What is this?

This is a collection of Ansible roles I created to run my own automations for a living.

Available Roles


Ansible >= 2.8 is required.

Don't forget to set the `DO_API_TOKEN` environment variable before running Ansible with this role.

If you wish to use SSH keys, which you probably do, set the `digital_ocean_droplet_ssh_keys` Ansible variable to an array containing the IDs of your SSH key(s). For example:

```
ansible-playbook digital_ocean_openvpn.yml -e 'digital_ocean_droplet_ssh_keys="[12345]"'
```

where 12345 is the identifier of your SSH key. You can get the IDs of the SSH keys you uploaded to Digital Ocean with the following command:

```
curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Bearer API_TOKEN" "" | python -m json.tool
```

Make sure to replace `API_TOKEN` with your actual DO API token. You can also append `| grep -E '"(id|name)"'` to the command above to limit the output to IDs and names only. Other parameters, such as the image name, region and VM size, accept only predefined values. To list those values, refer to the Digital Ocean API documentation, or use `doctl`, e.g.

```
doctl compute ssh-key ls
doctl compute image list-distribution
doctl compute region ls
```
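The curl-and-grep step above can be scripted so the key IDs never have to be copied by hand. The following is an added example, not part of this repository: it reads `DO_API_TOKEN` (the variable the role already requires), sends it only in the `Authorization` header, extracts `(id, name)` pairs from the API response and builds the `-e` argument in JSON form, which is the form Ansible documents for passing a real list rather than the string `"[12345]"`. The endpoint URL `https://api.digitalocean.com/v2/account/keys` is an assumption (the page does not show it), and the response below is a constructed sample in the shape that endpoint returns.

```python
"""List DigitalOcean SSH key IDs and build the extra-vars argument for the role.

Added example, not the role's own code. Assumes the DigitalOcean v2
"list all SSH keys" endpoint and the DO_API_TOKEN variable from the README.
"""
import json
import os
import sys
import urllib.request

# Assumed endpoint (not shown on the README page).
KEYS_URL = "https://api.digitalocean.com/v2/account/keys"

# Constructed sample of the API response shape, used for offline demonstration.
SAMPLE_RESPONSE = json.dumps({
    "ssh_keys": [
        {"id": 12345, "name": "laptop", "fingerprint": "aa:bb:cc",
         "public_key": "ssh-ed25519 AAAA... laptop"},
        {"id": 67890, "name": "ci-runner", "fingerprint": "dd:ee:ff",
         "public_key": "ssh-ed25519 AAAA... ci"},
    ],
    "links": {},
    "meta": {"total": 2},
})


def extract_keys(payload):
    """Return (id, name) pairs, the same fields the grep -E '"(id|name)"' trick keeps."""
    data = json.loads(payload)
    keys = data.get("ssh_keys")
    if not isinstance(keys, list):
        raise ValueError("unexpected response: no 'ssh_keys' list")
    return [(int(k["id"]), str(k["name"])) for k in keys]


def select_ids(keys, wanted_names=None):
    """Pick key IDs by name; with no filter, take every key. Unknown names are an error,
    so a typo cannot silently leave the droplet without the key you expected."""
    if wanted_names is None:
        return [kid for kid, _ in keys]
    wanted = set(wanted_names)
    missing = wanted - {name for _, name in keys}
    if missing:
        raise ValueError("unknown key name(s): %s" % sorted(missing))
    return [kid for kid, name in keys if name in wanted]


def extra_vars_arg(ids):
    """Build the -e argument as JSON so Ansible receives a list, not the string '[12345]'."""
    return json.dumps({"digital_ocean_droplet_ssh_keys": ids})


def fetch_keys_payload(token):
    """Call the API with the bearer token in a header, never in the URL or shell history."""
    req = urllib.request.Request(
        KEYS_URL,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    token = os.environ.get("DO_API_TOKEN")
    if not token:
        sys.exit("set DO_API_TOKEN first (the role needs it too)")
    keys = extract_keys(fetch_keys_payload(token))
    for kid, name in keys:
        print(kid, name)
    chosen = select_ids(keys, sys.argv[1:] or None)
    print("ansible-playbook digital_ocean_openvpn.yml -e %r" % extra_vars_arg(chosen))
```

Run it with no arguments to use every uploaded key, or pass key names (`python list_keys.py laptop`) to restrict the droplet to specific keys; the printed command is the same invocation shown above with the IDs filled in.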

Supported variables and their default values

| Variable | Default | Description |
| --- | --- | --- |
| digital_ocean_droplet_name | mydroplet | Name of your brand-new droplet |
| digital_ocean_droplet_size | s-1vcpu-1gb | Size of your droplet; list valid values with `doctl compute size ls` |
| digital_ocean_droplet_image | debian-10-x64 | Digital Ocean image to be used for droplet creation; list valid values with `doctl compute image list-distribution` |
| digital_ocean_droplet_region | sgp1 | Digital Ocean data center to run the droplet in; list valid values with `doctl compute region ls` |
| digital_ocean_droplet_ipv6 | no | IPv6 support |
| digital_ocean_droplet_backups | no | Enable backups |
| digital_ocean_droplet_monitoring | no | Enable additional monitoring |
| digital_ocean_droplet_unique_name | no | Enable unique names |
| digital_ocean_droplet_private_networking | no | Enable private networking |
| digital_ocean_droplet_tags | [] | Tags the droplet will be tagged with |
| digital_ocean_droplet_volumes | [] | Additional volumes to attach to the droplet |
| digital_ocean_droplet_ssh_keys | [] | SSH keys to add to the root user's authorized_keys; list key IDs with `doctl compute ssh-key ls` |
| digital_ocean_droplet_user_data | | User data to initialise the droplet with |
| digital_ocean_droplet_wait | yes | Wait for droplet creation |
| digital_ocean_droplet_wait_timeout | 600 | Max number of seconds to wait for the droplet upon its creation |


Ansible >= 2.4 is required.

This role installs and configures an OpenVPN server. It also installs and configures nftables if /etc/nftables.conf doesn't exist.

So far, I've tested this role on Digital Ocean only. Other cloud providers may or may not be tested in the future but should work with this role anyway. It has been tested with Debian 10 only for now.

This role doesn't rely on the version of EasyRSA shipped with your operating system. Instead, it downloads an EasyRSA distribution from GitHub. Upon successful completion, the role also downloads the OpenVPN client configuration file to the `openvpn_server_config_download_path` directory, which is `openvpn_conf` by default. That configuration file contains all required key and certificate data inlined.

Supported variables and their default values

| Variable | Default | Description |
| --- | --- | --- |
| openvpn_server_port | 1488 | Port the OpenVPN server will listen on |
| openvpn_server_protocol | udp | Protocol to be used for VPN connections, udp or tcp |
| openvpn_server_dev | tun | Driver to be used for VPN connections |
| openvpn_server_mtu | 1400 | MTU |
| openvpn_server_openvpn_dir | /etc/openvpn | Directory to store OpenVPN configuration files |
| openvpn_server_log_dir | /var/log/openvpn | Directory to store OpenVPN log data |
| openvpn_server_easyrsa_dir | /etc/easy-rsa | Directory to use for EasyRSA data |
| openvpn_server_easyrsa_dist_url | EasyRSA-unix-v3.0.6.tgz | EasyRSA distribution |
| openvpn_server_easyrsa_dist_checksum | SHA256 hash here | EasyRSA distribution checksum |
| openvpn_server_dh | {{ openvpn_server_easyrsa_dir }}/keys/dh4096.pem | Location of the Diffie–Hellman PEM file |
| openvpn_server_dh_bits | 2048 | Size of the Diffie–Hellman parameters |
| openvpn_server_ca_cert | {{ openvpn_server_easyrsa_dir }}/keys/ca.crt | Location of the CA certificate |
| openvpn_server_ca_key | {{ openvpn_server_easyrsa_dir }}/keys/ca.key | Location of the CA key |
| openvpn_server_ca_cert_days | 3652 | Length of validity of the CA certificate |
| openvpn_server_pki_dir | {{ openvpn_server_easyrsa_dir }}/pki | Directory containing PKI data |
| openvpn_server_csr | {{ openvpn_server_easyrsa_dir }}/keys/server.csr | Location of the OpenVPN server CSR |
| openvpn_server_cert | {{ openvpn_server_easyrsa_dir }}/keys/server.crt | Location of the OpenVPN server certificate |
| openvpn_server_cert_days | 3652 | Length of validity of the server certificate |
| openvpn_server_key | {{ openvpn_server_easyrsa_dir }}/keys/server.key | Location of the OpenVPN server key |
| openvpn_server_key_bits | 4096 | Size of the OpenVPN server key |
| openvpn_server_conf | {{ openvpn_server_openvpn_dir }}/server.conf | Path to the OpenVPN server configuration file |
| openvpn_server_network | | IPv4 network to be used for the VPN |
| openvpn_server_mask | | Netmask of the network specified above |
| openvpn_server_status_log | {{ openvpn_server_log_dir }}/server-status.log | OpenVPN server status log file |
| openvpn_server_log | {{ openvpn_server_log_dir }}/server.log | OpenVPN server log file |
| openvpn_server_verb | 3 | OpenVPN server log file verbosity |
| openvpn_server_cipher | AES-256-GCM | Cipher to be used for VPN connections |
| openvpn_server_reneg_bytes | 64000000 | Renegotiate the data channel key after this many bytes |
| openvpn_server_keepalive | "10 120" | OpenVPN server keepalive settings |
| openvpn_server_client_csr | {{ openvpn_server_easyrsa_dir }}/keys/client-{{ ansible_default_ipv4.address }}.csr | File the client CSR will be stored in |
| openvpn_server_client_cert | {{ openvpn_server_easyrsa_dir }}/keys/client-{{ ansible_default_ipv4.address }}.crt | Where to store the client certificate |
| openvpn_server_client_cert_days | 3652 | Length of validity of the client certificate |
| openvpn_server_client_key | {{ openvpn_server_easyrsa_dir }}/keys/client-{{ ansible_default_ipv4.address }}.key | File to store the client key in |
| openvpn_server_client_key_bits | 4096 | Size of the OpenVPN client key |
| openvpn_server_client_conf | {{ openvpn_server_openvpn_dir }}/client-{{ ansible_default_ipv4.address }}.conf | Path the OpenVPN client config will be stored in |
| openvpn_server_nftables_config_file | /etc/nftables.conf | Path to nftables.conf |
| openvpn_server_config_download_path | openvpn_conf/ | Local directory to fetch the OpenVPN client configuration file to; if you want it to be a file that is overwritten on each run, remove the trailing slash and, optionally, append an extension |
| openvpn_server_enable_tls_auth | yes | Enable tls-auth settings |
| openvpn_server_tls_auth_key | {{ openvpn_server_openvpn_dir }}/tls-auth.key | Path to store tls-auth key data |
| openvpn_server_enable_management | yes | Enable the OpenVPN server management interface |
| openvpn_server_management_port | 9999 | OpenVPN server management interface port |
| openvpn_server_client_enable_management | no | Enable the OpenVPN client management interface |
| openvpn_server_client_management_port | 9999 | OpenVPN client management interface port |
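Before running the role it is worth checking that a variable set is internally consistent, since Ansible will happily template contradictory values. The following is an added example, not the role's template: it takes the defaults from the table above (with constructed values for `openvpn_server_network` and `openvpn_server_mask`, which the role leaves empty), flags the combinations a practitioner would want caught (unsupported protocol or device, a DH file name that disagrees with `openvpn_server_dh_bits`, which is the case for the table's own `dh4096.pem` / `2048` pair, tls-auth enabled without a key path, a management port colliding with the VPN port) and renders a `server.conf`. The mapping of each variable onto an OpenVPN directive is an assumption about how the role's template works; the directive names themselves are standard OpenVPN ones.

```python
"""Validate role-style openvpn_server_* variables and render a server.conf.

Added example, not the role's own template. Assumes each variable maps onto
the standard OpenVPN directive used in render() below.
"""
import re

# Defaults copied from the variable table; {{ openvpn_server_easyrsa_dir }}
# and {{ openvpn_server_log_dir }} are expanded by hand here.
EASYRSA = "/etc/easy-rsa"
DEFAULTS = {
    "openvpn_server_port": 1488,
    "openvpn_server_protocol": "udp",
    "openvpn_server_dev": "tun",
    "openvpn_server_mtu": 1400,
    "openvpn_server_dh": EASYRSA + "/keys/dh4096.pem",
    "openvpn_server_dh_bits": 2048,
    "openvpn_server_ca_cert": EASYRSA + "/keys/ca.crt",
    "openvpn_server_cert": EASYRSA + "/keys/server.crt",
    "openvpn_server_key": EASYRSA + "/keys/server.key",
    "openvpn_server_network": "10.8.0.0",    # constructed: the table has no default
    "openvpn_server_mask": "255.255.255.0",  # constructed: the table has no default
    "openvpn_server_status_log": "/var/log/openvpn/server-status.log",
    "openvpn_server_log": "/var/log/openvpn/server.log",
    "openvpn_server_verb": 3,
    "openvpn_server_cipher": "AES-256-GCM",
    "openvpn_server_reneg_bytes": 64000000,
    "openvpn_server_keepalive": "10 120",
    "openvpn_server_enable_tls_auth": True,
    "openvpn_server_tls_auth_key": "/etc/openvpn/tls-auth.key",
    "openvpn_server_enable_management": True,
    "openvpn_server_management_port": 9999,
}


def validate(v):
    """Return a list of problems; an empty list means the variable set is consistent."""
    problems = []
    if v["openvpn_server_protocol"] not in ("udp", "tcp"):
        problems.append("protocol must be udp or tcp")
    if not 1 <= int(v["openvpn_server_port"]) <= 65535:
        problems.append("port out of range")
    if v["openvpn_server_dev"] not in ("tun", "tap"):
        problems.append("dev must be tun or tap")
    if int(v["openvpn_server_dh_bits"]) < 2048:
        problems.append("dh_bits below 2048")
    # The DH file is named after its size; catch a name that contradicts dh_bits.
    m = re.search(r"dh(\d+)\.pem$", v["openvpn_server_dh"])
    if m and int(m.group(1)) != int(v["openvpn_server_dh_bits"]):
        problems.append("dh file name says %s bits but dh_bits is %s"
                        % (m.group(1), v["openvpn_server_dh_bits"]))
    if not v["openvpn_server_network"] or not v["openvpn_server_mask"]:
        problems.append("network and mask must be set (the role has no defaults for them)")
    if v["openvpn_server_enable_tls_auth"] and not v["openvpn_server_tls_auth_key"]:
        problems.append("tls-auth enabled without a key path")
    if (v["openvpn_server_enable_management"]
            and int(v["openvpn_server_management_port"]) == int(v["openvpn_server_port"])):
        problems.append("management port collides with the VPN port")
    return problems


def render(v):
    """Produce server.conf text; tls-auth and management lines appear only when enabled."""
    lines = [
        "port %s" % v["openvpn_server_port"],
        "proto %s" % v["openvpn_server_protocol"],
        "dev %s" % v["openvpn_server_dev"],
        "tun-mtu %s" % v["openvpn_server_mtu"],
        "ca %s" % v["openvpn_server_ca_cert"],
        "cert %s" % v["openvpn_server_cert"],
        "key %s" % v["openvpn_server_key"],
        "dh %s" % v["openvpn_server_dh"],
        "server %s %s" % (v["openvpn_server_network"], v["openvpn_server_mask"]),
        "status %s" % v["openvpn_server_status_log"],
        "log-append %s" % v["openvpn_server_log"],
        "verb %s" % v["openvpn_server_verb"],
        "cipher %s" % v["openvpn_server_cipher"],
        "reneg-bytes %s" % v["openvpn_server_reneg_bytes"],
        "keepalive %s" % v["openvpn_server_keepalive"],
    ]
    if v["openvpn_server_enable_tls_auth"]:
        # Key direction 0 on the server side, 1 in the client profile.
        lines.append("tls-auth %s 0" % v["openvpn_server_tls_auth_key"])
    if v["openvpn_server_enable_management"]:
        # Bind to loopback: the management interface has no authentication
        # unless a password file is configured, so it must not face the network.
        lines.append("management 127.0.0.1 %s" % v["openvpn_server_management_port"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for p in validate(DEFAULTS):
        print("problem:", p)
    print(render(DEFAULTS))
```

Run against the unmodified defaults the validator reports only the DH name/size mismatch; overriding `openvpn_server_dh_bits` to 4096 (or pointing `openvpn_server_dh` at a `dh2048.pem`) clears it.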