roles/OpenVPN-Client/tasks/copyCerts.yml

---- 
-- 
-  failed_when: "CAcert.stat.exists  == false"
-  name: "Check if CA certificate exist"
-  register: CAcert
-  stat: path=/etc/easy-rsa/2.0/keys/ca.crt
-  delegate_to: "{{ server }}"
-- 
-  synchronize: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/etc/openvpn/ca.crt  mode=push rsync_path='sudo rsync'"
+---
+-
+  copy: "src=/tmp/{{ inventory_hostname }}/ca.crt dest=/etc/openvpn/ca.crt  mode=644 owner=root group=root"
   name: "Copying CA certificate"
-  when: "CAcert.stat.exists  == true"
-  delegate_to: "{{ server }}"
-- 
-  failed_when: "ClientCert.stat.exists  == false"
-  name: "Check if Client certificate exist"
-  register: ClientCert
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt"
-  delegate_to: "{{ server }}"
-- 
-  synchronize: "src=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt dest=/etc/openvpn/{{ inventory_hostname }}.crt rsync_path='sudo rsync'  mode=push"
+  when: "client_ca_cert.stat.exists == false"
+-
+  copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.crt dest=/etc/openvpn/{{ inventory_hostname }}.crt mode=644 owner=root group=root"
   name: "Copying Client certificate"
-  when: "ClientCert.stat.exists  == true"
-  delegate_to: "{{ server }}"
-- 
-  failed_when: "ClientKey.stat.exists  == false"
-  name: "Check if Server key exist"
-  register: ClientKey
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key"
-  delegate_to: "{{ server }}"
-- 
-  synchronize: "src=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key dest=/etc/openvpn/{{ inventory_hostname }}.key  mode=push rsync_path='sudo rsync'"
+  when: "client_sign_cert.stat.exists == false"
+-
+  copy: "src=/tmp/{{ inventory_hostname }}/{{ inventory_hostname }}.key dest=/etc/openvpn/{{ inventory_hostname }}.key  mode=600 owner=root group=root"
   name: "Copying Client key"
-  when: "ClientKey.stat.exists  == true"
-  delegate_to: "{{ server }}"
-- 
-  copy: "src=client.conf dest=/etc/openvpn/client.conf owner=root group=root mode=644"
-  name: "Copying client.conf to the OpenVPN client"
-- 
-  name: "Editing client.conf: Replacing Server Name"
-  replace: "dest=/etc/openvpn/client.conf regexp=vm-server replace={{ server | mandatory }}"
-- 
-  name: "Editing client.conf: Replacing Client Name"
-  replace: "dest=/etc/openvpn/client.conf regexp=vm-server replace={{ inventory_hostname }}"
-- 
-  name: "Starting openvpn"
-  service: "name=openvpn enabled=yes state=started"
+  when: "client_key.stat.exists == false"
+
+- name: "Copying client.conf to the OpenVPN client"
+  template: src={{ item }} dest=/etc/openvpn/client.conf
+  with_first_found:
+    - files:
+      - client.conf.j2
+      - userConfig
+      - defaultConfig
+      paths:
+        - ../templates/
+        - ../files/
+  notify: restart openvpn
+
+- name: "Removing Cert Directory"
+  local_action: "command rm -rf /tmp/{{ inventory_hostname }}"
+  when: "client_ca_cert.stat.exists == false or client_key.stat.exists == false or client_sign_cert.stat.exists == false"
+

roles/OpenVPN-Client/tasks/installOpenVPN.yml

---- 
-- 
-  name: "Install OpenVPN"
+---
+- name: "Install OpenVPN"
   yum: "name=openvpn state=present"
+  become: true
+  notify: restart openvpn
+
+- name: "Copying client.conf to the OpenVPN client"
+  template: "src=client.conf.j2 dest=/etc/openvpn/client.conf"
+  become: true
+  notify: restart openvpn
+

roles/OpenVPN-Client/tasks/main.yml

 ---
 -
  include: installOpenVPN.yml
--
- include: copyCerts.yml
+
+- name: "Start OpenVPN"
+  service: name=openvpn state=started enabled=yes
+  become: true
+

roles/OpenVPN-Client/templates/client.conf.j2

+##############################################
+# Sample client-side OpenVPN 2.0 config file #
+# for connecting to multi-client server.     #
+#                                            #
+# This configuration can be used by multiple #
+# clients, however each client should have   #
+# its own cert and key files.                #
+#                                            #
+# On Windows, you might want to rename this  #
+# file so it has a .ovpn extension           #
+##############################################
+
+# Specify that we are a client and that we
+# will be pulling certain config file directives
+# from the server.
+client
+
+# Use the same setting as you are using on
+# the server.
+# On most systems, the VPN will not function
+# unless you partially or fully disable
+# the firewall for the TUN/TAP interface.
+;dev tap
+dev tun
+
+# Windows needs the TAP-Win32 adapter name
+# from the Network Connections panel
+# if you have more than one.  On XP SP2,
+# you may need to disable the firewall
+# for the TAP adapter.
+;dev-node MyTap
+
+# Are we connecting to a TCP or
+# UDP server?  Use the same setting as
+# on the server.
+;proto tcp
+proto udp
+
+# The hostname/IP and port of the server.
+# You can have multiple remote entries
+# to load balance between the servers.
+{% for item in openvpn_servers %}
+remote {{ item }} 1194
+{% endfor %}
+
+# Choose a random host from the remote
+# list for load-balancing.  Otherwise
+# try hosts in the order specified.
+;remote-random
+
+# Keep trying indefinitely to resolve the
+# host name of the OpenVPN server.  Very useful
+# on machines which are not permanently connected
+# to the internet such as laptops.
+resolv-retry infinite
+
+# Most clients don't need to bind to
+# a specific local port number.
+nobind
+
+# Downgrade privileges after initialization (non-Windows only)
+;user nobody
+;group nobody
+
+# Try to preserve some state across restarts.
+persist-key
+persist-tun
+
+# If you are connecting through an
+# HTTP proxy to reach the actual OpenVPN
+# server, put the proxy server/IP and
+# port number here.  See the man page
+# if your proxy server requires
+# authentication.
+;http-proxy-retry # retry on connection failures
+;http-proxy [proxy server] [proxy port #]
+
+# Wireless networks often produce a lot
+# of duplicate packets.  Set this flag
+# to silence duplicate packet warnings.
+;mute-replay-warnings
+
+# SSL/TLS parms.
+# See the server config file for more
+# description.  It's best to use
+# a separate .crt/.key file pair
+# for each client.  A single ca
+# file can be used for all clients.
+ca {{ x509_cacert_file }}
+cert {{ x509_cert_file }}
+key {{ x509_key_file }}
+
+# Verify server certificate by checking
+# that the certicate has the nsCertType
+# field set to "server".  This is an
+# important precaution to protect against
+# a potential attack discussed here:
+#  http://openvpn.net/howto.html#mitm
+#
+# To use this feature, you will need to generate
+# your server certificates with the nsCertType
+# field set to "server".  The build-key-server
+# script in the easy-rsa folder will do this.
+ns-cert-type server
+
+# If a tls-auth key is used on the server
+# then every client must also have the key.
+;tls-auth ta.key 1
+
+# Select a cryptographic cipher.
+# If the cipher option is used on the server
+# then you must also specify it here.
+cipher BF-CBC
+
+# Enable compression on the VPN link.
+# Don't enable this unless it is also
+# enabled in the server config file.
+comp-lzo
+
+# Set log file verbosity.
+verb 3
+
+log openvpn.log
+
+# Silence repeating messages
+;mute 20

roles/OpenVPN-Client/vars/main.yml

+readme.txt
\ No newline at end of file

roles/OpenVPN-Client/vars/readme.txt

+---
+x509_csr_args: ""
+x509_cacert_file: "/etc/ssl/certs/cacert.crt"
+x509_key_file: "/etc/ssl/private/client.key"
+x509_cert_file: "/etc/ssl/certs/client.crt"
+x509_common_name: "{{ ansible_fqdn }}_OpenVPN_Client"

roles/OpenVPN-Server/handlers/main.yml

+---
+  - name: restart openvpn
+    service: name=openvpn state=restarted
+    become: true

roles/OpenVPN-Server/meta/main.yml

+---
+dependencies:
+  - { role: easy-rsa-certificate, x509_csr_args: "--server" }

roles/OpenVPN-Server/tasks/copyCerts.yml

---- 
-- 
-  failed_when: "CAcert.stat.exists  == false"
-  name: "Checking if CA certificate exist"
-  register: CAcert
-  stat: path="/etc/easy-rsa/2.0/keys/ca.crt"
-- 
-  name: "Copying CA certificate"
-  shell: "cp -rpvf /etc/easy-rsa/2.0/keys/ca.crt /etc/openvpn/"
-  when: "CAcert.stat.exists  == true"
-- 
-  failed_when: "ServerCert.stat.exists  == false"
-  name: "Check if Server certificate exist"
-  register: ServerCert
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt"
-- 
-  name: "Copying Server certificate"
-  shell: "cp -rpvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt /etc/openvpn/"
-  when: "ServerCert.stat.exists  == true"
-- 
-  failed_when: "ServerKey.stat.exists  == false"
-  name: "Check if Server key exist"
-  register: ServerKey
-  stat: "path=/etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key"
-- 
-  name: "Copying Server key"
-  shell: "cp -rpvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key /etc/openvpn/"
-  when: "ServerKey.stat.exists  == true"
-- 
-  file: "src=/etc/easy-rsa/2.0/keys/dh512.pem dest=/etc/openvpn/dh512.pem state=link"
-  name: "Create symlink for Diffie Hellman"
-- 
-  copy: "src=server.conf dest=/etc/openvpn/server.conf owner=root group=root mode=644"
-  name: "Copying server.conf to the OpenVPN server"
-- 
-  name: "Editing server.conf"
-  replace: "dest=/etc/openvpn/server.conf regexp=vm-server replace={{ inventory_hostname }}"
-- 
-  name: "Starting openvpn"
-  service: "name=openvpn enabled=yes state=started"
-

roles/OpenVPN-Server/tasks/installOpenVPN.yml

---- 
-- 
-  name: "Install OpenVPN"
+---
+- name: "Install OpenVPN"
   yum: "name=openvpn state=present"
+  notify: "restart openvpn"
+  become: true
+
+- name: Create path
+  shell: mkdir -p {{ dhparms_file | dirname }}
+  args:
+    creates: "{{ dhparms_file | dirname }}"
+  become: true
+
+- name: "Generate DH parameters"
+  shell: openssl dhparam -out {{ dhparms_file }} 512
+  args:
+    creates: "{{ dhparms_file }}"
+  become: true
+
+- name: "Configure OpenVPN Server"
+  template: "src=server.conf.j2 dest=/etc/openvpn/server.conf"
+  notify: "restart openvpn"
+  become: true

roles/OpenVPN-Server/tasks/main.yml

 ---
 -
  include: installOpenVPN.yml
--
- include: copyCerts.yml
+
+- name: "Start OpenVPN"
+  service: name=openvpn state=started enabled=yes
+  become: true

roles/OpenVPN-Server/files/server.conf → roles/OpenVPN-Server/templates/server.conf.j2

@@ -22,7 +22,7 @@
 
 # Which local IP address should OpenVPN
 # listen on? (optional)
-local vm-server
+local {{ inventory_hostname }} 
 
 # Which TCP/UDP port should OpenVPN listen on?
 # If you want to run multiple OpenVPN instances
@@ -32,8 +32,8 @@ local vm-server
 port 1194
 
 # TCP or UDP server?
-proto tcp
-;proto udp
+;proto tcp
+proto udp
 
 # "dev tun" will create a routed IP tunnel,
 # "dev tap" will create an ethernet tunnel.
@@ -75,16 +75,16 @@ dev tun
 # Any X509 key management system can be used.
 # OpenVPN can also use a PKCS #12 formatted key file
 # (see "pkcs12" directive in man page).
-ca ca.crt
-cert vm-server.crt
-key vm-server.key  # This file should be kept secret
+ca {{ x509_cacert_file }}
+cert {{ x509_cert_file }}
+key {{ x509_key_file }}
 
 # Diffie hellman parameters.
 # Generate your own with:
 #   openssl dhparam -out dh1024.pem 1024
 # Substitute 2048 for 1024 if you are using
 # 2048 bit keys. 
-dh dh512.pem
+dh {{ dhparms_file }}
 
 # Configure server mode and supply a VPN subnet
 # for OpenVPN to draw client addresses from.
@@ -93,7 +93,7 @@ dh dh512.pem
 # Each client will be able to reach the server
 # on 10.8.0.1. Comment this line out if you are
 # ethernet bridging. See the man page for more info.
-server 10.8.0.0 255.255.255.0
+server {{ server_network }} {{ server_netmask }}
 
 # Maintain a record of client <-> virtual IP address
 # associations in this file.  If OpenVPN goes down or
@@ -201,7 +201,7 @@ ifconfig-pool-persist ipp.txt
 # To force clients to only see the server, you
 # will also need to appropriately firewall the
 # server's TUN/TAP interface.
-;client-to-client
+client-to-client
 
 # Uncomment this directive if multiple clients
 # might connect with the same certificate/key

roles/OpenVPN-Server/vars/main.yml

+readme.txt
\ No newline at end of file

roles/OpenVPN-Server/vars/readme.txt

+---
+x509_csr_args: "--server"
+x509_cacert_file: "/etc/ssl/certs/ca.crt"
+x509_key_file: "/etc/openvpn/private/server.key"
+x509_cert_file: "/etc/openvpn/certs/server.crt"
+x509_common_name: "{{ ansible_fqdn }}_OpenVPN_Server"
+dhparms_file: "/etc/openvpn/private/dh.pem"
+server_network: "10.8.0.0"
+server_netmask: "255.255.255.0"

roles/SSHKnownHosts/tasks/main.yml

+- name: install known hosts file
+  copy: src=files/ssh_known_hosts dest=/etc/ssh/ssh_known_hosts owner=root mode=644
+  become: true
+  become_user: root

roles/additional_paths/tasks/main.yml

+- name: setup additiona PATHs in /etc/profile.d
+  template:
+    src: additional_paths.sh.j2
+    dest: /etc/profile.d/additional_paths.sh
+  become: true
+  when: additional_paths is defined

roles/additional_paths/templates/additional_paths.sh.j2

+export PATH=$PATH:{{ additional_paths|join(":") }}

roles/allow_stale_nfs/tasks/main.yml

+---
+- name: place /usr/local/ last in the PATH in /etc/profile
+  lineinfile:
+  args:
+    dest: "/etc/profile"
+    insertbefore: BOF
+    line: "PATH=/bin:/usr/bin:/usr/local/bin"
+  become: true
+  become_user: root
+
+- name: remove old line
+  lineinfile:
+  args:
+    dest: "/etc/profile"
+    regexp: "^PATH=/usr/local/bin:/bin:/usr/bin$"
+    state: absent
+  become: true
+  become_user: root
+
+- name: remove /usr/local/ from the PATH in /etc/profile
+  lineinfile:
+  args:
+    dest: "/etc/profile"
+    regexp: ".*pathmunge /usr/local.*"
+    state: absent
+  become: true
+  become_user: root
+
+- name: dont execute abrt-cli on login
+  file: path=/etc/profile.d/abrt-console-notification.sh state=absent
+  become: true
+  become_user: root