summaryrefslogtreecommitdiff
path: root/roles/network/openvpn/server/tasks/tls.yml
diff options
context:
space:
mode:
Diffstat (limited to 'roles/network/openvpn/server/tasks/tls.yml')
-rw-r--r--roles/network/openvpn/server/tasks/tls.yml104
1 files changed, 104 insertions, 0 deletions
diff --git a/roles/network/openvpn/server/tasks/tls.yml b/roles/network/openvpn/server/tasks/tls.yml
new file mode 100644
index 00000000..6508676d
--- /dev/null
+++ b/roles/network/openvpn/server/tasks/tls.yml
@@ -0,0 +1,104 @@
+---
+- name: install python-cryptography
+ apt:
+ name: "{{ python_basename }}-cryptography"
+ state: present
+
+- name: create base directory
+ file:
+ path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}"
+ state: directory
+
+- name: create server cert/key directory
+ file:
+ path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server"
+ state: directory
+ owner: root
+ group: root
+ mode: 0750
+
+- name: create private key for server certificate
+ openssl_privatekey:
+ path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem"
+ type: RSA
+ size: 4096
+ owner: root
+ group: root
+ mode: 0400
+ notify: restart openvpn-server
+
+- name: create signing request for server certificate
+ openssl_csr:
+ path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem"
+ privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/key.pem"
+ CN: "{{ inventory_hostname }}"
+ key_usage:
+ - digitalSignature
+ - keyEncipherment
+ key_usage_critical: yes
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ basic_constraints:
+ - 'CA:FALSE'
+ basic_constraints_critical: yes
+
+- name: slurp CSR
+ slurp:
+ src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/csr.pem"
+ register: openvpn_server_csr
+
+- name: check if server certificate exists
+ stat:
+ path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
+ register: openvpn_server_cert
+
+- name: read server certificate validity
+ when: openvpn_server_cert.stat.exists
+ openssl_certificate_info:
+ path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
+ valid_at:
+ ten_years: '+3650d' ## 10 years
+ register: openvpn_server_cert_info
+
+- name: slurp existing server certificate
+ when: openvpn_server_cert.stat.exists
+ slurp:
+ src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
+ register: openvpn_server_cert_current
+
+- name: generate server certificate
+ delegate_to: "{{ openvpn_zone.ca_host }}"
+ community.crypto.x509_certificate_pipe:
+ content: "{{ openvpn_server_cert_current.content | default('') | b64decode }}"
+ csr_content: "{{ openvpn_server_csr.content | b64decode }}"
+ provider: ownca
+ ownca_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
+ ownca_privatekey_path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca/key.pem"
+ ownca_digest: sha256
+ ownca_not_after: "+18250d" ## 50 years
+ force: "{{ openvpn_server_cert.stat.exists and (not openvpn_server_cert_info.valid_at.ten_years) }}"
+ register: openvpn_server_cert
+
+- name: store server certificate
+ copy:
+ content: "{{ openvpn_server_cert.certificate }}"
+ dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/server/crt.pem"
+ notify: restart openvpn-server
+
+- name: slurp CA certificate
+ delegate_to: "{{ openvpn_zone.ca_host }}"
+ slurp:
+ src: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
+ register: openvpn_server_ca_certificate
+
+- name: install CA certificate
+ copy:
+ content: "{{ openvpn_server_ca_certificate.content | b64decode }}"
+ dest: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/ca-crt.pem"
+
+- name: generate Diffie-Hellman parameters
+ openssl_dhparam:
+ path: "/etc/ssl/openvpn/{{ openvpn_zone.name }}/dhparams.pem"
+ size: 2048
+ notify: restart openvpn-server
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-29 07:06:43 +0000