Finish role_deploy_temp_openvpn-server.

roles/role_deploy_openvpn-server/tasks/main.yml

@@ -78,7 +78,29 @@
 - name: Create openvpn-server container
   containers.podman.podman_container:
     name: openvpn-server
-    image: "{{ private_registry_domain }}/openvpn-server:2d2f032441"
+    image: "{{ private_registry_domain }}/openvpn:176450680a"
+    command:
+      - --mode server
+      - --topology subnet
+      - --proto udp
+      - --port 1194
+      - --dev tun
+      - --server 192.168.102.0 255.255.255.0 nopool
+      - --ifconfig-pool 192.168.102.50 192.168.102.254
+      - --push route 192.168.102.0 255.255.255.0
+      - --client-to-client
+      - --keepalive 10 120
+      - --persist-tun
+      - --persist-key
+      - --comp-lzo yes
+      - --remote-cert-tls client
+      - --cipher AES-256-CBC
+      - --ca /etc/openvpn/server/keys/ca.crt
+      - --cert /etc/openvpn/server/keys/server.crt
+      - --dh /etc/openvpn/server/keys/dh1024.pem
+      - --key /etc/openvpn/server/keys/server.key
+      - --client-config-dir /etc/openvpn/server/ccd
+      - --config /etc/openvpn/server/server.conf
     state: present
     cap_add:
       - NET_ADMIN

roles/role_deploy_temp_openvpn-server/tasks/main.yml

@@ -1,70 +1,9 @@
 ---
-# Everything in this volume comes from Git. No need to back it up.
-- name: Create /mnt/volumes/temp_openvpn-server_conf directory
+- name: Create /usr/local/docker-mounted-files/temp-openvpn-server directory
   ansible.builtin.file:
-    path: "/mnt/volumes/temp_openvpn-server_conf"
+    path: "/usr/local/docker-mounted-files/temp-openvpn-server"
     state: directory
-    mode: '0750'
-  become: true
-
-- name: Remove temp directory
-  ansible.builtin.file:
-    path: "{{ remote_workdir }}/temp_openvpn-server_conf"
-    state: absent
-  changed_when: false
-  become: true
-
-- name: Create temp directory
-  ansible.builtin.file:
-    path: "{{ remote_workdir }}/temp_openvpn-server_conf/keys"
-    state: directory
-    recurse: yes
-  changed_when: false
-  become: true
-
-- name: Extract openvpn keys from secrets.tar.gz.enc
-  shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 4 {{ item.name }}"
-  changed_when: false
-  with_items:
-    - name: secrets/docker-OpenVPN-server-stack/conf/server_keys/
-      dir: "{{ remote_workdir }}/temp_openvpn-server_conf/keys"
-  environment:
-    SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
-  become: true
-
-- name: Copy openvpn keys
-  ansible.builtin.copy:
-    src: "{{ remote_workdir }}/temp_openvpn-server_conf/keys"
-    dest: "/mnt/volumes/temp_openvpn-server_conf/"
-    remote_src: yes
-  become: true
-
-- name: Retrieve config repo
-  ansible.builtin.git:
-    repo: "ssh://git@git.scimetis.net:2222/yohan/config.git"
-    dest: "{{ remote_workdir }}/config"
-    version: master
-    accept_hostkey: true
-    force: true
-  changed_when: false
-
-- name: Copy openvpn config
-  ansible.builtin.copy:
-    src: "{{ remote_workdir }}/config/docker-temp-OpenVPN-server-stack/{{ item }}"
-    dest: "/mnt/volumes/temp_openvpn-server_conf/"
-    remote_src: yes
-  become: true
-  with_items:
-    - ccd
-    - server.conf
-
-- name: Fix permissions
-  ansible.builtin.file:
-    path: "/mnt/volumes/temp_openvpn-server_conf"
-    owner: root
-    group: root
-    mode: "u=rwX,g=rX,o="
-    recurse: yes
+    mode: '0755'
   become: true
 
 - name: Login to {{ private_registry_domain }} and create ${XDG_RUNTIME_DIR}/containers/auth.json
@@ -75,15 +14,49 @@
   changed_when: false
   become: true
 
+- name: Generate temporary P2P shared key
+  ansible.builtin.command:
+    cmd: "podman run --rm -i {{ private_registry_domain }}/openvpn:176450680a --genkey secret"
+  register: openvpn_genkey_result
+  become: true
+
+- name: Template key file
+  ansible.builtin.template:
+    src: "{{ item }}.j2"
+    dest: "/usr/local/docker-mounted-files/temp-openvpn-server/{{ item }}"
+    mode: '0755'
+    seuser: system_u
+    serole: object_r
+    setype: container_file_t
+  become: true
+  with_items:
+    - temp-p2p-shared.key
+  vars:
+    temp_p2p_shared_key: "{{ openvpn_genkey_result.stdout }}"
+
 - name: Create temp-openvpn-server container
   containers.podman.podman_container:
     name: temp-openvpn-server
-    image: "{{ private_registry_domain }}/openvpn-server:2d2f032441"
+    image: "{{ private_registry_domain }}/openvpn:176450680a"
+    command:
+      - --mode p2p
+      - --topology p2p
+      - --proto udp
+      - --port 1194
+      - --dev tun
+      - --ifconfig 192.168.103.1 192.168.103.2
+      - --keepalive 10 120
+      - --persist-tun
+      - --persist-key
+      - --comp-lzo yes
+      - --cipher AES-256-CBC
+      - --config /etc/openvpn/server/server.conf
+      - --secret /etc/openvpn/temp-p2p-shared.key
     cap_add:
       - NET_ADMIN
     device: /dev/net/tun
     network:
       - host
     volume:
-      - /mnt/volumes/temp_openvpn-server_conf:/etc/openvpn/server:Z
+      - /usr/local/docker-mounted-files/temp-openvpn-server/temp-p2p-shared.key:/etc/openvpn/server/temp-p2p-shared.key:Z
   become: true

roles/role_deploy_temp_openvpn-server/templates/temp-p2p-shared.key.j2

@@ -0,0 +1 @@
+{{ temp_p2p_shared_key }}