
openvpn: implement the openvpnclient role

and use it to document libvirt <-> OpenStack interconnection
Loïc Dachary 3 months ago
commit f414bbc488afa8a42c71458083554059dd4cedf3
Signed by: dachary GPG Key ID: 992D23B392F9E4F2
Changed files (lines changed):
  1. docs/user-guide.rst (44)
  2. enough-playbook.yml (2)
  3. inventory/services.yml (3)
  4. playbooks/openvpn/inventory/group_vars/openvpn-service-group.yml (1)
  5. playbooks/openvpn/inventory/host_vars/bind-host.yml (2)
  6. playbooks/openvpn/inventory/services.yml (4)
  7. playbooks/openvpn/openvpnclient-playbook.yml (8)
  8. playbooks/openvpn/openvpnclient-test-playbook.yml (10)
  9. playbooks/openvpn/playbook.yml (2)
  10. playbooks/openvpn/roles/openvpnclient/files/nftables.conf (11)
  11. playbooks/openvpn/roles/openvpnclient/tasks/main.yml (2)
  12. playbooks/openvpn/roles/openvpnclient/tasks/openvpnclient.yml (43)
  13. playbooks/openvpn/tests/test_openvpnclient.py (9)

44
docs/user-guide.rst

@ -194,6 +194,9 @@ instances can communicate.
The `libvirt` hypervisor is also a client of the VPN so that system
administration can be done remotely.
Configuring the libvirt hypervisor as a VPN client
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Assuming the `libvirt` hypervisor client is defined in
`~/.enough/example.com/inventory/group_vars/all/openvpn.yml` as follows:
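Review bot: the lead-in paragraph still only explains why the `libvirt` hypervisor is a VPN client, yet this hunk turns that text into the first of two sibling subsections (the second being "Configuring the libvirt bind-host as a VPN client"). A sentence here saying that the `bind-host` is also enrolled as a client, and why, would tell the reader what the second subsection is for before they reach it.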
@ -233,6 +236,47 @@ Finally it must be started as follows:
$ systemctl start openvpn-client@hypervisor
Configuring the libvirt bind-host as a VPN client
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Assuming the `lan` client is defined in
`~/.enough/example.com/inventory/group_vars/all/openvpn.yml` as follows:
.. code::
---
#
#############################################
# List of active openvpn clients
#
openvpn_active_clients:
- lan
After running the VPN service as follows:
.. code::
$ enough --domain example.com service create --host bind-host openvpn
The file `~/.enough/example.com/openvpn/lan.tar.gz` is created
and must be manually copied from `example.com` to `lan.example.com` in
the file `~/.enough/lan.example.com/lan.tar.gz`.
The `lan` client is associated with `some-host` in
`~/.enough/example.com/inventory/host_vars/some-host/openvpn.yml` as follows:
.. code::
---
openvpnclient_name: lan
Finally it can be setup and run on `some-host` as follows:
.. code::
$ enough --domain lan.example.com service create --host some-host openvpnclient
Create or update a service
--------------------------
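Review bot: the instruction that `~/.enough/example.com/openvpn/lan.tar.gz` "must be manually copied" to `~/.enough/lan.example.com/lan.tar.gz` never says what the archive is; the `openvpnclient` role in this same commit copies it to `/etc/openvpn/client/` and unpacks it, so it holds the `lan` client's VPN credentials. The documentation should state that, so the reader knows to move it over an authenticated channel (for example `scp`) and keep it with owner-only permissions rather than treating it as an ordinary config file. Minor wording: "it can be setup and run" should read "it can be set up and run".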

2
enough-playbook.yml

@ -26,6 +26,8 @@
when: (groups['openvpn-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/openvpn/openvpn-client-playbook.yml' | expandvars }}"
when: (groups['openvpn-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/openvpn/openvpnclient-playbook.yml' | expandvars }}"
when: (groups['openvpnclient-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/playbooks/psono/psono-playbook.yml' | expandvars }}"
when: (groups['psono-service-group'] | length) > 0
- import_playbook: "{{ '$SHARE_DIR/enough-after-playbook.yml' | expandvars }}"
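Review bot: `openvpn-client-playbook.yml` (gated on `openvpn-service-group`) now sits directly above the new `openvpnclient-playbook.yml` (gated on `openvpnclient-service-group`); the two names differ by a single hyphen but do different jobs, one provisioning client credentials on the server host and the other installing a standalone client. A one-line comment on each import, or a more distinct name such as `openvpn-standalone-client-playbook.yml`, would stop a later edit from touching the wrong `when:` condition.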

3
inventory/services.yml

@ -161,6 +161,9 @@ pad-service-hosts:
pad-service-group:
essential-service-group:
openvpnclient-service-group:
hosts: {}
openvpn-service-group:
hosts: {}
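Review bot: the empty `openvpnclient-service-group:` default is consistent with the neighbouring groups, but nothing records that a host placed in it must define `openvpnclient_name` (the variable the role uses to pick the credentials archive). A comment on the group pointing at `playbooks/openvpn/inventory/host_vars/bind-host.yml` as the reference example would make the contract visible where users will first look for it.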

1
playbooks/openvpn/inventory/group_vars/openvpn-service-group.yml

@ -2,6 +2,7 @@
openvpn_active_clients:
- localhost
- retired
- lan
openvpn_retired_clients:
- retired
openvpn_server_conf: |
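Review bot: adding `- lan` here is what makes the server produce the `lan.tar.gz` that `openvpnclient-test-playbook.yml` later stages, and it must match `openvpnclient_name: lan` in `host_vars/bind-host.yml` and the `'client@lan'` string asserted in `tests/test_openvpnclient.py`. A comment on this line naming that coupling would help, since renaming any one of the three leaves the others silently broken.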

2
playbooks/openvpn/inventory/host_vars/bind-host.yml

@ -0,0 +1,2 @@
---
openvpnclient_name: lan

4
playbooks/openvpn/inventory/services.yml

@ -3,6 +3,10 @@ icinga-service-group:
hosts:
icinga-host:
openvpnclient-service-group:
hosts:
bind-host:
openvpn-service-group:
hosts:
website-host:

8
playbooks/openvpn/openvpnclient-playbook.yml

@ -0,0 +1,8 @@
- name: install openvpnclient
hosts: openvpnclient-service-group
become: true
roles:
- role: openvpnclient
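Review bot: this file omits the `---` document-start marker that the other new YAML files in this commit (`openvpnclient-test-playbook.yml`, `roles/openvpnclient/tasks/main.yml`, `roles/openvpnclient/tasks/openvpnclient.yml`) all begin with; add it for consistency.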

10
playbooks/openvpn/openvpnclient-test-playbook.yml

@ -0,0 +1,10 @@
---
- name: install the lan VPN credentials
hosts: localhost
become: true
tasks:
- name: copy lan credentials
copy:
src: "{{ openvpn_local_directory }}/lan.tar.gz"
dest: "{{ enough_domain_config_directory }}/lan.tar.gz"
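Review bot: the `copy:` task has no `mode:`, and because the play runs with `become: true` the credentials archive is written into `{{ enough_domain_config_directory }}` as root with whatever the default umask allows, so it may be readable by other local users. Add `mode: '0600'` (and `owner:`/`group:` if the directory is meant to belong to the invoking user) so the `lan` private material is not left world-readable; the same applies wherever this tarball is later copied.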

2
playbooks/openvpn/playbook.yml

@ -9,4 +9,6 @@
- import_playbook: openvpn-server-playbook.yml
- import_playbook: openvpn-monitoring-playbook.yml
- import_playbook: openvpn-client-playbook.yml
- import_playbook: openvpnclient-test-playbook.yml
- import_playbook: openvpnclient-playbook.yml
- import_playbook: localhost-playbook.yml
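Review bot: `openvpnclient-test-playbook.yml` must run before `openvpnclient-playbook.yml` because it stages the `lan.tar.gz` that the role then copies from `{{ enough_domain_config_directory }}`; the ordering here is correct but implicit. A comment such as `# stages lan.tar.gz consumed by openvpnclient-playbook.yml` on the test import would keep a future reorder from breaking the role with a confusing "file not found".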

11
playbooks/openvpn/roles/openvpnclient/files/nftables.conf

@ -0,0 +1,11 @@
flush ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
masquerade
}
}
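Review bot: two things in this ruleset deserve a second look. `flush ruleset` discards every table on the host, not just this one, so any filter rules already present on `bind-host` (or added later by another role) are wiped each time `nft -f /etc/nftables.conf` runs; scoping the flush to this table (`table ip nat` followed by `flush table ip nat`) avoids that. The `masquerade` rule in `postrouting` has no interface or source match, so it rewrites every forwarded packet regardless of where it exits; since the role enables `net.ipv4.ip_forward` on the same host, restricting it to the VPN path, for example `oifname "tun0" masquerade` with the real tunnel interface name, limits what the host will NAT. The empty `prerouting` chain can also be dropped or commented if it is reserved for later use.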

2
playbooks/openvpn/roles/openvpnclient/tasks/main.yml

@ -0,0 +1,2 @@
---
- import_tasks: openvpnclient.yml

43
playbooks/openvpn/roles/openvpnclient/tasks/openvpnclient.yml

@ -0,0 +1,43 @@
---
- name: apt-get install openvpn nftables
apt:
name: [openvpn, nftables]
state: present
- name: net.ipv4.ip_forward=1
shell: |
set -ex
sed -i -e '/net.ipv4.ip_forward/s/.*/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sysctl -p
- name: nftables
copy:
src: nftables.conf
dest: /etc/nftables.conf
- name: systemctl enable nftables
systemd:
name: nftables
enabled: yes
- name: nft -f /etc/nftables.conf
shell:
nft -f /etc/nftables.conf
changed_when: False
- name: copy VPN credentials
copy:
src: "{{ enough_domain_config_directory }}/{{ openvpnclient_name }}.tar.gz"
dest: "/etc/openvpn/client/{{ openvpnclient_name }}.tar.gz"
- name: expand credentials
shell: |
tar zxvf {{ openvpnclient_name }}.tar.gz
args:
chdir: "/etc/openvpn/client"
- name: systemctl enable openvpn-client@{{ openvpnclient_name }}
service:
name: "openvpn-client@{{ openvpnclient_name }}"
enabled: yes
state: started
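Review bot: the credential handling and the sysctl step in this task list need tightening. The `copy VPN credentials` task has no `mode:`, so the archive lands in `/etc/openvpn/client/` with default permissions, and the following `tar zxvf` has no `creates:` and no `changed_when`, so it re-extracts on every run with whatever permissions the archive carries; using the `unarchive` module with `creates:` and a `mode: '0600'` on the copy would make both idempotent and keep the key material owner-only. The `net.ipv4.ip_forward=1` task uses `sed` on `/etc/sysctl.conf`, which silently does nothing if no `net.ipv4.ip_forward` line exists and always reports changed; the `sysctl` module (`name: net.ipv4.ip_forward`, `value: '1'`, `sysctl_set: yes`, `state: present`, `reload: yes`) covers both cases. Finally, `nft -f /etc/nftables.conf` runs unconditionally; making it a handler notified by the `nftables` copy task would apply the ruleset only when the file actually changes.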

9
playbooks/openvpn/tests/test_openvpnclient.py

@ -0,0 +1,9 @@
testinfra_hosts = ['ansible://bind-host']
def test_openvpnclient(host):
cmd = host.run("systemctl list-units --all openvpn*")
print(cmd.stdout)
print(cmd.stderr)
assert cmd.rc == 0
assert 'client@lan' in cmd.stdout
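Review bot: the assertion `'client@lan' in cmd.stdout` is weaker than it looks because `systemctl list-units --all` also lists inactive and failed units, so the test passes as long as `openvpn-client@lan` exists even when the tunnel never came up. Assert on state instead, for example `assert host.service("openvpn-client@lan").is_running` (and `.is_enabled`), and keep the `list-units` output only for the debug prints.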