talas-group/04_INFRA_DEPLOIEMENT/Ansible/roles/openvpn/tasks/main.yml
senke 66471934af Initial commit: Talas Group project management & documentation
Knowledge base of ~80+ markdown files across 14 domains (00-13),
Logseq graph, hardware design files (KiCAD), infrastructure configs,
and talas-wiki static site.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-04 20:10:41 +02:00


---
# file: roles/openvpn/tasks/main.yml
- name: "openvpn apt-key"
  # Signing key for the build.openvpn.net repository added by the next task.
  # Only runs when a pinned upstream version is requested, and is skipped on
  # Debian >= 13 (presumably because apt_key's legacy keyring is unavailable
  # there — confirm). NOTE(review): no key id/fingerprint is pinned, so the
  # downloaded key is trusted as-is; TLS on the download URL is the only check.
  apt_key:
    url: https://swupdate.openvpn.net/repos/repo-public.gpg
  when:
    - openvpn_version is defined
    - ansible_distribution != "Debian" or ansible_distribution_major_version is version('13', '<')
  tags: openvpn
- name: "repository from build.openvpn.net"
  # Upstream apt source for the requested openvpn_version, written to
  # sources.list.d/openvpn.list. The transport is plain HTTP, so integrity of
  # the package metadata rests entirely on apt verifying the repository
  # signature with the key installed above. NOTE(review): on Debian >= 13 the
  # key task is skipped while this task still runs — confirm a keyring is
  # provisioned elsewhere, otherwise apt will reject the source.
  apt_repository:
    repo: "deb http://build.openvpn.net/debian/openvpn/{{ openvpn_version }} {{ ansible_distribution_release }} main"
    filename: openvpn
    update_cache: true
  when: openvpn_version is defined
  tags: openvpn
- name: "dir {{ openvpn_ssl_root }}"
  # Creates the PKI root and its revoked/ subfolder (intermediate directories
  # are created by the file module). No mode is given, so permissions come
  # from the target's umask for new directories or stay as-is for existing ones.
  file:
    path: "{{ openvpn_ssl_root }}/revoked"
    state: directory
  tags: openvpn
- name: "apt install openvpn socat"
  # Installs the server and socat (state defaults to present). The apt cache
  # is refreshed only by the repository task above, i.e. only when
  # openvpn_version is defined.
  apt:
    name:
      - openvpn
      - socat
  tags: openvpn
- name: "{{ openvpn_dh }} (this takes a while)"
  # Generates 2048-bit DH parameters once; `creates` makes the task a no-op
  # (and idempotent) as soon as the output file exists.
  command: "openssl dhparam -out {{ openvpn_dh }} 2048"
  args:
    creates: "{{ openvpn_dh }}"
  tags: openvpn
- name: "{{ openvpn_ca }}"
  # Writes the CA certificate from the openvpn_tls_ca variable. Public
  # material, so no explicit mode; a timestamped `~` backup is kept on change.
  copy:
    content: "{{ openvpn_tls_ca }}"
    dest: "{{ openvpn_ca }}"
    backup: true
  notify: restart openvpn
  tags: openvpn
- name: "{{ openvpn_cert }}"
  # Writes the server certificate from openvpn_tls_cert. Public material, so
  # no explicit mode; a timestamped `~` backup is kept on change.
  copy:
    content: "{{ openvpn_tls_cert }}"
    dest: "{{ openvpn_cert }}"
    backup: true
  notify: restart openvpn
  tags: openvpn
- name: "{{ openvpn_key }}"
  # Writes the server private key from openvpn_tls_key, owner-read-only.
  # NOTE(review): backup: true leaves timestamped `~` copies of the private
  # key next to it whenever it changes; make sure those are covered by the
  # same access controls and cleaned up when the key is rotated.
  copy:
    content: "{{ openvpn_tls_key }}"
    dest: "{{ openvpn_key }}"
    mode: "0400"
    backup: true
  notify: restart openvpn
  tags: openvpn
- name: "package_facts to get the installed version of openvpn"
  # Populates ansible_facts.packages so the next task can read the installed
  # openvpn version (needed after the apt install above, not before).
  package_facts:
  tags: openvpn
- name: "set_fact: openvpn_installed_version"
  # Exposes the installed package version as a fact. Indexing [0] assumes the
  # package is present; it is, because the apt task above installs it.
  set_fact:
    openvpn_installed_version: "{{ ansible_facts.packages['openvpn'][0]['version'] }}"
  tags: openvpn
- name: "openvpn-auth-ldap package"
  # LDAP authentication plugin, installed only when openvpn_ldap_auth is set.
  apt:
    name:
      - openvpn-auth-ldap
  notify: restart openvpn
  when: openvpn_ldap_auth
  tags: openvpn
- name: "openvpn config /etc/openvpn/{{ openvpn_proto }}-{{ openvpn_port }}.conf"
  # Renders the server configuration; the file name doubles as the systemd
  # instance name used by the enable task and the zabbix block below.
  template:
    src: openvpn-server.conf
    dest: "/etc/openvpn/{{ openvpn_proto }}-{{ openvpn_port }}.conf"
    backup: true
  notify: restart openvpn
  tags: openvpn
- name: "dir /etc/openvpn/auth-ldap"
  # Folder for the auth-ldap plugin configuration (LDAP mode only).
  file:
    path: /etc/openvpn/auth-ldap
    state: directory
  when: openvpn_ldap_auth
  tags: openvpn
- name: "ldap conf /etc/openvpn/auth-ldap/auth-ldap.conf"
  # Renders the auth-ldap plugin configuration. No mode is set, so the file
  # gets umask defaults. NOTE(review): if the template carries an LDAP bind
  # password, a restrictive mode (e.g. "0600") is advisable — check the
  # template and the plugin's read requirements before tightening.
  template:
    src: auth-ldap.conf
    dest: /etc/openvpn/auth-ldap/auth-ldap.conf
    backup: true
  notify: restart openvpn
  when: openvpn_ldap_auth
  tags: openvpn
- name: "ccd: /etc/openvpn/topology-subnet folder"
  # Client-config-dir for per-client settings, only when openvpn_ccd is set.
  file:
    path: /etc/openvpn/topology-subnet
    state: directory
  when: openvpn_ccd
  tags: openvpn
- name: "import_tasks: scripts.yml"
  # Client/auth hook scripts. Because this is a static import, the `when`
  # condition is copied onto every task inside scripts.yml.
  import_tasks: scripts.yml
  when: openvpn_client_scripts or openvpn_auth_user_pass_verify is defined
  tags:
    - openvpn
    - scripts
- name: "logrotate configuration at /etc/logrotate.d/openvpn"
  # Log rotation for the server logs; no restart needed, logrotate reads it
  # on its next run.
  template:
    src: logrotate
    dest: /etc/logrotate.d/openvpn
  tags: openvpn
- name: "systemd openvpn@{{ openvpn_proto }}-{{ openvpn_port }}.service enabled"
  # Enables the instance unit at boot. This task does not start the service;
  # on first deployment it is the `restart openvpn` handler (defined outside
  # this file) that is expected to bring it up — confirm.
  systemd:
    name: "openvpn@{{ openvpn_proto }}-{{ openvpn_port }}.service"
    enabled: true
  tags: openvpn
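# Placed here rather than in meta/ dependencies: meta runs before the role's
# variables are available, so the instance name could not be built there.
- name: "zabbix_agent configuration"
  # Registers the openvpn systemd instance with the zabbix_template_assignment
  # role, then clears the assignment facts so a later role in the same play
  # does not inherit them.
  block:
    - name: "set fact zabbix_template_assignment_systemd_service_list"
      set_fact:
        zabbix_template_assignment_list:
          - zabbix_name: Neox OpenVPN
            user_parameter: openvpn
        zabbix_template_assignment_systemd_service_list:
          - "openvpn@{{ openvpn_proto }}-{{ openvpn_port }}"
    - name: "import role zabbix_template_assignment"
      import_role:
        name: zabbix_template_assignment
    - name: "unset facts"
      set_fact:
        zabbix_template_assignment_list: []
        zabbix_template_assignment_script_list: []
        zabbix_template_assignment_systemd_list: []
        # Fix: this is the fact actually set above; previously only the
        # similarly named *_systemd_list was cleared, so the service entry
        # leaked into any later role using zabbix_template_assignment.
        zabbix_template_assignment_systemd_service_list: []
  tags:
    - openvpn
    - zabbix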