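---
# OpenVPN dual-stack server playbook: relaxes host hardening (SELinux, sysctl
# forwarding), installs/configures OpenVPN through the cornfeedhobo.openvpn
# role, then opens firewalld and enables masquerading for tunnel clients.
- hosts: "notforyou"
  any_errors_fatal: true

  pre_tasks:
    # NOTE(review): "disabled" removes SELinux enforcement entirely and needs a
    # reboot to take effect; "permissive" keeps audit logging while still
    # allowing the service to run — confirm "disabled" is really required.
    - name: "Disable selinux"
      become: true
      selinux:
        state: "disabled"

    - name: "Manage sysctl settings"
      become: true
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        sysctl_set: true
      with_items:
        # Enable IPv6
        - { name: "net.ipv6.conf.all.disable_ipv6", value: 0 }
        - { name: "net.ipv6.conf.default.disable_ipv6", value: 0 }
        # Enable dualstack IP Forwarding (required so the host can route
        # client traffic out of the tunnel)
        - { name: "net.ipv4.ip_forward", value: 1 }  # defaults to 0
        - { name: "net.ipv4.conf.all.forwarding", value: 1 }  # defaults to 0
        - { name: "net.ipv6.conf.all.forwarding", value: 1 }  # defaults to 0
        # Ignoring ICMP redirects is a hardening measure on a forwarding host
        - { name: "net.ipv4.conf.all.accept_redirects", value: 0 }  # defaults to 0
        - { name: "net.ipv6.conf.all.accept_redirects", value: 0 }  # defaults to 1, afaik
      tags: ["sysctl"]

  roles:
    - role: cornfeedhobo.openvpn
      openvpn_install: true
      openvpn_configure: true
      openvpn_service: true
      # Keys in openvpn_config are written as OpenVPN directives; an empty
      # string value emits a bare directive (e.g. "tls-server").
      openvpn_config:
        tls-server: ""
        # Key and certificate material is read from files on the control
        # node. NOTE(review): keep these out of version control (or behind
        # ansible-vault) — tlsauth.key and host.key are long-term secrets.
        tls-crypt: "{{ lookup('file', 'tlsauth.key') }}"
        key: "{{ lookup('file', 'host.key') }}"
        cert: "{{ lookup('file', 'host.crt') }}"
        ca: "{{ lookup('file', 'ca.crt') }}"
        dh: "{{ lookup('file', 'dh.pem') }}"
        # Require the client EKU so a server cert cannot be replayed as a client
        remote-cert-eku: "\"TLS Web Client Authentication\""
        reneg-sec: "600"
        dev: "tun"
        persist-tun: ""
        port: "1194"
        proto: "udp6"
        server: "192.168.42.0 255.255.255.240"
        server-ipv6: "fd00::ffff:c0a8:2a00/112"
        push:
          # NOTE(review): "def1" only redirects the IPv4 default route; client
          # IPv6 traffic is not forced through the tunnel unless the "ipv6"
          # flag is also given — confirm this is intended.
          - "\"redirect-gateway def1\""
          - "\"dhcp-option DNS 4.2.2.2\""
          - "\"dhcp-option DNS 2606:4700:4700::1111\""
        ifconfig-pool-persist: "ipp.txt"
        max-clients: "10"
        keepalive: "10 120"
        # NOTE(review): compression inside a TLS tunnel is discouraged by
        # upstream OpenVPN (compression-oracle class attacks); consider
        # dropping this directive unless clients require it.
        comp-lzo: "yes"
        client-to-client: ""
        log-append: "/var/log/openvpn.log"
        # Quoted like the other numeric directives so no YAML int/str
        # retyping happens before templating; the rendered text is the same.
        mute: "20"
        verb: "3"

  post_tasks:
    - name: "Ensure openvpn can be reached"
      become: true
      firewalld:
        service: "openvpn"
        immediate: true
        permanent: true
        state: "enabled"
      tags: ["firewalld", "openvpn"]

    # No zone is given on the masquerade tasks, so they presumably apply to
    # firewalld's default zone — verify that is the interface facing the
    # internet, not the tunnel.
    - name: "Ensure IPv4 masquerading is enabled for OpenVPN"
      become: true
      firewalld:
        masquerade: true  # was "yes"; true/false matches the rest of the file
        immediate: true
        permanent: true
        state: "enabled"
      tags: ["firewalld", "openvpn"]

    - name: "Ensure IPv6 masquerading is enabled for OpenVPN"
      become: true
      firewalld:
        rich_rule: 'rule family=ipv6 masquerade'
        immediate: true
        permanent: true
        state: "enabled"
      tags: ["firewalld", "openvpn"]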