Merge pull request #6 from robertdebock/easy-rsa

Easy rsa
robertdebock · Jan 8, 2021 · 004bc73 · 004bc73
2 parents 79ba791 + 1c390bc
commit 004bc73
Show file tree

Hide file tree

Showing 15 changed files with 261 additions and 447 deletions.
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
@@ -33,14 +33,28 @@ jobs:
       fail-fast: false
       matrix:
         config:
+          - image: "amazonlinux"
+            tag: "latest"
           - image: "debian"
             tag: "latest"
           - image: "debian"
             tag: "bullseye"
-          - image: "ubuntu"
+          - image: "centos"
+            tag: "7"
+          - image: "centos"
+            tag: "latest"
+          - image: "fedora"
+            tag: "32"
+          - image: "fedora"
+            tag: "latest"
+          - image: "fedora"
+            tag: "rawhide"
+          - image: "debian"
             tag: "latest"
+          - image: "debian"
+            tag: "bullseye"
           - image: "ubuntu"
-            tag: "bionic"
+            tag: "latest"
     steps:
       - name: checkout
         uses: actions/checkout@v2

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -16,14 +16,28 @@ molecule:
   retry: 2
   parallel:
     matrix:
+      - image: "amazonlinux"
+        tag: "latest"
       - image: "debian"
         tag: "latest"
       - image: "debian"
         tag: "bullseye"
-      - image: "ubuntu"
+      - image: "centos"
+        tag: "7"
+      - image: "centos"
+        tag: "latest"
+      - image: "fedora"
+        tag: "32"
+      - image: "fedora"
+        tag: "latest"
+      - image: "fedora"
+        tag: "rawhide"
+      - image: "debian"
         tag: "latest"
+      - image: "debian"
+        tag: "bullseye"
       - image: "ubuntu"
-        tag: "bionic"
+        tag: "latest"
 
 galaxy:
   script:

diff --git a/README.md b/README.md
@@ -16,36 +16,31 @@ This example is taken from `molecule/resources/converge.yml` and is tested on ea
   become: yes
   gather_facts: yes
 
-  vars:
-    _openvpn_config_directory:
-      default: /etc/openvpn
-      RedHat: /etc/openvpn/server
-    openvpn_config_directory: "{{ _openvpn_config_directory[ansible_os_family] | default(_openvpn_config_directory['default']) }}"
-    openvpn_static_encryption_key_filename: "myvpn.tlsauth"
-    openvpn_static_encryption_key: "{{ openvpn_config_directory }}/{{ openvpn_static_encryption_key_filename }}"
-
   tasks:
-    - include_role:
+    - name: create openvpn server
+      include_role:
         name: robertdebock.openvpn
       vars:
-        openvpn_role: server
-
-    - name: save static encryption key
-      slurp:
-        src: "{{ openvpn_static_encryption_key }}"
-      register: openvpn_save_static_encryption_key
+        openvpn_role: "server"
 
-    - name: distribute static encryption key
+    - name: copy certificates and keys from the server to the client
       copy:
-        content: "{{ openvpn_save_static_encryption_key.content | b64decode }}"
-        dest: "{{ openvpn_static_encryption_key }}"
-        mode: "0644"
-
-    - include_role:
+        src: /etc/openvpn/easy-rsa/pki/{{ item }}
+        dest: /etc/openvpn/client/{{ item | basename }}
+        mode: "0640"
+        remote_src: yes
+      loop:
+        - ca.crt
+        - issued/client.crt
+        - private/client.key
+        - ta.key
+
+    - name: create openvpn client
+      include_role:
         name: robertdebock.openvpn
       vars:
-        openvpn_role: client
-        openvpn_client_server: localhost
+        openvpn_role: "client"
+        openvpn_client_server: 127.0.0.1
 ```
 
 The machine needs to be prepared in CI this is done using `molecule/resources/prepare.yml`:
@@ -55,14 +50,13 @@ The machine needs to be prepared in CI this is done using `molecule/resources/pr
   hosts: all
   gather_facts: no
   become: yes
-  serial: 30%
 
   roles:
     - role: robertdebock.bootstrap
-    - role: robertdebock.buildtools
+    # - role: robertdebock.buildtools
     - role: robertdebock.epel
-    - role: robertdebock.python_pip
-    - role: robertdebock.openssl
+    # - role: robertdebock.python_pip
+    # - role: robertdebock.openssl
 ```
 
 Also see a [full explanation and example](https://robertdebock.nl/how-to-use-these-roles.html) on how to use these roles.
@@ -95,13 +89,7 @@ The following roles are used to prepare a system. You may choose to prepare your
 | Requirement | Travis | GitHub |
 |-------------|--------|--------|
 | [robertdebock.bootstrap](https://galaxy.ansible.com/robertdebock/bootstrap) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-bootstrap.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-bootstrap) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-bootstrap/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-bootstrap/actions) |
-| [robertdebock.buildtools](https://galaxy.ansible.com/robertdebock/buildtools) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-buildtools.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-buildtools) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-buildtools/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-buildtools/actions) |
-| [robertdebock.ca](https://galaxy.ansible.com/robertdebock/ca) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-ca.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-ca) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-ca/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-ca/actions) |
 | [robertdebock.epel](https://galaxy.ansible.com/robertdebock/epel) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-epel.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-epel) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-epel/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-epel/actions) |
-| [robertdebock.openssl](https://galaxy.ansible.com/robertdebock/openssl) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-openssl.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-openssl) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-openssl/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-openssl/actions) |
-| [robertdebock.python_pip](https://galaxy.ansible.com/robertdebock/python_pip) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-python_pip.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-python_pip) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-python_pip/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-python_pip/actions) |
-| [robertdebock.reboot](https://galaxy.ansible.com/robertdebock/reboot) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-reboot.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-reboot) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-reboot/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-reboot/actions) |
-| [robertdebock.update](https://galaxy.ansible.com/robertdebock/update) | [![Build Status Travis](https://travis-ci.com/robertdebock/ansible-role-update.svg?branch=master)](https://travis-ci.com/robertdebock/ansible-role-update) | [![Build Status GitHub](https://github.com/robertdebock/ansible-role-update/workflows/Ansible%20Molecule/badge.svg)](https://github.com/robertdebock/ansible-role-update/actions) |
 
 ## [Context](#context)
 
@@ -116,8 +104,12 @@ This role has been tested on these [container images](https://hub.docker.com/u/r
 
 |container|tags|
 |---------|----|
+|amazon|Candidate|
+|debian|buster, bullseye|
+|el|7, 8|
+|fedora|all|
 |debian|buster, bullseye|
-|ubuntu|focal, bionic|
+|ubuntu|focal|
 
 The minimum version of Ansible required is 2.9, tests have been done to:
 

diff --git a/meta/main.yml b/meta/main.yml
@@ -8,14 +8,27 @@ galaxy_info:
   min_ansible_version: 2.9
 
   platforms:
+    - name: Amazon
+      versions:
+        - Candidate
+    - name: Debian
+      versions:
+        - buster
+        - bullseye
+    - name: EL
+      versions:
+        - 7
+        - 8
+    - name: Fedora
+      versions:
+        - all
     - name: Debian
       versions:
         - buster
         - bullseye
     - name: Ubuntu
       versions:
         - focal
-        - bionic
 
   galaxy_tags:
     - openvpn

diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -4,33 +4,28 @@
   become: yes
   gather_facts: yes
 
-  vars:
-    _openvpn_config_directory:
-      default: /etc/openvpn
-      RedHat: /etc/openvpn/server
-    openvpn_config_directory: "{{ _openvpn_config_directory[ansible_os_family] | default(_openvpn_config_directory['default']) }}"
-    openvpn_static_encryption_key_filename: "myvpn.tlsauth"
-    openvpn_static_encryption_key: "{{ openvpn_config_directory }}/{{ openvpn_static_encryption_key_filename }}"
-
   tasks:
-    - include_role:
+    - name: create openvpn server
+      include_role:
         name: ansible-role-openvpn
       vars:
-        openvpn_role: server
-
-    - name: save static encryption key
-      slurp:
-        src: "{{ openvpn_static_encryption_key }}"
-      register: openvpn_save_static_encryption_key
+        openvpn_role: "server"
 
-    - name: distribute static encryption key
+    - name: copy certificates and keys from the server to the client
       copy:
-        content: "{{ openvpn_save_static_encryption_key.content | b64decode }}"
-        dest: "{{ openvpn_static_encryption_key }}"
-        mode: "0644"
+        src: /etc/openvpn/easy-rsa/pki/{{ item }}
+        dest: /etc/openvpn/client/{{ item | basename }}
+        mode: "0640"
+        remote_src: yes
+      loop:
+        - ca.crt
+        - issued/client.crt
+        - private/client.key
+        - ta.key
 
-    - include_role:
+    - name: create openvpn client
+      include_role:
         name: ansible-role-openvpn
       vars:
-        openvpn_role: client
-        openvpn_client_server: localhost
+        openvpn_role: "client"
+        openvpn_client_server: 127.0.0.1
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -3,11 +3,10 @@
   hosts: all
   gather_facts: no
   become: yes
-  serial: 30%
 
   roles:
     - role: robertdebock.bootstrap
-    - role: robertdebock.buildtools
+    # - role: robertdebock.buildtools
     - role: robertdebock.epel
-    - role: robertdebock.python_pip
-    - role: robertdebock.openssl
+    # - role: robertdebock.python_pip
+    # - role: robertdebock.openssl
diff --git a/requirements.yml b/requirements.yml
@@ -1,10 +1,9 @@
 ---
 roles:
   - name: robertdebock.bootstrap
-  - name: robertdebock.buildtools
-  - name: robertdebock.ca
+  # - name: robertdebock.buildtools
   - name: robertdebock.epel
-  - name: robertdebock.openssl
-  - name: robertdebock.python_pip
-  - name: robertdebock.reboot
-  - name: robertdebock.update
+  # - name: robertdebock.openssl
+  # - name: robertdebock.python_pip
+  # - name: robertdebock.reboot
+  # - name: robertdebock.update
diff --git a/tasks/client.yml b/tasks/client.yml
@@ -0,0 +1,19 @@
+---
+
+- name: ensure /etc/openvpn/client exists
+  file:
+    path: /etc/openvpn/client
+    state: directory
+    owner: root
+    group: "{{ openvpn_group }}"
+    mode: "0750"
+
+- name: place client.conf
+  template:
+    src: client.conf.j2
+    dest: "{{ openvpn_configuration_directory }}/client.conf"
+    owner: root
+    group: "{{ openvpn_group }}"
+    mode: "0640"
+  notify:
+    - restart openvpn
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -5,50 +5,22 @@
   include_tasks: assert.yml
   run_once: yes
 
-- name: install openvpn
+- name: install openvpn packages
   package:
     name: "{{ openvpn_packages }}"
     state: present
 
 - name: setup openvpn server
-  block:
-    - name: include ca role
-      include_role:
-        name: robertdebock.ca
-      vars:
-        ca_openssl_path: "{{ openvpn_certs_directory }}"
-        ca_requests:
-          - name: server
-
-    - name: generate static encryption key
-      command: openvpn --genkey --secret {{ openvpn_static_encryption_key }}
-      args:
-        creates: "{{ openvpn_static_encryption_key }}"
-
-    - name: generate dh2048 key
-      command: openssl dhparam -out {{ openvpn_dh2048_key }} 2048
-      args:
-        creates: "{{ openvpn_dh2048_key }}"
-
-    - name: configure openvpn server
-      template:
-        src: "{{ openvpn_server_config_file }}.j2"
-        dest: "{{ openvpn_config_directory }}/{{ openvpn_server_config_file }}"
-        mode: "0644"
-      notify:
-        - restart openvpn
+  include: server.yml
   when:
     - openvpn_role == "server"
 
-- name: configure openvpn client
-  template:
-    src: "{{ openvpn_client_config_file }}.j2"
-    dest: "{{ openvpn_config_directory }}/{{ openvpn_client_config_file }}"
-    mode: "0644"
+- name: setup openvpn client
+  include: client.yml
   when:
     - openvpn_role == "client"
 
-- name: start and enable openvpn server
+- name: start and enable openvpn
   service:
     name: "{{ openvpn_service }}"
     state: started