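---
# Tasks for the openvpn role: install packages, deploy the CA certificate and
# key material, generate node keys on first run (keys.yml), render the
# configuration (config.yml), wire the systemd unit and open the firewall port.

- name: Ensure OpenVPN and OpenSSL are installed
  yum:
    name:
      - openvpn
      - openssl
    state: present

- name: Copy openvpn logrotate config file
  copy:
    src: openvpn_logrotate.conf
    dest: /etc/logrotate.d/openvpn.conf
    owner: root
    group: root
    mode: "0400"

# Key material is shipped from the role's files/ tree. Files land root-owned
# and readable only by root (0400) so private keys are never world-readable.
# NOTE(review): confirm the private keys under files/keys/ are not committed
# to version control alongside the role.
- name: Copy CA certificate and the keys
  copy:
    src: "{{ item }}"
    dest: "{{ openvpn_keydir }}/"
    owner: root
    group: root
    mode: "0400"
  with_fileglob:
    - ca/ca.crt
    - "keys/*"

- name: Check if OpenSSL certificate is already generated
  stat:
    path: "{{ openvpn_keydir }}/node.crt"
  register: result

# Keys are generated only when no node certificate exists yet.
# `include` is the pre-2.4 form; on Ansible >= 2.4 use include_tasks/import_tasks.
- name: Setup openvpn keys
  include: keys.yml
  when: not result.stat.exists

# The CA private key must not stay on the node once the node keys exist.
- name: Ensure CA key is removed
  file:
    path: "{{ openvpn_keydir }}/ca.key"
    state: absent

- name: Setup openvpn configuration
  include: config.yml

- name: Ensure OpenVPN service is enabled
  service:
    name: "{{ openvpn_service }}"
    enabled: true

# The unit override lives in /etc/systemd/system; a task-scoped variable is
# used instead of shadowing the loop variable name `item`.
- name: Check if we already reconfigured SystemD Unit
  stat:
    path: "{{ openvpn_unit_file }}"
  register: result
  vars:
    openvpn_unit_file: "/etc/systemd/system/{{ openvpn_service }}"

# Only the first run copies the stock unit; later runs keep the edited copy.
- name: Copy SystemD Unit
  copy:
    src: /usr/lib/systemd/system/openvpn@.service
    dest: "{{ openvpn_unit_file }}"
    remote_src: true
  vars:
    openvpn_unit_file: "/etc/systemd/system/{{ openvpn_service }}"
  when: not result.stat.exists

- name: Re-configure systemd to start OpenVPN after origin-node
  lineinfile:
    dest: "/etc/systemd/system/{{ openvpn_service }}"
    regexp: "^After="
    line: "After=network.target origin-node.service"
    state: present
  notify: daemon-reload

- name: Ensure OpenVPN service is running
  service:
    name: "{{ openvpn_service }}"
    state: started

- name: Ensure firewalld is running
  service:
    name: firewalld
    state: started
    enabled: true
  when: openvpn_servers in group_names

# NOTE(review): the rule opens TCP only; confirm this matches the `proto`
# used in the rendered server configuration (config.yml).
- name: Configure firewalld
  firewalld:
    port: "{{ openvpn_port }}/tcp"
    state: enabled
    permanent: true
    immediate: true
  notify:
    - firewalld
  when: openvpn_servers in group_names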