feat: openvpn & cert manager

group_vars/vpn.yaml

@@ -3,3 +3,7 @@ checks :
     - { user : nobody, name : wireguard-darknet-rudi, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_rudi_darknet -w300,10% -c 1000,20%"}
     - { user : nobody, name : wireguard-darknet-hase, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_hase_darknet -w300,10% -c 1000,20%"}
 #    - { user : nobody, name : darknet-reachable, cmd : "/usr/lib/nagios/plugins/check_ping -H 10.100.100.100 -w300,10% -c 1000,20%"}
+
+openvpn_management_password: HISTORY_PURGED_SECRET
+openvpn_management_passfile: mgnt-pass.txt
+openvpn_management_port: 23000

playbook.yaml

@@ -45,6 +45,10 @@
   roles:
     - { role : vault-pki, tags : [ "pki_master", "vault" ] }
 
+- hosts: vpn
+  roles:
+    - { role : openvpn, tags : [ "openvpn", "vpn", "certificate-manager" ] }
+
 - hosts: timetracking
   roles:
     - { role : timetracking, tags : [ "timetracking", "kamai" ] }

roles/openvpn/tasks/main.yaml

@@ -0,0 +1,75 @@
+- name: Install VPNs
+  apt:
+    state: present
+    pkg:
+        - openvpn
+        - docker-compose
+
+- name: OpenVPN configs dirs
+  file:
+    name: "/etc/openvpn/{{ item }}"
+    state: directory
+  with_items:
+    - atlantishq
+
+- name: Deploy OpenVPN configs
+  template:
+    src: "{{ item }}.conf"
+    dest: "/etc/openvpn/{{ item }}/"
+  with_items:
+    - atlantishq
+
+- name: Openvpn Mgnt interface Pass file
+  copy:
+    content: "{{ openvpn_management_password }}"
+    dest: "/etc/openvpn/{{ openvpn_management_passfile }}"
+
+- name: Create data-dir
+  file:
+    name: /data/
+    state: directory
+
+- name: Create data-dir (client-config-dir)
+  file:
+    name: /data/certificate-manager/client-config-dir/
+    state: directory
+
+- name: Create opt-dir
+  file:
+    name: /opt/
+    state: directory
+
+- name: Certificate Manager Data Dir
+  file:
+    name: /data/certificate-manager/
+    state: directory
+
+- name: Cert Manager Config
+  template:
+    src: cert-manager-conf.py
+    dest: /data/certificate-manager/config.py
+  notify:
+    - reload async icinga settings
+
+- name: Create compose directories
+  file:
+    name: "/opt/certificate-manager/"
+    state: directory
+
+- name: Copy compose templates
+  template:
+    src: "certificate-manager.yaml"
+    dest: "/opt/certificate-manager/"
+
+- name: Log into private registry
+  docker_login:
+    registry: registry.atlantishq.de
+    username: docker
+    password: HISTORY_PURGED_SECRET
+
+- name: Deploy compose templates
+  community.docker.docker_compose:
+    project_src: "/opt/certificate-manager/"
+    pull: true
+    files:
+      - "certificate-manager.yaml"

roles/openvpn/templates/atlantishq.conf

@@ -0,0 +1,42 @@
+server 172.16.1.0 255.255.255.0
+#server-ipv6 fd2a:aef:608:1::/64
+
+dev athq_sheppyvpn
+dev-type tun
+
+proto tcp
+port 7012
+
+topology subnet
+client-to-client
+
+# disable logging
+#log /dev/null
+#status /dev/null
+
+script-security 2
+tls-server
+mode server
+#duplicate-cn
+
+persist-key
+persist-tun
+
+keepalive 10 60
+
+user nobody
+group nogroup
+
+auth SHA512
+cipher AES-256-CBC
+
+ca   atlantishq/ca.crt
+cert atlantishq/vpn.atlantishq.de.crt
+key  atlantishq/vpn.atlantishq.de.key
+dh   atlantishq/dhparam
+
+crl-verify /opt/data/certificate-manager/crl.pem
+
+client-config-dir /opt/certificate-manager/client-config-dir
+ccd-exclusive
+management 127.0.0.1 {{ openvpn_management_port }} {{ openvpn_management_passfile }}

roles/openvpn/templates/cert-manager-conf.py

@@ -0,0 +1,31 @@
+CA_KEY_SIZE = 2048
+CA_NAME     = "AtlantisHQv2"
+
+CRL_PATH  = "./data/crl.pem"
+KEYS_PATH = "./data/keys/"
+
+
+CA_KEY_PATH  = "./keys/ca.key"
+CA_CERT_PATH = "./keys/ca.crt"
+CA_CERT_PATH = "./keys/ca.crt"
+
+C_DEFAULT  = "DE"
+L_DEFAULT  = "Bavaria"
+ST_DEFAULT = "Erlangen"
+O_DEFAULT  = "AtlantisHQ"
+OU_DEFAULT = "Sheppy"
+
+SQLALCHEMY_DATABASE_URI  = "sqlite:///./data/sqlite.db"
+CREATE_CA_IF_NOT_EXISTS  = True
+LOAD_MISSING_CERTS_TO_DB = False
+
+VPN_CONFIG_DIR_PATH      = "./data/ccd/"
+ENABLE_VPN_CONNECTION    = False
+VPN_MANAGEMENT_HOST      = "host.docker.internal"
+VPN_MANAGEMENT_PORT      = {{ openvpn_management_port }}
+VPN_MANAGEMENT_PASSWORD  = "{{ openvpn_management_password }}"
+NGINX_CERT_MAPS_LOCATION = "./data/nginx_maps.j2"
+
+VPN_SERVER = "atlantishq.de"
+VPN_PORT   = 7012
+VPN_PROTO  = "tcp"

roles/openvpn/templates/certificate-manager.yaml

@@ -0,0 +1,9 @@
+certificate-manager:
+    image: registry.atlantishq.de/certificate-manager:latest
+    restart: always
+    ports:
+        - 5000:5000
+    volumes:
+        - /data/certificate-manager/:/app/data/
+    extra_hosts:
+        - host.docker.internal:host-gateway