Merge pull request #13 from l1ll1/add_sudo

OpenVPN roles

roles/easy-rsa-CA-server/tasks/buildServerCert.yml

---- 
-- name: "Creating Server certificate"
-  shell: "cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA/pkitool\" --server {{ server }} creates=/etc/easy-rsa/2.0/keys/{{ server }}.crt"
-
-- name: "Generating Diffie-Hellman Parameters"
-  shell: "cd /etc/easy-rsa/2.0; source ./vars; ./build-dh"
-  args:
-    chdir: /etc/easy-rsa/2.0/keys/
-    creates: dh512.pem

roles/easy-rsa-CA-server/tasks/main.yml

---- 
-- 
-  include: buildServerCert.yml

roles/easy-rsa-CA/meta/main.yml

 ---
-depdenencies:
-  - {role: easy-rsa-common }
+allow_duplicates: yes
+dependencies:
+  - { role: easy-rsa-common }
 

roles/easy-rsa-CA/tasks/buildCA.yml

@@ -3,4 +3,5 @@
   name: "Building the CA Certificate"
   shell: ' cd /etc/easy-rsa/2.0; source ./vars; ./clean-all;  export EASY_RSA="${EASY_RSA:-.}"; "$EASY_RSA/pkitool" --initca $*'
   args:
-    creates: /etc/easy-rsa/2.0/keys
+    creates: /etc/easy-rsa/2.0/keys/ca.crt
+  sudo: True

roles/easy-rsa-CA-server/meta/main.yml → roles/easy-rsa-certificate/meta/main.yml

 ---
-depdenencies:
+dependencies:
   - {role: easy-rsa-common }
 

roles/easy-rsa-certificate/tasks/buildCert.yml

+--- 
+- name: "Check client ca certificate"
+  register: ca_cert
+  stat: "path={{ x509_cacert_file }}"
+
+- name: "Check certificate and key"
+  shell: (openssl x509 -noout -modulus -in {{ x509_cert_file }}  | openssl md5 ; openssl rsa -noout -modulus -in {{ x509_key_file }} | openssl md5) | uniq | wc -l
+  register: certcheck
+  sudo: true
+
+- name: "Check certificate"
+  register: cert
+  stat: "path={{ x509_cert_file }}"
+  sudo: true
+
+- name: "Check key"
+  register: key
+  stat: "path={{ x509_key_file }}"
+  sudo: true
+
+- name: "Default: we don't need a new certificate"
+  set_fact: needcert=False
+
+- name: "Set need cert if key is missing"
+  set_fact: needcert=True
+  when: key.stat.exists == false
+
+- name: "set needcert if cert is missing"
+  set_fact: needcert=True
+  when: cert.stat.exists == false
+
+- name: "set needcert if cert doesn't match key"
+  set_fact: needcert=True
+  when: certcheck.stdout == '2'
+
+
+- name: "Creating Keypair"
+  shell: "echo noop when using easy-rsa"
+  when: needcert
+
+- name: "Creating CSR"
+  shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ x509_csr_args }} {{ x509_common_name }}"
+  args:
+    creates: "/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.key"
+  when: needcert
+  sudo: true
+
+- name: "Copy CSR to ansible host"
+  fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr dest=/tmp/ fail_on_missing=yes validate_md5=yes flat=yes"
+  sudo: true
+  when: needcert
+
+- name: "Copy CSR to CA"
+  delegate_to: "{{ x509_ca_server }}"
+  copy: "src=/tmp/{{ x509_common_name }}.csr dest=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr force=yes"
+  when: needcert
+  sudo: true
+
+- name: "Sign Certificate"
+  delegate_to: "{{ x509_ca_server }}"
+  shell:    "source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\" ;\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} {{ x509_common_name }}"
+  args:
+    chdir: "/etc/easy-rsa/2.0"
+    creates: "/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt"
+  sudo: true
+
+- name: "Copy the Certificate to ansible host"
+  delegate_to: "{{ x509_ca_server }}"
+  fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt dest=/tmp/ fail_on_missing=yes validate_md5=yes flat=yes"
+  sudo: true
+  when: needcert
+
+- name: "Copy the CA Certificate to the ansible host"
+  delegate_to: "{{ x509_ca_server }}"
+  fetch: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/tmp/ca.crt fail_on_missing=yes validate_md5=yes flat=yes"
+  sudo: true
+  when: "ca_cert.stat.exists == false"
+
+- name: "Make sure the path to the certificate exists"
+  shell: "mkdir -p `dirname {{ x509_cert_file }}` ; chmod 755  `dirname {{ x509_cert_file }}`"
+  sudo: true
+
+- name: "Copy the certificate to the node"
+  copy: "src=/tmp/{{ x509_common_name }}.crt dest={{ x509_cert_file }} force=yes"
+  sudo: true
+  when: needcert
+
+- name: "Copy the CA certificate to the node"
+  copy: "src=/tmp/ca.crt dest={{ x509_cacert_file }}"
+  sudo: true
+  when: "ca_cert.stat.exists == false"
+
+- name: "Copy the key to the correct location"
+  shell: "mkdir -p `dirname {{ x509_key_file }}` ; chmod 700 `dirname {{ x509_key_file }}` ; cp /etc/easy-rsa/2.0/keys/{{ x509_common_name }}.key {{ x509_key_file }}"
+  sudo: true
+  when: needcert

roles/easy-rsa-certificate/tasks/main.yml

+--- 
+- 
+  include: buildCert.yml

roles/easy-rsa-certificate/vars/main.yml

+---
+x509_key_file: "/etc/ssl/private/server.key"
+x509_cert_file: "/etc/ssl/certs/server.crt"
+x509_cacert_file: "/etc/ssl/certs/ca.crt"
+x509_csr_args: ""
+x509_sign_args: "{{ x509_csr_args }}"
+x509_common_name: "{{ ansible_fqdn }}"

roles/easy-rsa-common/tasks/copyConfigurationFile.yml

@@ -10,3 +10,11 @@
         - ../../../templates/easy-rsa/
         - ../files/
 
+  sudo: True
+
+- name: "Initialise easy-rsa"
+  shell: " source ./vars ; ./clean-all"
+  args:
+    chdir: "/etc/easy-rsa/2.0"
+    creates: "/etc/easy-rsa/2.0/keys"
+  sudo: true

roles/easy-rsa-common/tasks/installEasyRsa.yml

@@ -2,8 +2,10 @@
 - 
   name: "Installing easy-rsa"
   yum: "name=easy-rsa state=latest"
+  sudo: True
 - 
   name: "Moving easy-rsa to /etc"
   shell: "cp -rf /usr/share/easy-rsa /etc/"
   args:
     creates: /etc/easy-rsa
+  sudo: True

topplay.yml

+---
+
+- hosts: '*'
+  roles:
+  - etcHosts
+
+- hosts: 'x509_ca'
+  vars:
+  roles:
+  - { role: easy-rsa-CA }
+
+- hosts: 'OpenVPN-Server'
+  vars:
+    x509_ca_server: "{{ groups['x509_ca'][0] }}"
+  roles:
+  - { role: OpenVPN-Server }
+
+- hosts: 'OpenVPN-Client'
+  vars:
+    x509_ca_server: "{{ groups['x509_ca'][0] }}"
+    openvpn_servers: "{{ groups['OpenVPN-Server'] }}"
+  roles:
+  - { role: OpenVPN-Client }