blob: 153b9722e605e014616eef0af0365d7b2a39d65b (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
# Use the sspki role to create the credentials: the openvpn server certificate
# for the gateway, signed by the LEAP API endpoint+gateway CA.
- include_role:
name: sspki
vars:
sspki:
name: openvpn
ca: "{{ credentials_dir }}/common/api_ca.crt"
ca_key: "{{ credentials_dir }}/common/api_ca.key"
- name: Add the docker-openvpn user to the openvpn-sspki group
user:
name: docker-openvpn
groups: openvpn-sspki
append: yes
- name: Create cert and CA directories
file:
path: /etc/leap/ca
state: directory
group: docker-openvpn
mode: 0755
- name: Create credentials key directory
file:
path: /etc/leap/keys
state: directory
group: docker-openvpn
mode: 0750
- name: Install DH parameters
copy:
src: "{{ credentials_dir }}/x509/dhparam"
dest: /etc/leap/keys/dh.pem
group: docker-openvpn
mode: 0640
notify:
- "restart docker-openvpn-openvpn"
- name: Install client certificate generating and API endpoint CA bundle
copy:
content: "{{ lookup('file', '{{ credentials_dir }}/common/api_ca.crt') }}\n{{ lookup('file', '{{ credentials_dir }}/common/client_ca.crt') }}\n"
dest: /etc/leap/ca/leap_ca_bundle.crt
mode: 0444
notify:
- "restart docker-openvpn-openvpn"
- name: Restart openvpn because gateway certificate has changed
systemd:
name: docker-openvpn-openvpn.service
state: restarted
when: sspki_sign.changed
|