roles/ocserv/tasks/configure_ocserv.yaml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

---
- name: "template out config"
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  loop:
    - src: ocserv.conf.j2
      dest: /var/reactance/ocserv/ocserv.conf 
    - src: ca.tmpl.j2 
      dest: /var/reactance/ocserv/certs/ca.tmpl
    - src: server.tmpl.j2
      dest: /var/reactance/ocserv/certs/server.tmpl
    - src: crl.tmpl.j2
      dest: /var/reactance/ocserv/certs/crl.tmpl

# generate ca, server certs, crl file
- name: "generate ca, server certs"
  ansible.builtin.shell: "{{ item }}"
  loop:
    - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/ca-key.pem"
    - "certtool --generate-self-signed --load-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/ca.tmpl --outfile /var/reactance/ocserv/certs/ca-cert.pem"
    - "certtool --generate-privkey --outfile /var/reactance/ocserv/certs/server-key.pem"
    - "certtool --generate-certificate --load-privkey /var/reactance/ocserv/certs/server-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --template /var/reactance/ocserv/certs/server.tmpl --outfile /var/reactance/ocserv/certs/server-cert.pem"
    - "certtool --generate-crl --load-ca-privkey /var/reactance/ocserv/certs/ca-key.pem --load-ca-certificate /var/reactance/ocserv/certs/ca-cert.pem --template /var/reactance/ocserv/certs/crl.tmpl --outfile /var/reactance/ocserv/certs/crl.pem"
  no_log: true

- name: "template out nat rules in pf.conf"
  ansible.builtin.blockinfile:
    path: /etc/pf.conf
    create: true
    backup: true
    marker: "### REACTANCE - Ocserv NAT - {mark} ###"
    insertafter: "EOF"
    block: |
      match out on {{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from {{ ocserv_network | default("172.16.16.0/24") }} to any nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
      match in on {{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }} from any to {{ ocserv_network | default("172.16.16.0/24") }} nat-to ({{ ansible_default_ipv4.interface|default(ansible_all_ipv4_addresses[0]) }})
# default(ansible_all_ipv4_addresses[0]) is added, in case a default route doesn't exist
      
- name: "generate public, private key pair"
  ansible.builtin.shell: "openssl req -x509 -newkey rsa:4096 -keyout /var/reactance/ocserv/certs/server-key.pem -out /var/reactance/ocserv/certs/server-cert.pem -sha256 -days 3650 -nodes -subj /CN=example &>/dev/null"