Добавить ansible.yml

2026-03-25 23:37:03 +03:00
commit fbb84c573f

194
ansible.yml Normal file

@@ -0,0 +1,194 @@
---
- hosts: all
become: true
tasks:
- name: update
apt:
update_cache: yes
- name: install openvpn
apt:
name: openvpn
state: present
- name: install iperf3
apt:
name: iperf3
state: present
- hosts: vpn-server
become: true
tasks:
- name: install easy-rsa
apt:
name: easy-rsa
state: present
- name: create cert dir openvpn
file:
path: /etc/openvpn/keys
state: directory
mode: '0755'
- name: create vars for cert
copy:
dest: /usr/share/easy-rsa/vars
content: |
set_var EASYRSA_DIGEST "sha512"
set_var EASYRSA_REQ_COUNTRY "RU"
set_var EASYRSA_REQ_PROVINCE "Moscow"
set_var EASYRSA_REQ_CITY "Moscow"
set_var EASYRSA_REQ_ORG "Pupkin And Co"
set_var EASYRSA_REQ_EMAIL "help@mail.ru"
set_var EASYRSA_REQ_OU "IT"
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 365
set_var EASYRSA_CA_CN "ca"
- name: create ca and server cert
shell: |
cd /usr/share/easy-rsa/
./easyrsa init-pki
echo "ca" | ./easyrsa build-ca nopass
./easyrsa gen-dh
echo "vpn-server" | ./easyrsa gen-req vpn-server nopass
echo "yes" | ./easyrsa sign-req server vpn-server
- name: create user cert
shell: |
cd /usr/share/easy-rsa/
echo "{{ item }}" | ./easyrsa gen-req {{ item }} nopass
echo "yes" | ./easyrsa sign-req client {{ item }}
loop:
- client01
- client02
- client03
- name: copy public cert to openvpn dir
copy:
src: /usr/share/easy-rsa/pki/issued/{{ item }}.crt
dest: /etc/openvpn/keys/
remote_src: yes
loop:
- vpn-server
- client01
- client02
- client03
- name: copy private key cert to openvpn dir
copy:
src: /usr/share/easy-rsa/pki/private/{{ item }}.key
dest: /etc/openvpn/keys/{{ item }}.key
remote_src: yes
loop:
- vpn-server
- client01
- client02
- client03
- name: copy dh.pem and ca to openvpn dir
copy:
src: /usr/share/easy-rsa/pki/{{ item }}
dest: /etc/openvpn/keys/{{ item }}
remote_src: yes
loop:
- dh.pem
- ca.crt
- name: create conf openvpn
copy:
dest: /etc/openvpn/server.conf
content: |
port 8810
proto udp
dev tun
server 172.16.10.0 255.255.255.0
keepalive 10 120
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpn-server.crt
key /etc/openvpn/keys/vpn-server.key
dh /etc/openvpn/keys/dh.pem
client-to-client
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
mute 20
daemon
mode server
tls-server
comp-lzo
notify: restart openvpn
- name: copy cert
fetch:
src: "/etc/openvpn/keys/{{ item }}"
dest: "./{{ item }}"
flat: yes
loop:
- ca.crt
- client01.crt
- client02.crt
- client03.crt
- client01.key
- client02.key
- client03.key
handlers:
- name: restart openvpn
systemd:
name: openvpn@server
state: restarted
- hosts: vpn-client
become: true
tasks:
- name: create cert dir openvpn
file:
path: /etc/openvpn/keys
state: directory
mode: '0755'
- name: copy client01 cert
copy:
src: "./{{ item }}"
dest: "/etc/openvpn/keys/{{ item }}"
loop:
- ca.crt
- client01.crt
- client01.key
- name: create conf clietn openvpn
copy:
dest: /etc/openvpn/client.conf
content: |
client
resolv-retry infinite
nobind
proto udp
dev tun
remote 10.10.1.10 8810
keepalive 10 120
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client01.crt
key /etc/openvpn/keys/client01.key
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 4
tls-client
comp-lzo
float
notify: restart openvpn
handlers:
- name: restart openvpn
systemd:
name: openvpn@client
state: restarted
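Review bot: The client config written to `/etc/openvpn/client.conf` (the `content: |` block from `client` to `float`) never restricts which peer certificate it accepts, so with all certificates issued by the same CA and `client-to-client` enabled on the server, any holder of a client certificate could present it as the server endpoint; add `remote-cert-tls server` to that content block so the client requires a server-role certificate. `comp-lzo` appears in both the server and client content; OpenVPN compression is deprecated upstream because of its security impact, and dropping it from both blocks keeps them consistent. The `create ca and server cert` and `create user cert` shell tasks carry no `creates:` guard, so a second playbook run re-executes `init-pki` and `sign-req` against an existing PKI; `args: creates: /usr/share/easy-rsa/pki/ca.crt` on the first and `args: creates: /usr/share/easy-rsa/pki/issued/{{ item }}.crt` on the second make them idempotent. The `copy private key cert to openvpn dir` task sets no `mode:`, so the resulting permissions of the `.key` files under `/etc/openvpn/keys/` depend on what the remote copy yields (not visible here); `mode: '0600'` states the intent explicitly. Finally, the boolean-ish `yes` values (`update_cache`, `remote_src`, `flat`) should be `true` for YAML 1.2 portability.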