- #результат работы
- *******************
- root@ap01:/etc/ansible# ansible-playbook installovpn.yml
- PLAY [ubuntu] *****************************************************************
- GATHERING FACTS ***************************************************************
- ok: [10.3.0.99]
- TASK: [installovpn | installing openvpn] **************************************
- changed: [10.3.0.99]
- TASK: [installovpn | change AUTOSTART is all] *********************************
- changed: [10.3.0.99]
- TASK: [installovpn | be sure openvpn is running and enabled] ******************
- ok: [10.3.0.99]
- PLAY [localhost] **************************************************************
- GATHERING FACTS ***************************************************************
- ok: [127.0.0.1]
- TASK: [run script] ************************************************************
- changed: [127.0.0.1 -> 127.0.0.1]
- PLAY [ubuntu] *****************************************************************
- GATHERING FACTS ***************************************************************
- ok: [10.3.0.99]
- TASK: [copyconfigovpn | copy config ovpn] *************************************
- changed: [10.3.0.99]
- NOTIFIED: [copyconfigovpn | restart openvpn] **********************************
- changed: [10.3.0.99]
- PLAY RECAP ********************************************************************
- 10.3.0.99 : ok=7 changed=4 unreachable=0 failed=0
- 127.0.0.1 : ok=2 changed=1 unreachable=0 failed=0
- ******************************
- #генерим пару ролей. одна будет устанавливать овпн и делать прочие настройки удаленного хоста, а вторая локально на серваке с ansible заливать на удаленный хост сгенерированный конфиг опенвпна с именем, равным переменной группы
- root@ap01:/etc/ansible# ansible-galaxy init copyconfigovpn
- root@ap01:/etc/ansible# ansible-galaxy init installovpn
- #пишем плейбук
- root@ap01:/etc/ansible# cat installovpn.yml
---
# Play 1: install and enable OpenVPN on the target group (role installovpn).
- hosts: ubuntu
  sudo: true
  roles:
    - installovpn

# Play 2: on the Ansible controller, build the client profile.  The profile
# name is the `hostname` group variable of the first host in the ubuntu group.
- hosts: localhost
  connection: local
  tasks:
    - name: run script
      local_action: shell /etc/ansible/installovpn/files/genclientconfig {{ hostvars[groups["ubuntu"][0]].hostname }}

# Play 3: push the generated profile to the target and restart OpenVPN
# (role copyconfigovpn).
- hosts: ubuntu
  sudo: true
  roles:
    - copyconfigovpn
- # определяем группы хостов
- root@ap01:/etc/ansible# cat hosts
- [ubuntu]
- 10.3.0.99
- [localhost]
- 127.0.0.1
- ***********************
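# On the Ansible host, generate the CA and the OpenVPN server key pair.
# Without this umask the private keys get the default mode (the directory
# listing further down shows ca.key as -rw-r--r--); restrict new files to
# the owner before any key is written.
umask 077
# root CA key
openssl genrsa -out ca.key 2048
# self-signed root certificate
openssl req -x509 -new -key ca.key -days 10000 -out ca.crt
# server key
openssl genrsa -out server.key 2048
# certificate request (subject written as one plain string; the nested
# quotes in the original collapsed to the same value)
openssl req -new -key server.key -out server.csr -subj "/C=RU/ST=IRKregion/L=Irkutsk/O=OpenVPN/OU=Itotdel/CN=example.com/emailAddress=root@example.com"
# sign the request with the CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 5000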
- ********************************************
- # пишем скрипт, который на сервере с ansible будет генерить конфиг овпн для клиента
- root@ap01:/etc/ansible/installovpn/files# cat genclientconfig
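#!/bin/bash
# Generate a self-contained OpenVPN client profile for one client.
#   $1  target host name; used as the O/CN of the client certificate and as
#       the basename of the generated files (<name>.ovpn in files_dir).
# Expects ca.crt, ca.key and tun0.key to be present in files_dir.
# Exits non-zero on any failure; intermediate key/csr/crt files are always
# removed, the profile <name>.ovpn is the only artifact left behind.
set -euo pipefail

if [ $# -ne 1 ] || [ -z "$1" ]; then
    echo "usage: $0 <hostname>" >&2
    exit 1
fi
name=$1
# Only allow a plain name: anything else would change the output path or
# break the -subj string handed to openssl.
case $name in
    *[!A-Za-z0-9._-]*|.*)
        echo "invalid host name: $name" >&2
        exit 1
        ;;
esac

files_dir=/etc/ansible/installovpn/files
cd "$files_dir"

# The profile embeds the client private key: create it unreadable to others,
# and truncate instead of appending so a rerun replaces the old profile
# rather than stacking a second copy onto it.
umask 077
out=$name.ovpn
: > "$out"

# Remove the loose key material even if openssl fails part-way through.
trap 'rm -f "$name.key" "$name.csr" "$name.crt"' EXIT

openssl genrsa -out "$name.key" 2048
openssl req -new -key "$name.key" -out "$name.csr" \
    -subj "/C=RU/ST=IRKregion/L=Irkutsk/O=$name/OU=Itotdel/CN=$name/emailAddress=client@example.com"
openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out "$name.crt" -days 365

{
    echo "client"
    echo "nobind"
    echo "dev tun"
    echo "remote-cert-tls server"
    echo "remote 8.8.8.8 88 udp"
    echo "<key>"
    cat "$name.key"
    echo "</key>"
    echo "<cert>"
    cat "$name.crt"
    echo "</cert>"
    echo "<ca>"
    cat ca.crt
    echo "</ca>"
    echo "<tls-auth>"
    cat tun0.key
    echo "</tls-auth>"
    echo "key-direction 1"
    echo "comp-lzo"
} >> "$out"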
- *********************
- #складываем скрипт и необходимые для его работы сертификаты в /etc/ansible/installovpn/files/
- root@ap01:/etc/ansible/installovpn/files# ls -la /etc/ansible/installovpn/files
- итого 76
- drwxr-xr-x 2 root root 4096 сен 11 12:35 .
- drwxr-xr-x 9 root root 4096 сен 10 09:33 ..
- -rw-r--r-- 1 root root 1428 сен 10 20:13 ca.crt
- -rw-r--r-- 1 root root 1679 сен 10 20:11 ca.key
- -rw-r--r-- 1 root root 17 сен 11 12:35 ca.srl
- -rw-r--r-- 1 root root 1306 сен 10 20:37 client.crt
- -rw-r--r-- 1 root root 1054 сен 10 20:37 client.csr
- -rw-r--r-- 1 root root 1679 сен 10 20:36 client.key
- -rw-r--r-- 1 root root 465 сен 10 20:39 client.ovpn
- -rwxr-xr-x 1 root root 894 сен 10 21:49 genclientconfig
- -rw-r--r-- 1 root root 1310 сен 10 20:22 server.crt
- -rw-r--r-- 1 root root 1058 сен 10 20:21 server.csr
- -rw-r--r-- 1 root root 1679 сен 10 20:20 server.key
- -rw------- 1 root root 636 сен 10 21:07 tun0.key
- -rw-r--r-- 1 root root 5215 сен 11 12:35 ubuntu_client.ovpn
- -rw-r--r-- 1 root root 10402 сен 11 12:32 ubuntu.ovpn
- **************
- #создаем групповые переменные, на основании которых скрипт будет называть конфиг клиента и менять subj клиентского сертификата
- root@ap01:/etc/ansible/group_vars# cat ubuntu
- hostname: ubuntu_client
- **************
- #пишем таски и хендлеры в ролях
- root@ap01:/etc/ansible/installovpn/tasks# cat /etc/ansible/installovpn/tasks/main.yml
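---
# tasks file for installovpn
- name: installing openvpn
  apt:
    name: openvpn
    state: present

# Start every config in /etc/openvpn at boot.  The regexp matches any active
# AUTOSTART= line so an existing AUTOSTART="none" is replaced rather than
# left in place beside the inserted line; when no active line exists, the new
# one goes right after the commented #AUTOSTART="all" example.
- name: change AUTOSTART is all
  lineinfile:
    dest: /etc/default/openvpn
    regexp: '^AUTOSTART='
    insertafter: '^#AUTOSTART="all"'
    line: 'AUTOSTART="all"'

- name: be sure openvpn is running and enabled
  service:
    name: openvpn
    state: started
    enabled: true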
- root@ap01:/etc/ansible/installovpn/tasks# cat /etc/ansible/copyconfigovpn/tasks/main.yml
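---
# tasks file for copyconfigovpn
# The profile embeds the client private key and the tls-auth key, so it is
# installed readable by root only (mode quoted so YAML keeps the leading
# zero).  The profile name comes from the `hostname` group variable of the
# first host in the ubuntu group, on both the source and the destination side.
- name: copy config ovpn
  copy:
    src: "/etc/ansible/installovpn/files/{{ hostvars[groups['ubuntu'][0]].hostname }}.ovpn"
    dest: "/etc/openvpn/{{ hostvars[groups['ubuntu'][0]].hostname }}.ovpn"
    owner: root
    group: root
    mode: "0600"
  notify:
    - restart openvpn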
- root@ap01:/etc/ansible/installovpn/tasks# cat /etc/ansible/copyconfigovpn/handlers/main.yml
---
# handlers file for copyconfigovpn
# Runs once at the end of the play when the copy task reports a change.
- name: restart openvpn
  service:
    name: openvpn
    state: restarted
- *****************
- # для подключения по ssh и работы sudo я не стал использовать ключи (я знаю, что зря) и в ролях прописал переменные
- root@ap01:/etc/ansible/installovpn/vars# cat /etc/ansible/installovpn/vars/main.yml
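---
# vars file for installovpn
# Connection settings for the ubuntu hosts.  Both passwords are quoted so
# YAML keeps them strings; a bare 123 is parsed as an integer.
# NOTE(review): these credentials are committed in clear text; ansible-vault
# (or SSH keys, as the author notes) is the usual way to keep them out of the
# role.
ansible_connection: ssh
ansible_ssh_user: wolf
ansible_ssh_pass: "123"
ansible_sudo_pass: "123"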
- root@ap01:/etc/ansible/installovpn/vars# cat /etc/ansible/copyconfigovpn/vars/main.yml
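---
# vars file for copyconfigovpn
# Same connection settings as installovpn/vars/main.yml; both passwords are
# quoted so YAML keeps them strings (a bare 123 is parsed as an integer).
# NOTE(review): the values are duplicated across the two roles; one
# group_vars entry for the ubuntu group (vaulted) would cover both.
ansible_connection: ssh
ansible_ssh_user: wolf
ansible_ssh_pass: "123"
ansible_sudo_pass: "123"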