ansible-lint + fix for openvpn_unified_client_profiles

tasks/assertions.yml

@@ -1,13 +1,13 @@
 ---
 
 - name: Check OS is supported
-  assert:
+  ansible.builtin.assert:
     that:
       - "ansible_os_family in ['Debian', 'RedHat']"
     msg: "{{ ansible_os_family }} is not supported"
 
 - name: Check use of deprecated variables
-  assert:
+  ansible.builtin.assert:
     that:
       - "not lookup('vars', _openvpn__deprecated_var.name, default='')"
     fail_msg: >-
@@ -22,4 +22,3 @@
         replacement: openpvpn_compression
       - name: openvpn_cipher
         replacement: openvpn_ncp_ciphers
-

tasks/authentication/ldap.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Setup LDAP
-  template:
+  ansible.builtin.template:
     src: authentication/auth-ldap.conf.j2
     dest: /etc/openvpn/auth-ldap.conf
     mode: 0o644

tasks/authentication/pam.yml

@@ -1,14 +1,14 @@
 ---
 
 - name: Setup PAM
-  template:
+  ansible.builtin.template:
     src: authentication/openvpn.pam.j2
     dest: /etc/pam.d/openvpn
     mode: 0o644
   when: openvpn_use_pam | bool
 
 - name: Configure users
-  htpasswd:
+  community.general.htpasswd:
     path: "{{ openvpn_etcdir }}/users"
     name: "{{ _openvpn__pam_user.name }}"
     password: "{{ _openvpn__pam_user.password }}"

tasks/authentication/simple.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Setup simple authentication
-  template:
+  ansible.builtin.template:
     src: authentication/auth-client.sh.j2
     dest: "{{ openvpn_etcdir }}/auth-client.sh"
     mode: 0o755

tasks/authentication/tls.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Generate tls-auth key
-  command:
+  ansible.builtin.command:
     openvpn --genkey --secret "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}"
   args:
     creates: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}"

tasks/core/clients.yml

@@ -1,17 +1,17 @@
 ---
 
 - name: Generate client configurations
-  template:
+  ansible.builtin.template:
     src: "{{ openvpn_client_conf_template }}"
     dest: "{{ openvpn_etcdir }}/ovpns/{{ _openvpn__client }}.ovpn"
-    mode: 0o644
+    mode: "0600"
   loop: "{{ openvpn_clients }}"
   loop_control:
     loop_var: _openvpn__client
   register: openvpn_clients_changed
 
 - name: Pack clients
-  command: >-
+  ansible.builtin.command: >-
     zip -j
       {{ _openvpn__client }}.zip
       {{ openvpn_keydir }}/issued/{{ _openvpn__client }}.crt
@@ -28,9 +28,9 @@
   when: openvpn_clients_changed.results[index] is changed
 
 - name: Download client credentials
-  fetch:
+  ansible.builtin.fetch:
     src: "{{ openvpn_etcdir }}/ovpns/{{ _openvpn__client }}.zip"
-    dest: "{{ openvpn_download_dir }}"
+    dest: "{{ openvpn_download_dir }}/{{ openvpn_host }}/"
     flat: true
     validate_checksum: true
   loop: "{{ openvpn_clients }}"
@@ -40,10 +40,23 @@
   when: openvpn_download_clients | bool
   tags: openvpn-download
 
+- name: Create client directory before extraction on localhost
+  ansible.builtin.file:
+    path: "{{ openvpn_download_dir }}{{ openvpn_host }}/{{ _openvpn__client }}"
+    state: directory
+    mode: "0700"
+  loop: "{{ openvpn_clients }}"
+  loop_control:
+    loop_var: _openvpn__client
+  delegate_to: localhost
+  become: false
+  tags: openvpn-download
+  when: openvpn_download_clients | bool
+
 - name: Extract client credentials
-  unarchive:
-    src: "{{ openvpn_download_dir }}/{{ _openvpn__client }}.zip"
-    dest: "{{ openvpn_download_dir }}"
+  ansible.builtin.unarchive:
+    src: "{{ openvpn_download_dir }}{{ openvpn_host }}/{{ _openvpn__client }}.zip"
+    dest: "{{ openvpn_download_dir }}{{ openvpn_host }}/{{ _openvpn__client }}"
   loop: "{{ openvpn_clients }}"
   loop_control:
     loop_var: _openvpn__client
@@ -55,22 +68,22 @@
   tags: openvpn-download
 
 - name: Create ccd directory
-  file:
+  ansible.builtin.file:
     path: "{{ openvpn_ccd }}"
     state: directory
-    mode: 0o755
+    mode: "0700"
 
 - name: Upload ccd configs
-  copy:
+  ansible.builtin.copy:
     content: "{{ _openvpn__ccd_config.content }}"
     dest: "{{ openvpn_ccd }}/{{ _openvpn__ccd_config.name }}"
-    mode: 0o644
+    mode: "0o644"
   loop: "{{ openvpn_ccd_configs }}"
   loop_control:
     loop_var: _openvpn__ccd_config
 
 - name: Disable client-to-client at the IP layer
-  iptables:
+  ansible.builtin.iptables:
     chain: FORWARD
     in_interface: "{{ openvpn_dev }}+"
     out_interface: "{{ openvpn_dev }}+"

tasks/core/configure.yml

@@ -1,19 +1,19 @@
 ---
 
 - name: Ensure openvpn key dir has the right permission
-  file:
+  ansible.builtin.file:
     path: "{{ openvpn_keydir }}"
     state: directory
     mode: 0o700
     owner: "{{ openvpn_user }}"
 
 - name: Check if crl.pem exists
-  stat:
+  ansible.builtin.stat:
     path: "{{ openvpn_keydir }}/crl.pem"
   register: crl_pem_file
 
 - name: Configure server
-  template:
+  ansible.builtin.template:
     src: server.conf.j2
     dest: "{{ openvpn_etcdir }}/server.conf"
     mode: 0o644
@@ -23,7 +23,7 @@
 # here to avoid repeating it twice in both places where the tls and
 # client-config tasks are located.
 - name: Create client configuration directory
-  file:
+  ansible.builtin.file:
     path: "{{ openvpn_etcdir }}/ovpns"
     state: directory
     mode: 0o755

tasks/core/install/Debian.yml

@@ -1,19 +1,19 @@
 ---
 
 - name: Add OpenVPN repo GPG key
-  apt_key:
+  ansible.builtin.apt_key:
     id: E158C569
     url: https://swupdate.openvpn.net/repos/repo-public.gpg
   when: openvpn_use_external_repo | bool
 
 - name: Add OpenVPN repo sources
-  apt_repository:
+  ansible.builtin.apt_repository:
     filename: openvpn
     repo: deb http://swupdate.openvpn.net/apt "{{ ansible_lsb.codename }}" main
   when: openvpn_use_external_repo | bool
 
 - name: Install requirements
-  apt:
+  ansible.builtin.apt:
     name: "{{ requirements }}"
     update_cache: true
     force: true
@@ -25,7 +25,7 @@
       - zip
 
 - name: Install PAM dependencies
-  apt:
+  ansible.builtin.apt:
     name: "{{ dependencies }}"
     force: true
   when: openvpn_use_pam_users | length > 0
@@ -35,12 +35,12 @@
       - python-passlib
 
 - name: Install LDAP dependencies
-  apt:
+  ansible.builtin.apt:
     name: openvpn-auth-ldap
     force: true
   when: openvpn_use_ldap | bool
 
 - name: Install bridge dependencies
-  apt:
+  ansible.builtin.apt:
     name: bridge-utils
   when: openvpn_bridge | bool

tasks/core/install/RedHat.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Install requirements
-  yum:
+  ansible.builtin.yum:
     name: "{{ requirements }}"
     update_cache: true
   vars:
@@ -11,16 +11,16 @@
       - zip
 
 - name: Install PAM dependencies
-  yum:
+  ansible.builtin.yum:
     name: python-passlib
   when: openvpn_use_pam_users | length > 0
 
 - name: Install LDAP dependencies
-  yum:
+  ansible.builtin.yum:
     name: openvpn-auth-ldap
   when: openvpn_use_ldap | bool
 
 - name: Install bridge dependencies
-  yum:
+  ansible.builtin.yum:
     name: bridge-utils
   when: openvpn_bridge| bool

tasks/core/management.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Create management password file
-  copy:
+  ansible.builtin.copy:
     content: "{{ openvpn_management_pass }}"
     dest: "{{ openvpn_etcdir }}/mgmt.pw"
     owner: "{{ openvpn_user }}"
@@ -16,7 +16,7 @@
     }}
 
 - name: Add management directive to OpenVPN config
-  set_fact:
+  ansible.builtin.set_fact:
     openvpn_server_options:
       "{{ openvpn_server_options + _mgmt_option }}"
   vars:

tasks/core/read-client-files.yml

@@ -1,25 +1,23 @@
 ---
 - name: Read CA file
-  command: cat "{{ openvpn_keydir }}/ca.crt"
+  ansible.builtin.command: cat "{{ openvpn_keydir }}/ca.crt"
   no_log: true
   register: openvpn_read_ca_file_results
   changed_when: false
 
 - name: Read TLS-auth key
-  slurp:
+  ansible.builtin.slurp:
     src: "{{ openvpn_etcdir }}/ovpns/{{ openvpn_tls_key }}"
   no_log: true
   register: openvpn_read_tlsauth_file_results
   changed_when: false
   when: openvpn_tls_auth
 
 - name: Read client cert files
-  command: >-
+  ansible.builtin.command: >-
     sed -n
     '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
     {{ openvpn_keydir }}/issued/{{ _openvpn__client }}.crt
-  args:
-    warn: false
   no_log: true
   changed_when: false
   register: openvpn_read_client_cert_files_results
@@ -28,7 +26,7 @@
     loop_var: _openvpn__client
 
 - name: Read client key files
-  command: cat {{ openvpn_keydir }}/private/{{ _openvpn__client }}.key
+  ansible.builtin.command: cat {{ openvpn_keydir }}/private/{{ _openvpn__client }}.key
   no_log: true
   changed_when: false
   register: openvpn_read_client_key_files_results
@@ -37,7 +35,7 @@
     loop_var: _openvpn__client
 
 - name: Set client cert and CA info as fact
-  set_fact:
+  ansible.builtin.set_fact:
     openvpn_ca_file_contents:
       "{{ openvpn_read_ca_file_results.stdout }}"
     openvpn_client_cert_output:
@@ -46,7 +44,7 @@
       "{{ openvpn_read_client_key_files_results.results }}"
 
 - name: Set tls auth file contents as fact
-  set_fact:
+  ansible.builtin.set_fact:
     openvpn_tls_auth_file_contents: >-
       {{
         openvpn_read_tlsauth_file_results['content']

tasks/main.yml

@@ -1,5 +1,6 @@
 ---
 
-- import_tasks: openvpn.yml
+- name: Import tasks openvpn.yml
+  ansible.builtin.import_tasks: openvpn.yml
   when: openvpn_enabled | bool
   tags: openvpn