From 3347feee8f21f139b1bfd0344f45e03820fd5bc0 Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Mon, 29 May 2023 12:33:06 +0000
Subject: [PATCH] feat: openvpn & cert manager
---
 group_vars/vpn.yaml | 4 +
 playbook.yaml | 4 +
 roles/openvpn/tasks/main.yaml | 75 +++++++++++++++++++
 roles/openvpn/templates/atlantishq.conf | 42 +++++++++++
 roles/openvpn/templates/cert-manager-conf.py | 31 ++++++++
 .../templates/certificate-manager.yaml | 9 +++
 6 files changed, 165 insertions(+)
 create mode 100644 roles/openvpn/tasks/main.yaml
 create mode 100644 roles/openvpn/templates/atlantishq.conf
 create mode 100644 roles/openvpn/templates/cert-manager-conf.py
 create mode 100644 roles/openvpn/templates/certificate-manager.yaml
diff --git a/group_vars/vpn.yaml b/group_vars/vpn.yaml
index 57c119d..b789054 100644
--- a/group_vars/vpn.yaml
+++ b/group_vars/vpn.yaml
@@ -3,3 +3,7 @@ checks :
 - { user : nobody, name : wireguard-darknet-rudi, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_rudi_darknet -w300,10% -c 1000,20%"}
 - { user : nobody, name : wireguard-darknet-hase, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_hase_darknet -w300,10% -c 1000,20%"}
 # - { user : nobody, name : darknet-reachable, cmd : "/usr/lib/nagios/plugins/check_ping -H 10.100.100.100 -w300,10% -c 1000,20%"}
+
+openvpn_management_password: HISTORY_PURGED_SECRET
+openvpn_management_passfile: mgnt-pass.txt
+openvpn_management_port: 23000
diff --git a/playbook.yaml b/playbook.yaml
index fd051bb..3dae451 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -45,6 +45,10 @@ roles:
 - { role : vault-pki, tags : [ "pki_master", "vault" ] }
+- hosts: vpn
+ roles:
+ - { role : openvpn, tags : [ "openvpn", "vpn", "certificate-manager" ] }
+
 - hosts: timetracking
 roles:
 - { role : timetracking, tags : [ "timetracking", "kamai" ] }
diff --git a/roles/openvpn/tasks/main.yaml b/roles/openvpn/tasks/main.yaml
new file mode 100644
index 0000000..8cfa95c
--- /dev/null
+++ b/roles/openvpn/tasks/main.yaml
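Review bot: `openvpn_management_password` is committed as a plaintext value in group_vars/vpn.yaml (the `HISTORY_PURGED_SECRET` placeholder looks like a later redaction, which suggests the real value was in history at some point), so every clone of the repository carries the OpenVPN management credential. Store it as an `ansible-vault encrypt_string` `!vault` literal or fetch it from a secrets backend with `lookup`, keeping only the non-secret `openvpn_management_passfile` and `openvpn_management_port` in clear. The inline `password:` of the `docker_login` task in roles/openvpn/tasks/main.yaml has the same problem and should move to a vaulted variable as well.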
@@ -0,0 +1,75 @@
+- name: Install VPNs
+ apt:
+ state: present
+ pkg:
+ - openvpn
+ - docker-compose
+
+- name: OpenVPN configs dirs
+ file:
+ name: "/etc/openvpn/{{ item }}"
+ state: directory
+ with_items:
+ - atlantishq
+
+- name: Deploy OpenVPN configs
+ template:
+ src: "{{ item }}.conf"
+ dest: "/etc/openvpn/{{ item }}/"
+ with_items:
+ - atlantishq
+
+- name: Openvpn Mgnt interface Pass file
+ copy:
+ content: "{{ openvpn_management_password }}"
+ dest: "/etc/openvpn/{{ openvpn_management_passfile }}"
+
+- name: Create data-dir
+ file:
+ name: /data/
+ state: directory
+
+- name: Create data-dir (client-config-dir)
+ file:
+ name: /data/certificate-manager/client-config-dir/
+ state: directory
+
+- name: Create opt-dir
+ file:
+ name: /opt/
+ state: directory
+
+- name: Certificate Manager Data Dir
+ file:
+ name: /data/certificate-manager/
+ state: directory
+
+- name: Cert Manager Config
+ template:
+ src: cert-manager-conf.py
+ dest: /data/certificate-manager/config.py
+ notify:
+ - reload async icinga settings
+
+- name: Create compose directories
+ file:
+ name: "/opt/certificate-manager/"
+ state: directory
+
+- name: Copy compose templates
+ template:
+ src: "certificate-manager.yaml"
+ dest: "/opt/certificate-manager/"
+
+- name: Log into private registry
+ docker_login:
+ registry: registry.atlantishq.de
+ username: docker
+ password: HISTORY_PURGED_SECRET
+
+- name: Deploy compose templates
+ community.docker.docker_compose:
+ project_src: "/opt/certificate-manager/"
+ pull: true
+ files:
+ - "certificate-manager.yaml"
diff --git a/roles/openvpn/templates/atlantishq.conf b/roles/openvpn/templates/atlantishq.conf
new file mode 100644
index 0000000..e79b596
--- /dev/null
+++ b/roles/openvpn/templates/atlantishq.conf
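Review bot: The `Openvpn Mgnt interface Pass file` task writes the management password to `/etc/openvpn/{{ openvpn_management_passfile }}` without `owner:`/`mode:`, so the file is created under the default umask and is typically world-readable; the `Cert Manager Config` task has the same gap, and its rendered config.py embeds `VPN_MANAGEMENT_PASSWORD`. Add `owner: root`, `group: root`, `mode: "0600"` to both tasks. The `docker_login` task carries the registry password inline in the role instead of as a vaulted variable, and neither it nor the two secret-writing tasks sets `no_log: true`, so the values are printed in verbose or `--diff` runs. Nothing in this hunk enables or restarts an openvpn service after the config lands in `/etc/openvpn/{{ item }}/`, and the `reload async icinga settings` handler is not defined in this role, so presumably both are wired up elsewhere.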
@@ -0,0 +1,42 @@
+server 172.16.1.0 255.255.255.0
+#server-ipv6 fd2a:aef:608:1::/64
+
+dev athq_sheppyvpn
+dev-type tun
+
+proto tcp
+port 7012
+
+topology subnet
+client-to-client
+
+# disable logging
+#log /dev/null
+#status /dev/null
+
+script-security 2
+tls-server
+mode server
+#duplicate-cn
+
+persist-key
+persist-tun
+
+keepalive 10 60
+
+user nobody
+group nogroup
+
+auth SHA512
+cipher AES-256-CBC
+
+ca atlantishq/ca.crt
+cert atlantishq/vpn.atlantishq.de.crt
+key atlantishq/vpn.atlantishq.de.key
+dh atlantishq/dhparam
+
+crl-verify /opt/data/certificate-manager/crl.pem
+
+client-config-dir /opt/certificate-manager/client-config-dir
+ccd-exclusive
+management 127.0.0.1 {{ openvpn_management_port }} {{ openvpn_management_passfile }}
diff --git a/roles/openvpn/templates/cert-manager-conf.py b/roles/openvpn/templates/cert-manager-conf.py
new file mode 100644
index 0000000..67cd941
--- /dev/null
+++ b/roles/openvpn/templates/cert-manager-conf.py
@@ -0,0 +1,31 @@
+CA_KEY_SIZE = 2048
+CA_NAME = "AtlantisHQv2"
+
+CRL_PATH = "./data/crl.pem"
+KEYS_PATH = "./data/keys/"
+
+
+CA_KEY_PATH = "./keys/ca.key"
+CA_CERT_PATH = "./keys/ca.crt"
+CA_CERT_PATH = "./keys/ca.crt"
+
+C_DEFAULT = "DE"
+L_DEFAULT = "Bavaria"
+ST_DEFAULT = "Erlangen"
+O_DEFAULT = "AtlantisHQ"
+OU_DEFAULT = "Sheppy"
+
+SQLALCHEMY_DATABASE_URI = "sqlite:///./data/sqlite.db"
+CREATE_CA_IF_NOT_EXISTS = True
+LOAD_MISSING_CERTS_TO_DB = False
+
+VPN_CONFIG_DIR_PATH = "./data/ccd/"
+ENABLE_VPN_CONNECTION = False
+VPN_MANAGEMENT_HOST = "host.docker.internal"
+VPN_MANAGEMENT_PORT = {{ openvpn_management_port }}
+VPN_MANAGEMENT_PASSWORD = "{{ openvpn_management_password }}"
+NGINX_CERT_MAPS_LOCATION = "./data/nginx_maps.j2"
+
+VPN_SERVER = "atlantishq.de"
+VPN_PORT = 7012
+VPN_PROTO = "tcp"
diff --git a/roles/openvpn/templates/certificate-manager.yaml b/roles/openvpn/templates/certificate-manager.yaml
new file mode 100644
index 0000000..7b07d4e
--- /dev/null
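Review bot: `crl-verify /opt/data/certificate-manager/crl.pem` and `client-config-dir /opt/certificate-manager/client-config-dir` match neither the directories the role creates (`/data/certificate-manager/`, `/data/certificate-manager/client-config-dir/`) nor the paths the certificate manager is configured to write (`./data/crl.pem`, `./data/ccd/`, presumably under the `/app/data/` volume), so revocation would silently not be enforced (OpenVPN only warns when the CRL file cannot be read) and, with `ccd-exclusive`, clients are likely rejected until the paths agree. Point both directives at the host directory the compose volume maps, e.g. `crl-verify /data/certificate-manager/crl.pem` and `client-config-dir /data/certificate-manager/ccd`, and keep `VPN_CONFIG_DIR_PATH` in the cert manager config consistent with that. `cipher AES-256-CBC` pins a legacy CBC mode; on OpenVPN 2.5+ prefer `data-ciphers AES-256-GCM:AES-128-GCM`, and add `tls-version-min 1.2` and `remote-cert-tls client` so a leaked server certificate cannot be reused as a client identity. `script-security 2` is set although no script directive appears in this config, so it can be dropped.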
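Review bot: `CA_KEY_PATH = "./keys/ca.key"` and `CA_CERT_PATH = "./keys/ca.crt"` sit outside `./data/`, which is the only path the compose file mounts from the host (`/data/certificate-manager/:/app/data/`); if the container's working directory is `/app` as that mapping suggests, the CA private key lives in the ephemeral container layer, and with `CREATE_CA_IF_NOT_EXISTS = True` every `pull: true` recreate would quietly mint a fresh CA that no longer matches the `ca atlantishq/ca.crt` installed for OpenVPN. Keeping the CA material under the persisted volume, e.g. `CA_KEY_PATH = "./data/keys/ca.key"` and `CA_CERT_PATH = "./data/keys/ca.crt"` alongside `KEYS_PATH`, avoids that. `L_DEFAULT = "Bavaria"` and `ST_DEFAULT = "Erlangen"` look swapped (L is the locality/city, ST the state/province), and `CA_CERT_PATH` is assigned twice on consecutive lines. Because the rendered file embeds `VPN_MANAGEMENT_PASSWORD`, the task that templates it should restrict its mode.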
+++ b/roles/openvpn/templates/certificate-manager.yaml
@@ -0,0 +1,9 @@
+certificate-manager:
+ image: registry.atlantishq.de/certificate-manager:latest
+ restart: always
+ ports:
+ - 5000:5000
+ volumes:
+ - /data/certificate-manager/:/app/data/
+ extra_hosts:
+ - host.docker.internal:host-gateway
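Review bot: `- 5000:5000` publishes the certificate manager on every host interface, so the service that holds the CA key and issues VPN certificates is reachable from wherever the VPN host is; unless the application enforces its own authentication, bind it to loopback with `- 127.0.0.1:5000:5000` and put a TLS-terminating reverse proxy in front. `image: registry.atlantishq.de/certificate-manager:latest` together with `pull: true` in the deploy task means each run installs whatever the registry currently serves under that tag, so pin a version tag or an image digest to keep deployments reproducible and keep an accidental or malicious push from going straight to production. The OpenVPN management interface is bound to `127.0.0.1` on the host, which `host.docker.internal` (the bridge gateway address) will not reach once `ENABLE_VPN_CONNECTION` is switched on; either bind `management` to the docker bridge address or run the container with host networking.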