refactored local actions to cleaner syntax

roles/vpn/tasks/client_configs.yml

@@ -1,8 +1,7 @@
 ---
 
 - name: Register p12 PayloadContent
-  local_action: >
+  shell: cat private/{{ item }}.p12 | base64
-    shell cat private/{{ item }}.p12 | base64
   register:  PayloadContent
   become: no
   args:
@@ -15,8 +14,7 @@
     PayloadContentCA: "{{ lookup('file' , 'configs/{{ IP_subject_alt_name }}/pki/cacert.pem')|b64encode }}"
 
 - name: Build the mobileconfigs
-  local_action:
+  template:
-    module: template
     src: mobileconfig.j2
     dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.mobileconfig
     mode: 0600
@@ -27,8 +25,7 @@
   no_log: True
 
 - name: Build the strongswan app android config
-  local_action:
+  template:
-    module: template
     src: sswan.j2
     dest: configs/{{ IP_subject_alt_name }}/{{ item.0 }}.sswan
     mode: 0600
@@ -39,8 +36,7 @@
   no_log: True
 
 - name: Build the client ipsec config file
-  local_action:
+  template:
-    module: template
     src: client_ipsec.conf.j2
     dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.conf
     mode: 0600
@@ -49,8 +45,7 @@
     - "{{ users }}"
 
 - name: Build the client ipsec secret file
-  local_action:
+  template:
-    module: template
     src: client_ipsec.secrets.j2
     dest: configs/{{ IP_subject_alt_name }}/ipsec_{{ item }}.secrets
     mode: 0600
@@ -59,8 +54,7 @@
     - "{{ users }}"
 
 - name: Build the windows client powershell script
-  local_action:
+  template:
-    module: template
     src: client_windows.ps1.j2
     dest: configs/{{ IP_subject_alt_name }}/windows_{{ item }}.ps1
     mode: 0600
@@ -69,8 +63,7 @@
   with_items: "{{ users }}"
 
 - name: Restrict permissions for the local private directories
-  local_action:
+  file:
-    module: file
     path: "{{ item }}"
     state: directory
     mode: 0700

roles/vpn/tasks/main.yml

@@ -24,6 +24,7 @@
       tags: update-users
     - include: distribute_keys.yml
     - include: client_configs.yml
+      delegate_to: localhost
       tags: update-users
 
     - meta: flush_handlers

roles/vpn/tasks/openssl.yml

@@ -1,141 +1,133 @@
 ---
 
-- name: Ensure the pki directory does not exist
+- block:
-  local_action:
+  - name: Ensure the pki directory does not exist
-    module: file
+    file:
-    dest: configs/{{ IP_subject_alt_name }}/pki
+      dest: configs/{{ IP_subject_alt_name }}/pki
-    state: absent
+      state: absent
-  become: no
+    when: easyrsa_reinit_existent == True
-  when: easyrsa_reinit_existent == True
 
-- name: Ensure the pki directories exist
+  - name: Ensure the pki directories exist
-  local_action:
+    file:
-    module: file
+      dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
-    dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
+      state: directory
-    state: directory
+      recurse: yes
-    recurse: yes
+    with_items:
-  become: no
+      - ecparams
-  with_items:
+      - certs
-    - ecparams
+      - crl
-    - certs
+      - newcerts
-    - crl
+      - private
-    - newcerts
+      - reqs
-    - private
-    - reqs
 
-- name: Ensure the files exist
+  - name: Ensure the files exist
-  local_action:
+    file:
-    module: file
+      dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
-    dest: "configs/{{ IP_subject_alt_name }}/pki/{{ item }}"
+      state: touch
-    state: touch
+    with_items:
-  become: no
+      - ".rnd"
-  with_items:
+      - "private/.rnd"
-    - ".rnd"
+      - "index.txt"
-    - "private/.rnd"
+      - "index.txt.attr"
-    - "index.txt"
+      - "serial"
-    - "index.txt.attr"
-    - "serial"
 
-- name: Generate the openssl server configs
+  - name: Generate the openssl server configs
-  local_action:
+    template:
-    module: template
+      src: openssl.cnf.j2
-    src: openssl.cnf.j2
+      dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
-    dest: "configs/{{ IP_subject_alt_name }}/pki/openssl.cnf"
-  become: no
 
-- name: Build the CA pair
+  - name: Build the CA pair
-  local_action: >
+    shell: |
-    shell openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
+      openssl ecparam -name prime256v1 -out ecparams/prime256v1.pem &&
       openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/cakey.pem -out cacert.pem -x509 -days 3650 -batch -passout pass:"{{ easyrsa_CA_password }}" &&
       touch {{ IP_subject_alt_name }}_ca_generated
-  become: no
+    args:
-  args:
+      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      creates: "{{ IP_subject_alt_name }}_ca_generated"
-    creates: "{{ IP_subject_alt_name }}_ca_generated"
+    environment:
-  environment:
+      subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
-    subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
 
-- name: Copy the CA certificate
+  - name: Copy the CA certificate
-  local_action:
+    copy:
-    module: copy
+      src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
-    src: "configs/{{ IP_subject_alt_name }}/pki/cacert.pem"
+      dest: "configs/{{ IP_subject_alt_name }}/cacert.pem"
-    dest: "configs/{{ IP_subject_alt_name }}/cacert.pem"
+      mode: 0600
-    mode: 0600
-  become: no
 
-- name: Generate the serial number
+  - name: Generate the serial number
-  local_action: >
+    shell: echo 01 > serial && touch serial_generated
-    shell echo 01 > serial &&
+    args:
-      touch serial_generated
+      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-  become: no
+      creates: serial_generated
-  args:
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-    creates: serial_generated
 
-- name: Build the server pair
+  - name: Build the server pair
-  local_action: >
+    shell: |
-    shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch &&
+      openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ IP_subject_alt_name }}.key -out reqs/{{ IP_subject_alt_name }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" -batch &&
-    openssl ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" &&
+      openssl ca -utf8 -in reqs/{{ IP_subject_alt_name }}.req -out certs/{{ IP_subject_alt_name }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}" &&
-    touch certs/{{ IP_subject_alt_name }}_crt_generated
+      touch certs/{{ IP_subject_alt_name }}_crt_generated
-  become: no
+    args:
-  args:
+      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      creates: certs/{{ IP_subject_alt_name }}_crt_generated
-    creates: certs/{{ IP_subject_alt_name }}_crt_generated
+    environment:
-  environment:
+      subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
-    subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
 
-- name: Build the client's pair
+  - name: Build the client's pair
-  local_action: >
+    shell: |
-   shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
+      openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
       openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
       touch certs/{{ item }}_crt_generated
-  become: no
+    args:
-  args:
+      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      creates: certs/{{ item }}_crt_generated
-    creates: certs/{{ item }}_crt_generated
+    environment:
-  environment:
+      subjectAltName: "DNS:{{ item }}"
-    subjectAltName: "DNS:{{ item }}"
+    with_items: "{{ users }}"
-  with_items: "{{ users }}"
 
-- name: Build the client's p12
+  - name: Build the client's p12
-  local_action: >
+    shell: >
-    shell openssl pkcs12 -in certs/{{ item }}.crt -inkey private/{{ item }}.key -export -name {{ item }} -out private/{{ item }}.p12 -certfile cacert.pem -passout pass:"{{ easyrsa_p12_export_password }}"
+      openssl pkcs12 -in certs/{{ item }}.crt
-  become: no
+      -inkey private/{{ item }}.key
-  args:
+      -export
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      -name {{ item }}
-  with_items: "{{ users }}"
+      -out private/{{ item }}.p12
+      -certfile cacert.pem
+      -passout pass:"{{ easyrsa_p12_export_password }}"
+    args:
+      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    with_items: "{{ users }}"
 
-- name: Copy the p12 certificates
+  - name: Copy the p12 certificates
-  local_action:
+    copy:
-    module: copy
+      src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
-    src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
+      dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
-    dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+      mode: 0600
-    mode: 0600
+    with_items:
-  become: no
+      - "{{ users }}"
-  with_items:
-    - "{{ users }}"
 
-- name: Get active users
+  - name: Get active users
-  local_action: >
+    shell: |
-    shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+      grep ^V index.txt |
-  become: no
+      grep -v "{{ IP_subject_alt_name }}" |
-  args:
+      awk '{print $5}' |
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      sed 's/\/CN=//g'
-  register: valid_certs
+    args:
+      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+    register: valid_certs
 
-- name: Revoke non-existing users
+  - name: Revoke non-existing users
-  local_action: >
+    shell: |
-    shell openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
+        openssl ca -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt &&
-      openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
+        openssl ca -gencrl -config openssl.cnf -passin pass:"{{ easyrsa_CA_password }}" -revoke certs/{{ item }}.crt -out crl/{{ item }}.crt
-      touch crl/{{ item }}_revoked
+        touch crl/{{ item }}_revoked
+    args:
+      chdir: "configs/{{ IP_subject_alt_name }}/pki/"
+      creates: crl/{{ item }}_revoked
+    environment:
+      subjectAltName: "DNS:{{ item }}"
+    when: item not in users
+    with_items: "{{ valid_certs.stdout_lines }}"
+
+  delegate_to: localhost
   become: no
-  args:
-    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
-    creates: crl/{{ item }}_revoked
-  environment:
-    subjectAltName: "DNS:{{ item }}"
-  when: item not in users
-  with_items: "{{ valid_certs.stdout_lines }}"
 
 - name: Copy the revoked certificates to the vpn server
   copy: