From a4b890e443418dfbb706f228cd01dd986086df83 Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <christian.elberfeld@adesso.de>
Date: Sun, 3 Feb 2019 00:39:33 +0100
Subject: [PATCH] Vorstand in Verwaltung umbenannt, Openvpn Tunnel
 restrukturiert

---
 common/openvpn/handlers/main.yml              | 12 ++++
 common/openvpn/tasks/main.yml                 | 60 +++++++++++++++++++
 common/openvpn/templates/logrotate            |  7 +++
 common/openvpn/templates/openvpn-common       | 12 ++++
 .../templates/verwaltung-client-webs.conf     | 12 ++++
 .../templates/verwaltung-server-zone.conf     | 11 ++++
 .../webserver-server-verwaltung.conf          | 11 ++++
 .../templates/webserver-server-zone.conf      | 11 ++++
 host_vars/{vorstand => verwaltung}            | 15 +++++
 host_vars/warpsrvint                          |  6 ++
 host_vars/webserver                           | 15 ++++-
 hosts                                         |  2 +-
 site.yml                                      |  2 +-
 {vorstand => verwaltung}/Documentation.md     |  0
 .../docker_gitea/tasks/main.yml               |  0
 .../docker_gitea/templates/docker-compose.yml |  0
 .../docker_mysql/tasks/main.yml               |  0
 .../docker_mysql/templates/docker-compose.yml |  0
 .../docker_mysql/templates/tuning.cnf         |  0
 .../git/handlers/main.yml                     |  0
 {vorstand => verwaltung}/git/tasks/main.yml   |  0
 .../jameica/tasks/main.yml                    |  0
 ...et.JVerein.rmi.JVereinDBService.properties |  0
 ....jameica.hbci.rmi.HBCIDBService.properties |  0
 .../jameica/templates/jameica.sh              |  0
 {vorstand => verwaltung}/main.yml             |  3 +-
 {vorstand => verwaltung}/user/tasks/main.yml  |  0
 .../x2goserver/tasks/main.yml                 |  0
 webserver/main.yml                            |  2 +-
 webserver/openvpn/handlers/main.yml           |  3 -
 webserver/openvpn/tasks/main.yml              | 34 -----------
 webserver/openvpn/templates/warpzone-up.sh    |  6 --
 webserver/openvpn/templates/warpzone.conf     | 20 -------
 33 files changed, 176 insertions(+), 68 deletions(-)
 create mode 100644 common/openvpn/handlers/main.yml
 create mode 100644 common/openvpn/tasks/main.yml
 create mode 100644 common/openvpn/templates/logrotate
 create mode 100644 common/openvpn/templates/openvpn-common
 create mode 100644 common/openvpn/templates/verwaltung-client-webs.conf
 create mode 100644 common/openvpn/templates/verwaltung-server-zone.conf
 create mode 100644 common/openvpn/templates/webserver-server-verwaltung.conf
 create mode 100644 common/openvpn/templates/webserver-server-zone.conf
 rename host_vars/{vorstand => verwaltung} (80%)
 rename {vorstand => verwaltung}/Documentation.md (100%)
 rename {vorstand => verwaltung}/docker_gitea/tasks/main.yml (100%)
 rename {vorstand => verwaltung}/docker_gitea/templates/docker-compose.yml (100%)
 rename {vorstand => verwaltung}/docker_mysql/tasks/main.yml (100%)
 rename {vorstand => verwaltung}/docker_mysql/templates/docker-compose.yml (100%)
 rename {vorstand => verwaltung}/docker_mysql/templates/tuning.cnf (100%)
 rename {vorstand => verwaltung}/git/handlers/main.yml (100%)
 rename {vorstand => verwaltung}/git/tasks/main.yml (100%)
 rename {vorstand => verwaltung}/jameica/tasks/main.yml (100%)
 rename {vorstand => verwaltung}/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties (100%)
 rename {vorstand => verwaltung}/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties (100%)
 rename {vorstand => verwaltung}/jameica/templates/jameica.sh (100%)
 rename {vorstand => verwaltung}/main.yml (87%)
 rename {vorstand => verwaltung}/user/tasks/main.yml (100%)
 rename {vorstand => verwaltung}/x2goserver/tasks/main.yml (100%)
 delete mode 100644 webserver/openvpn/handlers/main.yml
 delete mode 100644 webserver/openvpn/tasks/main.yml
 delete mode 100644 webserver/openvpn/templates/warpzone-up.sh
 delete mode 100644 webserver/openvpn/templates/warpzone.conf

diff --git a/common/openvpn/handlers/main.yml b/common/openvpn/handlers/main.yml
new file mode 100644
index 00000000..8153a482
--- /dev/null
+++ b/common/openvpn/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart openvpn server
+  service: name=openvpn-server@{{ item }}.service state=restarted
+  with_items:
+    - "{{ openvpn_server }}"
+  when: openvpn_server is defined and openvpn_server > 0
+
+- name: restart openvpn clients
+  service: name=openvpn-client@{{ item }}.service state=restarted
+  with_items:
+    - "{{ openvpn_clients }}"
+  when: openvpn_clients is defined and openvpn_clients > 0
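Review bot: The `with_items: - "{{ openvpn_clients }}"` loop on the second handler is expanded before its `when` is evaluated, so on a host that defines only `openvpn_server` (host_vars/webserver in this commit) the `is defined` guard never gets to skip it and the handler fails on the undefined variable; the mirror case applies to the `openvpn_server` loop on a host that only has clients. The `> 0` comparison is also applied to a list value, which on a Python 3 controller raises a TypeError inside the conditional (on Python 2 it is simply always true), so the guard does not do what it looks like it does. Give the loop an empty default and drop the comparison: `with_items: "{{ openvpn_clients | default([]) }}"` (and the `openvpn_server` counterpart), after which the `when:` line can go because an empty list loops zero times. The same loop/`when` pairs recur in the four looping tasks of common/openvpn/tasks/main.yml and need the same treatment.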
diff --git a/common/openvpn/tasks/main.yml b/common/openvpn/tasks/main.yml
new file mode 100644
index 00000000..3b50290e
--- /dev/null
+++ b/common/openvpn/tasks/main.yml
@@ -0,0 +1,60 @@
+# Pakete installieren
+- name: openvpn installieren
+  apt:
+    pkg: "{{ packages }}"
+    update_cache: yes
+    state: present
+  vars:
+    packages:
+      - logrotate
+      - openvpn
+
+# Log-Verzeichnis erstellen 
+
+- name: create folder struct for openvpn
+  file:
+    path: "/var/log/openvpn/"
+    state: "directory"
+
+# Konfigurationsdateien erstellen (ohne Keys)
+
+- name: Konfigurationen (server) erstellen 
+  template: src={{ inventory_hostname }}-{{ item }}.conf dest=/etc/openvpn/server/{{ item }}.conf
+  with_items:
+    - "{{ openvpn_server }}"
+  notify: restart openvpn server
+  when: openvpn_server is defined and openvpn_server > 0
+
+- name: Konfigurationen (clients) erstellen 
+  template: src={{ inventory_hostname }}-{{ item }}.conf dest=/etc/openvpn/client/{{ item }}.conf
+  with_items:
+    - "{{ openvpn_clients }}"
+  notify: restart openvpn clients
+  when: openvpn_clients is defined and openvpn_clients > 0
+
+- name: OpenVpn LogRotate config erstellen 
+  template: 
+    src: logrotate 
+    dest: /etc/logrotate.d/openvpn
+
+# Enable service 
+
+- name: enable openvpn systemd service (server) 
+  systemd:
+    name: "openvpn-server@{{ item }}.service"
+    state: started
+    enabled: True
+    daemon_reload: yes
+  with_items:
+    - "{{ openvpn_server }}"
+  when: openvpn_server is defined and openvpn_server > 0
+
+- name: enable openvpn systemd service (client)
+  systemd:
+    name: "openvpn-client@{{ item }}.service"
+    state: started
+    enabled: True
+    daemon_reload: yes
+  with_items:
+    - "{{ openvpn_clients }}"
+  when: openvpn_clients is defined and openvpn_clients > 0
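Review bot: The two `systemd: state: started` tasks will fail on a freshly provisioned host, because the rendered configs reference static keys under /etc/openvpn/server/ and /etc/openvpn/client/ that this role deliberately does not deploy ("ohne Keys"), and nothing checks for them before the units are started. A `stat` on the key path per item followed by an `assert`, or at least a comment above the enable tasks stating that the `.key` files are provisioned out of band before the first run, would make that failure mode explicit instead of surfacing as an opaque unit start error. As a matter of style, `update_cache: yes`, `daemon_reload: yes` and `enabled: True` should be the canonical `true`, and several task names carry trailing whitespace (`Konfigurationen (server) erstellen `) that ends up in the displayed task name.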
diff --git a/common/openvpn/templates/logrotate b/common/openvpn/templates/logrotate
new file mode 100644
index 00000000..6c724764
--- /dev/null
+++ b/common/openvpn/templates/logrotate
@@ -0,0 +1,7 @@
+/var/log/openvpn/*.log {
+  rotate 12
+  monthly
+  compress
+  missingok
+  notifempty
+}
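Review bot: This rule only renames the files; OpenVPN's `log` directive keeps its descriptor open, so after the first monthly rotation the daemons keep writing into the rotated file and the fresh `<instance>.log` is not recreated until the service restarts, since there is no `create`, `copytruncate` or `postrotate` here. Adding `copytruncate` is the simplest fix that keeps the live log at the path the templates name; a `postrotate` that signals the units would only work if the daemon reopens its log on that signal, which I have not verified for the packaged version. Whichever is chosen, `delaycompress` should accompany it so a file still being written is not gzipped.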
diff --git a/common/openvpn/templates/openvpn-common b/common/openvpn/templates/openvpn-common
new file mode 100644
index 00000000..2fbc51ef
--- /dev/null
+++ b/common/openvpn/templates/openvpn-common
@@ -0,0 +1,12 @@
+
+persist-tun
+persist-key
+
+cipher AES-256-CBC
+auth SHA256
+
+comp-lzo adaptive
+keepalive 10 60
+ping-timer-rem
+
+verb 3
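Review bot: The shared fragment sets `persist-tun` and `persist-key` but never drops privileges, so every server and client instance that includes it keeps running as root after the tunnel is up; `persist-*` exist precisely so that `user nobody` and `group nogroup` can be added, and this file is the right place so all four configs inherit them. `comp-lzo adaptive` enables payload compression on every tunnel, which the OpenVPN project advises against because compression of attacker-influenced plaintext can leak data carried over the tunnel; unless bandwidth on these links is a real concern, dropping the line is the safer default. A one-line comment at the top noting that this fragment is Jinja-included by each `<host>-<instance>.conf` template would also help, since the leading blank line and missing header make it look like a stray file.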
diff --git a/common/openvpn/templates/verwaltung-client-webs.conf b/common/openvpn/templates/verwaltung-client-webs.conf
new file mode 100644
index 00000000..7c73ed3c
--- /dev/null
+++ b/common/openvpn/templates/verwaltung-client-webs.conf
@@ -0,0 +1,12 @@
+
+dev tun1
+remote {{ hostvars['webserver'].ext_ip4 }} 1197 udp
+resolv-retry infinite
+
+ifconfig 10.44.1.2 10.44.1.1
+route 10.42.1.1 255.255.255.255
+
+secret /etc/openvpn/client/client-webs.key 
+log /var/log/openvpn/client-webs.log
+
+{% include "openvpn-common" %}
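Review bot: `secret /etc/openvpn/client/client-webs.key` is used without a direction argument, so both peers encrypt and authenticate with the same key material in both directions; OpenVPN's static-key mode accepts `secret file 1` on the client and `secret file 0` on the server to derive separate cipher and HMAC keys per flow direction, which its documentation describes as the preferred form. The same omission is in the three server templates added in this commit (verwaltung-server-zone, webserver-server-verwaltung, webserver-server-zone), which would take direction `0`. Since static-key mode also provides no forward secrecy and the role explicitly skips key deployment, a short comment next to the `secret` line recording that the key is generated and rotated out of band would be useful to the next maintainer.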
diff --git a/common/openvpn/templates/verwaltung-server-zone.conf b/common/openvpn/templates/verwaltung-server-zone.conf
new file mode 100644
index 00000000..58756971
--- /dev/null
+++ b/common/openvpn/templates/verwaltung-server-zone.conf
@@ -0,0 +1,11 @@
+
+dev tun0
+port 1196
+
+ifconfig 10.43.2.1 10.43.2.2
+route 192.168.0.0 255.255.255.0
+
+secret /etc/openvpn/server/server-zone.key 
+log /var/log/openvpn/server-zone.log
+
+{% include "openvpn-common" %}
diff --git a/common/openvpn/templates/webserver-server-verwaltung.conf b/common/openvpn/templates/webserver-server-verwaltung.conf
new file mode 100644
index 00000000..54edd1f2
--- /dev/null
+++ b/common/openvpn/templates/webserver-server-verwaltung.conf
@@ -0,0 +1,11 @@
+
+dev tun1
+port 1197
+
+ifconfig 10.44.1.1 10.44.1.2
+route 10.42.2.1 255.255.255.255
+
+secret /etc/openvpn/server/server-verwaltung.key 
+log /var/log/openvpn/server-verwaltung.log
+
+{% include "openvpn-common" %}
diff --git a/common/openvpn/templates/webserver-server-zone.conf b/common/openvpn/templates/webserver-server-zone.conf
new file mode 100644
index 00000000..0056c4c6
--- /dev/null
+++ b/common/openvpn/templates/webserver-server-zone.conf
@@ -0,0 +1,11 @@
+
+dev tun0
+port 1196
+
+ifconfig 10.43.1.1 10.43.1.2
+route 192.168.0.0 255.255.255.0
+
+secret /etc/openvpn/server/server-zone.key 
+log /var/log/openvpn/server-zone.conf
+
+{% include "openvpn-common" %}
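Review bot: `log /var/log/openvpn/server-zone.conf` writes the log under a `.conf` name; the other three templates log to `<instance>.log`, and the logrotate rule added in this commit only matches `/var/log/openvpn/*.log`, so this instance's log would grow unrotated and be easy to overlook when correlating with the other tunnels. Change it to `log /var/log/openvpn/server-zone.log`.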
diff --git a/host_vars/vorstand b/host_vars/verwaltung
similarity index 80%
rename from host_vars/vorstand
rename to host_vars/verwaltung
index bd03105b..6b6fedb4 100644
--- a/host_vars/vorstand
+++ b/host_vars/verwaltung
@@ -20,6 +20,12 @@ debian_keys_url:
   - "https://repos.influxdata.com/influxdb.key"
 
 
+# Primäre IP Adressen des Hosts 
+ext_ip4: 89.163.231.227
+ext_ip6: 2001:4ba0:ffff:007c::227
+int_ip4: 10.42.2.1
+
+
 # Art des Hosts: physical, vm, docker 
 host_type: "vm"
 
@@ -29,6 +35,14 @@ webserver_domains:
   - "verwaltung-git.warpzone.ms"
 
 
+#OpenVPN Konfigurationen 
+openvpn_server:
+  - "server-zone"
+
+openvpn_clients:
+  - "client-webs"
+
+
 administratorenteam:
   - "sandhome"
   - "void"
@@ -39,3 +53,4 @@ vorstandteam:
   - "ole"
   - "larsm"
   - "reverend"
+
diff --git a/host_vars/warpsrvint b/host_vars/warpsrvint
index 6c512169..92756249 100644
--- a/host_vars/warpsrvint
+++ b/host_vars/warpsrvint
@@ -21,6 +21,12 @@ debian_keys_url:
   - "https://repos.influxdata.com/influxdb.key"
 
 
+# Primäre IP Adressen des Hosts 
+#ext_ip4: <keine>
+#ext_ip6: <keine>
+int_ip4: 10.42.3.1
+
+
 # Art des Hosts: physical, vm, docker 
 host_type: "physical"
 
diff --git a/host_vars/webserver b/host_vars/webserver
index da8dec92..7f1ec3c5 100644
--- a/host_vars/webserver
+++ b/host_vars/webserver
@@ -20,6 +20,12 @@ debian_keys_url:
   - "https://repos.influxdata.com/influxdb.key"
 
 
+# Primäre IP Adressen des Hosts 
+ext_ip4: 89.163.231.226
+ext_ip6: 2001:4ba0:ffff:007c::2
+int_ip4: 10.42.1.1
+
+
 # Art des Hosts: physical, vm, docker 
 host_type: "vm"
 
@@ -42,13 +48,20 @@ webserver_domains:
   - "wiki.warpzone.ms"
   - "www.warpzone.ms"
 
+
+#OpenVPN Konfigurationen 
+openvpn_server:
+  - "server-zone"
+  - "server-verwaltung"
+
 administratorenteam:
   - "void"
   - "dray"
   - "sandhome"
   - "commander1024"
   
-  # Definition von Borgbackup Repositories 
+
+# Definition von Borgbackup Repositories 
 borgbackup_repos:
   
   warpsrvext: 
diff --git a/hosts b/hosts
index 34b8aa57..15134d09 100644
--- a/hosts
+++ b/hosts
@@ -19,7 +19,7 @@ webserver   ansible_ssh_host=89.163.231.226
 # Vorstands-VM
 # VM auf dem Webtropia-Server
 # Auch erreichbar unter werwaltung.warpzone.ms
-vorstand ansible_ssh_host=89.163.231.227
+verwaltung ansible_ssh_host=89.163.231.227
 
 
 # Raspberry-PI Server
diff --git a/site.yml b/site.yml
index bcd3576c..558c9b27 100644
--- a/site.yml
+++ b/site.yml
@@ -2,7 +2,7 @@
 # Hauptdatei, includiert lediglich die einzelnen Playbooks 
 
 - import_playbook: all/main.yml 
-- import_playbook: vorstand/main.yml 
+- import_playbook: verwaltung/main.yml 
 - import_playbook: warphab/main.yml 
 - import_playbook: warpsrvint/main.yml 
 - import_playbook: warpsrvext/main.yml 
diff --git a/vorstand/Documentation.md b/verwaltung/Documentation.md
similarity index 100%
rename from vorstand/Documentation.md
rename to verwaltung/Documentation.md
diff --git a/vorstand/docker_gitea/tasks/main.yml b/verwaltung/docker_gitea/tasks/main.yml
similarity index 100%
rename from vorstand/docker_gitea/tasks/main.yml
rename to verwaltung/docker_gitea/tasks/main.yml
diff --git a/vorstand/docker_gitea/templates/docker-compose.yml b/verwaltung/docker_gitea/templates/docker-compose.yml
similarity index 100%
rename from vorstand/docker_gitea/templates/docker-compose.yml
rename to verwaltung/docker_gitea/templates/docker-compose.yml
diff --git a/vorstand/docker_mysql/tasks/main.yml b/verwaltung/docker_mysql/tasks/main.yml
similarity index 100%
rename from vorstand/docker_mysql/tasks/main.yml
rename to verwaltung/docker_mysql/tasks/main.yml
diff --git a/vorstand/docker_mysql/templates/docker-compose.yml b/verwaltung/docker_mysql/templates/docker-compose.yml
similarity index 100%
rename from vorstand/docker_mysql/templates/docker-compose.yml
rename to verwaltung/docker_mysql/templates/docker-compose.yml
diff --git a/vorstand/docker_mysql/templates/tuning.cnf b/verwaltung/docker_mysql/templates/tuning.cnf
similarity index 100%
rename from vorstand/docker_mysql/templates/tuning.cnf
rename to verwaltung/docker_mysql/templates/tuning.cnf
diff --git a/vorstand/git/handlers/main.yml b/verwaltung/git/handlers/main.yml
similarity index 100%
rename from vorstand/git/handlers/main.yml
rename to verwaltung/git/handlers/main.yml
diff --git a/vorstand/git/tasks/main.yml b/verwaltung/git/tasks/main.yml
similarity index 100%
rename from vorstand/git/tasks/main.yml
rename to verwaltung/git/tasks/main.yml
diff --git a/vorstand/jameica/tasks/main.yml b/verwaltung/jameica/tasks/main.yml
similarity index 100%
rename from vorstand/jameica/tasks/main.yml
rename to verwaltung/jameica/tasks/main.yml
diff --git a/vorstand/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties b/verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
similarity index 100%
rename from vorstand/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
rename to verwaltung/jameica/templates/de.jost_net.JVerein.rmi.JVereinDBService.properties
diff --git a/vorstand/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties b/verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
similarity index 100%
rename from vorstand/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
rename to verwaltung/jameica/templates/de.willuhn.jameica.hbci.rmi.HBCIDBService.properties
diff --git a/vorstand/jameica/templates/jameica.sh b/verwaltung/jameica/templates/jameica.sh
similarity index 100%
rename from vorstand/jameica/templates/jameica.sh
rename to verwaltung/jameica/templates/jameica.sh
diff --git a/vorstand/main.yml b/verwaltung/main.yml
similarity index 87%
rename from vorstand/main.yml
rename to verwaltung/main.yml
index 3f13121d..717c073c 100644
--- a/vorstand/main.yml
+++ b/verwaltung/main.yml
@@ -1,11 +1,12 @@
 ---
 
-- hosts: vorstand
+- hosts: verwaltung
   remote_user: root
   roles:
     - { role: ../common/telegraf, tags: telegraf }
     - { role: ../common/docker, tags: docker }
     - { role: ../common/nginx, tags: nginx }
+    - { role: ../common/openvpn, tags: openvpn }
     - { role: docker_gitea, tags: gitea }
     - { role: docker_mysql, tags: mysql }
     - { role: user, tags: user }
diff --git a/vorstand/user/tasks/main.yml b/verwaltung/user/tasks/main.yml
similarity index 100%
rename from vorstand/user/tasks/main.yml
rename to verwaltung/user/tasks/main.yml
diff --git a/vorstand/x2goserver/tasks/main.yml b/verwaltung/x2goserver/tasks/main.yml
similarity index 100%
rename from vorstand/x2goserver/tasks/main.yml
rename to verwaltung/x2goserver/tasks/main.yml
diff --git a/webserver/main.yml b/webserver/main.yml
index e7be0116..e640968d 100644
--- a/webserver/main.yml
+++ b/webserver/main.yml
@@ -7,7 +7,7 @@
     - { role: ../common/docker, tags: docker }
     - { role: ../common/telegraf, tags: telegraf }
     - { role: ../common/nginx, tags: nginx }
-    - { role: openvpn, tags: openvpn }
+    - { role: ../common/openvpn, tags: openvpn }
     - { role: docker_alerta, tags: alerta }
     - { role: docker_dokuwiki, tags: dokuwiki }
     - { role: docker_etherpad, tags: etherpad }
diff --git a/webserver/openvpn/handlers/main.yml b/webserver/openvpn/handlers/main.yml
deleted file mode 100644
index 99893c1c..00000000
--- a/webserver/openvpn/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: restart openvpn
-  service: name=openvpn-client@warpzone.service state=restarted
diff --git a/webserver/openvpn/tasks/main.yml b/webserver/openvpn/tasks/main.yml
deleted file mode 100644
index 9e78e87c..00000000
--- a/webserver/openvpn/tasks/main.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-# Pakete installieren
-- name: openvpn installieren
-  apt:
-    name: "{{ packages }}"
-    update_cache: yes
-    state: present
-  vars:
-    packages:
-      - openvpn
-
-# Log-Verzeichnis erstellen 
-
-- name: create folder struct for openvpn
-  file:
-    path: "/var/log/openvpn/"
-    state: "directory"
-
-# Konfigurationsdateien erstellen (ohne Keys)
-
-- name: Konfiguration erstellen 
-  template: src=warpzone.conf dest=/etc/openvpn/client/warpzone.conf
-  notify: restart openvpn
-
-- name: Konfiguration erstellen 
-  template: src=warpzone-up.sh dest=/etc/openvpn/client/warpzone-up.sh mode=o+x
-  notify: restart openvpn
-
-# Enable service 
-
-- name: enable openvpn systemd servise 
-  systemd:
-    name: openvpn-client@warpzone.service
-    state: started
-    enabled: True
diff --git a/webserver/openvpn/templates/warpzone-up.sh b/webserver/openvpn/templates/warpzone-up.sh
deleted file mode 100644
index 2a0ca208..00000000
--- a/webserver/openvpn/templates/warpzone-up.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-# the interface name is passed as first argument ($1)
-
-#modprobe ip_tables
-#iptables -t nat -I PREROUTING -p tcp -d {{ ldap_ip_ext }}/32 --dport 389 -j DNAT --to-destination 127.0.0.1:389
-#iptables -t nat -I PREROUTING -p tcp -d {{ ldap_ip_ext }}/32 --dport 636 -j DNAT --to-destination 127.0.0.1:636
diff --git a/webserver/openvpn/templates/warpzone.conf b/webserver/openvpn/templates/warpzone.conf
deleted file mode 100644
index 989f7d4d..00000000
--- a/webserver/openvpn/templates/warpzone.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-
-dev tun
-persist-tun
-persist-key
-cipher AES-256-CBC
-auth SHA1
-tls-client
-client
-resolv-retry infinite
-remote 212.124.34.242 1195 udp
-verify-x509-name "OpenVPN Server" name
-pkcs12 /etc/openvpn/client/warpzone.p12
-tls-auth /etc/openvpn/client/warpzone.key 1
-comp-lzo adaptive
-
-script-security 2
-up /etc/openvpn/client/warpzone-up.sh
-
-log /var/log/openvpn/warpzone.log
-verb 3
-- 
GitLab