From b7a455303f42911005c6e0f47a2864af613ffd6e Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 20 Feb 2024 18:10:17 +0100
Subject: ele-router: add vpn for mixer vlan
---
 dan/ele-router.yml | 58 +++++++++++++++++++++++++++---------------------------
 1 file changed, 29 insertions(+), 29 deletions(-)
 (limited to 'dan/ele-router.yml')
diff --git a/dan/ele-router.yml b/dan/ele-router.yml
index 13616ad0..e160b57a 100644
--- a/dan/ele-router.yml
+++ b/dan/ele-router.yml
@@ -1,5 +1,5 @@
 ---
-- name: generate TLS CA for openvpn mgmt
+- name: generate TLS CA for openvpn
 hosts: ele-router
 connection: local
 gather_facts: no
@@ -7,18 +7,18 @@
 - name: generate CA key and certificate
 run_once: yes
 block:
- name: generate CA key
+ - name: generate CA keys
 community.crypto.openssl_privatekey_pipe:
 type: "Ed25519"
- content: "{{ vault_ovpn_mgmt_ca_key | default(omit) }}"
+ content: "{{ vault_ovpn_ca_key | default(omit) }}"
 return_current_key: yes
- register: ovpn_mgmt_ca_key_result
+ register: ovpn_ca_key_result
 no_log: true
 - name: create signing request for CA certificate
 community.crypto.openssl_csr_pipe:
- privatekey_content: "{{ ovpn_mgmt_ca_key_result.privatekey }}"
- CN: "CA for ele-router mgmt vpn"
+ privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
+ CN: "CA for ele-router vpn"
 useCommonNameForSAN: no
 key_usage:
 - cRLSign
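Review bot: The renamed lookup `content: "{{ vault_ovpn_ca_key | default(omit) }}"` (and the matching `vault_ovpn_ca_cert`, `vault_ovpn_keys` and `vault_ovpn_certs` lookups in the next two hunks) falls back to `omit` when the new variable is absent, so a vault that still carries only the old `vault_ovpn_mgmt_*` entries is silently bypassed and a fresh CA key and self-signed CA certificate are generated. The commit includes no migration of the vault entries and no guard, so one run against the un-migrated vault amounts to an unintended CA rotation that no longer trusts already-issued certificates. A pre-check before the block, such as `- assert:` with `that: vault_ovpn_ca_key is defined` and `fail_msg: "vault not migrated from vault_ovpn_mgmt_* names"` (or a documented bootstrap flag), would turn that into an explicit failure. Independently, the CN change to `CA for ele-router vpn` will probably make x509_certificate_pipe regenerate a stored CA certificate whose subject no longer matches the CSR, which also invalidates client certificates whose issuer is the old name; if that rotation is intended the commit message should say so. The `generate CA key and certificate` block starts at the hunk's first line and continues into the following hunks.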
@@ -28,32 +28,32 @@
 - 'CA:TRUE'
 - 'pathlen:0'
 basic_constraints_critical: yes
- register: ovpn_mgmt_ca_csr_result
+ register: ovpn_ca_csr_result
 changed_when: false
 - name: create self-signed CA certificate
 community.crypto.x509_certificate_pipe:
- content: "{{ vault_ovpn_mgmt_ca_cert | default(omit) }}"
- csr_content: "{{ ovpn_mgmt_ca_csr_result.csr }}"
- privatekey_content: "{{ ovpn_mgmt_ca_key_result.privatekey }}"
+ content: "{{ vault_ovpn_ca_cert | default(omit) }}"
+ csr_content: "{{ ovpn_ca_csr_result.csr }}"
+ privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
 provider: selfsigned
 selfsigned_digest: sha256
 selfsigned_not_after: "+18250d" ## 50 years
 selfsigned_create_subject_key_identifier: always_create
- register: ovpn_mgmt_ca_cert_result
+ register: ovpn_ca_cert_result
 - name: generate key
 community.crypto.openssl_privatekey_pipe:
 type: "Ed25519"
- content: "{{ vault_ovpn_mgmt_keys[inventory_hostname] | default(omit) }}"
+ content: "{{ vault_ovpn_keys[inventory_hostname] | default(omit) }}"
 return_current_key: yes
- register: ovpn_mgmt_key_result
+ register: ovpn_key_result
 no_log: true
 - name: create signing request for certificate
 community.crypto.openssl_csr_pipe:
- privatekey_content: "{{ ovpn_mgmt_key_result.privatekey }}"
+ privatekey_content: "{{ ovpn_key_result.privatekey }}"
 CN: "{{ inventory_hostname }}"
 key_usage:
 - digitalSignature
@@ -65,39 +65,39 @@
 basic_constraints:
 - 'CA:FALSE'
 basic_constraints_critical: yes
- register: ovpn_mgmt_csr_result
+ register: ovpn_csr_result
 changed_when: false
 - name: create certificate
 community.crypto.x509_certificate_pipe:
- content: "{{ vault_ovpn_mgmt_certs[inventory_hostname] | default(omit) }}"
- csr_content: "{{ ovpn_mgmt_csr_result.csr }}"
- privatekey_content: "{{ ovpn_mgmt_key_result.privatekey }}"
+ content: "{{ vault_ovpn_certs[inventory_hostname] | default(omit) }}"
+ csr_content: "{{ ovpn_csr_result.csr }}"
+ privatekey_content: "{{ ovpn_key_result.privatekey }}"
 provider: ownca
- ownca_content: "{{ ovpn_mgmt_ca_cert_result.certificate }}"
- ownca_privatekey_content: "{{ ovpn_mgmt_ca_key_result.privatekey }}"
+ ownca_content: "{{ ovpn_ca_cert_result.certificate }}"
+ ownca_privatekey_content: "{{ ovpn_ca_key_result.privatekey }}"
 ownca_digest: sha256
 ownca_not_after: "+18250d" ## 50 years
- register: ovpn_mgmt_cert_result
+ register: ovpn_cert_result
 - run_once: yes
 set_fact:
 vault_content: |
 ---
- vault_ovpn_mgmt_ca_key: |
- {{ ovpn_mgmt_ca_key_result.privatekey | indent(2) }}
- vault_ovpn_mgmt_ca_cert: |
- {{ ovpn_mgmt_ca_cert_result.certificate | indent(2) }}
- vault_ovpn_mgmt_keys:
+ vault_ovpn_ca_key: |
+ {{ ovpn_ca_key_result.privatekey | indent(2) }}
+ vault_ovpn_ca_cert: |
+ {{ ovpn_ca_cert_result.certificate | indent(2) }}
+ vault_ovpn_keys:
 {% for host in play_hosts %}
 {{ host }}: |
- {{ hostvars[host].ovpn_mgmt_key_result.privatekey | indent(4) }}
+ {{ hostvars[host].ovpn_key_result.privatekey | indent(4) }}
 {% endfor %}
- vault_ovpn_mgmt_certs:
+ vault_ovpn_certs:
 {% for host in play_hosts %}
 {{ host }}: |
- {{ hostvars[host].ovpn_mgmt_cert_result.certificate | indent(4) }}
+ {{ hostvars[host].ovpn_cert_result.certificate | indent(4) }}
 {% endfor %}
 - pause:
-- cgit v1.2.3
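Review bot: The `set_fact` task that assembles `vault_content` from `ovpn_ca_key_result.privatekey` and every host's `hostvars[host].ovpn_key_result.privatekey` carries no `no_log: true`, unlike the key-generation tasks that feed it, so the concatenated private keys are printed in that task's result whenever the play runs with `-v` or a `log_path` is configured. Add `no_log: true` next to `run_once: yes` on that task; the fact itself stays available, so a following prompt that shows the content to the operator is not affected. The renamed keys in the rendered document do match the new `vault_ovpn_*` names read by the earlier tasks, which is the only thing keeping this round-trip consistent, so a one-line comment such as `# key names must match the vault_ovpn_* lookups above` would help the next rename. The `pause:` task at the end of the hunk continues outside it.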