| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113 |
- ---
- - name: Enable EPEL repo
- dnf:
- name: epel-release
- state: present
- when:
- - ansible_distribution == "CentOS"
- - name: Install openvpn
- dnf:
- name: openvpn
- state: present
- - name: Create openvpn scripts directory
- file:
- path: /etc/openvpn/scripts
- owner: root
- group: openvpn
- mode: '0750'
- state: directory
- - name: Install update-resolv-conf script
- template:
- src: update-resolv-conf.j2
- dest: /etc/openvpn/scripts/update-resolv-conf
- owner: root
- group: openvpn
- mode: '0750'
- - name: Install ProtonVPN Config files
- template:
- src: "{{ file.src }}"
- dest: /etc/openvpn/client/{{ file.dest }}
- owner: root
- group: openvpn
- mode: "{{ file.mode }}"
- loop_control:
- label: "{{ file.dest }}"
- loop_var: file
- loop:
- - { src: 'proton.conf.j2', dest: 'proton.conf', mode: '0640' }
- - { src: 'proton-credentials.j2', dest: 'proton-credentials', mode: '0600' }
- register: configs
- - name: Add service to auto configure Unbound on VPN restarts
- template:
- src: auto-configure-unbound.service.j2
- dest: /etc/systemd/system/auto-configure-unbound.service
- owner: root
- group: root
- mode: '0640'
- register: auto_configure_unbound_service_file
- when:
- - ansible_hostname == 'gateway'
- - name: Ensure openvpn-client service.d folder exists
- file:
- path: /etc/systemd/system/openvpn-client@.service.d/
- state: directory
- owner: root
- group: root
- mode: '0750'
- when:
- - ansible_hostname == 'gateway'
- - name: Add dependencies to openvpn service to fire off auto-configure-unbound.service
- copy:
- src: auto-configure-unbound.conf
- dest: /etc/systemd/system/openvpn-client@.service.d/auto-configure-unbound.conf
- owner: root
- group: root
- mode: '0640'
- register: openvpn_auto_unbound_conf
- when:
- - ansible_hostname == 'gateway'
- - name: Add IP masquerading to drop zone
- firewalld:
- zone: drop
- masquerade: 'yes' # requires quotes to keep from converting to type bool
- permanent: yes
- immediate: yes
- state: enabled
- when:
- - ansible_hostname == 'gateway'
- - name: Add tun0 interface to drop zone
- firewalld:
- zone: drop
- interface: tun0
- permanent: yes
- immediate: yes
- state: enabled
- - name: Tweak kernel parameters
- sysctl:
- name: "{{ item }}"
- value: '1'
- state: present
- reload: yes
- loop:
- - net.ipv6.conf.all.disable_ipv6
- - net.ipv6.conf.default.disable_ipv6
- - net.ipv4.ip_forward
- - name: Restart/enable openvpn service
- systemd:
- name: openvpn-client@proton
- daemon_reload: yes
- state: restarted
- enabled: yes
- when: configs.changed or auto_configure_unbound_service_file.changed or openvpn_auto_unbound_conf.changed
|
