Skip to content

Commit

Permalink
Sending credentials by mail, revoking clients again. Closes Stouts#160
Browse files Browse the repository at this point in the history
  • Loading branch information
ulvida committed May 17, 2020
1 parent a54ed12 commit f185d23
Show file tree
Hide file tree
Showing 2 changed files with 95 additions and 3 deletions.
64 changes: 61 additions & 3 deletions defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -125,12 +125,70 @@ openvpn_route_ranges: []
openvpn_dns_servers: []
# }}}
# Clients {{{
openvpn_clients:
- client
# Make clients certificate

openvpn_send_credentials: false
# Whether to send credentials to users - this variable is set to false for backwards compatibility

openvpn_sender:
host: smtp.mydomain.org
port: 587
username: user
password: put_it_outside_code
secure: starttls
from: [email protected]
# Data needed to send mails

openvpn_send_credentials_subject: "VPN credentials"
# Subject for email sending credentials

openvpn_send_credentials_body: |
Hello {{ openvpn_person.fullName }},
You will find attached the {{ openvpn_person.name }}.zip archive, with your credentials, configuration file and CA certificate
to configure your VPN access.
You must first install OpenVPN in your operating system and then configure your VPN access.
Regards,
the IT team
openvpn_users:
- name: client1
email: [email protected]
fullName: Full Name1
- name: client2
email: [email protected]
fullName: Full Name2
# Users data to make clients certificates and send them bye email

# openvpn_clients: "{{ openvpn_users | json_query('[*].name') }}"
openvpn_clients: "{{ openvpn_users | map(attribute='name') | list }}"
# Make clients certificate - this variable remains for backwards compatibility
# If openvpn_send_credentials is set to false, openvpn_users is not specifically needed and only openvpn_clients can be defined as:
# openvpn_clients:
# - client1
# - client2

# Remember your easy_rsa must create clients credentials.
# If you are using nkakouros.easyrsa role, you can define:
## If you use the openvpn_users structure hereabove:
# easyrsa_clients: "{{ openvpn_users | json_query('[*].{name: name}') }}"
## If you don't send credentials by mail and use directly the openvpn_clients structure hereabove:
# easyrsa_clients: "{{ openvpn_clients | json_query('[*].{name: @}') }}"

openvpn_send_force: []
# List of client names that request to be sent their credentials
# openvpn_send_force:
# - client1

openvpn_clients_revoke: []
# Revoke clients certificates
# openvpn_clients_revoke:
# - name: my_old_client
# reason: superseded
# 'reason' can have the values listed here: https://security.stackexchange.com/questions/174327/definitions-for-crl-reasons
# Only .ovpn files are now managed, as credentials are managed by easy_rsa
# If you use nkakouros.easyrsa, you can define for this role:
# easyrsa_revoked: "{{ openvpn_clients_revoke }}"

openvpn_client_options: []
# Additional client options. These will be placed in the ovpn files of all the
Expand Down
34 changes: 34 additions & 0 deletions tasks/core/clients.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,14 @@
loop: "{{ openvpn_clients }}"
register: openvpn_clients_changed

- name: Revoke clients requested for
file:
path: "{{ openvpn_etcdir }}/ovpns/{{ revoked_client.name }}.ovpn"
state: absent
loop: "{{ openvpn_clients_revoke }}"
loop_control:
loop_var: revoked_client

- name: Pack clients
command: >-
zip -j
Expand Down Expand Up @@ -67,3 +75,29 @@
comment: drop-client-to-client
notify: openvpn save iptables
when: openvpn_client_to_client_via_ip | bool

- name: Send credentials to users by email
mail:
host: "{{ openvpn_sender.host }}"
port: "{{ openvpn_sender.port | default(587) }}"
username: "{{ openvpn_sender.username | default( omit ) }}"
password: "{{ openvpn_sender.password | default( omit ) }}"
secure: "{{ openvpn_sender.secure | default( omit ) }}"
from: "{{ openvpn_sender.from | default( omit ) }}"
to: "{{ openvpn_person.fullName }} <{{ openvpn_person.email }}>"
subject: "{{ openvpn_send_credentials_subject }}"
body: "{{ openvpn_send_credentials_body }}"
attach:
- "{{ openvpn_etcdir }}/ovpns/{{ openvpn_person.name }}.zip"
# delegate_to: localhost
# become: no
loop: "{{ openvpn_users }}"
loop_control:
index_var: index
loop_var: openvpn_person
when:
- openvpn_send_credentials
- openvpn_clients_changed.results[index] is changed or openvpn_person.name in openvpn_send_force
- openvpn_person.email is defined

...

0 comments on commit f185d23

Please sign in to comment.