sheppy/no-secrets-athq-ansible
1
0
Fork 0
mirror of https://github.com/FAUSheppy/no-secrets-athq-ansible synced 2025-12-06 19:01:36 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: openvpn & cert manager

Browse Source
This commit is contained in:
Johnathen Sheppard
2023-05-29 12:33:06 +00:00
parent 5cb291bdfd
commit 3347feee8f
6 changed files with 165 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
group_vars/vpn.yaml
View File

@@ -3,3 +3,7 @@ checks :
- { user : nobody, name : wireguard-darknet-rudi, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_rudi_darknet -w300,10% -c 1000,20%"} - { user : nobody, name : wireguard-darknet-rudi, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_rudi_darknet -w300,10% -c 1000,20%"}
- { user : nobody, name : wireguard-darknet-hase, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_hase_darknet -w300,10% -c 1000,20%"} - { user : nobody, name : wireguard-darknet-hase, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_hase_darknet -w300,10% -c 1000,20%"}
# - { user : nobody, name : darknet-reachable, cmd : "/usr/lib/nagios/plugins/check_ping -H 10.100.100.100 -w300,10% -c 1000,20%"} # - { user : nobody, name : darknet-reachable, cmd : "/usr/lib/nagios/plugins/check_ping -H 10.100.100.100 -w300,10% -c 1000,20%"}
openvpn_management_password: HISTORY_PURGED_SECRET
openvpn_management_passfile: mgnt-pass.txt
openvpn_management_port: 23000

4
playbook.yaml
View File

@@ -45,6 +45,10 @@
roles: roles:
- { role : vault-pki, tags : [ "pki_master", "vault" ] } - { role : vault-pki, tags : [ "pki_master", "vault" ] }
- hosts: vpn
roles:
- { role : openvpn, tags : [ "openvpn", "vpn", "certificate-manager" ] }
- hosts: timetracking - hosts: timetracking
roles: roles:
- { role : timetracking, tags : [ "timetracking", "kamai" ] } - { role : timetracking, tags : [ "timetracking", "kamai" ] }

75
roles/openvpn/tasks/main.yaml Normal file
View File

@@ -0,0 +1,75 @@
- name: Install VPNs
apt:
state: present
pkg:
- openvpn
- docker-compose
- name: OpenVPN configs dirs
file:
name: "/etc/openvpn/{{ item }}"
state: directory
with_items:
- atlantishq
- name: Deploy OpenVPN configs
template:
src: "{{ item }}.conf"
dest: "/etc/openvpn/{{ item }}/"
with_items:
- atlantishq
- name: Openvpn Mgnt interface Pass file
copy:
content: "{{ openvpn_management_password }}"
dest: "/etc/openvpn/{{ openvpn_management_passfile }}"
- name: Create data-dir
file:
name: /data/
state: directory
- name: Create data-dir (client-config-dir)
file:
name: /data/certificate-manager/client-config-dir/
state: directory
- name: Create opt-dir
file:
name: /opt/
state: directory
- name: Certificate Manager Data Dir
file:
name: /data/certificate-manager/
state: directory
- name: Cert Manager Config
template:
src: cert-manager-conf.py
dest: /data/certificate-manager/config.py
notify:
- reload async icinga settings
- name: Create compose directories
file:
name: "/opt/certificate-manager/"
state: directory
- name: Copy compose templates
template:
src: "certificate-manager.yaml"
dest: "/opt/certificate-manager/"
- name: Log into private registry
docker_login:
registry: registry.atlantishq.de
username: docker
password: HISTORY_PURGED_SECRET
- name: Deploy compose templates
community.docker.docker_compose:
project_src: "/opt/certificate-manager/"
pull: true
files:
- "certificate-manager.yaml"

42
roles/openvpn/templates/atlantishq.conf Normal file
View File

@@ -0,0 +1,42 @@
server 172.16.1.0 255.255.255.0
#server-ipv6 fd2a:aef:608:1::/64
dev athq_sheppyvpn
dev-type tun
proto tcp
port 7012
topology subnet
client-to-client
# disable logging
#log /dev/null
#status /dev/null
script-security 2
tls-server
mode server
#duplicate-cn
persist-key
persist-tun
keepalive 10 60
user nobody
group nogroup
auth SHA512
cipher AES-256-CBC
ca atlantishq/ca.crt
cert atlantishq/vpn.atlantishq.de.crt
key atlantishq/vpn.atlantishq.de.key
dh atlantishq/dhparam
crl-verify /opt/data/certificate-manager/crl.pem
client-config-dir /opt/certificate-manager/client-config-dir
ccd-exclusive
management 127.0.0.1 {{ openvpn_management_port }} {{ openvpn_management_passfile }}

31
roles/openvpn/templates/cert-manager-conf.py Normal file
View File

@@ -0,0 +1,31 @@
CA_KEY_SIZE = 2048
CA_NAME = "AtlantisHQv2"
CRL_PATH = "./data/crl.pem"
KEYS_PATH = "./data/keys/"
CA_KEY_PATH = "./keys/ca.key"
CA_CERT_PATH = "./keys/ca.crt"
CA_CERT_PATH = "./keys/ca.crt"
C_DEFAULT = "DE"
L_DEFAULT = "Bavaria"
ST_DEFAULT = "Erlangen"
O_DEFAULT = "AtlantisHQ"
OU_DEFAULT = "Sheppy"
SQLALCHEMY_DATABASE_URI = "sqlite:///./data/sqlite.db"
CREATE_CA_IF_NOT_EXISTS = True
LOAD_MISSING_CERTS_TO_DB = False
VPN_CONFIG_DIR_PATH = "./data/ccd/"
ENABLE_VPN_CONNECTION = False
VPN_MANAGEMENT_HOST = "host.docker.internal"
VPN_MANAGEMENT_PORT = {{ openvpn_management_port }}
VPN_MANAGEMENT_PASSWORD = "{{ openvpn_management_password }}"
NGINX_CERT_MAPS_LOCATION = "./data/nginx_maps.j2"
VPN_SERVER = "atlantishq.de"
VPN_PORT = 7012
VPN_PROTO = "tcp"

9
roles/openvpn/templates/certificate-manager.yaml Normal file
View File

@@ -0,0 +1,9 @@
certificate-manager:
image: registry.atlantishq.de/certificate-manager:latest
restart: always
ports:
- 5000:5000
volumes:
- /data/certificate-manager/:/app/data/
extra_hosts:
- host.docker.internal:host-gateway