summaryrefslogtreecommitdiff
path: root/roles/ocserv/tasks/configure_ocserv.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'roles/ocserv/tasks/configure_ocserv.yaml')
-rw-r--r--roles/ocserv/tasks/configure_ocserv.yaml40
1 files changed, 40 insertions, 0 deletions
diff --git a/roles/ocserv/tasks/configure_ocserv.yaml b/roles/ocserv/tasks/configure_ocserv.yaml
new file mode 100644
index 00000000..53e771c0
--- /dev/null
+++ b/roles/ocserv/tasks/configure_ocserv.yaml
@@ -0,0 +1,40 @@
+---
+- name: "template out config"
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ loop:
+ - src: ocserv.conf.j2
+ dest: /var/reactance/ocserv/ocserv.conf
+ - src: ca.tmpl.j2
+ dest: /var/reactance/ocserv/certs/ca.tmpl
+ - src: server.tmpl.j2
+ dest: /var/reactance/ocserv/certs/server.tmpl
+ - src: crl.tmpl.j2
+ dest: /var/reactance/ocserv/certs/crl.tmpl
+
+# generate ca, server certs, crl file
+- name: "generate ca, server certs"
+ ansible.builtin.shell: "{{ item }}"
+ loop:
+ - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/ca-key.pem"
+ - "certtool --generate-self-signed --load-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/ca.tmpl --outfile /var/reactance/ocserv/certs/ca-cert.pem"
+ - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/server-key.pem"
+ - "certtool --generate-certificate --load-privkey /var/reactance/ocserv/certs/server-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/server.tmpl --outfile /var/reactance/ocserv/certs/server-cert.pem"
+ - "certtool --generate-crl --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --template /var/reactance/ocserv/certs/crl.tmpl --outfile /var/reactance/ocserv/certs/crl.pem"
+ no_log: true
+
+- name: "template out nat rules in pf.conf"
+ ansible.builtin.blockinfile:
+ path: /etc/pf.conf
+ create: true
+ backup: true
+ marker: "### REACTANCE - Ocserv NAT - {mark} ###"
+ insertafter: "EOF"
+ block: |
+ match out on {{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from {{ ocserv_network | default("172.16.16.0/24") }} to any nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
+ match in on {{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from any to {{ ocserv_network | default("172.16.16.0/24") }} nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
+# default(ansible_all_ipv4_addresses[0]) is added, in case a default route doesn't exist
+
+- name: "generate public, private key pair"
+ ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/ocserv/certs/server-key.pem -out /var/reactance/ocserv/certs/server-cert.pem -sha256 -days 3650 -nodes -subj /CN=example &>/dev/null"
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-27 19:48:16 +0000