Sending credentials by mail, revoking clients again. Closes Stouts#160 …

…Stouts#161

defaults/main.yml

@@ -125,12 +125,71 @@ openvpn_route_ranges: []
 openvpn_dns_servers: []
 # }}}
 # Clients {{{
-openvpn_clients:
-  - client
+
+openvpn_send_credentials: false
+# Whether to send credentials to users
+
+openvpn_sender:
+  host: smtp.mydomain.org
+  port: 587
+  username: user
+  password: put_it_outside_code
+  secure: starttls
+  from: [email protected]
+# Data needed to send mails 
+
+openvpn_send_credentials_subject: "VPN credentials"
+# Subject for email sending credentials
+
+openvpn_send_credentials_body: |
+  Hello {{ openvpn_person.fullName }},
+  You will find attached the {{ openvpn_person.name }}.zip archive, with your credentials, configuration file and CA certificate
+  to configure your VPN access. 
+
+  You must first install OpenVPN in your operating system and then configure your VPN access. 
+
+  Regards,
+  the IT team
+
+openvpn_users:
+  - name: client1
+    email: [email protected]
+    fullName: Full Name1
+  - name: client2
+    email: [email protected]
+    fullName: Full Name2
+# Users data to make clients certificates and send them bye email
+
+# openvpn_clients: "{{ openvpn_users | json_query('[*].name') }}"
+openvpn_clients: "{{ openvpn_users | map(attribute='name') | list }}"
 # Make clients certificate
 
+# If openvpn_send_credentials is set to false, Only openvpn_clients can be defined as:
+# openvpn_clients:
+#   - client1
+#   - client2
+
+# Remember your easy_rsa must create clients credentials. 
+# If you are using nkakouros.easyrsa role, you can define: 
+## If you use the openvpn_users structure hereabove: 
+# easyrsa_clients: "{{ openvpn_users | json_query('[*].{name: name}') }}"
+## If you don't send credentials by mail and use directly the openvpn_clients structure hereabove: 
+# easyrsa_clients: "{{ openvpn_clients | json_query('[*].{name: @}') }}"
+
+openvpn_send_force: []
+# List of client names that request to be sent their credentials
+# openvpn_send_force:
+#   - client1
+
 openvpn_clients_revoke: []
 # Revoke clients certificates
+# Only .ovpn file is now managed, as credentials are managed by easy_rsa
+# If you use nkakouros.easyrsa, you can define: 
+# easyrsa_revoked: "{{ openvpn_clients_revoke }}"
+# openvpn_clients_revoke:
+#   - name: my_old_client
+#     reason: superseded
+# 'reason' can have these values: https://security.stackexchange.com/questions/174327/definitions-for-crl-reasons
 
 openvpn_client_options: []
 # Additional client options. These will be placed in the ovpn files of all the

tasks/core/clients.yml

@@ -7,6 +7,14 @@
   loop: "{{ openvpn_clients }}"
   register: openvpn_clients_changed
 
+- name: Revoke clients requested for
+  file: 
+    path: "{{ openvpn_etcdir }}/ovpns/{{ revoked_client.name }}.ovpn"
+    state: absent
+  loop: "{{ openvpn_clients_revoke }}"
+  loop_control:
+    loop_var: revoked_client
+
 - name: Pack clients
   command: >-
     zip -j
@@ -67,3 +75,29 @@
     comment: drop-client-to-client
   notify: openvpn save iptables
   when: openvpn_client_to_client_via_ip | bool
+
+- name: Send credentials to users by email
+  mail: 
+    host: "{{ openvpn_sender.host }}"
+    port: "{{ openvpn_sender.port | default(587) }}"
+    username: "{{ openvpn_sender.username | default( omit ) }}"
+    password: "{{ openvpn_sender.password | default( omit ) }}"
+    secure: "{{ openvpn_sender.secure  | default( omit ) }}"
+    from: "{{ openvpn_sender.from  | default( omit ) }}"
+    to: "{{ openvpn_person.fullName }} <{{ openvpn_person.email }}>"
+    subject: "{{ openvpn_send_credentials_subject }}"
+    body: "{{ openvpn_send_credentials_body }}"
+    attach:
+    -  "{{ openvpn_etcdir }}/ovpns/{{ openvpn_person.name }}.zip"
+  # delegate_to: localhost
+  # become: no
+  loop: "{{ openvpn_users }}"
+  loop_control:
+    index_var: index
+    loop_var: openvpn_person
+  when: 
+  - openvpn_send_credentials 
+  - openvpn_clients_changed.results[index] is changed or openvpn_person.name in openvpn_send_force
+  - openvpn_person.email is defined
+
+...