Further permission asserts

tasks/centralpoint.yml

@@ -9,10 +9,18 @@
   notify:
     -  Enable and start OpenVPN service
 
+- name: Fix permissions to Diffie-Hellman parameters
+  file:
+    path: "{{ INDIGOVR_CERT_DIR }}/dh2048.pem"
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644
+
 - name: Copy CRL to OpenVPN
   copy:
     src: "{{ INDIGOVR_CA_DIR }}/crl.pem"
     dest: "{{ INDIGOVR_CERT_DIR }}/crl.pem"
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644
     remote_src: yes
   notify:
     -  Enable and start OpenVPN service
@@ -21,6 +29,8 @@
   copy:
     src: "{{ INDIGOVR_CA_DIR }}/ca.crt"
     dest: "{{ INDIGOVR_CERT_DIR }}/ca.crt"
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644
     remote_src: yes
   notify:
     -  Enable and start OpenVPN service
@@ -29,9 +39,9 @@
   file:
     path: /etc/openvpn/ccd
     state: directory
-    mode: 0700
+    mode: 0755
     owner: root
-    group: root
+    group: "{{ INDIGOVR_USER }}"
   notify:
     -  Enable and start OpenVPN service
 
@@ -53,6 +63,8 @@
   copy:
     src: "{{ INDIGOVR_CA_DIR }}/certs/{{ INDIGOVR_CERT_NAME }}.crt"
     dest: "{{ INDIGOVR_CERT_DIR }}/{{ INDIGOVR_CERT_NAME }}.crt"
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644
     remote_src: yes
   notify:
     -  Enable and start OpenVPN service

tasks/standalone.yml

@@ -45,8 +45,12 @@
   copy:
     src: "/tmp/._indigovr_tmp_{{ INDIGOVR_CERT_NAME }}.crt"
     dest: "{{ INDIGOVR_CERT_DIR }}/{{ INDIGOVR_CERT_NAME }}.crt"
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644
 
 - name: Copy CA certificate to OpenVPN
   copy:
     src: "/tmp/.indigovr_tmp_ca.crt"
     dest: "{{ INDIGOVR_CERT_DIR }}/ca.crt"
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644

tasks/vrouter.yml

@@ -4,44 +4,53 @@
 
 - name: Fetch CSR
   fetch:
-    src: "{{ INDIGOVR_CA_DIR }}/certs/{{ INDIGOVR_CERT_NAME }}.csr"
+    src: "{{ INDIGOVR_CERT_DIR }}/{{ INDIGOVR_CERT_NAME }}.csr"
     dest: "/tmp/._indigovr_tmp_{{ INDIGOVR_CERT_NAME }}.csr"
     flat: yes
+    fail_on_missing: yes
 
 - name: Copy CSR to CA
   copy:
-    src: "/tmp/._indigovr_cp_{{ INDIGOVR_CERT_NAME }}.csr"
+    src: "/tmp/._indigovr_tmp_{{ INDIGOVR_CERT_NAME }}.csr"
     dest: "{{ INDIGOVR_CA_DIR }}/certs/{{ INDIGOVR_CERT_NAME }}.csr"
   delegate_to: "{{ INDIGOVR_CENTRALPOINT_IP }}"
+  become: true
 
 - name: Sign certificate
   shell: openssl ca -config "{{ INDIGOVR_CA_DIR }}/openssl.cnf" -extensions usr_cert -notext -batch -in "{{ INDIGOVR_CA_DIR }}/certs/{{ INDIGOVR_CERT_NAME }}.csr" -out "{{ INDIGOVR_CA_DIR }}/certs/{{ INDIGOVR_CERT_NAME }}.crt"
   args:
     creates: "{{ INDIGOVR_CA_DIR }}/certs/{{ INDIGOVR_CERT_NAME }}.crt"
   delegate_to: "{{ INDIGOVR_CENTRALPOINT_IP }}"
+  become: true
 
 - name: Fetch certificate
   fetch:
     src: "{{ INDIGOVR_CA_DIR }}/certs/{{ INDIGOVR_CERT_NAME }}.crt"
     dest: "/tmp/._indigovr_tmp_{{ INDIGOVR_CERT_NAME }}.crt"
     flat: yes
+    fail_on_missing: yes
   delegate_to: "{{ INDIGOVR_CENTRALPOINT_IP }}"
+  become: true
 
 - name: Fetch CA certificate
   fetch:
     src: "{{ INDIGOVR_CA_DIR }}/ca.crt"
     dest: "/tmp/.indigovr_tmp_ca.crt"
     flat: yes
+    fail_on_missing: yes
   delegate_to: "{{ INDIGOVR_CENTRALPOINT_IP }}"
+  become: true
 
 - name: Copy certificate to OpenVPN
-  fetch:
+  copy:
     src: "/tmp/._indigovr_tmp_{{ INDIGOVR_CERT_NAME }}.crt"
     dest: "{{ INDIGOVR_CERT_DIR }}/{{ INDIGOVR_CERT_NAME }}.crt"
-    flat: yes
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644
 
 - name: Copy CA certificate to OpenVPN
-  fetch:
+  copy:
     src: "/tmp/.indigovr_tmp_ca.crt"
     dest: "{{ INDIGOVR_CERT_DIR }}/ca.crt"
-    flat: yes
+    group: "{{ INDIGOVR_USER }}"
+    mode: 0644