1 files changed, 63 insertions, 0 deletions

diff --git a/roles/ocserv/tasks/install_ocserv.yaml b/roles/ocserv/tasks/install_ocserv.yaml
new file mode 100644
index 00000000..a31a2ee5
--- /dev/null
+++ b/roles/ocserv/tasks/install_ocserv.yaml
@@ -0,0 +1,63 @@
+---
+# ocserv has built-in chroot functionality
+
+# it's fine here, other roles won't be running any pkg_add
+- name: "install ocserv"
+  community.general.openbsd_pkg:
+    name: ocserv--
+    state: present
+
+- name: "create directory"
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: _vpn
+    group: _vpn
+    mode: 0700
+  loop:
+    - /var/reactance/ocserv
+    - /var/reactance/ocserv/run
+    - /var/reactance/ocserv/certs
+
+- name: "create log file"
+  ansible.builtin.file:
+    path: /var/log/ocserv.log
+    state: touch
+    mode: "0600"
+  changed_when: false
+
+- name: "create temporary directory"
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: temp
+  register: ocserv_tempdir
+  notify:
+    - remove_ocserv_tempdir
+
+- name: "template out config"
+  ansible.builtin.template:
+    src: ocserv.conf.j2
+    dest: /var/reactance/ocserv/ocserv.conf
+
+- name: "template out init script"
+  ansible.builtin.template:
+    src: ocserv.rc.j2
+    dest: "{{ ocserv_tempdir.path }}/ocserv.rc"
+
+# will fail without it
+- name: "copy ocserv-worker"
+  ansible.builtin.copy:
+    owner: _vpn
+    group: _vpn
+    remote_src: true
+    src: /usr/local/sbin/ocserv-worker
+    dest: /var/reactance/ocserv/ocserv-worker
+    mode: 0770
+
+- name: "install init script"
+  ansible.builtin.shell: "install -m 755 -g bin {{ ocserv_tempdir.path }}/ocserv.rc /etc/rc.d/ocserv && rm -rf /var/reactance/ocserv/ocserv.rc"
+
+- name: "remove /etc/ocserv (we are using /var/reactance/ocserv)"
+  ansible.builtin.file:
+    path: /etc/ocserv
+    state: absent