From fbb84c573f3088d22d7edb4b62a03f33b220d905 Mon Sep 17 00:00:00 2001 From: alex Date: Wed, 25 Mar 2026 23:37:03 +0300 Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20ansible.yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
---
 ansible.yml | 194 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 194 insertions(+) create mode 100644 ansible.yml
diff --git a/ansible.yml b/ansible.yml
new file mode 100644
index 0000000..4370225
--- /dev/null
+++ b/ansible.yml
@@ -0,0 +1,194 @@ +--- +- hosts: all + become: true + tasks: + + - name: update + apt: + update_cache: yes + + - name: install openvpn + apt: + name: openvpn + state: present + + - name: install iperf3 + apt: + name: iperf3 + state: present + + +- hosts: vpn-server + become: true + tasks: + + - name: install easy-rsa + apt: + name: easy-rsa + state: present + + - name: create cert dir openvpn + file: + path: /etc/openvpn/keys + state: directory + mode: '0755' + + - name: create vars for cert + copy: + dest: /usr/share/easy-rsa/vars + content: | + set_var EASYRSA_DIGEST "sha512" + set_var EASYRSA_REQ_COUNTRY "RU" + set_var EASYRSA_REQ_PROVINCE "Moscow" + set_var EASYRSA_REQ_CITY "Moscow" + set_var EASYRSA_REQ_ORG "Pupkin And Co" + set_var EASYRSA_REQ_EMAIL "help@mail.ru" + set_var EASYRSA_REQ_OU "IT" + set_var EASYRSA_CA_EXPIRE 3650 + set_var EASYRSA_CERT_EXPIRE 365 + set_var EASYRSA_CA_CN "ca" + + - name: create ca and server cert + shell: | + cd /usr/share/easy-rsa/ + ./easyrsa init-pki + echo "ca" | ./easyrsa build-ca nopass + ./easyrsa gen-dh + echo "vpn-server" | ./easyrsa gen-req vpn-server nopass + echo "yes" | ./easyrsa sign-req server vpn-server + + - name: create user cert + shell: | + cd /usr/share/easy-rsa/ + echo "{{ item }}" | ./easyrsa gen-req {{ item }} nopass + echo "yes" | ./easyrsa sign-req client {{ item }} + loop: + - client01 + - client02 + - client03 + + - name: copy public cert to openvpn dir + copy: + src: /usr/share/easy-rsa/pki/issued/{{ item }}.crt + dest: /etc/openvpn/keys/ + remote_src: yes + loop: + - vpn-server + - client01 + - client02 + - client03 + + - name: copy private key cert to openvpn dir + copy: + src: /usr/share/easy-rsa/pki/private/{{ item }}.key + dest: /etc/openvpn/keys/{{ item }}.key + remote_src: yes + loop: + - vpn-server + - client01 + - client02 + - client03 + + - name: copy dh.pem and ca to openvpn dir + copy: + src: /usr/share/easy-rsa/pki/{{ item }} + dest: /etc/openvpn/keys/{{ item }} + remote_src: yes + loop: + 
- dh.pem + - ca.crt + + - name: create conf openvpn + copy: + dest: /etc/openvpn/server.conf + content: | + port 8810 + proto udp + dev tun + server 172.16.10.0 255.255.255.0 + keepalive 10 120 + ca /etc/openvpn/keys/ca.crt + cert /etc/openvpn/keys/vpn-server.crt + key /etc/openvpn/keys/vpn-server.key + dh /etc/openvpn/keys/dh.pem + client-to-client + persist-key + persist-tun + status /var/log/openvpn/openvpn-status.log + log-append /var/log/openvpn/openvpn.log + verb 4 + mute 20 + daemon + mode server + tls-server + comp-lzo + notify: restart openvpn + + - name: copy cert + fetch: + src: "/etc/openvpn/keys/{{ item }}" + dest: "./{{ item }}" + flat: yes + loop: + - ca.crt + - client01.crt + - client02.crt + - client03.crt + - client01.key + - client02.key + - client03.key + + handlers: + - name: restart openvpn + systemd: + name: openvpn@server + state: restarted + +- hosts: vpn-client + become: true + tasks: + + - name: create cert dir openvpn + file: + path: /etc/openvpn/keys + state: directory + mode: '0755' + + - name: copy client01 cert + copy: + src: "./{{ item }}" + dest: "/etc/openvpn/keys/{{ item }}" + loop: + - ca.crt + - client01.crt + - client01.key + + - name: create conf clietn openvpn + copy: + dest: /etc/openvpn/client.conf + content: | + client + resolv-retry infinite + nobind + proto udp + dev tun + remote 10.10.1.10 8810 + keepalive 10 120 + ca /etc/openvpn/keys/ca.crt + cert /etc/openvpn/keys/client01.crt + key /etc/openvpn/keys/client01.key + persist-key + persist-tun + status /var/log/openvpn/openvpn-status.log + log-append /var/log/openvpn/openvpn.log + verb 4 + tls-client + comp-lzo + float + notify: restart openvpn + + handlers: + - name: restart openvpn + systemd: + name: openvpn@client + state: restarted \ No newline at end of file
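Review bot: The "copy private key cert to openvpn dir" task writes the server and client private keys with no `mode:`, so with `remote_src: yes` they take the umask default (typically 0644) instead of the 0600 easy-rsa gave them under pki/private, and they land in a directory created with `mode: '0755'` — add `mode: '0600'` to that task and use `mode: '0700'` for /etc/openvpn/keys in both plays; the `fetch` step additionally drops `client01.key`–`client03.key` into the playbook directory on the controller, where they are likely to end up in version control. On the client side, client.conf has no `remote-cert-tls server`, so any certificate this CA issued — including the `client`-type certs from the sign-req loop — would be accepted as the server, letting one VPN user impersonate it to the others. Both configs enable `comp-lzo`, which is deprecated in OpenVPN 2.4+ and exposes tunnelled traffic to compression-oracle attacks (VORACLE); dropping it, adding a `tls-crypt` key, and having the server drop privileges with `user nobody` / `group nogroup` (safe here because `persist-key` and `persist-tun` are already set) is the baseline I would expect. The `shell:` steps that build the PKI have no `creates:` guard, so a second run re-enters `init-pki` and regenerates the CA and every certificate, and `update_cache: yes` should be `update_cache: true`. Hardened fragments:

```yaml
    - name: create cert dir openvpn
      file:
        path: /etc/openvpn/keys
        state: directory
        mode: '0700'

    # … unchanged: vars file …

    - name: create ca and server cert
      shell: |
        # … unchanged: init-pki / build-ca / gen-dh / gen-req / sign-req …
      args:
        creates: /usr/share/easy-rsa/pki/ca.crt

    # … unchanged: client certs, public cert copy …

    - name: copy private key cert to openvpn dir
      copy:
        src: /usr/share/easy-rsa/pki/private/{{ item }}.key
        dest: /etc/openvpn/keys/{{ item }}.key
        remote_src: true
        mode: '0600'
      # … unchanged: loop over vpn-server, client01–client03 …

    # server.conf: remove `comp-lzo`, add (ta.key from `openvpn --genkey secret`):
    #   tls-crypt /etc/openvpn/keys/ta.key
    #   user nobody
    #   group nogroup
    # client.conf: remove `comp-lzo`, add:
    #   remote-cert-tls server
    #   tls-crypt /etc/openvpn/keys/ta.key
```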