -* https://galaxy.ansible.com/robertdebock/openvpn - - - - - -## Default variables -```yaml ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - 
auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so - -``` - - diff --git a/roles/debian/openvpn_config/defaults/main.yml b/roles/debian/openvpn_config/defaults/main.yml deleted file mode 100644 index 6c711fe99..000000000 --- a/roles/debian/openvpn_config/defaults/main.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -openvpn_config: - install: true # set to false if we do not want to overwrite the existing VPN certs - - # Defaults from https://github.com/robertdebock/ansible-role-openvpn/blob/master/vars/main.yml - configuration_directory: /etc/openvpn - easyrsa_path: /usr/share/easy-rsa - service: "openvpn@server" - server_ip_range: "server 10.8.0.0 255.255.255.0" - # Additional options - force_redirect_gateway: true - compress: true - no_client_cert: true - custom_directives: [] # optional list of directives, i.e. push routes - # - directive 1 - # - directive 2 - # - directive N - - # easy-rsa vars for generating VPN certs - certs: - cn: "{{ _domain_name }}" - dn_mode: org # choices are org or cn_only - country: US - province: California - city: San Francisco - org: Copyleft Certificate Co - email: me@example.com - org_unit: My Organizational Unit - - # LDAP configuration - ldap: - install: false - url: ldaps://ldap.example.com,ldaps://ldap2.example.com - tls: false # set to true to use TLS on port 389 / ldap:// - tls_cert: /etc/ldap/ssl/ldap.CA.pem - tls_cert_local: "" # Set this to the path on the Ansible controller if you want to copy it to the target - timeout: '15' - basedn: dc=example,dc=com - search_filter: (&(objectClass=posixAccount)(uid=%u)) - require_group: true # set to false to allow any valid user in the basedn to login - group_basedn: ou=Groups,dc=example,dc=com - group_filter: (|(cn=vpnguests)(cn=sysadmins)) - - # PAM configuration - you need to manage the anthentication methods for your VPN via pam_config - # By default we assume the pam_ldap role is installed and configured - # VPN auth will be carried out against the nslcd daemon settings - pam: - install: false - pam_config: | - auth sufficient pam_ldap.so - auth required pam_deny.so - - account required pam_ldap.so - account required pam_permit.so 
diff --git a/roles/debian/openvpn_config/tasks/main.yml b/roles/debian/openvpn_config/tasks/main.yml deleted file mode 100644 index b07353521..000000000 --- a/roles/debian/openvpn_config/tasks/main.yml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -- name: "Ensure {{ openvpn_config.easyrsa_path }} exists." - ansible.builtin.file: - path: "{{ openvpn_config.easyrsa_path }}" - state: directory - owner: root - group: root - mode: "0755" - -# The Galaxy role creates the certs every time it runs using easy-rsa so we set a vars file: -# https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example -- name: Place easy-rsa vars file for SSL cert generation. - ansible.builtin.template: - src: vars.j2 - dest: "{{ openvpn_config.easyrsa_path }}/vars" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.install - -- name: Install OpenVPN server. - ansible.builtin.include_role: - name: robertdebock.openvpn - when: - - openvpn_config.install - -# Loop files from https://github.com/robertdebock/ansible-role-openvpn/blob/master/tasks/server.yml#L58 -- name: Ensure keys permission are correct. - ansible.builtin.file: - path: /etc/openvpn/server/{{ item | basename }} - mode: "0600" - loop: - - ca.crt - - dh.pem - - ta.key - - issued/client.crt - - issued/server.crt - - private/ca.key - - private/client.key - - private/server.key - -# Manipulate the server.conf file set by the OpenVPN role in Galaxy -- name: Prevent pushing DNS servers. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "dhcp-option DNS" - state: absent - -- name: Remove remote-cert-eku assumption. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "remote-cert-eku" - state: absent - -- name: Make forced redirect optional. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "redirect-gateway def1 bypass-dhcp" - state: absent - when: not openvpn_config.force_redirect_gateway - -- name: Enable VPN compression. 
- ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: comp-lzo - create: true - when: openvpn_config.compress - -- name: Set no client cert required. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: verify-client-cert none - create: true - when: openvpn_config.no_client_cert - -- name: Alter VPN IP range. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - search_string: "server " - line: "{{ openvpn_config.server_ip_range }}" - -# Handle LDAP configuration -- name: Place LDAP CA cert. - ansible.builtin.copy: - src: "{{ openvpn_config.ldap.tls_cert_local }}" - dest: "{{ openvpn_config.ldap.tls_cert }}" - owner: root - group: root - mode: "0644" - when: - - openvpn_config.ldap.tls_cert_local - - openvpn_config.ldap.install - -- name: Install OpenVPN LDAP auth package. - ansible.builtin.package: - name: openvpn-auth-ldap - state: present - when: openvpn_config.ldap.install - -- name: Ensure LDAP config directory exists. - ansible.builtin.file: - path: "{{ openvpn_config.configuration_directory }}/auth" - state: directory - mode: "0755" - when: openvpn_config.ldap.install - -- name: Place auth-ldap.conf file. - ansible.builtin.template: - src: auth-ldap.conf.j2 - dest: "{{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - owner: root - group: root - mode: "0644" - when: openvpn_config.ldap.install - -- name: Enable LDAP config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/openvpn/openvpn-auth-ldap.so {{ openvpn_config.configuration_directory }}/auth/auth-ldap.conf" - create: true - when: openvpn_config.ldap.install - -# Handle PAM config -- name: Place openvpn PAM config. 
- ansible.builtin.template: - src: openvpn.j2 - dest: /etc/pam.d/openvpn - owner: root - group: root - mode: "0644" - when: openvpn_config.pam.install - -- name: Enable PAM config. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn" - create: true - when: openvpn_config.pam.install - -# Handle extra directives -- name: Create custom directives. - ansible.builtin.lineinfile: - path: "{{ openvpn_config.configuration_directory }}/server.conf" - line: "{{ item }}" - create: true - loop: "{{ openvpn_config.custom_directives }}" - when: openvpn_config.custom_directives - -# @TODO this should be a handler if we change the LDAP config rather than a task -- name: Restart OpenVPN. - ansible.builtin.systemd: - name: "{{ openvpn_config.service }}" - state: restarted - daemon_reload: true diff --git a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 b/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 deleted file mode 100644 index bb3614af3..000000000 --- a/roles/debian/openvpn_config/templates/auth-ldap.conf.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ ansible_managed | comment }} - - - # LDAP server URL - URL {{ openvpn_config.ldap.url }} - -{% if openvpn_config.ldap.tls %} - # Enable Start TLS - TLSEnable yes - # TLS CA Certificate File - TLSCACertFile {{ openvpn_config.ldap.tls_cert }} -{% else %} - # Enable Start TLS - TLSEnable no -{% endif %} - - # Network timeout (in seconds) - Timeout {{ openvpn_config.ldap.timeout }} - - - - # Base DN - BaseDN "{{ openvpn_config.ldap.basedn }}" - - # User Search Filter - SearchFilter "{{ openvpn_config.ldap.search_filter }}" - - # Require Group Membership - RequireGroup {{ openvpn_config.ldap.require_group }} - - - #RFC2307bis false - BaseDN "{{ openvpn_config.ldap.group_basedn }}" - SearchFilter "{{ openvpn_config.ldap.group_filter }}" - MemberAttribute memberUid - # Add group members to a PF table (disabled) - #PFTable ips_vpn_eng - - diff --git a/roles/debian/openvpn_config/templates/openvpn.j2 b/roles/debian/openvpn_config/templates/openvpn.j2 deleted file mode 100644 index 97a46ddd3..000000000 --- a/roles/debian/openvpn_config/templates/openvpn.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{{ ansible_managed | comment }} - -{{ openvpn_config.pam.pam_config }} diff --git a/roles/debian/openvpn_config/templates/vars.j2 b/roles/debian/openvpn_config/templates/vars.j2 deleted file mode 100644 index d19baead5..000000000 --- a/roles/debian/openvpn_config/templates/vars.j2 +++ /dev/null 
@@ -1,222 +0,0 @@ -{{ ansible_managed | comment }} - -# Easy-RSA 3 parameter settings - -# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit -# this file in place -- instead, you should copy the entire easy-rsa directory -# to another location so future upgrades don't wipe out your changes. - -# HOW TO USE THIS FILE -# -# vars.example contains built-in examples to Easy-RSA settings. You MUST name -# this file 'vars' if you want it to be used as a configuration file. If you do -# not, it WILL NOT be automatically read when you call easyrsa commands. -# -# It is not necessary to use this config file unless you wish to change -# operational defaults. These defaults should be fine for many uses without the -# need to copy and edit the 'vars' file. -# -# All of the editable settings are shown commented and start with the command -# 'set_var' -- this means any set_var command that is uncommented has been -# modified by the user. If you're happy with a default, there is no need to -# define the value to its default. - -# NOTES FOR WINDOWS USERS -# -# Paths for Windows *MUST* use forward slashes, or optionally double-escaped -# backslashes (single forward slashes are recommended.) This means your path to -# the openssl binary might look like this: -# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# A little housekeeping: DON'T EDIT THIS SECTION -# -# Easy-RSA 3.x doesn't source into the environment directly. -# Complain if a user tries to do this: -if [ -z "$EASYRSA_CALLER" ]; then - echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2 - echo "This is no longer necessary and is disallowed. See the section called" >&2 - echo "'How to use this file' near the top comments for more details." >&2 - return 1 -fi - -# DO YOUR EDITS BELOW THIS POINT - -# This variable is used as the base location of configuration files needed by -# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF) -# may override this default. 
-# -# The default value of this variable is the location of the easyrsa script -# itself, which is also where the configuration files are located in the -# easy-rsa tree. - -#set_var EASYRSA "${0%/*}" - -# If your OpenSSL command is not in the system PATH, you will need to define the -# path to it here. Normally this means a full path to the executable, otherwise -# you could have left it undefined here and the shown default would be used. -# -# Windows users, remember to use paths with forward-slashes (or escaped -# back-slashes.) Windows users should declare the full path to the openssl -# binary here if it is not in their system PATH. - -#set_var EASYRSA_OPENSSL "openssl" -# -# This sample is in Windows syntax -- edit it for your path if not using PATH: -#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" - -# Edit this variable to point to your soon-to-be-created key directory. By -# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the -# directory you are currently in). -# -# WARNING: init-pki will do a rm -rf on this directory so make sure you define -# it correctly! (Interactive mode will prompt before acting.) - -#set_var EASYRSA_PKI "$PWD/pki" - -# Define directory for temporary subdirectories. - -#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" - -# Define X509 DN mode. -# This is used to adjust what elements are included in the Subject field as the DN -# (this is the "Distinguished Name.") -# Note that in cn_only mode the Organizational fields further below aren't used. -# -# Choices are: -# cn_only - use just a CN value -# org - use the "traditional" Country/Province/City/Org/OU/email/CN format - -set_var EASYRSA_DN "{{ openvpn_config.certs.dn_mode }}" - -# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.) -# These are the default values for fields which will be placed in the -# certificate. 
Don't leave any of these fields blank, although interactively -# you may omit any specific field by typing the "." symbol (not valid for -# email.) - -set_var EASYRSA_REQ_COUNTRY "{{ openvpn_config.certs.country }}" -set_var EASYRSA_REQ_PROVINCE "{{ openvpn_config.certs.province }}" -set_var EASYRSA_REQ_CITY "{{ openvpn_config.certs.city }}" -set_var EASYRSA_REQ_ORG "{{ openvpn_config.certs.org }}" -set_var EASYRSA_REQ_EMAIL "{{ openvpn_config.certs.email }}" -set_var EASYRSA_REQ_OU "{{ openvpn_config.certs.org_unit }}" - -# Choose a size in bits for your keypairs. The recommended value is 2048. Using -# 2048-bit keys is considered more than sufficient for many years into the -# future. Larger keysizes will slow down TLS negotiation and make key/DH param -# generation take much longer. Values up to 4096 should be accepted by most -# software. Only used when the crypto alg is rsa (see below.) - -#set_var EASYRSA_KEY_SIZE 2048 - -# The default crypto mode is rsa; ec can enable elliptic curve support. -# Note that not all software supports ECC, so use care when enabling it. -# Choices for crypto alg are: (each in lower-case) -# * rsa -# * ec -# * ed - -#set_var EASYRSA_ALGO rsa - -# Define the named curve, used in ec & ed modes: - -#set_var EASYRSA_CURVE secp384r1 - -# In how many days should the root CA key expire? - -#set_var EASYRSA_CA_EXPIRE 3650 - -# In how many days should certificates expire? - -#set_var EASYRSA_CERT_EXPIRE 825 - -# How many days until the next CRL publish date? Note that the CRL can still be -# parsed after this timeframe passes. It is only used for an expected next -# publication date. -#set_var EASYRSA_CRL_DAYS 180 - -# How many days before its expiration date a certificate is allowed to be -# renewed? -#set_var EASYRSA_CERT_RENEW 30 - -# Random serial numbers by default, set to no for the old incremental serial numbers -# -#set_var EASYRSA_RAND_SN "yes" - -# Support deprecated "Netscape" extensions? (choices "yes" or "no".) 
The default -# is "no" to discourage use of deprecated extensions. If you require this -# feature to use with --ns-cert-type, set this to "yes" here. This support -# should be replaced with the more modern --remote-cert-tls feature. If you do -# not use --ns-cert-type in your configs, it is safe (and recommended) to leave -# this defined to "no". When set to "yes", server-signed certs get the -# nsCertType=server attribute, and also get any NS_COMMENT defined below in the -# nsComment field. - -#set_var EASYRSA_NS_SUPPORT "no" - -# When NS_SUPPORT is set to "yes", this field is added as the nsComment field. -# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored. - -#set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" - -# A temp file used to stage cert extensions during signing. The default should -# be fine for most users; however, some users might want an alternative under a -# RAM-based FS, such as /dev/shm or /tmp on some systems. - -#set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" - -# !! -# NOTE: ADVANCED OPTIONS BELOW THIS POINT -# PLAY WITH THEM AT YOUR OWN RISK -# !! - -# Broken shell command aliases: If you have a largely broken shell that is -# missing any of these POSIX-required commands used by Easy-RSA, you will need -# to define an alias to the proper path for the command. The symptom will be -# some form of a 'command not found' error from your shell. This means your -# shell is BROKEN, but you can hack around it here if you really need. These -# shown values are not defaults: it is up to you to know what you're doing if -# you touch these. -# -#alias awk="/alt/bin/awk" -#alias cat="/alt/bin/cat" - -# X509 extensions directory: -# If you want to customize the X509 extensions used, set the directory to look -# for extensions here. Each cert type you sign must have a matching filename, -# and an optional file named 'COMMON' is included first when present. 
Note that -# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then -# fallback to $EASYRSA for the 'x509-types' dir. You may override this -# detection with an explicit dir here. -# -#set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" - -# If you want to generate KDC certificates, you need to set the realm here. -#set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" - -# OpenSSL config file: -# If you need to use a specific openssl config file, you can reference it here. -# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the -# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA -# specific and you cannot just use a standard config file, so this is an -# advanced feature. - -#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" - -# Default CN: -# This is best left alone. Interactively you will set this manually, and BATCH -# callers are expected to set this themselves. - -set_var EASYRSA_REQ_CN "{{ openvpn_config.certs.cn }}" - -# Cryptographic digest to use. -# Do not change this default unless you understand the security implications. -# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512 - -#set_var EASYRSA_DIGEST "sha256" - -# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly -# in batch mode without any user input, confirmation on dangerous operations, -# or most output. Setting this to any non-blank string enables batch mode. - -#set_var EASYRSA_BATCH "" From 560cf3ffed27a466c084322f28a7008564405aa8 Mon Sep 17 00:00:00 2001 From: gregharvey Date: Tue, 12 Mar 2024 12:44:43 +0100 Subject: [PATCH 3/5] Handling allowing client config template for ovpn to have an FQDN. --- docs/roles/debian/openvpn.md | 1 + roles/debian/openvpn/README.md | 1 + roles/debian/openvpn/defaults/main.yml | 1 + roles/debian/openvpn/tasks/main.yml | 10 ++++++++++ 4 files changed, 13 insertions(+) 
diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md
index 54fa885b6..0d4529d9d 100644
--- a/docs/roles/debian/openvpn.md
+++ b/docs/roles/debian/openvpn.md
@@ -20,6 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T
 ---
 openvpn:
 script_install_path: "/home/{{ user_provision.username }}"
+ fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty
 auto_install: true # post install server config tweaks
 ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md
index 54fa885b6..0d4529d9d 100644
--- a/roles/debian/openvpn/README.md
+++ b/roles/debian/openvpn/README.md
@@ -20,6 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T
 ---
 openvpn:
 script_install_path: "/home/{{ user_provision.username }}"
+ fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty
 auto_install: true # post install server config tweaks
 ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml
index 21ad4bc44..66287ae08 100644
--- a/roles/debian/openvpn/defaults/main.yml
+++ b/roles/debian/openvpn/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 openvpn:
 script_install_path: "/home/{{ user_provision.username }}"
+ fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty
 auto_install: true # post install server config tweaks
 ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index 4943530c0..db9c44ee0 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
@@ -168,6 +168,16 @@
 mode: '0644'
 when: openvpn.tls_cipher | length > 0
+- name: Use FQDN as OpenVPN server remote in client config.
+ ansible.builtin.lineinfile:
+ path: /etc/openvpn/client-template.txt
+ regexp: '^remote (.*) 1194$'
+ line: "remote {{ openvpn.fqdn }}"
+ owner: root
+ group: root
+ mode: '0644'
+ when: openvpn.fqdn | length > 0
+
 - name: Allow FQDN push routes.
 ansible.builtin.lineinfile:
 path: /etc/openvpn/client-template.txt
From 029b1787a9e985ad3cf4941c34d3c45be951b1cb Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Tue, 12 Mar 2024 13:11:40 +0100
Subject: [PATCH 4/5] Let's not assume port 1194 for ovpn.
---
 roles/debian/openvpn/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index db9c44ee0..6c8c19c3e 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
@@ -171,7 +171,7 @@
 - name: Use FQDN as OpenVPN server remote in client config.
 ansible.builtin.lineinfile:
 path: /etc/openvpn/client-template.txt
- regexp: '^remote (.*) 1194$'
+ regexp: '^remote (.*)'
 line: "remote {{ openvpn.fqdn }}"
 owner: root
 group: root
From 4fe25a5b264cb6d6ed16ad3448c134ae78742120 Mon Sep 17 00:00:00 2001
From: gregharvey
Date: Tue, 12 Mar 2024 15:32:04 +0100
Subject: [PATCH 5/5] Tweaking FQDN handling in ovpn.
---
 docs/roles/debian/openvpn.md | 2 +-
 roles/debian/openvpn/README.md | 2 +-
 roles/debian/openvpn/defaults/main.yml | 2 +-
 roles/debian/openvpn/tasks/main.yml | 5 +++--
 4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs/roles/debian/openvpn.md b/docs/roles/debian/openvpn.md
index 0d4529d9d..7acf4980b 100644
--- a/docs/roles/debian/openvpn.md
+++ b/docs/roles/debian/openvpn.md
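Review bot: `lineinfile` appends `line` to the end of the file when `regexp` matches nothing, so on a server whose client template carries a port other than 1194 this task is not a no-op: the original `remote <ip> <port>` stays and a second `remote {{ openvpn.fqdn }}` line is added, leaving clients with two remotes to try. The replacement `line` also drops the port that the `regexp` demands (patch 5 in this series puts it back, but the append-on-miss behaviour survives there too, so this note applies to that hunk as well). Gating the task on the port the regexp hardcodes, `when: openvpn.fqdn | length > 0 and openvpn.port_choice == "1"` (assuming `port_choice` holds the string `"1"` that the later docs comment refers to), or better deriving both `regexp` and `line` from the actual port variable, would make it a true no-op elsewhere. The `(.*)` capture group is never used and can simply be `.*`.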
@@ -20,7 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T
 ---
 openvpn:
   script_install_path: "/home/{{ user_provision.username }}"
-  fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty
+  fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty - only works with port_choice: "1"
   auto_install: true # post install server config tweaks
   ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
diff --git a/roles/debian/openvpn/README.md b/roles/debian/openvpn/README.md
index 0d4529d9d..7acf4980b 100644
--- a/roles/debian/openvpn/README.md
+++ b/roles/debian/openvpn/README.md
@@ -20,7 +20,7 @@ At the moment we do not support headless customisation of encryption settings. T
 ---
 openvpn:
   script_install_path: "/home/{{ user_provision.username }}"
-  fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty
+  fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty - only works with port_choice: "1"
   auto_install: true # post install server config tweaks
   ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml
index 66287ae08..919dbe884 100644
--- a/roles/debian/openvpn/defaults/main.yml
+++ b/roles/debian/openvpn/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 openvpn:
   script_install_path: "/home/{{ user_provision.username }}"
-  fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty
+  fqdn: "" # fully qualified domain name of VPN server for use in client config, uses IP address if empty - only works with port_choice: "1"
   auto_install: true # post install server config tweaks
   ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
index 6c8c19c3e..6f46d5286 100644
--- a/roles/debian/openvpn/tasks/main.yml
+++ b/roles/debian/openvpn/tasks/main.yml
@@ -168,11 +168,12 @@
     mode: '0644'
   when: openvpn.tls_cipher | length > 0
 
+# Only works when openvpn.port_choice == '1' because otherwise port will not be 1194 and regexp will not match
 - name: Use FQDN as OpenVPN server remote in client config.
   ansible.builtin.lineinfile:
     path: /etc/openvpn/client-template.txt
-    regexp: '^remote (.*)'
-    line: "remote {{ openvpn.fqdn }}"
+    regexp: '^remote (.*) 1194'
+    line: "remote {{ openvpn.fqdn }} 1194"
     owner: root
     group: root
     mode: '0644'
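Review bot: Both the new `regexp` and the new `line` hard-code port 1194, which is exactly what forces the `port_choice: "1"` restriction stated in the comment added above the task; capturing the port already present in the template removes it: `regexp: '^remote (\S+) (\d+)$'` / `line: 'remote {{ openvpn.fqdn }} \2'` / `backrefs: true`. With `backrefs: true` lineinfile also leaves the file untouched when nothing matches instead of appending a second `remote` directive, and the port caveat in the comment and in the defaults can be dropped. The earlier hunks of patches 3/5 and 4/5 on this page carry the same assumption (or drop the port altogether), so the fix belongs in this final form. The task's `when: openvpn.fqdn | length > 0` guard, visible in the patch 3/5 hunk, lies after the end of this hunk.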
