
openvpn: implement clients retirement

Fixes: main/infrastructure#197
keep-around/76c7f2716acf6efa114ca67a24637de01469ea9c
Loïc Dachary 11 months ago
committed by Loic Dachary
commit 76c7f2716a
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
Files changed:
1. docs/services/VPN.rst (11)
2. inventory/group_vars/all/openvpn.yml (7)
3. playbooks/openvpn/inventory/group_vars/openvpn-service-group.yml (3)
4. playbooks/openvpn/openvpn-client-playbook.yml (21)
5. playbooks/openvpn/roles/openvpn/tasks/openvpn.yml (3)
6. playbooks/openvpn/roles/openvpn/templates/server.conf.j2 (1)
7. playbooks/openvpn/tests/test_openvpn_retired.py (7)

docs/services/VPN.rst (11)

@ -20,8 +20,8 @@ The `OpenVPN <https://openvpn.net/>`__ server is configured with
variables (see `the documentation
<https://lab.enough.community/main/infrastructure/blob/master/playbooks/openvpn/roles/openvpn/defaults/main.yml>`__).
VPN Clients
-----------
VPN Clients creation
--------------------
The certificates for clients to connect to the VPN will be created
from the list in the `openvpn_active_clients` variable in
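Review bot: the renamed heading "VPN Clients creation" (and "VPN Clients retirement" introduced in the next hunk) reads better as "VPN client creation" / "VPN client retirement"; a style point only, but in RST the underline must stay at least as long as the heading text, so shorten both lines together when renaming.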
@ -47,3 +47,10 @@ will contain the credentials.
On Debian GNU/Linux the `.tar.gz` can be extracted in a `vpn`
directory and the `.conf` file it contains imported using the `Network
=> VPN` system settings.
VPN Clients retirement
----------------------
When a client should no longer be allowed in the VPN, it must be added
in the `openvpn_retired_clients` list, using `this example
<https://lab.enough.community/main/infrastructure/blob/master/inventory/group_vars/all/openvpn.yml>`__.
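Review bot: the retirement paragraph leaves out the two things an operator needs to know: that the name must also be removed from `openvpn_active_clients`, and that nothing happens until the openvpn-client playbook is run again (it is the playbook that revokes the certificate, installs the updated CRL and restarts the server). Suggest stating the procedure explicitly: remove the name from `openvpn_active_clients`, add it to `openvpn_retired_clients`, re-run the playbook. It is also worth saying that a retired name should not be reused, since the retire task revokes any `pki/issued/<name>.crt` it finds on every run, so a new certificate issued under an old name would be revoked again.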

inventory/group_vars/all/openvpn.yml (7)

@ -12,3 +12,10 @@ openvpn_local_directory: "{{ enough_domain_config_directory }}/openvpn"
# List of active openvpn clients
#
openvpn_active_clients: []
#
#############################################
#
# List of retired openvpn clients, previously found in
# openvpn_active_clients
#
openvpn_retired_clients: []
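Review bot: the comment on `openvpn_retired_clients` should say that entries are meant to stay here permanently and must be removed from `openvpn_active_clients` at the same time; removing a name from this list later does not un-revoke anything, but it does remove the guard that keeps the name from being re-issued if it ever reappears in `openvpn_active_clients`. Suggest something like `# Names stay here for good; remove them from openvpn_active_clients as well.`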

playbooks/openvpn/inventory/group_vars/openvpn-service-group.yml (3)

@ -1,5 +1,8 @@
---
openvpn_active_clients:
- localhost
- retired
openvpn_retired_clients:
- retired
openvpn_server_conf: |
push "route {{ openstack_internal_network_prefix }}.0 255.255.255.0"
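Review bot: `retired` is listed in both `openvpn_active_clients` and `openvpn_retired_clients`, so this inventory relies on task order in the client playbook (create first, then revoke) rather than on a documented precedence rule, and if the create tasks re-issue a certificate for any active client whose `.crt` is missing, this client will be re-issued and re-revoked on every run. That is fine for exercising the revoke path in the test, but say so in a comment, e.g. `# listed in both lists on purpose: the test exercises issue-then-revoke`, and keep real inventories to one list per name.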

playbooks/openvpn/openvpn-client-playbook.yml (21)

@ -9,7 +9,7 @@
state: directory
path: "{{ openvpn_local_directory }}"
- name: create openvpn clients
- name: create and retire openvpn clients
hosts: openvpn-service-group
become: true
@ -28,3 +28,22 @@
dest: "{{ openvpn_local_directory }}/{{ item }}.tar.gz"
flat: yes
loop: "{{ openvpn_active_clients }}"
- name: retire clients
shell: |
set -ex
if test -f /etc/openvpn/easy-rsa/pki/issued/{{ item }}.crt ; then
cd /etc/openvpn/easy-rsa
./easyrsa --batch revoke {{ item }}
cp pki/crl.pem /etc/openvpn
echo Updated {{ item }}
fi
loop: "{{ openvpn_retired_clients }}"
register: retire
changed_when: '"Updated" in retire.stdout'
- name: when at least one client was retired systemctl restart openvpn@server
systemd:
name: openvpn@server
state: restarted
when: retire is changed
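Review bot: `./easyrsa --batch revoke {{ item }}` only records the revocation in the PKI index; it does not regenerate `pki/crl.pem`, so the `cp pki/crl.pem /etc/openvpn` that follows copies the CRL produced at setup time and the retired client can still connect. Add `./easyrsa gen-crl` between the revoke and the copy. Two smaller points on the same task: quote the name where it is interpolated into the shell (`test -f /etc/openvpn/easy-rsa/pki/issued/'{{ item }}'.crt` and `./easyrsa --batch revoke '{{ item }}'`), since inventory names reach `sh` unquoted; and check that the copied `crl.pem` ends up readable by the user OpenVPN drops to, otherwise the server rejects everyone rather than just the retired client.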

playbooks/openvpn/roles/openvpn/tasks/openvpn.yml (3)

@ -128,7 +128,8 @@
echo yes | ./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key
cp ta.key pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem /etc/openvpn/
./easyrsa gen-crl
cp pki/crl.pem ta.key pki/ca.crt pki/private/server.key pki/issued/server.crt pki/dh.pem /etc/openvpn
args:
creates: /etc/openvpn/server.key
chdir: /etc/openvpn/easy-rsa
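Review bot: `gen-crl` runs exactly once here, behind `creates: /etc/openvpn/server.key`, and the CRL it writes has a finite validity (easy-rsa's `EASYRSA_CRL_DAYS`, 180 days unless overridden in `vars`). Once `crl-verify` is in server.conf an expired CRL makes OpenVPN fail certificate verification for every client, not only the retired ones, so the CRL needs periodic regeneration: a cron entry or systemd timer running `./easyrsa gen-crl && cp pki/crl.pem /etc/openvpn` from `/etc/openvpn/easy-rsa`, or a regeneration task in this role that is not behind the `creates` guard.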

playbooks/openvpn/roles/openvpn/templates/server.conf.j2 (1)

@ -5,6 +5,7 @@ ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh.pem
crl-verify crl.pem
server {{ openvpn_server_ip_range }}
keepalive 10 120
tls-auth ta.key 0 # This file is secret
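Review bot: with `crl-verify crl.pem` in place, the full `systemctl restart openvpn@server` in the retire task is heavier than it needs to be: OpenVPN 2.4 and later re-read the CRL file when its modification time changes, so copying the new `crl.pem` into place already rejects the revoked client at its next TLS handshake, while a restart drops every connected client. Suggest `state: reloaded` (SIGHUP, which Debian's `openvpn@.service` exposes through ExecReload) if the target runs 2.4 or later, and keep the restart only for older versions. One thing the restart does buy is terminating a session the retired client already holds; without it the revocation bites at that client's next renegotiation (`reneg-sec`, 3600 seconds by default), which is worth a comment on the task.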

playbooks/openvpn/tests/test_openvpn_retired.py (7)

@ -0,0 +1,7 @@
testinfra_hosts = ['ansible://website-host']
def test_retirement(host):
with host.sudo():
assert host.file("/etc/openvpn/easy-rsa/pki/issued/localhost.crt").exists
assert not host.file("/etc/openvpn/easy-rsa/pki/issued/retired.crt").exists
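Review bot: the test only checks that `pki/issued/retired.crt` is gone, which is a local side effect of `easyrsa revoke`; it does not show that the server will refuse the client. Add an assertion on the artefact the server actually consults, e.g. `"Revoked Certificates" in host.check_output("openssl crl -in /etc/openvpn/crl.pem -noout -text")`, or that `/etc/openvpn/easy-rsa/pki/index.txt` contains a line starting with `R` for `/CN=retired`, and keep the existing `localhost.crt` check so a regression that revokes the wrong client is caught too.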