Commit fcbeab7
Fixes tests
nkakouros committed Feb 8, 2020
1 parent 5c388ef commit fcbeab7
Showing 11 changed files with 52 additions and 19 deletions.
4 changes: 1 addition & 3 deletions .travis.yml
@@ -1,15 +1,13 @@
---

language: python
python: "2.7"

env:
- MOLECULE_DISTRO=ubuntu1404
- MOLECULE_DISTRO=ubuntu1604
- MOLECULE_DISTRO=ubuntu1804
- MOLECULE_DISTRO=debian8 MOLECULE_INIT_CMD=/lib/systemd/systemd
- MOLECULE_DISTRO=debian9 MOLECULE_INIT_CMD=/lib/systemd/systemd
- MOLECULE_DISTRO=centos7 MOLECULE_INIT_CMD=/lib/systemd/systemd
- MOLECULE_DISTRO=debian10 MOLECULE_INIT_CMD=/lib/systemd/systemd
install:
- pip install docker molecule

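Review bot: the `install:` step runs `pip install docker molecule` with no version pins, so every CI run resolves whatever is newest on PyPI and a new molecule or docker release can break or silently change the test matrix; pin both (for example `pip install 'molecule==<version>' 'docker==<version>'`, with the versions this role is known to pass on) or install from a requirements file with hashes. The `python: "2.7"` line also selects an interpreter that reached end of life in January 2020, the month before this commit, so the CI interpreter will no longer receive security fixes.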
3 changes: 3 additions & 0 deletions defaults/main.yml
@@ -77,6 +77,9 @@ openvpn_management_pass: ~
# Set to true to make the vpn server NAT incoming traffic
openvpn_route_traffic: false

# Whether to create an iptables rule to allow connections to the openvpn server.
openvpn_open_firewall: true

# The interface that traffic will come in from. This is used when creating
# firewall rules to allow the vpn server to successfully forward traffic (see
# `openvpn_route_traffic`). The interface you specify here will limit these
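Review bot: `openvpn_open_firewall` defaults to `true`, so the role inserts an INPUT ACCEPT rule on every host unless the user opts out; the comment above it should state what the rule matches (`openvpn_proto` and `openvpn_port`, limited to `openvpn_out_interface` only when that variable is set, otherwise all interfaces, per the task in `tasks/system/firewall-open.yml`) so that someone keeping the default knows exactly what is being exposed.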
1 change: 1 addition & 0 deletions meta/beats/elasticsearch-ingest-pipelines.yml
@@ -7,6 +7,7 @@ pipeline:
field: message
ignore_failure: true
patterns:
# yamllint disable-line rule:line-length
- "%{TIMESTAMP:openvpn.date} %{DATA} \\[%{DATA:openvpn.common_name}\\] Peer Connection Initiated with \\[AF_INET\\]%{IP:openvpn.host}:%{POSINT:openvpn.port}"
pattern_definitions:
TIMESTAMP: "%{DAY} %{MONTH} ?%{MONTHDAY} %{TIME} %{YEAR}"
1 change: 1 addition & 0 deletions meta/beats/heartbeat-monitors.yml
@@ -1,4 +1,5 @@
# vi: ft=yaml.ansible.jinja2
# yamllint disable rule:braces
---

- name: OpenVPN host up
9 changes: 9 additions & 0 deletions molecule/default/molecule.yml
@@ -14,12 +14,21 @@ platforms:
command: ${MOLECULE_INIT_CMD-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
sysctls:
net.ipv4.ip_forward: 1
privileged: true
pre_build_image: true
provisioner:
name: ansible
lint:
name: ansible-lint
options:
exclude:
- meta/beats
options:
vvv: true
env:
IN_MOLECULE: 'true'
scenario:
name: default
verifier:
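Review bot: `env: IN_MOLECULE: 'true'` turns a test-harness setting into a control input for the role itself (it gates the sysctl task in `tasks/system/forwarding.yml`), so the role now behaves differently depending on an environment variable that production users never set; a role variable that this scenario's playbook overrides explicitly (for example a hypothetical `openvpn_set_ip_forward: false` in its `vars:`) keeps the test-only path visible and does not leak into real deployments. Setting `net.ipv4.ip_forward: 1` under `sysctls` also means the container already forwards before the role runs, so the test no longer verifies that the role enables forwarding on a host where it is off.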
11 changes: 9 additions & 2 deletions molecule/default/playbook.yml
@@ -13,14 +13,21 @@

# OpenVPN
openvpn_keydir: "{{ easyrsa_pki_dir }}"
openvpn_clients: "{{ easyrsa_clients }}"
openvpn_download_clients: true
openvpn_clients: "{{ easyrsa_clients | map(attribute='name') | list }}"
openvpn_download_dir: /tmp/
openvpn_ccd_configs:
- name: client1
content: '# pass'
- name: client2
content: '# pass'

# Enabled them
openvpn_download_clients: false
openvpn_open_firewall: false
openvpn_route_traffic: false
openvpn_unified_client_profiles: false
openvpn_management_enable: false
openvpn_client_to_client_via_ip: false
roles:
- role: nkakouros.easyrsa
- role: Stouts.openvpn
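Review bot: the comment `# Enabled them` sits above a block that sets every feature to `false`, so it says the opposite of what the lines do; reword it (for example `# Disable optional features`) or drop it. The diff also shows `openvpn_download_clients: true` near the top of the vars and `openvpn_download_clients: false` in the block below; if the first line was not removed, the later key silently overrides it and YAML duplicate-key warnings will appear. Finally, `openvpn_download_dir: /tmp/` fetches the client configuration bundles into a world-writable shared directory; if those bundles include client keys, a private destination directory is the safer choice even for a test run.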
1 change: 1 addition & 0 deletions tasks/core/clients.yml
Expand Up @@ -71,3 +71,4 @@
jump: "{{ openvpn_client_to_client_via_ip | ternary('ALLOW', 'DROP') }}"
comment: drop-client-to-client
notify: openvpn save iptables
when: openvpn_client_to_client_via_ip | bool
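Review bot: the new `when: openvpn_client_to_client_via_ip | bool` makes the `ternary('ALLOW', 'DROP')` dead code: the task now runs only when the variable is true, so the `DROP` branch (the one the `drop-client-to-client` comment describes) can never be applied, and disabling the variable no longer installs the isolation rule, which is the case the rule exists for. Either remove the `when` and keep the ternary, or keep the `when` and hard-code the accept target. Separately, `ALLOW` is not an iptables target (the built-in accept target is `ACCEPT`), so the true branch will fail with an unknown-target error unless a user chain named ALLOW exists.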
9 changes: 8 additions & 1 deletion tasks/openvpn.yml
@@ -21,7 +21,14 @@

- include_tasks: system/forwarding.yml

- include_tasks: system/firewall.yml
- include_tasks: system/firewall-deps.yml
when:
openvpn_open_firewall | bool
or openvpn_route_traffic | bool
or openvpn_client_to_client_via_ip | bool

- include_tasks: system/open-firewall.yml
when: openvpn_open_firewall | bool

- include_tasks: system/routing.yml
when: openvpn_route_traffic | bool
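Review bot: `- include_tasks: system/open-firewall.yml` does not match the file added in this commit, which is `tasks/system/firewall-open.yml`; with `openvpn_open_firewall` defaulting to `true`, the include will fail on every run, so rename one of the two. The three-way `when:` on `firewall-deps.yml` is right, but `firewall-open.yml` depends on the `iptables_rules` fact registered there, so the two conditions must stay in sync: `openvpn_open_firewall` being true must always imply that the deps include ran.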
18 changes: 5 additions & 13 deletions tasks/system/firewall.yml → tasks/system/firewall-deps.yml
@@ -8,7 +8,11 @@
packages:
- iptables
- iptables-persistent
- module-init-tools

- name: Install more firewall deps
apt:
name: module-init-tools
when: ansible_distribution_release == 'jessie'

- name: Read existing iptable rules
shell: iptables -L
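Review bot: `shell: iptables -L` runs without `-n`, so every listing does reverse DNS lookups on the addresses in existing rules and can stall on hosts without resolver access; use `iptables -S` (or `-L -n`), and `command:` rather than `shell:` since no shell features are used. The `when: ansible_distribution_release == 'jessie'` guard on `module-init-tools` is correct, as later Debian releases ship `kmod` in its place.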
@@ -25,15 +29,3 @@
- skip_ansible_lint
register: iptables_nat_rules
changed_when: false

- name: Allow connections to the OpenVPN server
iptables:
chain: INPUT
in_interface: "{{ openvpn_out_interface | default(omit, true) }}"
ctstate: NEW
protocol: udp
destination_port: "{{ openvpn_port }}"
jump: ACCEPT
comment: incoming_openvpn
notify: openvpn save iptables
when: iptables_rules.stdout.find("incoming_openvpn") == -1
13 changes: 13 additions & 0 deletions tasks/system/firewall-open.yml
@@ -0,0 +1,13 @@
---

- name: Allow connections to the OpenVPN server
iptables:
chain: INPUT
in_interface: "{{ openvpn_out_interface | default(omit, true) }}"
ctstate: NEW
protocol: "{{ openvpn_proto }}"
destination_port: "{{ openvpn_port }}"
jump: ACCEPT
comment: incoming_openvpn
notify: openvpn save iptables
when: iptables_rules.stdout.find("incoming_openvpn") == -1
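Review bot: the `when: iptables_rules.stdout.find("incoming_openvpn") == -1` guard skips the task whenever any rule carrying that comment exists, even one whose port, protocol or interface differs from the current variables, so a later change to `openvpn_port` or `openvpn_proto` is never applied on a host that already has the old rule; the `iptables` module is idempotent on the full rule spec, so the guard can be dropped, and with it the dependency on `iptables_rules` from `firewall-deps.yml`. Also note that when `openvpn_out_interface` is unset, `default(omit, true)` removes `in_interface` entirely and the rule accepts on every interface, including the tunnel; that behaviour deserves a sentence in `defaults/main.yml`.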
1 change: 1 addition & 0 deletions tasks/system/forwarding.yml
@@ -7,3 +7,4 @@
sysctl_set: true
state: present
reload: true
when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool
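Review bot: `when: not lookup('env', 'IN_MOLECULE') | d(true, true) | bool` does not do what the line intends: in Jinja2 filters bind tighter than `not`, so it evaluates as `not ((lookup(...) | d(true, true)) | bool)`, and on a normal host, where the variable is unset, the lookup returns an empty string, the default turns it into `true`, and the `not` skips the task. IP forwarding is therefore never enabled outside molecule, which is exactly the behaviour reported in the comments below. Use `when: not (lookup('env', 'IN_MOLECULE') | d(false, true) | bool)`, or better a role variable instead of an environment variable, so the sysctl is applied unless the test harness explicitly opts out.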

ulvida May 14, 2020

To configure a VPN server, I just executed in a playbook a fork of this role and with this condition, the corresponding task, which is needed for the VPN server to be a router (forward IP traffic), was not executed.
I understand that the environment variable IN_MOLECULE is present and set to true when executing the molecule ansible test environment. And I understand that you don't want to execute the task in such an environment. But, when deploying an openvpn server, it should be executed. Therefore the whole condition should be:

when: ( not lookup('env', 'IN_MOLECULE') ) | d(true, true) | bool

(I have to check if it works. It should.) Or, which is semantically less clear:

when: not lookup('env', 'IN_MOLECULE') | d(false, true) | bool

nkakouros (Author, Collaborator) May 14, 2020

Thanks for the feedback. Could you open an issue or PR with this information? I am afraid this will get lost here. I just saw you already have.

ulvida May 15, 2020

It will come with a global PR, with other features such as IPv6. The issue and this comment are in case you want to fix it before.

Thinking better, I understand my first proposal will not work for molecule, as, as documented here with the second 'true' it will "use the default value when variables evaluate to false or an empty string", so the whole will return 'true'. So I'll use the second proposal, even if less readable.
