thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

DRY in openvpn role and allow other rc.local tasks

Yannik Sembritzki 8 years ago
parent
c70a2fa774
commit
9ffe86b36d
3 changed files with 27 additions and 18 deletions
Split View Show Diff Stats
  1. 13
    0
      roles/vpn/files/rc.local
  2. 12
    10
      roles/vpn/tasks/openvpn.yml
  3. 2
    8
      roles/vpn/templates/rc.local_ansible_openvpn

+ 13
- 0
roles/vpn/files/rc.local View File 

@@ -0,0 +1,13 @@
1 
+#!/bin/sh -e
2 
+#
3 
+# rc.local
4 
+#
5 
+# This script is executed at the end of each multiuser runlevel.
6 
+# Make sure that the script will "exit 0" on success or any other
7 
+# value on error.
8 
+#
9 
+# In order to enable or disable this script just change the execution
10 
+# bits.
11 
+#
12 
+
13 
+exit 0

+ 12
- 10
roles/vpn/tasks/openvpn.yml View File 

@@ -119,20 +119,22 @@
119 119 
   command: openssl dhparam -out {{ openvpn_dhparam }} {{ openvpn_key_size }}
120 120 
            creates={{ openvpn_dhparam }}
121 121
122 
-- name: Copy rc.local with firewall and dnsmasq rules into place
123 
-  template: src=etc_rc.local dest=/etc/rc.local
122 
+- name: Add empty rc.local if it doesn't exist
123 
+  copy: src=rc.local dest=/etc/rc.local mode=700 owner=root group=root force=no
124 
+
125 
+- name: custom rc.local file with iptables rules
126 
+  template: src=rc.local_ansible_openvpn dest=/etc/rc.local_ansible_openvpn mode=700 owner=root group=root
127 
+
128 
+- name: Ensure custom rc.local file is included in rc.local
129 
+  lineinfile: dest=/etc/rc.local line='bash /etc/rc.local_ansible_openvpn' insertbefore='exit 0'
130 
+
131 
+- name: Run custom rc file
132 
+  command: bash /etc/rc.local_ansible_openvpn
133 
+  changed_when: False
124 134
125 135 
 - name: Enable IPv4 traffic forwarding
126 136 
   sysctl: name=net.ipv4.ip_forward value=1
127 137
128 
-- name: Allow OpenVPN through the firewall
129 
-  command: "{{ item }}"
130 
-  with_items:
131 
-    - iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
132 
-    - iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
133 
-    - iptables -A FORWARD -j REJECT
134 
-    - iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o {{ ansible_default_ipv4.interface }} -j MASQUERADE
135 
-
136 138 
 - name: Allow OpenVPN through ufw
137 139 
   ufw: rule=allow port={{ openvpn_port }} proto={{ openvpn_protocol }}
138 140 
   tags: ufw

roles/vpn/templates/etc_rc.local → roles/vpn/templates/rc.local_ansible_openvpn View File 

@@ -1,13 +1,7 @@
1 1 
 #!/bin/sh -e
2 
+# {{ ansible_managed }}
2 3 
 #
3 
-# rc.local
4 
-#
5 
-# This script is executed at the end of each multiuser runlevel.
6 
-# Make sure that the script will "exit 0" on success or any other
7 
-# value on error.
8 
-#
9 
-# In order to enable or disable this script just change the execution
10 
-# bits.
4 
+# This script should be included in your rc.local
11 5 
 #
12 6
13 7 
 iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Write Preview
Loading…
Cancel
Save