Update to 2021-12-01 19:13

2025-07-26 15:55:56 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/openvpn/templates/openvpn.conf.j2
+++ b/roles/openvpn/templates/openvpn.conf.j2
@@ -0,0 +1,111 @@
+###########################################################
+## {{ ansible_managed }}
+###########################################################
+
+
+port {{ item.port }}
+dev {{ item.dev + item.name }}
+persist-tun
+persist-key
+{% if item.ifconfig is defined %}
+ifconfig {{ item.ifconfig }}
+{% else %}
+topology {{ item.topology }}
+{% endif %}
+{% if item.type == 'server' %}
+proto {{ (item.proto == 'tcp') | ternary('tcp-server',item.proto) }}
+{% for route in item.push_routes %}
+route {{ route.net }} {{ route.mask }}
+{% endfor %}
+{% else %}
+resolv-retry infinite
+nobind
+proto {{ (item.proto == 'tcp') | ternary('tcp-client',item.proto) }}
+{%   if item.remote is string %}
+remote {{ item.remote | string }}
+{%   elif item.remote is iterable %}
+{%     for remote in item.remote %}
+remote {{ remote }}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+
+{% if item.auth == 'cert' %}
+{%   if item.remote_cn is defined %}
+verify-x509-name {{ item.remote_cn }} name
+{%   endif %}
+tls-{{ item.type }}
+{%   if item.type == 'server' %}
+remote-cert-tls client
+{%     if item.duplicate_dn %}
+duplicate-cn
+{%     endif %}
+dh /etc/openvpn/{{ item }}.sh
+{%   elif item.type == 'client' %}
+remote-cert-tls server
+{%     if item.pull %}
+pull
+{%     endif %}
+{%   endif %}
+
+{%   if item.pkcs12 is defined %}
+<pkcs12>
+{{ item.pkcs12 }}
+</pkcs12>
+{%   elif item.ca is defined and item.cert is defined and item.key is defined %}
+<ca>
+{{ item.ca }}
+</ca>
+<cert>
+{{ item.cert }}
+</cert>
+<key>
+{{ item.key }}
+</key>
+{%   endif %}
+{% if item.tls_crypt %}
+<tls-crypt>
+{{ item.tls_crypt }}
+</tls-crypt>
+{% elif item.tls_auth %}
+<tls-auth>
+{{ item.tls_auth }}
+</tls-auth>
+key-direction {{ (item.type == 'server') | ternary('0','1') }}
+{% endif %}
+{% elif item.auth == 'psk' %}
+<secret>
+{{ item.secret }}
+</secret>
+{% endif %}
+
+{% if item.cipher != 'default' %}
+cipher {{ item.cipher }}
+{% endif %}
+{% if item.auth_hash is defined %}
+auth {{ item.auth_hash }}
+{% endif %}
+passtos
+{% if item.compress != 'default' %}
+compress {{ item.compress }}
+{% endif %}
+
+{% for route in item.routes %}
+route {{ route.net }} {{ route.mask }}
+{% endfor %}
+
+keepalive 10 60
+{% if item.proto == 'udp' %}
+mtu-test
+{% endif %}
+
+{% if item.rcvbuf is defined %}
+rcvbuf {{ item.rcvbuf }}
+{% endif %}
+{% if item.sndbuf is defined %}
+sndbuf {{ item.sndbuf }}
+{% endif %}
+
+{% if item.proto == 'udp' %}
+fast-io
+{% endif %}
--- a/roles/openvpn/templates/openvpn@.service.j2
+++ b/roles/openvpn/templates/openvpn@.service.j2
@@ -0,0 +1,24 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+
+[Service]
+Type=notify
+PrivateTmp=true
+WorkingDirectory=/etc/openvpn/
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --config %i.conf
+CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+LimitNPROC=10
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+ProtectSystem=true
+ProtectHome=true
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+