diff options
author | Christian Pointner <equinox@spreadspace.org> | 2021-11-16 21:16:00 +0100 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2021-11-16 21:16:00 +0100 |
commit | 42220a14f9fb4a6e16a0c00a5839c0a0e831be4d (patch) | |
tree | 4b8f6d98115ce34d4afa3d04f8e9c624cfd7e26a /roles/network/openvpn/server/tasks/tls.yml | |
parent | fix virt-manager spice support (diff) |
openvpn roles - bas scaffolding and certs
Diffstat (limited to 'roles/network/openvpn/server/tasks/tls.yml')
-rw-r--r-- | roles/network/openvpn/server/tasks/tls.yml | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/roles/network/openvpn/server/tasks/tls.yml b/roles/network/openvpn/server/tasks/tls.yml new file mode 100644 index 00000000..6508676d --- /dev/null +++ b/roles/network/openvpn/server/tasks/tls.yml @@ -0,0 +1,104 @@ +--- +- name: install python-cryptography + apt: + name: "{{ python_basename }}-cryptography" + state: present + +- name: create base directory + file: + path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}" + state: directory + +- name: create server cert/key directory + file: + path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server" + state: directory + owner: root + group: root + mode: 0750 + +- name: create private key for server certificate + openssl_privatekey: + path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem" + type: RSA + size: 4096 + owner: root + group: root + mode: 0400 + notify: restart openvpn-server + +- name: create signing request for server certificate + openssl_csr: + path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem" + privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem" + CN: "{{ inventory_hostname }}" + key_usage: + - digitalSignature + - keyEncipherment + key_usage_critical: yes + extended_key_usage: + - serverAuth + extended_key_usage_critical: yes + basic_constraints: + - 'CA:FALSE' + basic_constraints_critical: yes + +- name: slurp CSR + slurp: + src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem" + register: openvpn_server_csr + +- name: check if server certificate exists + stat: + path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem" + register: openvpn_server_cert + +- name: read server certificate validity + when: openvpn_server_cert.stat.exists + openssl_certificate_info: + path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem" + valid_at: + ten_years: '+3650d' ## 10 years + register: openvpn_server_cert_info + +- name: slurp existing server certificate + when: openvpn_server_cert.stat.exists + slurp: + src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem" + register: openvpn_server_cert_current + +- name: generate server certificate + delegate_to: "{{ openvpn_zone.ca_host }}" + community.crypto.x509_certificate_pipe: + content: "{{ openvpn_server_cert_current.content | default('') | b64decode }}" + csr_content: "{{ openvpn_server_csr.content | b64decode }}" + provider: ownca + ownca_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem" + ownca_privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem" + ownca_digest: sha256 + ownca_not_after: "+18250d" ## 50 years + force: "{{ openvpn_server_cert.stat.exists and (not openvpn_server_cert_info.valid_at.ten_years) }}" + register: openvpn_server_cert + +- name: store server certificate + copy: + content: "{{ openvpn_server_cert.certificate }}" + dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem" + notify: restart openvpn-server + +- name: slurp CA certificate + delegate_to: "{{ openvpn_zone.ca_host }}" + slurp: + src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem" + register: openvpn_server_ca_certificate + +- name: install CA certificate + copy: + content: "{{ openvpn_server_ca_certificate.content | b64decode }}" + dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem" + +- name: generate Diffie-Hellman parameters + openssl_dhparam: + path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/dhparams.pem" + size: 2048 + notify: restart openvpn-server |