Diffstat (limited to 'roles/ocserv/tasks')
| -rw-r--r-- | roles/ocserv/tasks/check_ocserv_exists.yaml | 16 | ||||
| -rw-r--r-- | roles/ocserv/tasks/configure_ocserv.yaml | 40 | ||||
| -rw-r--r-- | roles/ocserv/tasks/create_users_ocserv.yaml | 18 | ||||
| -rw-r--r-- | roles/ocserv/tasks/install_ocserv.yaml | 63 | ||||
| -rw-r--r-- | roles/ocserv/tasks/main.yaml | 3 | ||||
| -rw-r--r-- | roles/ocserv/tasks/setup_ocserv.yaml | 8 |
6 files changed, 148 insertions, 0 deletions
diff --git a/roles/ocserv/tasks/check_ocserv_exists.yaml b/roles/ocserv/tasks/check_ocserv_exists.yaml
new file mode 100644
index 00000000..bb4734ce
--- /dev/null
+++ b/roles/ocserv/tasks/check_ocserv_exists.yaml
@@ -0,0 +1,16 @@
+---
+- name: "Check if ocserv is already installed"
+ ansible.builtin.stat:
+ path: /var/reactance/ocserv
+ register: ocserv_directory
+
+- name: "Install ocserv if directory doesn't exist"
+ ansible.builtin.include_tasks: install_ocserv.yaml
+ when: ocserv_directory.stat.exists == false
+
+- name: "Configure ocserv"
+ ansible.builtin.include_tasks: configure_ocserv.yaml
+ when: ocserv_directory.stat.exists == false
+
+- name: "Create ocserv users"
+ ansible.builtin.include_tasks: create_users_ocserv.yaml
diff --git a/roles/ocserv/tasks/configure_ocserv.yaml b/roles/ocserv/tasks/configure_ocserv.yaml
new file mode 100644
index 00000000..53e771c0
--- /dev/null
+++ b/roles/ocserv/tasks/configure_ocserv.yaml
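Review bot: The gate `when: ocserv_directory.stat.exists == false` keys on `/var/reactance/ocserv`, which install_ocserv.yaml creates in its second task, so a first run that fails anywhere after that point (certificate generation, the pf rules, the worker copy) leaves the directory behind and every later run skips both installation and configuration for good, with no certificates in place. Gating instead on an artifact produced at the end of configuration, e.g. `path: /var/reactance/ocserv/certs/server-cert.pem`, or giving the certtool tasks `creates:` arguments, would let the role converge after a partial failure. While here, both conditions read more idiomatically as `when: not ocserv_directory.stat.exists`, which ansible-lint also prefers over comparison with a literal boolean.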
@@ -0,0 +1,40 @@
+---
+- name: "template out config"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
+ - src: ca.tmpl.j2
+ dest: /var/reactance/ocserv/certs/ca.tmpl
+ - src: server.tmpl.j2
+ dest: /var/reactance/ocserv/certs/server.tmpl
+ - src: crl.tmpl.j2
+ dest: /var/reactance/ocserv/certs/crl.tmpl
+
+# generate ca, server certs, crl file
+- name: "generate ca, server certs"
+ ansible.builtin.shell: "{{ item }}"
+ loop:
+ - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/ca-key.pem"
+ - "certtool --generate-self-signed --load-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/ca.tmpl --outfile /var/reactance/ocserv/certs/ca-cert.pem"
+ - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/server-key.pem"
+ - "certtool --generate-certificate --load-privkey /var/reactance/ocserv/certs/server-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/server.tmpl --outfile /var/reactance/ocserv/certs/server-cert.pem"
+ - "certtool --generate-crl --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --template /var/reactance/ocserv/certs/crl.tmpl --outfile /var/reactance/ocserv/certs/crl.pem"
+ no_log: true
+
+- name: "template out nat rules in pf.conf"
+ ansible.builtin.blockinfile:
+ path: /etc/pf.conf
+ create: true
+ backup: true
+ marker: "### REACTANCE - Ocserv NAT - {mark} ###"
+ insertafter: "EOF"
+ block: |
+ match out on {{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from {{ ocserv_network | default("172.16.16.0/24") }} to any nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
+ match in on {{ 
ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from any to {{ ocserv_network | default("172.16.16.0/24") }} nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
+# default(ansible_all_ipv4_addresses[0]) is added, in case a default route doesn't exist
+
+- name: "generate public, private key pair"
+ ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/ocserv/certs/server-key.pem -out /var/reactance/ocserv/certs/server-cert.pem -sha256 -days 3650 -nodes -subj /CN=example &>/dev/null"
diff --git a/roles/ocserv/tasks/create_users_ocserv.yaml b/roles/ocserv/tasks/create_users_ocserv.yaml
new file mode 100644
index 00000000..12748e7a
--- /dev/null
+++ b/roles/ocserv/tasks/create_users_ocserv.yaml
@@ -0,0 +1,18 @@
+---
+- name: "ocserv user management"
+ ocserv:
+ users: "{{ all_users|default([]) + ocserv_users|default([]) }}"
+ notify:
+ - restart_ocserv
+# no_log: true
+ register: ocserv_user_pass_dict
+
+- name: "make temp dir"
+ ansible.builtin.file:
+ path: /var/reactance/.temp/
+ state: directory
+
+- name: "add ocserv user password pair to dict"
+ ansible.builtin.copy:
+ content: "{{ ocserv_user_pass_dict['msg']|default({}) | to_json }}"
+ dest: /var/reactance/.temp/ocserv_user_pass_dict
diff --git a/roles/ocserv/tasks/install_ocserv.yaml b/roles/ocserv/tasks/install_ocserv.yaml
new file mode 100644
index 00000000..a31a2ee5
--- /dev/null
+++ b/roles/ocserv/tasks/install_ocserv.yaml
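Review bot: The closing "generate public, private key pair" task overwrites the `server-key.pem` and `server-cert.pem` that the certtool loop produced a few lines earlier, replacing the CA-signed server certificate with a self-signed one for `/CN=example`; after that `ca-cert.pem` and `crl.pem` no longer relate to the certificate ocserv serves, so clients that trust the CA cert will fail validation and the CRL is dead weight. Unless the openssl certificate is what is intended, drop that task, or at least gate it with `creates: /var/reactance/ocserv/certs/server-cert.pem`. Its `&>/dev/null` redirect is a bash extension; under the ksh-derived /bin/sh that Ansible presumably uses on this OpenBSD host it may parse as `openssl … &` followed by `>/dev/null`, backgrounding the command so the task returns before the key exists — use `>/dev/null 2>&1`. Separately, the pf fallback `default(ansible_all_ipv4_addresses[0])` substitutes an IP address where `match … on` expects an interface name, so on a host without a default route the rendered rule is unlikely to load; failing the play with an explicit message when `ansible_default_ipv4.interface` is undefined would be safer than writing an unloadable pf.conf.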
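Review bot: The "add ocserv user password pair to dict" copy writes the module's returned user/password pairs as plaintext JSON to `/var/reactance/.temp/ocserv_user_pass_dict` without a `mode:`, and "make temp dir" creates the directory without one either, so both take whatever the remote umask yields, typically world-readable. Add `mode: "0600"` to the copy and `mode: "0700"` to the directory (with an explicit `owner:` for whichever account is meant to read it), or better, keep the pairs in the registered variable and never write them to disk. The commented-out `# no_log: true` on the `ocserv` task should be re-enabled: `register:` still captures the result with `no_log` set, it only stops the credentials from being printed in play output and logs, and since this task is not gated they would otherwise be echoed on every run.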
@@ -0,0 +1,63 @@
+---
+# ocserv has built-in chroot functionality
+
+# it's fine here, other roles won't be running any pkg_add
+- name: "install ocserv"
+ community.general.openbsd_pkg:
+ name: ocserv--
+ state: present
+
+- name: "create directory"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: _vpn
+ group: _vpn
+ mode: 0700
+ loop:
+ - /var/reactance/ocserv
+ - /var/reactance/ocserv/run
+ - /var/reactance/ocserv/certs
+
+- name: "create log file"
+ ansible.builtin.file:
+ path: /var/log/ocserv.log
+ state: touch
+ mode: "0600"
+ changed_when: false
+
+- name: "create temporary directory"
+ ansible.builtin.tempfile:
+ state: directory
+ suffix: temp
+ register: ocserv_tempdir
+ notify:
+ - remove_ocserv_tempdir
+
+- name: "template out config"
+ ansible.builtin.template:
+ src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
+
+- name: "template out init script"
+ ansible.builtin.template:
+ src: ocserv.rc.j2
+ dest: "{{ ocserv_tempdir.path }}/ocserv.rc"
+
+# will fail without it
+- name: "copy ocserv-worker"
+ ansible.builtin.copy:
+ owner: _vpn
+ group: _vpn
+ remote_src: true
+ src: /usr/local/sbin/ocserv-worker
+ dest: /var/reactance/ocserv/ocserv-worker
+ mode: 0770
+
+- name: "install init script"
+ ansible.builtin.shell: "install -m 755 -g bin {{ ocserv_tempdir.path }}/ocserv.rc /etc/rc.d/ocserv && rm -rf /var/reactance/ocserv/ocserv.rc"
+
+- name: "remove /etc/ocserv (we are using /var/reactance/ocserv)"
+ ansible.builtin.file:
+ path: /etc/ocserv
+ state: absent
diff --git a/roles/ocserv/tasks/main.yaml b/roles/ocserv/tasks/main.yaml
new file mode 100644
index 00000000..4ed25a48
--- /dev/null
+++ b/roles/ocserv/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+- name: "setup ocserv"
+ include_tasks: check_ocserv_exists.yaml
diff --git a/roles/ocserv/tasks/setup_ocserv.yaml b/roles/ocserv/tasks/setup_ocserv.yaml
new file mode 100644
index 00000000..d2a9bb59
--- /dev/null
+++ b/roles/ocserv/tasks/setup_ocserv.yaml
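Review bot: The "copy ocserv-worker" task installs the worker binary as `owner: _vpn`, `group: _vpn`, `mode: 0770`, i.e. writable by the unprivileged account, and `/var/reactance/ocserv` itself is also `_vpn`-owned, so anything running as `_vpn` that is compromised can replace the executable that the (presumably privileged) ocserv main process launches for each session, turning a worker compromise into a privilege escalation. Unless the chroot setup visibly requires `_vpn` ownership (the `# will fail without it` comment does not say which part fails), install it as `owner: root`, `mode: "0755"`, and consider root ownership with group `_vpn` and `"0750"` on the directories so the account can traverse but not replace files — TODO confirm against ocserv's chroot requirements before changing. The octal modes `0700` and `0770` should be quoted like the `"0600"` used on the log file; unquoted they are parsed as YAML integers and only work because the loader happens to treat the leading zero as octal. The `&& rm -rf /var/reactance/ocserv/ocserv.rc` in "install init script" removes a path this file never writes (the rc script is templated into `ocserv_tempdir`), so it is dead and can go.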
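Review bot: `include_tasks:` in main.yaml is the only module reference in the role written without its collection prefix; the other task files use `ansible.builtin.` throughout, so for consistency write `ansible.builtin.include_tasks: check_ocserv_exists.yaml`. A one-line comment noting that setup_ocserv.yaml is deliberately not included here (if that is the case) would also save the next reader a search.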
@@ -0,0 +1,8 @@
+---
+- name: "generate server cert and key"
+ ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/ocserv/certs/server-key.pem -out /var/reactance/ocserv/certs/server-cert.pem -sha256 -days 3650 -nodes -subj '/CN=JohnDane'"
+
+- name: "template out ocserv config"
+ ansible.builtin.template:
+ src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf |
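Review bot: From what is visible, setup_ocserv.yaml is not included by main.yaml or check_ocserv_exists.yaml, and if it were run its openssl task would overwrite the CA-signed `server-key.pem`/`server-cert.pem` produced in configure_ocserv.yaml with a self-signed certificate for `/CN=JohnDane`, detaching the served certificate from `ca-cert.pem` and the CRL. If it is a leftover, delete it; if it is meant as a standalone path, gate the openssl task with `creates: /var/reactance/ocserv/certs/server-cert.pem` and add a header comment stating when this file applies instead of the certtool flow. The hard-coded `/CN=JohnDane` reads as a placeholder and should come from a variable such as `ocserv_server_cn` if the file stays.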
